PSA: small cleanups for tests that use RelaxPolicyForUserNamespacePods

make sure to cleanup after setting RelaxPolicyForUserNamespacePods setup test variables to be a little more terse and similar between tests cleanup Allowed checking Signed-off-by: Peter Hunt <pehunt@redhat.com>
2025-07-25 12:43:23 +00:00 · 2024-07-23 11:59:53 -04:00 · 2024-07-23 11:59:53 -04:00 · 7e750a62a1
commit 7e750a62a1
parent 17521f04a4
2 changed files with 39 additions and 39 deletions
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
@ -25,12 +25,12 @@ import (

 func TestRunAsNonRoot(t *testing.T) {
 	tests := []struct {
-		name                                     string
-		pod                                      *corev1.Pod
-		expectReason                             string
-		expectDetail                             string
-		allowed                                  bool
-		enableUserNamespacesPodSecurityStandards bool
+		name           string
+		pod            *corev1.Pod
+		expectReason   string
+		expectDetail   string
+		expectAllowed  bool
+		relaxForUserNS bool
 	}{
 		{
 			name: "no explicit runAsNonRoot",
@ -87,8 +87,8 @@ func TestRunAsNonRoot(t *testing.T) {
 			pod: &corev1.Pod{Spec: corev1.PodSpec{
 				HostUsers: utilpointer.Bool(false),
 			}},
-			allowed:                                  true,
-			enableUserNamespacesPodSecurityStandards: true,
+			expectAllowed:  true,
+			relaxForUserNS: true,
 		},
 		{
 			name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
@ -98,21 +98,24 @@ func TestRunAsNonRoot(t *testing.T) {
 				},
 				HostUsers: utilpointer.Bool(true),
 			}},
-			expectReason:                             `runAsNonRoot != true`,
-			expectDetail:                             `pod or container "a" must set securityContext.runAsNonRoot=true`,
-			allowed:                                  false,
-			enableUserNamespacesPodSecurityStandards: true,
+			expectReason:   `runAsNonRoot != true`,
+			expectDetail:   `pod or container "a" must set securityContext.runAsNonRoot=true`,
+			expectAllowed:  false,
+			relaxForUserNS: true,
 		},
 	}

 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.enableUserNamespacesPodSecurityStandards {
+			if tc.relaxForUserNS {
 				RelaxPolicyForUserNamespacePods(true)
+				t.Cleanup(func() {
+					RelaxPolicyForUserNamespacePods(false)
+				})
 			}
 			result := runAsNonRoot_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
-			if result.Allowed && !tc.allowed {
-				t.Fatal("expected disallowed")
+			if result.Allowed != tc.expectAllowed {
+				t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
 			}
 			if e, a := tc.expectReason, result.ForbiddenReason; e != a {
 				t.Errorf("expected\n%s\ngot\n%s", e, a)
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
@ -25,12 +25,12 @@ import (

 func TestRunAsUser(t *testing.T) {
 	tests := []struct {
-		name                                     string
-		pod                                      *corev1.Pod
-		expectAllow                              bool
-		expectReason                             string
-		expectDetail                             string
-		enableUserNamespacesPodSecurityStandards bool
+		name           string
+		pod            *corev1.Pod
+		expectAllowed  bool
+		expectReason   string
+		expectDetail   string
+		relaxForUserNS bool
 	}{
 		{
 			name: "pod runAsUser=0",
@ -51,7 +51,7 @@ func TestRunAsUser(t *testing.T) {
 					{Name: "a", SecurityContext: nil},
 				},
 			}},
-			expectAllow: true,
+			expectAllowed: true,
 		},
 		{
 			name: "pod runAsUser=nil",
@ -61,7 +61,7 @@ func TestRunAsUser(t *testing.T) {
 					{Name: "a", SecurityContext: nil},
 				},
 			}},
-			expectAllow: true,
+			expectAllowed: true,
 		},
 		{
 			name: "containers runAsUser=0",
@ -89,15 +89,15 @@ func TestRunAsUser(t *testing.T) {
 					{Name: "f", SecurityContext: &corev1.SecurityContext{RunAsUser: utilpointer.Int64(4)}},
 				},
 			}},
-			expectAllow: true,
+			expectAllowed: true,
 		},
 		{
 			name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
 			pod: &corev1.Pod{Spec: corev1.PodSpec{
 				HostUsers: utilpointer.Bool(false),
 			}},
-			expectAllow:                              true,
-			enableUserNamespacesPodSecurityStandards: true,
+			expectAllowed:  true,
+			relaxForUserNS: true,
 		},
 		{
 			name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
@ -108,27 +108,24 @@ func TestRunAsUser(t *testing.T) {
 				},
 				HostUsers: utilpointer.Bool(true),
 			}},
-			expectAllow:                              false,
-			expectReason:                             `runAsUser=0`,
-			expectDetail:                             `pod must not set runAsUser=0`,
-			enableUserNamespacesPodSecurityStandards: true,
+			expectAllowed:  false,
+			expectReason:   `runAsUser=0`,
+			expectDetail:   `pod must not set runAsUser=0`,
+			relaxForUserNS: true,
 		},
 	}

 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.enableUserNamespacesPodSecurityStandards {
+			if tc.relaxForUserNS {
 				RelaxPolicyForUserNamespacePods(true)
+				t.Cleanup(func() {
+					RelaxPolicyForUserNamespacePods(false)
+				})
 			}
 			result := runAsUser_1_23(&tc.pod.ObjectMeta, &tc.pod.Spec)
-			if tc.expectAllow {
-				if !result.Allowed {
-					t.Fatalf("expected to be allowed, disallowed: %s, %s", result.ForbiddenReason, result.ForbiddenDetail)
-				}
-				return
-			}
-			if result.Allowed {
-				t.Fatal("expected disallowed")
+			if result.Allowed != tc.expectAllowed {
+				t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
 			}
 			if e, a := tc.expectReason, result.ForbiddenReason; e != a {
 				t.Errorf("expected\n%s\ngot\n%s", e, a)