From 7e750a62a18488c01b6c1c60a33f46ae307aefe9 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Tue, 23 Jul 2024 11:59:53 -0400
Subject: [PATCH] PSA: small cleanups for tests that use RelaxPolicyForUserNamespacePods make sure to cleanup after setting RelaxPolicyForUserNamespacePods setup test variables to be a little more terse and similar between tests cleanup Allowed checking
Signed-off-by: Peter Hunt
---
 .../policy/check_runAsNonRoot_test.go | 33 +++++++-------
 .../policy/check_runAsUser_test.go | 45 +++++++++----------
 2 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
index e8067496cdd..04c58204195 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
@@ -25,12 +25,12 @@ import (
 func TestRunAsNonRoot(t *testing.T) {
 tests := []struct {
- name string
- pod *corev1.Pod
- expectReason string
- expectDetail string
- allowed bool
- enableUserNamespacesPodSecurityStandards bool
+ name string
+ pod *corev1.Pod
+ expectReason string
+ expectDetail string
+ expectAllowed bool
+ relaxForUserNS bool
 }{
 {
 name: "no explicit runAsNonRoot",
@@ -87,8 +87,8 @@ func TestRunAsNonRoot(t *testing.T) {
 pod: &corev1.Pod{Spec: corev1.PodSpec{
 HostUsers: utilpointer.Bool(false),
 }},
- allowed: true,
- enableUserNamespacesPodSecurityStandards: true,
+ expectAllowed: true,
+ relaxForUserNS: true,
 },
 {
 name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
@@ -98,21 +98,24 @@ func TestRunAsNonRoot(t *testing.T) {
 },
 HostUsers: utilpointer.Bool(true),
 }},
- expectReason: `runAsNonRoot != true`,
- expectDetail: `pod or container "a" must set securityContext.runAsNonRoot=true`,
- allowed: false,
- enableUserNamespacesPodSecurityStandards: true,
+ expectReason: `runAsNonRoot != true`,
+ expectDetail: `pod or container "a" must set securityContext.runAsNonRoot=true`,
+ expectAllowed: false,
+ relaxForUserNS: true,
 },
 }
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
- if tc.enableUserNamespacesPodSecurityStandards {
+ if tc.relaxForUserNS {
 RelaxPolicyForUserNamespacePods(true)
+ t.Cleanup(func() {
+ RelaxPolicyForUserNamespacePods(false)
+ })
 }
 result := runAsNonRoot_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
- if result.Allowed && !tc.allowed {
- t.Fatal("expected disallowed")
+ if result.Allowed != tc.expectAllowed {
+ t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
 }
 if e, a := tc.expectReason, result.ForbiddenReason; e != a {
 t.Errorf("expected\n%s\ngot\n%s", e, a)
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
index 490b07257cc..d47ab1921a4 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
@@ -25,12 +25,12 @@ import (
 func TestRunAsUser(t *testing.T) {
 tests := []struct {
- name string
- pod *corev1.Pod
- expectAllow bool
- expectReason string
- expectDetail string
- enableUserNamespacesPodSecurityStandards bool
+ name string
+ pod *corev1.Pod
+ expectAllowed bool
+ expectReason string
+ expectDetail string
+ relaxForUserNS bool
 }{
 {
 name: "pod runAsUser=0",
@@ -51,7 +51,7 @@ func TestRunAsUser(t *testing.T) {
 {Name: "a", SecurityContext: nil},
 },
 }},
- expectAllow: true,
+ expectAllowed: true,
 },
 {
 name: "pod runAsUser=nil",
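Review bot: The relaxed-policy cases this loop runs only cover `HostUsers` explicitly `true` or `false`; there is no case with `relaxForUserNS: true` and `HostUsers` left unset, which is what every ordinary pod submits and which, as far as I recall the Pod API, means the host user namespace — so a regression in the relaxed path that treated nil as opted-in would silently weaken the restricted profile for all pods and still pass here, and I would add a third relaxed case with the same container "a" and `HostUsers` omitted, expecting the same `runAsNonRoot != true` denial. `RelaxPolicyForUserNamespacePods` is package-level state and the new `t.Cleanup` restores a hard-coded `false` rather than the previous value, which is fine only while the default is false and the subtests stay sequential; a comment above `t.Run` such as `// Subtests toggle package-level policy state; do not add t.Parallel().` would keep that from being broken by accident. The new `t.Fatalf("expected Allowed to be %v was %v", ...)` says nothing about why a pod was denied, so an unexpected denial of the relaxed case is hard to diagnose; `t.Fatalf("expected Allowed=%v, got %v (%s: %s)", tc.expectAllowed, result.Allowed, result.ForbiddenReason, result.ForbiddenDetail)` costs nothing. The `t.Run` closure and `TestRunAsNonRoot` close outside the hunk.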
@@ -61,7 +61,7 @@ func TestRunAsUser(t *testing.T) {
 {Name: "a", SecurityContext: nil},
 },
 }},
- expectAllow: true,
+ expectAllowed: true,
 },
 {
 name: "containers runAsUser=0",
@@ -89,15 +89,15 @@ func TestRunAsUser(t *testing.T) {
 {Name: "f", SecurityContext: &corev1.SecurityContext{RunAsUser: utilpointer.Int64(4)}},
 },
 }},
- expectAllow: true,
+ expectAllowed: true,
 },
 {
 name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
 pod: &corev1.Pod{Spec: corev1.PodSpec{
 HostUsers: utilpointer.Bool(false),
 }},
- expectAllow: true,
- enableUserNamespacesPodSecurityStandards: true,
+ expectAllowed: true,
+ relaxForUserNS: true,
 },
 {
 name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
@@ -108,27 +108,24 @@ func TestRunAsUser(t *testing.T) {
 },
 HostUsers: utilpointer.Bool(true),
 }},
- expectAllow: false,
- expectReason: `runAsUser=0`,
- expectDetail: `pod must not set runAsUser=0`,
- enableUserNamespacesPodSecurityStandards: true,
+ expectAllowed: false,
+ expectReason: `runAsUser=0`,
+ expectDetail: `pod must not set runAsUser=0`,
+ relaxForUserNS: true,
 },
 }
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
- if tc.enableUserNamespacesPodSecurityStandards {
+ if tc.relaxForUserNS {
 RelaxPolicyForUserNamespacePods(true)
+ t.Cleanup(func() {
+ RelaxPolicyForUserNamespacePods(false)
+ })
 }
 result := runAsUser_1_23(&tc.pod.ObjectMeta, &tc.pod.Spec)
- if tc.expectAllow {
- if !result.Allowed {
- t.Fatalf("expected to be allowed, disallowed: %s, %s", result.ForbiddenReason, result.ForbiddenDetail)
- }
- return
- }
- if result.Allowed {
- t.Fatal("expected disallowed")
+ if result.Allowed != tc.expectAllowed {
+ t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
 }
 if e, a := tc.expectReason, result.ForbiddenReason; e != a {
 t.Errorf("expected\n%s\ngot\n%s", e, a)
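Review bot: The collapsed `t.Fatalf("expected Allowed to be %v was %v", ...)` drops the `result.ForbiddenReason` and `result.ForbiddenDetail` that the removed `expectAllow` branch printed, so an unexpected denial of the relaxed case now reports nothing about its cause; `t.Fatalf("expected Allowed=%v, got %v (%s: %s)", tc.expectAllowed, result.Allowed, result.ForbiddenReason, result.ForbiddenDetail)` keeps the old diagnostics. The positive relaxed case in the previous hunk (`HostUsers: false`, no securityContext, no containers) sets no `runAsUser=0` anywhere and is allowed by this check with or without relaxation, as the `pod runAsUser=nil` case already shows, so it does not prove the relaxation does anything; mirroring the denied case — presumably pod-level `RunAsUser: utilpointer.Int64(0)`, given the `pod must not set runAsUser=0` detail — with `HostUsers: utilpointer.Bool(false)` and `expectAllowed: true` would. A `relaxForUserNS: true` case with `HostUsers` omitted, expecting the same `runAsUser=0` denial, is also missing, and that is the shape every default pod has. The `t.Run` closure and `TestRunAsUser` end outside the hunk.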