Add test for pkg/kubelet/sysctl/allowlist_test.go
This commit is contained in:
parent
8e642d3d0d
commit
8ca97dcde1
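--- a/pkg/kubelet/sysctl/allowlist_test.go
+++ b/pkg/kubelet/sysctl/allowlist_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package sysctl
 
 import (
+"k8s.io/api/core/v1"
+"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 "testing"
 )
 
@@ -66,6 +68,9 @@ func TestAllowlist(t *testing.T) {
 {sysctl: "kernel.msgmax", hostIPC: true},
 {sysctl: "kernel.sem", hostIPC: true},
 }
+pod := &v1.Pod{}
+pod.Spec.SecurityContext = &v1.PodSecurityContext{}
+attrs := &lifecycle.PodAdmitAttributes{Pod: pod}
 
 w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem"))
 if err != nil {
@@ -76,11 +81,32 @@ func TestAllowlist(t *testing.T) {
 if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err != nil {
 t.Errorf("expected to be allowlisted: %+v, got: %v", test, err)
 }
+pod.Spec.HostNetwork = test.hostNet
+pod.Spec.HostIPC = test.hostIPC
+pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{v1.Sysctl{test.sysctl, test.sysctl}}
+status := w.Admit(attrs)
+if !status.Admit {
+t.Errorf("expected to be allowlisted: %+v, got: %+v", test, status)
+}
 }
 
 for _, test := range invalid {
 if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err == nil {
 t.Errorf("expected to be rejected: %+v", test)
 }
+pod.Spec.HostNetwork = test.hostNet
+pod.Spec.HostIPC = test.hostIPC
+pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{v1.Sysctl{test.sysctl, test.sysctl}}
+status := w.Admit(attrs)
+if status.Admit {
+t.Errorf("expected to be rejected: %+v", test)
+}
+}
+
+// test for: len(pod.Spec.SecurityContext.Sysctls) == 0
+pod.Spec.SecurityContext.Sysctls = nil
+status := w.Admit(attrs)
+if !status.Admit {
+t.Errorf("expected to be allowlisted,got %+v", status)
 }
 }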
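Review bot: Both `pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{v1.Sysctl{test.sysctl, test.sysctl}}` lines in the third hunk use an unkeyed composite literal for a struct from another package, which `go vet` reports, and they also copy the sysctl name into the value field. Write the literal with keyed fields and drop the redundant element type, `pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}`; if Admit inspects the value, use a representative value instead, which this hunk alone does not show. The final zero-sysctls check runs with whatever HostNetwork/HostIPC the last invalid case left on the pod, so resetting both to false before `pod.Spec.SecurityContext.Sysctls = nil` would make that case self-contained. The message `"expected to be allowlisted,got %+v"` is missing a space after the comma. TestAllowlist starts before this hunk, so the first loop's header and the `valid`/`invalid` tables are outside it.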