Merge pull request #115384 from sourcelliu/allowlist

Add test for pkg/kubelet/sysctl/allowlist_test.go
This commit is contained in:
Kubernetes Prow Robot 2023-02-14 12:45:51 -08:00 committed by GitHub
commit 8f55d34507
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -17,6 +17,8 @@ limitations under the License.
package sysctl
import (
"k8s.io/api/core/v1"
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
"testing"
)
@ -34,6 +36,7 @@ func TestNewAllowlist(t *testing.T) {
{sysctls: []string{"net.*.foo"}, err: true},
{sysctls: []string{"net.*/foo"}, err: true},
{sysctls: []string{"foo"}, err: true},
{sysctls: []string{"foo*"}, err: true},
} {
_, err := NewAllowlist(append(SafeSysctlAllowlist(), test.sysctls...))
if test.err && err == nil {
@ -65,9 +68,13 @@ func TestAllowlist(t *testing.T) {
{sysctl: "net.ipv4.ip_local_port_range.a.b.c", hostNet: false},
{sysctl: "kernel.msgmax", hostIPC: true},
{sysctl: "kernel.sem", hostIPC: true},
{sysctl: "net.b.c", hostNet: true},
}
pod := &v1.Pod{}
pod.Spec.SecurityContext = &v1.PodSecurityContext{}
attrs := &lifecycle.PodAdmitAttributes{Pod: pod}
w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem"))
w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem", "net.b.*"))
if err != nil {
t.Fatalf("failed to create allowlist: %v", err)
}
@ -76,11 +83,30 @@ func TestAllowlist(t *testing.T) {
if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err != nil {
t.Errorf("expected to be allowlisted: %+v, got: %v", test, err)
}
pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
status := w.Admit(attrs)
if !status.Admit {
t.Errorf("expected to be allowlisted: %+v, got: %+v", test, status)
}
}
for _, test := range invalid {
if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err == nil {
t.Errorf("expected to be rejected: %+v", test)
}
pod.Spec.HostNetwork = test.hostNet
pod.Spec.HostIPC = test.hostIPC
pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
status := w.Admit(attrs)
if status.Admit {
t.Errorf("expected to be rejected: %+v", test)
}
}
// test for: len(pod.Spec.SecurityContext.Sysctls) == 0
pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{}
status := w.Admit(attrs)
if !status.Admit {
t.Errorf("expected to be allowlisted,got %+v", status)
}
}
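Review bot: The Admit check added to the valid loop does not set the pod's host-namespace flags, so `w.Admit(attrs)` there runs against whatever `pod.Spec.HostNetwork`/`pod.Spec.HostIPC` happen to be, while the `validateSysctl` call two lines earlier uses `test.hostNet`/`test.hostIPC`; the invalid loop does set them, so the two loops do not exercise the same condition. Mirroring the invalid loop before the `Sysctls` assignment in the valid loop, `pod.Spec.HostNetwork = test.hostNet` and `pod.Spec.HostIPC = test.hostIPC`, makes the Admit path cover the host-namespace case for allowed sysctls as well. The invalid loop also leaves the last case's flags on the pod when the final empty-sysctls check runs, so that check is order-dependent; resetting both flags to false before it (or stating in the comment that they are intentionally left as-is) would make the intent explicit. Minor wording: the final message `"expected to be allowlisted,got %+v"` is missing a space after the comma, and in the first hunk the import block lists the k8s packages before `"testing"`, which goimports would reorder with stdlib first.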