From 8ca97dcde1bf44e5a5af8a2efb77787e9e16c2de Mon Sep 17 00:00:00 2001
From: mantuliu <240951888@qq.com>
Date: Sun, 29 Jan 2023 22:48:27 +0800
Subject: [PATCH 1/3] Add test for pkg/kubelet/sysctl/allowlist_test.go

---
 pkg/kubelet/sysctl/allowlist_test.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/pkg/kubelet/sysctl/allowlist_test.go b/pkg/kubelet/sysctl/allowlist_test.go
index 5d838365e4f..cc1a1558317 100644
--- a/pkg/kubelet/sysctl/allowlist_test.go
+++ b/pkg/kubelet/sysctl/allowlist_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package sysctl
 
 import (
+ "k8s.io/api/core/v1"
+ "k8s.io/kubernetes/pkg/kubelet/lifecycle"
 "testing"
 )
 
@@ -66,6 +68,9 @@ func TestAllowlist(t *testing.T) {
 {sysctl: "kernel.msgmax", hostIPC: true},
 {sysctl: "kernel.sem", hostIPC: true},
 }
 
+ pod := &v1.Pod{}
+ pod.Spec.SecurityContext = &v1.PodSecurityContext{}
+ attrs := &lifecycle.PodAdmitAttributes{Pod: pod}
 w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem"))
 if err != nil {
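Review bot: The two `k8s.io/...` imports in the first hunk are added into the same group as the standard-library `"testing"` import, so the block no longer has the grouping goimports produces (standard library first, then a blank line, then the `k8s.io/...` group). Suggest splitting it: `"testing"` alone, a blank line, then `v1 "k8s.io/api/core/v1"` and `"k8s.io/kubernetes/pkg/kubelet/lifecycle"`, with the explicit `v1` alias that kubelet code conventionally uses for the core API package.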
@@ -76,11 +81,32 @@ func TestAllowlist(t *testing.T) {
 if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err != nil {
 t.Errorf("expected to be allowlisted: %+v, got: %v", test, err)
 }
+ pod.Spec.HostNetwork = test.hostNet
+ pod.Spec.HostIPC = test.hostIPC
+ pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{v1.Sysctl{test.sysctl, test.sysctl}}
+ status := w.Admit(attrs)
+ if !status.Admit {
+ t.Errorf("expected to be allowlisted: %+v, got: %+v", test, status)
+ }
 }
 
 for _, test := range invalid {
 if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err == nil {
 t.Errorf("expected to be rejected: %+v", test)
 }
+ pod.Spec.HostNetwork = test.hostNet
+ pod.Spec.HostIPC = test.hostIPC
+ pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{v1.Sysctl{test.sysctl, test.sysctl}}
+ status := w.Admit(attrs)
+ if status.Admit {
+ t.Errorf("expected to be rejected: %+v", test)
+ }
+ }
+
+ // test for: len(pod.Spec.SecurityContext.Sysctls) == 0
+ pod.Spec.SecurityContext.Sysctls = nil
+ status := w.Admit(attrs)
+ if !status.Admit {
+ t.Errorf("expected to be allowlisted,got %+v", status)
 }
 }

From 52e7bf58cf4f0cc61cd3c928e38e2fa7c1015f6b Mon Sep 17 00:00:00 2001
From: mantuliu <240951888@qq.com>
Date: Tue, 31 Jan 2023 23:55:09 +0800
Subject: [PATCH 2/3] cut avoid unnecessary code duplications

Signed-off-by: mantuliu <240951888@qq.com>
---
 pkg/kubelet/sysctl/allowlist_test.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/pkg/kubelet/sysctl/allowlist_test.go b/pkg/kubelet/sysctl/allowlist_test.go
index cc1a1558317..bbdc30209b0 100644
--- a/pkg/kubelet/sysctl/allowlist_test.go
+++ b/pkg/kubelet/sysctl/allowlist_test.go
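Review bot: The rejection loop only asserts that `status.Admit` is false and never checks why the pod was refused, so a rejection coming from some unrelated condition would pass just as well; since this admit handler is what stops a pod from setting host-namespace sysctls, the reason is worth pinning, e.g. `if status.Admit || status.Reason != ForbiddenReason {` (assuming the package still exports that constant). The final empty-list check reuses the same `pod` with `HostNetwork`/`HostIPC` still set from the last invalid entry, which is fine for the `len(...) == 0` case the comment names, but a one-line comment saying the leftover flags are intentional would stop a later reader from "fixing" them. The message of the last `t.Errorf` is also missing a space: `"expected to be allowlisted, got %+v"`. TestAllowlist starts before this hunk.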
@@ -81,9 +81,7 @@ func TestAllowlist(t *testing.T) {
 if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err != nil {
 t.Errorf("expected to be allowlisted: %+v, got: %v", test, err)
 }
- pod.Spec.HostNetwork = test.hostNet
- pod.Spec.HostIPC = test.hostIPC
- pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{v1.Sysctl{test.sysctl, test.sysctl}}
+ pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{test.sysctl, test.sysctl}}
 status := w.Admit(attrs)
 if !status.Admit {
 t.Errorf("expected to be allowlisted: %+v, got: %+v", test, status)
@@ -96,7 +94,7 @@ func TestAllowlist(t *testing.T) {
 }
 pod.Spec.HostNetwork = test.hostNet
 pod.Spec.HostIPC = test.hostIPC
- pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{v1.Sysctl{test.sysctl, test.sysctl}}
+ pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{test.sysctl, test.sysctl}}
 status := w.Admit(attrs)
 if status.Admit {
 t.Errorf("expected to be rejected: %+v", test)
@@ -104,7 +102,7 @@ func TestAllowlist(t *testing.T) {
 }
 
 // test for: len(pod.Spec.SecurityContext.Sysctls) == 0
- pod.Spec.SecurityContext.Sysctls = nil
+ pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{}
 status := w.Admit(attrs)
 if !status.Admit {
 t.Errorf("expected to be allowlisted,got %+v", status)

From 3f8ada67c5363e7b0c06ee3cbb44a6d20c9a9e09 Mon Sep 17 00:00:00 2001
From: mantuliu <240951888@qq.com>
Date: Wed, 1 Feb 2023 10:47:38 +0800
Subject: [PATCH 3/3] impove the coverage

Signed-off-by: mantuliu <240951888@qq.com>
---
 pkg/kubelet/sysctl/allowlist_test.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/pkg/kubelet/sysctl/allowlist_test.go b/pkg/kubelet/sysctl/allowlist_test.go
index bbdc30209b0..9535eabbd9b 100644
--- a/pkg/kubelet/sysctl/allowlist_test.go
+++ b/pkg/kubelet/sysctl/allowlist_test.go
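Review bot: Removing `pod.Spec.HostNetwork = test.hostNet` and `pod.Spec.HostIPC = test.hostIPC` from the valid loop in the first hunk means `w.Admit(attrs)` is no longer called with the host flags of the table entry but with whatever the shared `pod` currently holds, while `validateSysctl` two lines above still receives `test.hostNet, test.hostIPC`, so the two assertions in this loop now exercise different inputs. It holds today only because the valid loop runs before the invalid loop on a freshly constructed pod whose flags are still false; reordering the loops, or moving the pod construction, would leave `HostIPC`/`HostNetwork` set to true from the last invalid entry and make entries such as `kernel.msgmax` fail admission here for a reason unrelated to the allowlist. Keeping the two assignments in this loop as well costs two lines and makes each table entry self-describing; the hunks at `@@ -96,7` and `@@ -104,7` are unaffected. TestAllowlist starts before this hunk.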
@@ -36,6 +36,7 @@ func TestNewAllowlist(t *testing.T) {
 {sysctls: []string{"net.*.foo"}, err: true},
 {sysctls: []string{"net.*/foo"}, err: true},
 {sysctls: []string{"foo"}, err: true},
+ {sysctls: []string{"foo*"}, err: true},
 } {
 _, err := NewAllowlist(append(SafeSysctlAllowlist(), test.sysctls...))
 if test.err && err == nil {
@@ -67,12 +68,13 @@ func TestAllowlist(t *testing.T) {
 {sysctl: "net.ipv4.ip_local_port_range.a.b.c", hostNet: false},
 {sysctl: "kernel.msgmax", hostIPC: true},
 {sysctl: "kernel.sem", hostIPC: true},
+ {sysctl: "net.b.c", hostNet: true},
 }
 
 pod := &v1.Pod{}
 pod.Spec.SecurityContext = &v1.PodSecurityContext{}
 attrs := &lifecycle.PodAdmitAttributes{Pod: pod}
- w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem"))
+ w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem", "net.b.*"))
 if err != nil {
 t.Fatalf("failed to create allowlist: %v", err)
 }
@@ -81,7 +83,7 @@ func TestAllowlist(t *testing.T) {
 if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err != nil {
 t.Errorf("expected to be allowlisted: %+v, got: %v", test, err)
 }
- pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{test.sysctl, test.sysctl}}
+ pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
 status := w.Admit(attrs)
 if !status.Admit {
 t.Errorf("expected to be allowlisted: %+v, got: %+v", test, status)
@@ -94,7 +96,7 @@ func TestAllowlist(t *testing.T) {
 }
 pod.Spec.HostNetwork = test.hostNet
 pod.Spec.HostIPC = test.hostIPC
- pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{test.sysctl, test.sysctl}}
+ pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
 status := w.Admit(attrs)
 if status.Admit {
 t.Errorf("expected to be rejected: %+v", test)
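Review bot: The new invalid entry `{sysctl: "net.b.c", hostNet: true}` in the `@@ -67,12` hunk is meant to cover the `net.b.*` prefix added on the `NewAllowlist` line, but nothing in the test shows that `net.b.c` is actually matched by that prefix: a rejection from the "not allowlisted" path would satisfy the assertion just as well as the host-network check this entry is supposed to exercise. Add the positive counterpart `{sysctl: "net.b.c"}` to the `valid` table (it sits above this hunk) so the prefix match is proven and the rejection here is attributable to the pod running with host networking. TestAllowlist continues outside this hunk.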