Merge pull request #59137 from php-coder/improve_allow_priv_escalation_test

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Move test cases to a proper test method

**What this PR does / why we need it**:
Prior to this change, we had tests in the `TestValidatePodSpec()` method, which is designated for testing `ValidatePodSpec()`. But because they test code from the `ValidateSecurityContext()` method, the tests belong in `TestValidateSecurityContext()`.

This PR improves the tests. Now the tests become less fragile because `ValidatePodSpec()` do a lot more validations than `ValidateSecurityContext()`.

**Which issue(s) this PR fixes**:
Related to https://github.com/kubernetes/kubernetes/pull/52803 where this code and tests were introduced.

**Release note**:
```release-note
NONE
```

PTAL @jessfraz 
CC @simo5
This commit is contained in:
Kubernetes Submit Queue 2018-02-08 09:06:54 -08:00 committed by GitHub
commit af3ea72cda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -5964,38 +5964,6 @@ func TestValidatePodSpec(t *testing.T) {
DNSPolicy: core.DNSClusterFirst,
PriorityClassName: "InvalidName",
},
"with privileged and allowPrivilegeEscalation false": {
Containers: []core.Container{
{
Name: "ctr",
Image: "image",
ImagePullPolicy: "IfNotPresent",
Ports: []core.ContainerPort{
{HostPort: 8080, ContainerPort: 2600, Protocol: "TCP"}},
SecurityContext: &core.SecurityContext{
Privileged: boolPtr(true),
AllowPrivilegeEscalation: boolPtr(false),
},
},
},
},
"with CAP_SYS_ADMIN and allowPrivilegeEscalation false": {
Containers: []core.Container{
{
Name: "ctr",
Image: "image",
ImagePullPolicy: "IfNotPresent",
Ports: []core.ContainerPort{
{HostPort: 8080, ContainerPort: 2600, Protocol: "TCP"}},
SecurityContext: &core.SecurityContext{
Capabilities: &core.Capabilities{
Add: []core.Capability{"CAP_SYS_ADMIN"},
},
AllowPrivilegeEscalation: boolPtr(false),
},
},
},
},
}
for k, v := range failureCases {
if errs := ValidatePodSpec(&v, field.NewPath("field")); len(errs) == 0 {
@ -11986,11 +11954,10 @@ func TestValidateTLSSecret(t *testing.T) {
}
func TestValidateSecurityContext(t *testing.T) {
priv := false
runAsUser := int64(1)
fullValidSC := func() *core.SecurityContext {
return &core.SecurityContext{
Privileged: &priv,
Privileged: boolPtr(false),
Capabilities: &core.Capabilities{
Add: []core.Capability{"foo"},
Drop: []core.Capability{"bar"},
@ -12035,17 +12002,25 @@ func TestValidateSecurityContext(t *testing.T) {
}
privRequestWithGlobalDeny := fullValidSC()
requestPrivileged := true
privRequestWithGlobalDeny.Privileged = &requestPrivileged
privRequestWithGlobalDeny.Privileged = boolPtr(true)
negativeRunAsUser := fullValidSC()
negativeUser := int64(-1)
negativeRunAsUser.RunAsUser = &negativeUser
privWithoutEscalation := fullValidSC()
privWithoutEscalation.Privileged = boolPtr(true)
privWithoutEscalation.AllowPrivilegeEscalation = boolPtr(false)
capSysAdminWithoutEscalation := fullValidSC()
capSysAdminWithoutEscalation.Capabilities.Add = []core.Capability{"CAP_SYS_ADMIN"}
capSysAdminWithoutEscalation.AllowPrivilegeEscalation = boolPtr(false)
errorCases := map[string]struct {
sc *core.SecurityContext
errorType field.ErrorType
errorDetail string
sc *core.SecurityContext
errorType field.ErrorType
errorDetail string
capAllowPriv bool
}{
"request privileged when capabilities forbids": {
sc: privRequestWithGlobalDeny,
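Review bot: The new `capAllowPriv bool` field in the errorCases struct carries no comment, and what it means — it is written into the process-wide capabilities setting for that case rather than into the SecurityContext under test — is only discoverable by reading the loop further down. A field comment such as `// capAllowPriv is the global AllowPrivileged setting the case runs under; defaults to false.` would also make the zero-value default explicit for the cases that omit it, which rely on privileged being denied. The enclosing TestValidateSecurityContext starts before this hunk.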
@ -12057,8 +12032,22 @@ func TestValidateSecurityContext(t *testing.T) {
errorType: "FieldValueInvalid",
errorDetail: "must be between",
},
"with CAP_SYS_ADMIN and allowPrivilegeEscalation false": {
sc: capSysAdminWithoutEscalation,
errorType: "FieldValueInvalid",
errorDetail: "cannot set `allowPrivilegeEscalation` to false and `capabilities.Add` CAP_SYS_ADMIN",
},
"with privileged and allowPrivilegeEscalation false": {
sc: privWithoutEscalation,
errorType: "FieldValueInvalid",
errorDetail: "cannot set `allowPrivilegeEscalation` to false and `privileged` to true",
capAllowPriv: true,
},
}
for k, v := range errorCases {
capabilities.SetForTests(capabilities.Capabilities{
AllowPrivileged: v.capAllowPriv,
})
if errs := ValidateSecurityContext(v.sc, field.NewPath("field")); len(errs) == 0 || errs[0].Type != v.errorType || !strings.Contains(errs[0].Detail, v.errorDetail) {
t.Errorf("[%s] Expected error type %q with detail %q, got %v", k, v.errorType, v.errorDetail, errs)
}
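Review bot: The `capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: v.capAllowPriv})` call inside the loop overwrites package-global state on every iteration and nothing restores it, so after this test the global `AllowPrivileged` value is whatever the last-ranged map key set — and Go randomizes map iteration order, so later tests in the package run under a nondeterministic privilege setting. A self-contained fix is to reset to a known state when the test returns, e.g. `defer capabilities.SetForTests(capabilities.Capabilities{})` placed before the `for k, v := range errorCases` line, or `prev := capabilities.Get(); defer capabilities.SetForTests(prev)` if this tree exposes that getter as I believe it does. The comparison also inspects only `errs[0]`, which is presumably why the privileged case must set `capAllowPriv: true` (otherwise the global-deny error is reported first); a one-line comment on that field value would spare the next reader the deduction. TestValidateSecurityContext continues past the end of this hunk.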