Merge pull request #57464 from php-coder/verify_run_as_non_root_test

Automatic merge from submit-queue (batch tested with PRs 57746, 57621, 56839, 57464). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

security_context_test.go(TestVerifyRunAsNonRoot): add more test cases

**What this PR does / why we need it**:
In #56503 we modified the `VerifyRunAsNonRoot` function to add one more argument. As [was requested](https://github.com/kubernetes/kubernetes/pull/56503#discussion_r153870821) by @simo5, this change should have a unit test.

This PR adds this test and also some more to cover more execution paths.

**Release note**:
```release-note
NONE
```

PTAL @pweil- @liggitt 
CC @simo5
Kubernetes Submit Queue 2018-01-02 15:26:47 -08:00 committed by GitHub
commit b20c83789f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -45,16 +45,20 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
}
rootUser := int64(0)
anyUser := int64(1000)
runAsNonRootTrue := true
runAsNonRootFalse := false
for _, test := range []struct {
desc string
sc *v1.SecurityContext
fail bool
desc string
sc *v1.SecurityContext
uid *int64
username string
fail bool
}{
{
desc: "Pass if SecurityContext is not set",
sc: nil,
uid: &rootUser,
fail: false,
},
{
@ -62,6 +66,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
sc: &v1.SecurityContext{
RunAsUser: &rootUser,
},
uid: &rootUser,
fail: false,
},
{
@ -69,6 +74,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootFalse,
},
uid: &rootUser,
fail: false,
},
{
@ -77,6 +83,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
RunAsNonRoot: &runAsNonRootFalse,
RunAsUser: &rootUser,
},
uid: &rootUser,
fail: false,
},
{
@ -85,6 +92,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
RunAsNonRoot: &runAsNonRootTrue,
RunAsUser: &rootUser,
},
uid: &rootUser,
fail: true,
},
{
@ -92,12 +100,35 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue,
},
uid: &rootUser,
fail: true,
},
{
desc: "Fail if image's username is set and RunAsNonRoot is true",
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue,
},
username: "test",
fail: true,
},
{
desc: "Pass if image's user is non-root and RunAsNonRoot is true",
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue,
},
uid: &anyUser,
fail: false,
},
{
desc: "Pass if container's user and image's user aren't set and RunAsNonRoot is true",
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue,
},
fail: false,
},
} {
pod.Spec.Containers[0].SecurityContext = test.sc
uid := int64(0)
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], &uid, "")
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], test.uid, test.username)
if test.fail {
assert.Error(t, err, test.desc)
} else {
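Review bot: The last added row ("Pass if container's user and image's user aren't set and RunAsNonRoot is true") pins a pass when `RunAsNonRoot` is true and the call receives neither a uid nor a username, which is the fail-open edge of this check and is left unexplained. `verifyRunAsNonRoot` itself is not shown on this page, so whether a caller can reach it with both values unset cannot be confirmed from here; if callers are expected to resolve a missing image user to a concrete uid first, the row should say so. I would add a comment above it such as `// nil uid and empty username: nothing to verify here; assumes the caller has already resolved the image user (confirm)`. The loop also asserts only that an error is returned (`assert.Error(t, err, test.desc)`), so the row that sets both `RunAsUser: &rootUser` and `uid: &rootUser` with `RunAsNonRoot` true cannot tell which check rejected the pod. The test function starts before the first hunk and continues past the last visible line.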