Merge pull request #57464 from php-coder/verify_run_as_non_root_test

Automatic merge from submit-queue (batch tested with PRs 57746, 57621, 56839, 57464). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. security_context_test.go(TestVerifyRunAsNonRoot): add more test cases **What this PR does / why we need it**: In #56503 we modified `VerifyRunAsNonRoot` function add add one more argument. As [was requested](https://github.com/kubernetes/kubernetes/pull/56503#discussion_r153870821) by @simo5, this change should have a unit test. This PR adds this test and also some more to cover more execution paths. **Release note**: ```release-note NONE ``` PTAL @pweil- @liggitt CC @simo5
2025-07-24 20:24:09 +00:00 · 2018-01-02 15:26:47 -08:00 · 2018-01-02 15:26:47 -08:00 · b20c83789f
commit b20c83789f
parent 45a069a241 a91e2dc4d2
1 changed files with 36 additions and 5 deletions
--- a/pkg/kubelet/kuberuntime/security_context_test.go
+++ b/pkg/kubelet/kuberuntime/security_context_test.go
@ -45,16 +45,20 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
 	}
 	rootUser := int64(0)
 	anyUser := int64(1000)
 	runAsNonRootTrue := true
 	runAsNonRootFalse := false
 	for _, test := range []struct {
-		desc string
+		desc     string
-		sc   *v1.SecurityContext
+		sc       *v1.SecurityContext
-		fail bool
+		uid      *int64
 		username string
 		fail     bool
 	}{
 		{
 			desc: "Pass if SecurityContext is not set",
 			sc:   nil,
 			uid:  &rootUser,
 			fail: false,
 		},
 		{
@ -62,6 +66,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
 			sc: &v1.SecurityContext{
 				RunAsUser: &rootUser,
 			},
 			uid:  &rootUser,
 			fail: false,
 		},
 		{
@ -69,6 +74,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
 			sc: &v1.SecurityContext{
 				RunAsNonRoot: &runAsNonRootFalse,
 			},
 			uid:  &rootUser,
 			fail: false,
 		},
 		{
@ -77,6 +83,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
 				RunAsNonRoot: &runAsNonRootFalse,
 				RunAsUser:    &rootUser,
 			},
 			uid:  &rootUser,
 			fail: false,
 		},
 		{
@ -85,6 +92,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
 				RunAsNonRoot: &runAsNonRootTrue,
 				RunAsUser:    &rootUser,
 			},
 			uid:  &rootUser,
 			fail: true,
 		},
 		{
@ -92,12 +100,35 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
 			sc: &v1.SecurityContext{
 				RunAsNonRoot: &runAsNonRootTrue,
 			},
 			uid:  &rootUser,
 			fail: true,
 		},
 		{
 			desc: "Fail if image's username is set and RunAsNonRoot is true",
 			sc: &v1.SecurityContext{
 				RunAsNonRoot: &runAsNonRootTrue,
 			},
 			username: "test",
 			fail:     true,
 		},
 		{
 			desc: "Pass if image's user is non-root and RunAsNonRoot is true",
 			sc: &v1.SecurityContext{
 				RunAsNonRoot: &runAsNonRootTrue,
 			},
 			uid:  &anyUser,
 			fail: false,
 		},
 		{
 			desc: "Pass if container's user and image's user aren't set and RunAsNonRoot is true",
 			sc: &v1.SecurityContext{
 				RunAsNonRoot: &runAsNonRootTrue,
 			},
 			fail: false,
 		},
 	} {
 		pod.Spec.Containers[0].SecurityContext = test.sc
-		uid := int64(0)
+		err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], test.uid, test.username)
 		err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], &uid, "")
 		if test.fail {
 			assert.Error(t, err, test.desc)
 		} else {