Visit ephemeral containers when calculating fs user
@@ -34,7 +34,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
"k8s.io/kubernetes/pkg/util/slice"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
utilptr "k8s.io/utils/pointer"
|
||||
"k8s.io/utils/ptr"
|
||||
)
|
||||
|
||||
func TestLoadPodFromFile(t *testing.T) {
|
||||
@@ -169,14 +169,14 @@ func TestFsUserFrom(t *testing.T) {
|
||||
InitContainers: []v1.Container{
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: utilptr.Int64Ptr(1000),
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
},
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: utilptr.Int64Ptr(1000),
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
{
|
||||
@@ -195,19 +195,28 @@ func TestFsUserFrom(t *testing.T) {
|
||||
InitContainers: []v1.Container{
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: utilptr.Int64Ptr(999),
|
||||
RunAsUser: ptr.To[int64](999),
|
||||
},
|
||||
},
|
||||
},
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: utilptr.Int64Ptr(1000),
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: utilptr.Int64Ptr(1000),
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
},
|
||||
EphemeralContainers: []v1.EphemeralContainer{
|
||||
{
|
||||
EphemeralContainerCommon: v1.EphemeralContainerCommon{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: ptr.To[int64](1001),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -215,6 +224,34 @@ func TestFsUserFrom(t *testing.T) {
|
||||
},
|
||||
wantFsUser: nil,
|
||||
},
|
||||
{
|
||||
desc: "init and regular containers have runAsUser specified and the same",
|
||||
pod: &v1.Pod{
|
||||
Spec: v1.PodSpec{
|
||||
SecurityContext: &v1.PodSecurityContext{},
|
||||
InitContainers: []v1.Container{
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
},
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
wantFsUser: ptr.To[int64](1000),
|
||||
},
|
||||
{
|
||||
desc: "all have runAsUser specified and the same",
|
||||
pod: &v1.Pod{
|
||||
@@ -223,25 +260,34 @@ func TestFsUserFrom(t *testing.T) {
|
||||
InitContainers: []v1.Container{
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: utilptr.Int64Ptr(1000),
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
},
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: utilptr.Int64Ptr(1000),
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: utilptr.Int64Ptr(1000),
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
},
|
||||
EphemeralContainers: []v1.EphemeralContainer{
|
||||
{
|
||||
EphemeralContainerCommon: v1.EphemeralContainerCommon{
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: ptr.To[int64](1000),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
wantFsUser: utilptr.Int64Ptr(1000),
|
||||
wantFsUser: ptr.To[int64](1000),
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
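Review bot: None of the visible TestFsUserFrom cases makes the ephemeral container the only mismatch, so both cases that set `EphemeralContainers` would still pass if ephemeral containers were never visited. The case with `RunAsUser: ptr.To[int64](1001)` on the ephemeral container already expects `wantFsUser: nil` because its init container is 999 against regular containers at 1000, and the "all have runAsUser specified and the same" case uses 1000 everywhere. A case with init and regular containers at 1000, a single ephemeral container at 1001 and a nil expectation would pin the behaviour the commit title describes; a sketch follows. The table begins and may continue outside the visible hunks, so confirm that no existing case already covers this.

```go
// … unchanged: preceding TestFsUserFrom cases …
{
	desc: "only the ephemeral container has a different runAsUser",
	pod: &v1.Pod{
		Spec: v1.PodSpec{
			SecurityContext: &v1.PodSecurityContext{},
			InitContainers: []v1.Container{
				{
					SecurityContext: &v1.SecurityContext{
						RunAsUser: ptr.To[int64](1000),
					},
				},
			},
			Containers: []v1.Container{
				{
					SecurityContext: &v1.SecurityContext{
						RunAsUser: ptr.To[int64](1000),
					},
				},
			},
			EphemeralContainers: []v1.EphemeralContainer{
				{
					EphemeralContainerCommon: v1.EphemeralContainerCommon{
						SecurityContext: &v1.SecurityContext{
							RunAsUser: ptr.To[int64](1001),
						},
					},
				},
			},
		},
	},
	wantFsUser: nil,
},
```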