test: Add unit tests for privileged runtime functions
- Add unit test for privilegedSandbox - Add unit test for getRuntime Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This commit is contained in:
Jose Carlos Venegas Munoz
parent
ca16bd601a
commit
bdc5eee544
@ -19,10 +19,10 @@ package server
|
||||
import (
|
||||
"testing"
|
||||
|
||||
criconfig "github.com/containerd/cri/pkg/config"
|
||||
"github.com/containerd/cri/pkg/util"
|
||||
imagedigest "github.com/opencontainers/go-digest"
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
"github.com/containerd/cri/pkg/util"
|
||||
)
|
||||
|
||||
// TestGetUserFromImage tests the logic of getting image uid or user name of image user.
|
||||
@ -142,3 +142,64 @@ func TestBuildLabels(t *testing.T) {
|
||||
assert.Empty(t, configLabels[containerKindLabel], "should not add new labels into original label")
|
||||
assert.Equal(t, "b", configLabels["a"], "change in new labels should not affect original label")
|
||||
}
|
||||
|
||||
func Test_criService_getRuntime(t *testing.T) {
|
||||
|
||||
const (
|
||||
privilegedWorkload = true
|
||||
nonPrivilegedWorkload = false
|
||||
)
|
||||
|
||||
nonPrivilegedRuntime := criconfig.Runtime{
|
||||
Type: "io.containerd.runtime.v1.linux",
|
||||
Engine: "kata-runtime",
|
||||
Root: "",
|
||||
}
|
||||
|
||||
privilegedRuntime := criconfig.Runtime{
|
||||
Type: "io.containerd.runtime.v1.linux",
|
||||
Engine: "runc",
|
||||
Root: "",
|
||||
}
|
||||
|
||||
// Crate a configuration that does not specify a privileged runtime
|
||||
// Both privileged and non-privileged workloads are created with the
|
||||
// defaultRuntime (nonPrivilegedRuntime).
|
||||
nonPrivilegedConfig := criService{
|
||||
config: criconfig.Config{
|
||||
PluginConfig: criconfig.DefaultConfig(),
|
||||
},
|
||||
}
|
||||
nonPrivilegedConfig.config.ContainerdConfig.DefaultRuntime = nonPrivilegedRuntime
|
||||
|
||||
// Crate a configuration that specifies a privileged runtime
|
||||
// The privileged workloads are created with the privilegedRuntime
|
||||
// The non-privileged workloads be created with the
|
||||
// defaultRuntime(nonPrivilegedRuntime)
|
||||
privilegedConfig := criService{
|
||||
config: criconfig.Config{
|
||||
PluginConfig: criconfig.DefaultConfig(),
|
||||
},
|
||||
}
|
||||
privilegedConfig.config.ContainerdConfig.DefaultRuntime = nonPrivilegedRuntime
|
||||
privilegedConfig.config.ContainerdConfig.PrivilegedRuntime = privilegedRuntime
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
cri criService
|
||||
privileged bool
|
||||
wantRuntime criconfig.Runtime
|
||||
}{
|
||||
{"nonPrivilegedConfig/PrivilegedWorkload", nonPrivilegedConfig, privilegedWorkload, nonPrivilegedRuntime},
|
||||
{"nonPrivilegedConfig/PrivilegedWorkload", nonPrivilegedConfig, nonPrivilegedWorkload, nonPrivilegedRuntime},
|
||||
{"PrivilegedConfig/nonPrivilegedWorkload", privilegedConfig, privilegedWorkload, privilegedRuntime},
|
||||
{"PrivilegedConfig/nonPrivilegedWorkload", privilegedConfig, nonPrivilegedWorkload, nonPrivilegedRuntime},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
gotRuntime := tt.cri.getRuntime(tt.privileged)
|
||||
assert.Equal(t, tt.wantRuntime, gotRuntime)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
@ -435,3 +435,58 @@ func TestTypeurlMarshalUnmarshalSandboxMeta(t *testing.T) {
|
||||
|
||||
// TODO(random-liu): [P1] Add unit test for different error cases to make sure
|
||||
// the function cleans up on error properly.
|
||||
|
||||
func TestPrivilegedSandbox(t *testing.T) {
|
||||
privilegedContext := runtime.RunPodSandboxRequest{
|
||||
Config: &runtime.PodSandboxConfig{
|
||||
Linux: &runtime.LinuxPodSandboxConfig{
|
||||
SecurityContext: &runtime.LinuxSandboxSecurityContext{
|
||||
Privileged: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
nonPrivilegedContext := runtime.RunPodSandboxRequest{
|
||||
Config: &runtime.PodSandboxConfig{
|
||||
Linux: &runtime.LinuxPodSandboxConfig{
|
||||
SecurityContext: &runtime.LinuxSandboxSecurityContext{
|
||||
Privileged: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
hostNamespace := runtime.RunPodSandboxRequest{
|
||||
Config: &runtime.PodSandboxConfig{
|
||||
Linux: &runtime.LinuxPodSandboxConfig{
|
||||
SecurityContext: &runtime.LinuxSandboxSecurityContext{
|
||||
Privileged: false,
|
||||
NamespaceOptions: &runtime.NamespaceOption{
|
||||
Network: runtime.NamespaceMode_NODE,
|
||||
Pid: runtime.NamespaceMode_NODE,
|
||||
Ipc: runtime.NamespaceMode_NODE,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
type args struct {
|
||||
req *runtime.RunPodSandboxRequest
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want bool
|
||||
}{
|
||||
{"Security Context is nil", args{&runtime.RunPodSandboxRequest{}}, false},
|
||||
{"Security Context is privileged", args{&privilegedContext}, true},
|
||||
{"Security Context is not privileged", args{&nonPrivilegedContext}, false},
|
||||
{"Security Context namespace host access", args{&hostNamespace}, true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if got := privilegedSandbox(tt.args.req); got != tt.want {
|
||||
t.Errorf("privilegedSandbox() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user