github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #88488 from gnufied/implement-fix-recursive-chown

Browse Source 
Implement changes for fsgroup recursive chown
This commit is contained in:
Kubernetes Prow Robot
2020-03-05 21:39:30 -08:00
committed by GitHub
parent e90c908f64 b132959687
commit 264e2f1744
107 changed files with 2924 additions and 2001 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
pkg/api/pod/util_test.go
View File

@@ -462,6 +462,133 @@ func TestPodConfigmaps(t *testing.T) {
}
}
func TestDropFSGroupFields(t *testing.T) {
nofsGroupPod := func() *api.Pod {
return &api.Pod{
Spec: api.PodSpec{
Containers: []api.Container{
{
Name: "container1",
Image: "testimage",
},
},
},
}
}
var podFSGroup int64 = 100
changePolicy := api.FSGroupChangeAlways
fsGroupPod := func() *api.Pod {
return &api.Pod{
Spec: api.PodSpec{
Containers: []api.Container{
{
Name: "container1",
Image: "testimage",
},
},
SecurityContext: &api.PodSecurityContext{
FSGroup: &podFSGroup,
FSGroupChangePolicy: &changePolicy,
},
},
}
}
podInfos := []struct {
description string
featureEnabled bool
newPodHasFSGroupChangePolicy bool
pod func() *api.Pod
expectPolicyInPod bool
}{
{
description: "oldPod.FSGroupChangePolicy=nil, feature=true, newPod.FSGroupChangePolicy=true",
featureEnabled: true,
pod: nofsGroupPod,
newPodHasFSGroupChangePolicy: true,
expectPolicyInPod: true,
},
{
description: "oldPod=nil, feature=false, newPod.FSGroupChangePolicy=true",
featureEnabled: false,
pod: func() *api.Pod { return nil },
newPodHasFSGroupChangePolicy: true,
expectPolicyInPod: false,
},
{
description: "oldPod=nil, feature=true, newPod.FSGroupChangePolicy=true",
featureEnabled: true,
pod: func() *api.Pod { return nil },
newPodHasFSGroupChangePolicy: true,
expectPolicyInPod: true,
},
{
description: "oldPod.FSGroupChangePolicy=nil, feature=false, newPod.FSGroupChangePolicy=true",
featureEnabled: false,
pod: nofsGroupPod,
newPodHasFSGroupChangePolicy: true,
expectPolicyInPod: false,
},
{
description: "oldPod.FSGroupChangePolicy=true, feature=false, newPod.FSGroupChangePolicy=true",
featureEnabled: false,
pod: fsGroupPod,
newPodHasFSGroupChangePolicy: true,
expectPolicyInPod: true,
},
{
description: "oldPod.FSGroupChangePolicy=true, feature=false, newPod.FSGroupChangePolicy=false",
featureEnabled: false,
pod: fsGroupPod,
newPodHasFSGroupChangePolicy: false,
expectPolicyInPod: false,
},
{
description: "oldPod.FSGroupChangePolicy=true, feature=true, newPod.FSGroupChangePolicy=false",
featureEnabled: true,
pod: fsGroupPod,
newPodHasFSGroupChangePolicy: false,
expectPolicyInPod: false,
},
}
for _, podInfo := range podInfos {
t.Run(podInfo.description, func(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ConfigurableFSGroupPolicy, podInfo.featureEnabled)()
oldPod := podInfo.pod()
newPod := oldPod.DeepCopy()
if oldPod == nil && podInfo.newPodHasFSGroupChangePolicy {
newPod = fsGroupPod()
}
if oldPod != nil {
if podInfo.newPodHasFSGroupChangePolicy {
newPod.Spec.SecurityContext = &api.PodSecurityContext{
FSGroup: &podFSGroup,
FSGroupChangePolicy: &changePolicy,
}
} else {
newPod.Spec.SecurityContext = &api.PodSecurityContext{}
}
}
DropDisabledPodFields(newPod, oldPod)
if podInfo.expectPolicyInPod {
secContext := newPod.Spec.SecurityContext
if secContext == nil || secContext.FSGroupChangePolicy == nil {
t.Errorf("for %s, expected fsGroupChangepolicy found none", podInfo.description)
}
} else {
secConext := newPod.Spec.SecurityContext
if secConext != nil && secConext.FSGroupChangePolicy != nil {
t.Errorf("for %s, unexpected fsGroupChangepolicy set", podInfo.description)
}
}
})
}
}
func TestDropSubPath(t *testing.T) {
podWithSubpaths := func() *api.Pod {
return &api.Pod{