PSP: move internal types from extensions to policy.
This commit is contained in:
Slava Semushin
@@ -28,9 +28,6 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
api "k8s.io/kubernetes/pkg/apis/core"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
"k8s.io/kubernetes/pkg/security/apparmor"
|
||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
||||
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||
)
|
||||
|
||||
func TestValidateDaemonSetStatusUpdate(t *testing.T) {
|
||||
@@ -2317,527 +2314,3 @@ func TestValidateReplicaSet(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidatePodSecurityPolicy(t *testing.T) {
|
||||
validPSP := func() *extensions.PodSecurityPolicy {
|
||||
return &extensions.PodSecurityPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "foo",
|
||||
Annotations: map[string]string{},
|
||||
},
|
||||
Spec: extensions.PodSecurityPolicySpec{
|
||||
SELinux: extensions.SELinuxStrategyOptions{
|
||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
||||
},
|
||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
||||
},
|
||||
FSGroup: extensions.FSGroupStrategyOptions{
|
||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
||||
},
|
||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
||||
},
|
||||
AllowedHostPaths: []extensions.AllowedHostPath{
|
||||
{PathPrefix: "/foo/bar"},
|
||||
{PathPrefix: "/baz/"},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
noUserOptions := validPSP()
|
||||
noUserOptions.Spec.RunAsUser.Rule = ""
|
||||
|
||||
noSELinuxOptions := validPSP()
|
||||
noSELinuxOptions.Spec.SELinux.Rule = ""
|
||||
|
||||
invalidUserStratType := validPSP()
|
||||
invalidUserStratType.Spec.RunAsUser.Rule = "invalid"
|
||||
|
||||
invalidSELinuxStratType := validPSP()
|
||||
invalidSELinuxStratType.Spec.SELinux.Rule = "invalid"
|
||||
|
||||
invalidUIDPSP := validPSP()
|
||||
invalidUIDPSP.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
|
||||
invalidUIDPSP.Spec.RunAsUser.Ranges = []extensions.UserIDRange{{Min: -1, Max: 1}}
|
||||
|
||||
missingObjectMetaName := validPSP()
|
||||
missingObjectMetaName.ObjectMeta.Name = ""
|
||||
|
||||
noFSGroupOptions := validPSP()
|
||||
noFSGroupOptions.Spec.FSGroup.Rule = ""
|
||||
|
||||
invalidFSGroupStratType := validPSP()
|
||||
invalidFSGroupStratType.Spec.FSGroup.Rule = "invalid"
|
||||
|
||||
noSupplementalGroupsOptions := validPSP()
|
||||
noSupplementalGroupsOptions.Spec.SupplementalGroups.Rule = ""
|
||||
|
||||
invalidSupGroupStratType := validPSP()
|
||||
invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
|
||||
|
||||
invalidRangeMinGreaterThanMax := validPSP()
|
||||
invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
|
||||
{Min: 2, Max: 1},
|
||||
}
|
||||
|
||||
invalidRangeNegativeMin := validPSP()
|
||||
invalidRangeNegativeMin.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
|
||||
{Min: -1, Max: 10},
|
||||
}
|
||||
|
||||
invalidRangeNegativeMax := validPSP()
|
||||
invalidRangeNegativeMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
|
||||
{Min: 1, Max: -10},
|
||||
}
|
||||
|
||||
wildcardAllowedCapAndRequiredDrop := validPSP()
|
||||
wildcardAllowedCapAndRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
||||
wildcardAllowedCapAndRequiredDrop.Spec.AllowedCapabilities = []api.Capability{extensions.AllowAllCapabilities}
|
||||
|
||||
requiredCapAddAndDrop := validPSP()
|
||||
requiredCapAddAndDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
|
||||
requiredCapAddAndDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
||||
|
||||
allowedCapListedInRequiredDrop := validPSP()
|
||||
allowedCapListedInRequiredDrop.Spec.RequiredDropCapabilities = []api.Capability{"foo"}
|
||||
allowedCapListedInRequiredDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
|
||||
|
||||
invalidAppArmorDefault := validPSP()
|
||||
invalidAppArmorDefault.Annotations = map[string]string{
|
||||
apparmor.DefaultProfileAnnotationKey: "not-good",
|
||||
}
|
||||
invalidAppArmorAllowed := validPSP()
|
||||
invalidAppArmorAllowed.Annotations = map[string]string{
|
||||
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + ",not-good",
|
||||
}
|
||||
|
||||
invalidSysctlPattern := validPSP()
|
||||
invalidSysctlPattern.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "a.*.b"
|
||||
|
||||
invalidSeccompDefault := validPSP()
|
||||
invalidSeccompDefault.Annotations = map[string]string{
|
||||
seccomp.DefaultProfileAnnotationKey: "not-good",
|
||||
}
|
||||
invalidSeccompAllowAnyDefault := validPSP()
|
||||
invalidSeccompAllowAnyDefault.Annotations = map[string]string{
|
||||
seccomp.DefaultProfileAnnotationKey: "*",
|
||||
}
|
||||
invalidSeccompAllowed := validPSP()
|
||||
invalidSeccompAllowed.Annotations = map[string]string{
|
||||
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good",
|
||||
}
|
||||
|
||||
invalidAllowedHostPathMissingPath := validPSP()
|
||||
invalidAllowedHostPathMissingPath.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
|
||||
{PathPrefix: ""},
|
||||
}
|
||||
|
||||
invalidAllowedHostPathBacksteps := validPSP()
|
||||
invalidAllowedHostPathBacksteps.Spec.AllowedHostPaths = []extensions.AllowedHostPath{
|
||||
{PathPrefix: "/dont/allow/backsteps/.."},
|
||||
}
|
||||
|
||||
invalidDefaultAllowPrivilegeEscalation := validPSP()
|
||||
pe := true
|
||||
invalidDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
|
||||
|
||||
emptyFlexDriver := validPSP()
|
||||
emptyFlexDriver.Spec.Volumes = []extensions.FSType{extensions.FlexVolume}
|
||||
emptyFlexDriver.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{{}}
|
||||
|
||||
nonEmptyFlexVolumes := validPSP()
|
||||
nonEmptyFlexVolumes.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{{Driver: "example/driver"}}
|
||||
|
||||
type testCase struct {
|
||||
psp *extensions.PodSecurityPolicy
|
||||
errorType field.ErrorType
|
||||
errorDetail string
|
||||
}
|
||||
errorCases := map[string]testCase{
|
||||
"no user options": {
|
||||
psp: noUserOptions,
|
||||
errorType: field.ErrorTypeNotSupported,
|
||||
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
|
||||
},
|
||||
"no selinux options": {
|
||||
psp: noSELinuxOptions,
|
||||
errorType: field.ErrorTypeNotSupported,
|
||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||
},
|
||||
"no fsgroup options": {
|
||||
psp: noFSGroupOptions,
|
||||
errorType: field.ErrorTypeNotSupported,
|
||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||
},
|
||||
"no sup group options": {
|
||||
psp: noSupplementalGroupsOptions,
|
||||
errorType: field.ErrorTypeNotSupported,
|
||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||
},
|
||||
"invalid user strategy type": {
|
||||
psp: invalidUserStratType,
|
||||
errorType: field.ErrorTypeNotSupported,
|
||||
errorDetail: `supported values: "MustRunAs", "MustRunAsNonRoot", "RunAsAny"`,
|
||||
},
|
||||
"invalid selinux strategy type": {
|
||||
psp: invalidSELinuxStratType,
|
||||
errorType: field.ErrorTypeNotSupported,
|
||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||
},
|
||||
"invalid sup group strategy type": {
|
||||
psp: invalidSupGroupStratType,
|
||||
errorType: field.ErrorTypeNotSupported,
|
||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||
},
|
||||
"invalid fs group strategy type": {
|
||||
psp: invalidFSGroupStratType,
|
||||
errorType: field.ErrorTypeNotSupported,
|
||||
errorDetail: `supported values: "MustRunAs", "RunAsAny"`,
|
||||
},
|
||||
"invalid uid": {
|
||||
psp: invalidUIDPSP,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "min cannot be negative",
|
||||
},
|
||||
"missing object meta name": {
|
||||
psp: missingObjectMetaName,
|
||||
errorType: field.ErrorTypeRequired,
|
||||
errorDetail: "name or generateName is required",
|
||||
},
|
||||
"invalid range min greater than max": {
|
||||
psp: invalidRangeMinGreaterThanMax,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "min cannot be greater than max",
|
||||
},
|
||||
"invalid range negative min": {
|
||||
psp: invalidRangeNegativeMin,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "min cannot be negative",
|
||||
},
|
||||
"invalid range negative max": {
|
||||
psp: invalidRangeNegativeMax,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "max cannot be negative",
|
||||
},
|
||||
"non-empty required drops and all caps are allowed by a wildcard": {
|
||||
psp: wildcardAllowedCapAndRequiredDrop,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "must be empty when all capabilities are allowed by a wildcard",
|
||||
},
|
||||
"invalid required caps": {
|
||||
psp: requiredCapAddAndDrop,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "capability is listed in defaultAddCapabilities and requiredDropCapabilities",
|
||||
},
|
||||
"allowed cap listed in required drops": {
|
||||
psp: allowedCapListedInRequiredDrop,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "capability is listed in allowedCapabilities and requiredDropCapabilities",
|
||||
},
|
||||
"invalid AppArmor default profile": {
|
||||
psp: invalidAppArmorDefault,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "invalid AppArmor profile name: \"not-good\"",
|
||||
},
|
||||
"invalid AppArmor allowed profile": {
|
||||
psp: invalidAppArmorAllowed,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "invalid AppArmor profile name: \"not-good\"",
|
||||
},
|
||||
"invalid sysctl pattern": {
|
||||
psp: invalidSysctlPattern,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", SysctlPatternFmt),
|
||||
},
|
||||
"invalid seccomp default profile": {
|
||||
psp: invalidSeccompDefault,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "must be a valid seccomp profile",
|
||||
},
|
||||
"invalid seccomp allow any default profile": {
|
||||
psp: invalidSeccompAllowAnyDefault,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "must be a valid seccomp profile",
|
||||
},
|
||||
"invalid seccomp allowed profile": {
|
||||
psp: invalidSeccompAllowed,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "must be a valid seccomp profile",
|
||||
},
|
||||
"invalid defaultAllowPrivilegeEscalation": {
|
||||
psp: invalidDefaultAllowPrivilegeEscalation,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
|
||||
},
|
||||
"invalid allowed host path empty path": {
|
||||
psp: invalidAllowedHostPathMissingPath,
|
||||
errorType: field.ErrorTypeRequired,
|
||||
errorDetail: "is required",
|
||||
},
|
||||
"invalid allowed host path with backsteps": {
|
||||
psp: invalidAllowedHostPathBacksteps,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "must not contain '..'",
|
||||
},
|
||||
"empty flex volume driver": {
|
||||
psp: emptyFlexDriver,
|
||||
errorType: field.ErrorTypeRequired,
|
||||
errorDetail: "must specify a driver",
|
||||
},
|
||||
}
|
||||
|
||||
for k, v := range errorCases {
|
||||
errs := ValidatePodSecurityPolicy(v.psp)
|
||||
if len(errs) == 0 {
|
||||
t.Errorf("%s expected errors but got none", k)
|
||||
continue
|
||||
}
|
||||
if errs[0].Type != v.errorType {
|
||||
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
|
||||
}
|
||||
if errs[0].Detail != v.errorDetail {
|
||||
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
|
||||
}
|
||||
}
|
||||
|
||||
// Update error is different for 'missing object meta name'.
|
||||
errorCases["missing object meta name"] = testCase{
|
||||
psp: errorCases["missing object meta name"].psp,
|
||||
errorType: field.ErrorTypeInvalid,
|
||||
errorDetail: "field is immutable",
|
||||
}
|
||||
|
||||
// Should not be able to update to an invalid policy.
|
||||
for k, v := range errorCases {
|
||||
v.psp.ResourceVersion = "444" // Required for updates.
|
||||
errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp)
|
||||
if len(errs) == 0 {
|
||||
t.Errorf("[%s] expected update errors but got none", k)
|
||||
continue
|
||||
}
|
||||
if errs[0].Type != v.errorType {
|
||||
t.Errorf("[%s] received an unexpected error type. Expected: '%s' got: '%s'", k, v.errorType, errs[0].Type)
|
||||
}
|
||||
if errs[0].Detail != v.errorDetail {
|
||||
t.Errorf("[%s] received an unexpected error detail. Expected '%s' got: '%s'", k, v.errorDetail, errs[0].Detail)
|
||||
}
|
||||
}
|
||||
|
||||
mustRunAs := validPSP()
|
||||
mustRunAs.Spec.FSGroup.Rule = extensions.FSGroupStrategyMustRunAs
|
||||
mustRunAs.Spec.SupplementalGroups.Rule = extensions.SupplementalGroupsStrategyMustRunAs
|
||||
mustRunAs.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
|
||||
mustRunAs.Spec.RunAsUser.Ranges = []extensions.UserIDRange{
|
||||
{Min: 1, Max: 1},
|
||||
}
|
||||
mustRunAs.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs
|
||||
|
||||
runAsNonRoot := validPSP()
|
||||
runAsNonRoot.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAsNonRoot
|
||||
|
||||
caseInsensitiveAddDrop := validPSP()
|
||||
caseInsensitiveAddDrop.Spec.DefaultAddCapabilities = []api.Capability{"foo"}
|
||||
caseInsensitiveAddDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
|
||||
|
||||
caseInsensitiveAllowedDrop := validPSP()
|
||||
caseInsensitiveAllowedDrop.Spec.RequiredDropCapabilities = []api.Capability{"FOO"}
|
||||
caseInsensitiveAllowedDrop.Spec.AllowedCapabilities = []api.Capability{"foo"}
|
||||
|
||||
validAppArmor := validPSP()
|
||||
validAppArmor.Annotations = map[string]string{
|
||||
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
|
||||
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault + "," + apparmor.ProfileNamePrefix + "foo",
|
||||
}
|
||||
|
||||
withSysctl := validPSP()
|
||||
withSysctl.Annotations[extensions.SysctlsPodSecurityPolicyAnnotationKey] = "net.*"
|
||||
|
||||
validSeccomp := validPSP()
|
||||
validSeccomp.Annotations = map[string]string{
|
||||
seccomp.DefaultProfileAnnotationKey: "docker/default",
|
||||
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*",
|
||||
}
|
||||
|
||||
validDefaultAllowPrivilegeEscalation := validPSP()
|
||||
pe = true
|
||||
validDefaultAllowPrivilegeEscalation.Spec.DefaultAllowPrivilegeEscalation = &pe
|
||||
validDefaultAllowPrivilegeEscalation.Spec.AllowPrivilegeEscalation = true
|
||||
|
||||
flexvolumeWhenFlexVolumesAllowed := validPSP()
|
||||
flexvolumeWhenFlexVolumesAllowed.Spec.Volumes = []extensions.FSType{extensions.FlexVolume}
|
||||
flexvolumeWhenFlexVolumesAllowed.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{
|
||||
{Driver: "example/driver1"},
|
||||
}
|
||||
|
||||
flexvolumeWhenAllVolumesAllowed := validPSP()
|
||||
flexvolumeWhenAllVolumesAllowed.Spec.Volumes = []extensions.FSType{extensions.All}
|
||||
flexvolumeWhenAllVolumesAllowed.Spec.AllowedFlexVolumes = []extensions.AllowedFlexVolume{
|
||||
{Driver: "example/driver2"},
|
||||
}
|
||||
successCases := map[string]struct {
|
||||
psp *extensions.PodSecurityPolicy
|
||||
}{
|
||||
"must run as": {
|
||||
psp: mustRunAs,
|
||||
},
|
||||
"run as any": {
|
||||
psp: validPSP(),
|
||||
},
|
||||
"run as non-root (user only)": {
|
||||
psp: runAsNonRoot,
|
||||
},
|
||||
"comparison for add -> drop is case sensitive": {
|
||||
psp: caseInsensitiveAddDrop,
|
||||
},
|
||||
"comparison for allowed -> drop is case sensitive": {
|
||||
psp: caseInsensitiveAllowedDrop,
|
||||
},
|
||||
"valid AppArmor annotations": {
|
||||
psp: validAppArmor,
|
||||
},
|
||||
"with network sysctls": {
|
||||
psp: withSysctl,
|
||||
},
|
||||
"valid seccomp annotations": {
|
||||
psp: validSeccomp,
|
||||
},
|
||||
"valid defaultAllowPrivilegeEscalation as true": {
|
||||
psp: validDefaultAllowPrivilegeEscalation,
|
||||
},
|
||||
"allow white-listed flexVolume when flex volumes are allowed": {
|
||||
psp: flexvolumeWhenFlexVolumesAllowed,
|
||||
},
|
||||
"allow white-listed flexVolume when all volumes are allowed": {
|
||||
psp: flexvolumeWhenAllVolumesAllowed,
|
||||
},
|
||||
}
|
||||
|
||||
for k, v := range successCases {
|
||||
if errs := ValidatePodSecurityPolicy(v.psp); len(errs) != 0 {
|
||||
t.Errorf("Expected success for %s, got %v", k, errs)
|
||||
}
|
||||
|
||||
// Should be able to update to a valid PSP.
|
||||
v.psp.ResourceVersion = "444" // Required for updates.
|
||||
if errs := ValidatePodSecurityPolicyUpdate(validPSP(), v.psp); len(errs) != 0 {
|
||||
t.Errorf("Expected success for %s update, got %v", k, errs)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidatePSPVolumes(t *testing.T) {
|
||||
validPSP := func() *extensions.PodSecurityPolicy {
|
||||
return &extensions.PodSecurityPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "foo"},
|
||||
Spec: extensions.PodSecurityPolicySpec{
|
||||
SELinux: extensions.SELinuxStrategyOptions{
|
||||
Rule: extensions.SELinuxStrategyRunAsAny,
|
||||
},
|
||||
RunAsUser: extensions.RunAsUserStrategyOptions{
|
||||
Rule: extensions.RunAsUserStrategyRunAsAny,
|
||||
},
|
||||
FSGroup: extensions.FSGroupStrategyOptions{
|
||||
Rule: extensions.FSGroupStrategyRunAsAny,
|
||||
},
|
||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
volumes := psputil.GetAllFSTypesAsSet()
|
||||
// add in the * value since that is a pseudo type that is not included by default
|
||||
volumes.Insert(string(extensions.All))
|
||||
|
||||
for _, strVolume := range volumes.List() {
|
||||
psp := validPSP()
|
||||
psp.Spec.Volumes = []extensions.FSType{extensions.FSType(strVolume)}
|
||||
errs := ValidatePodSecurityPolicy(psp)
|
||||
if len(errs) != 0 {
|
||||
t.Errorf("%s validation expected no errors but received %v", strVolume, errs)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestIsValidSysctlPattern(t *testing.T) {
|
||||
valid := []string{
|
||||
"a.b.c.d",
|
||||
"a",
|
||||
"a_b",
|
||||
"a-b",
|
||||
"abc",
|
||||
"abc.def",
|
||||
"*",
|
||||
"a.*",
|
||||
"*",
|
||||
"abc*",
|
||||
"a.abc*",
|
||||
"a.b.*",
|
||||
}
|
||||
invalid := []string{
|
||||
"",
|
||||
"ä",
|
||||
"a_",
|
||||
"_",
|
||||
"_a",
|
||||
"_a._b",
|
||||
"__",
|
||||
"-",
|
||||
".",
|
||||
"a.",
|
||||
".a",
|
||||
"a.b.",
|
||||
"a*.b",
|
||||
"a*b",
|
||||
"*a",
|
||||
"Abc",
|
||||
func(n int) string {
|
||||
x := make([]byte, n)
|
||||
for i := range x {
|
||||
x[i] = byte('a')
|
||||
}
|
||||
return string(x)
|
||||
}(256),
|
||||
}
|
||||
for _, s := range valid {
|
||||
if !IsValidSysctlPattern(s) {
|
||||
t.Errorf("%q expected to be a valid sysctl pattern", s)
|
||||
}
|
||||
}
|
||||
for _, s := range invalid {
|
||||
if IsValidSysctlPattern(s) {
|
||||
t.Errorf("%q expected to be an invalid sysctl pattern", s)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func Test_validatePSPRunAsUser(t *testing.T) {
|
||||
var testCases = []struct {
|
||||
name string
|
||||
runAsUserStrategy extensions.RunAsUserStrategyOptions
|
||||
fail bool
|
||||
}{
|
||||
{"Invalid RunAsUserStrategy", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategy("someInvalidStrategy")}, true},
|
||||
{"RunAsUserStrategyMustRunAs", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs}, false},
|
||||
{"RunAsUserStrategyMustRunAsNonRoot", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAsNonRoot}, false},
|
||||
{"RunAsUserStrategyMustRunAsNonRoot With Valid Range", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs, Ranges: []extensions.UserIDRange{{Min: 2, Max: 3}, {Min: 4, Max: 5}}}, false},
|
||||
{"RunAsUserStrategyMustRunAsNonRoot With Invalid Range", extensions.RunAsUserStrategyOptions{Rule: extensions.RunAsUserStrategyMustRunAs, Ranges: []extensions.UserIDRange{{Min: 2, Max: 3}, {Min: 5, Max: 4}}}, true},
|
||||
}
|
||||
|
||||
for _, testCase := range testCases {
|
||||
t.Run(testCase.name, func(t *testing.T) {
|
||||
errList := validatePSPRunAsUser(field.NewPath("status"), &testCase.runAsUserStrategy)
|
||||
actualErrors := len(errList)
|
||||
expectedErrors := 1
|
||||
if !testCase.fail {
|
||||
expectedErrors = 0
|
||||
}
|
||||
if actualErrors != expectedErrors {
|
||||
t.Errorf("In testCase %v, expected %v errors, got %v errors", testCase.name, expectedErrors, actualErrors)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user