mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-10-23 02:23:53 +00:00
tests
parent
8a1c2a0c84
commit
f5bb014274
2 changed files with 13 additions and 14 deletions
|
@ -43,8 +43,7 @@ import (
|
||||||
const (
|
const (
|
||||||
EngineName = "kubernetes"
|
EngineName = "kubernetes"
|
||||||
// TODO: 5 seconds is against best practice, k3s didn't work otherwise
|
// TODO: 5 seconds is against best practice, k3s didn't work otherwise
|
||||||
defaultResyncDuration = 5 * time.Second
|
defaultResyncDuration = 5 * time.Second
|
||||||
efaultFSGroup int64 = 1000
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var defaultDeleteOptions = newDefaultDeleteOptions()
|
var defaultDeleteOptions = newDefaultDeleteOptions()
|
||||||
|
@ -100,7 +99,7 @@ func configFromCliContext(ctx context.Context) (*config, error) {
|
||||||
ImagePullSecretNames: c.StringSlice("backend-k8s-pod-image-pull-secret-names"),
|
ImagePullSecretNames: c.StringSlice("backend-k8s-pod-image-pull-secret-names"),
|
||||||
SecurityContext: SecurityContextConfig{
|
SecurityContext: SecurityContextConfig{
|
||||||
RunAsNonRoot: c.Bool("backend-k8s-secctx-nonroot"), // cspell:words secctx nonroot
|
RunAsNonRoot: c.Bool("backend-k8s-secctx-nonroot"), // cspell:words secctx nonroot
|
||||||
FSGroup: newInt64(defaultFSGroup),
|
FSGroup: newInt64(1000),
|
||||||
},
|
},
|
||||||
NativeSecretsAllowFromStep: c.Bool("backend-k8s-allow-native-secrets"),
|
NativeSecretsAllowFromStep: c.Bool("backend-k8s-allow-native-secrets"),
|
||||||
}
|
}
|
||||||
|
|
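Review bot: The new side of configFromCliContext hard-codes `FSGroup: newInt64(1000)` now that the named `defaultFSGroup` constant is removed, so the group ID in the backend's pod security-context config is an unexplained literal. Unlike `RunAsNonRoot` on the line above, it is not read from a CLI flag, so as far as these lines show an operator cannot change it. I would keep the constant, or at least annotate the literal, e.g. `FSGroup: newInt64(1000), // default fsGroup; not read from any CLI flag`. The commit is titled "tests" but this hunk changes non-test backend code, which the message should mention. configFromCliContext starts and ends outside the hunk.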
|
@ -391,16 +391,6 @@ func TestPodPrivilege(t *testing.T) {
|
||||||
}
|
}
|
||||||
pod, err = createTestPod(false, false, secCtx)
|
pod, err = createTestPod(false, false, secCtx)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
assert.Nil(t, pod.Spec.SecurityContext)
|
|
||||||
assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
|
|
||||||
|
|
||||||
// step is not privileged, but security context is requesting privileged
|
|
||||||
secCtx = SecurityContext{
|
|
||||||
Privileged: newBool(true),
|
|
||||||
}
|
|
||||||
pod, err = createTestPod(false, false, secCtx)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
assert.NotNil(t, pod.Spec.SecurityContext)
|
|
||||||
assert.Equal(t, &v1.PodSecurityContext{
|
assert.Equal(t, &v1.PodSecurityContext{
|
||||||
SELinuxOptions: (*v1.SELinuxOptions)(nil),
|
SELinuxOptions: (*v1.SELinuxOptions)(nil),
|
||||||
WindowsOptions: (*v1.WindowsSecurityContextOptions)(nil),
|
WindowsOptions: (*v1.WindowsSecurityContextOptions)(nil),
|
||||||
|
@ -409,12 +399,22 @@ func TestPodPrivilege(t *testing.T) {
|
||||||
RunAsNonRoot: (*bool)(nil),
|
RunAsNonRoot: (*bool)(nil),
|
||||||
SupplementalGroups: []int64(nil),
|
SupplementalGroups: []int64(nil),
|
||||||
SupplementalGroupsPolicy: (*v1.SupplementalGroupsPolicy)(nil),
|
SupplementalGroupsPolicy: (*v1.SupplementalGroupsPolicy)(nil),
|
||||||
FSGroup: newInt64(1000),
|
FSGroup: newInt64(0),
|
||||||
Sysctls: []v1.Sysctl(nil),
|
Sysctls: []v1.Sysctl(nil),
|
||||||
FSGroupChangePolicy: (*v1.PodFSGroupChangePolicy)(nil),
|
FSGroupChangePolicy: (*v1.PodFSGroupChangePolicy)(nil),
|
||||||
SeccompProfile: (*v1.SeccompProfile)(nil),
|
SeccompProfile: (*v1.SeccompProfile)(nil),
|
||||||
AppArmorProfile: (*v1.AppArmorProfile)(nil),
|
AppArmorProfile: (*v1.AppArmorProfile)(nil),
|
||||||
}, pod.Spec.SecurityContext)
|
}, pod.Spec.SecurityContext)
|
||||||
|
assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
|
||||||
|
|
||||||
|
// step is not privileged, but security context is requesting privileged
|
||||||
|
secCtx = SecurityContext{
|
||||||
|
Privileged: newBool(true),
|
||||||
|
}
|
||||||
|
pod, err = createTestPod(false, false, secCtx)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.Nil(t, pod.Spec.SecurityContext)
|
||||||
|
assert.Equal(t, (*v1.PodSecurityContext)(nil), pod.Spec.SecurityContext)
|
||||||
|
|
||||||
// step is privileged and security context is requesting privileged
|
// step is privileged and security context is requesting privileged
|
||||||
secCtx = SecurityContext{
|
secCtx = SecurityContext{
|
||||||
|
|
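Review bot: In the "step is not privileged, but security context is requesting privileged" case of TestPodPrivilege, the new assertions only inspect `pod.Spec.SecurityContext`, but in the Kubernetes API `Privileged` is a field of the container-level `SecurityContext`, not of `PodSecurityContext`. The case therefore does not check the property its comment names, and a regression that let the request through onto the container would still pass. Add a container-level check after `createTestPod`, e.g. `assert.Nil(t, pod.Spec.Containers[0].SecurityContext)`, or assert that its `Privileged` is not true if a container context is expected there. The `assert.Equal(t, (*v1.PodSecurityContext)(nil), pod.Spec.SecurityContext)` line repeats the `assert.Nil` before it and can be dropped. TestPodPrivilege starts and ends outside these hunks.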