tests

2024-10-23 02:23:53 +00:00 · 2024-10-02 18:04:53 +02:00 · 2024-10-02 18:04:53 +02:00 · f5bb014274
commit f5bb014274
parent 8a1c2a0c84
2 changed files with 13 additions and 14 deletions
--- a/pipeline/backend/kubernetes/kubernetes.go
+++ b/pipeline/backend/kubernetes/kubernetes.go
@ -43,8 +43,7 @@ import (
 const (
 	EngineName = "kubernetes"
 	// TODO: 5 seconds is against best practice, k3s didn't work otherwise
-	defaultResyncDuration       = 5 * time.Second
-	efaultFSGroup         int64 = 1000
+	defaultResyncDuration = 5 * time.Second
 )

 var defaultDeleteOptions = newDefaultDeleteOptions()
@ -100,7 +99,7 @@ func configFromCliContext(ctx context.Context) (*config, error) {
 				ImagePullSecretNames:        c.StringSlice("backend-k8s-pod-image-pull-secret-names"),
 				SecurityContext: SecurityContextConfig{
 					RunAsNonRoot: c.Bool("backend-k8s-secctx-nonroot"), // cspell:words secctx nonroot
-					FSGroup:      newInt64(defaultFSGroup),
+					FSGroup:      newInt64(1000),
 				},
 				NativeSecretsAllowFromStep: c.Bool("backend-k8s-allow-native-secrets"),
 			}
--- a/pipeline/backend/kubernetes/pod_test.go
+++ b/pipeline/backend/kubernetes/pod_test.go
@ -391,16 +391,6 @@ func TestPodPrivilege(t *testing.T) {
 	}
 	pod, err = createTestPod(false, false, secCtx)
 	assert.NoError(t, err)
-	assert.Nil(t, pod.Spec.SecurityContext)
-	assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
-
-	// step is not privileged, but security context is requesting privileged
-	secCtx = SecurityContext{
-		Privileged: newBool(true),
-	}
-	pod, err = createTestPod(false, false, secCtx)
-	assert.NoError(t, err)
-	assert.NotNil(t, pod.Spec.SecurityContext)
 	assert.Equal(t, &v1.PodSecurityContext{
 		SELinuxOptions:           (*v1.SELinuxOptions)(nil),
 		WindowsOptions:           (*v1.WindowsSecurityContextOptions)(nil),
@ -409,12 +399,22 @@ func TestPodPrivilege(t *testing.T) {
 		RunAsNonRoot:             (*bool)(nil),
 		SupplementalGroups:       []int64(nil),
 		SupplementalGroupsPolicy: (*v1.SupplementalGroupsPolicy)(nil),
-		FSGroup:                  newInt64(1000),
+		FSGroup:                  newInt64(0),
 		Sysctls:                  []v1.Sysctl(nil),
 		FSGroupChangePolicy:      (*v1.PodFSGroupChangePolicy)(nil),
 		SeccompProfile:           (*v1.SeccompProfile)(nil),
 		AppArmorProfile:          (*v1.AppArmorProfile)(nil),
 	}, pod.Spec.SecurityContext)
+	assert.Nil(t, pod.Spec.Containers[0].SecurityContext)
+
+	// step is not privileged, but security context is requesting privileged
+	secCtx = SecurityContext{
+		Privileged: newBool(true),
+	}
+	pod, err = createTestPod(false, false, secCtx)
+	assert.NoError(t, err)
+	assert.Nil(t, pod.Spec.SecurityContext)
+	assert.Equal(t, (*v1.PodSecurityContext)(nil), pod.Spec.SecurityContext)

 	// step is privileged and security context is requesting privileged
 	secCtx = SecurityContext{