
Commit d5f094b

author
Amarthya Valija
committed
Fix test case for Security Context enforcement
1 parent e7e72f8 commit d5f094b


1 file changed

+33
-12
lines changed


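--- a/osde2e/managed_cluster_validating_webhooks_test.go
+++ b/osde2e/managed_cluster_validating_webhooks_test.go
@@ -27,6 +27,7 @@ import (
 "k8s.io/apimachinery/pkg/util/intstr"
 "k8s.io/client-go/dynamic"
 "k8s.io/client-go/kubernetes/scheme"
+"k8s.io/utils/pointer"
 "sigs.k8s.io/controller-runtime/pkg/client/config"
 "sigs.k8s.io/controller-runtime/pkg/log"
 "sigs.k8s.io/e2e-framework/klient/k8s"
@@ -116,11 +117,11 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
 Name: "test",
 Image: "quay.io/jitesoft/nginx:mainline",
 SecurityContext: &v1.SecurityContext{
-AllowPrivilegeEscalation: boolPtr(false),
+AllowPrivilegeEscalation: pointer.BoolPtr(false),
 Capabilities: &v1.Capabilities{
 Drop: []v1.Capability{"ALL"},
 },
-RunAsNonRoot: boolPtr(true),
+RunAsNonRoot: pointer.BoolPtr(true),
 SeccompProfile: &v1.SeccompProfile{
 Type: v1.SeccompProfileTypeRuntimeDefault,
 },
@@ -130,7 +131,6 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
 },
 }
 
-// Create the pod
 err := client.Create(context.TODO(), pod)
 Expect(err).NotTo(HaveOccurred())
 })
@@ -155,20 +155,46 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
 Spec: v1.PodSpec{
 Containers: []v1.Container{
 {
-Name: "test",
+Name: "test-ubi",
+Image: "registry.access.redhat.com/ubi8/ubi-minimal",
+SecurityContext: &v1.SecurityContext{
+AllowPrivilegeEscalation: pointer.BoolPtr(false),
+Capabilities: &v1.Capabilities{
+Drop: []v1.Capability{"ALL"},
+},
+RunAsNonRoot: pointer.BoolPtr(true),
+SeccompProfile: &v1.SeccompProfile{
+Type: v1.SeccompProfileTypeRuntimeDefault,
+},
+},
+},
+{
+Name: "test-nginx",
 Image: "quay.io/jitesoft/nginx:mainline",
 SecurityContext: &v1.SecurityContext{
-AllowPrivilegeEscalation: boolPtr(false),
+AllowPrivilegeEscalation: pointer.BoolPtr(false),
 Capabilities: &v1.Capabilities{
 Drop: []v1.Capability{"ALL"},
 },
-RunAsNonRoot: boolPtr(true),
+RunAsNonRoot: pointer.BoolPtr(true),
 SeccompProfile: &v1.SeccompProfile{
 Type: v1.SeccompProfileTypeRuntimeDefault,
 },
 },
 },
 },
+Tolerations: []v1.Toleration{
+{
+Key: "node-role.kubernetes.io/master",
+Value: "toleration-key-value",
+Effect: v1.TaintEffectNoSchedule,
+},
+{
+Key: "node-role.kubernetes.io/infra",
+Value: "toleration-key-value2",
+Effect: v1.TaintEffectNoSchedule,
+},
+},
 },
 }
 })
@@ -194,7 +220,7 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
 
 err := client.Get(ctx, saName, namespaceName, sa)
 
-if (err == nil) {
+if err == nil {
 err = client.Delete(ctx, sa)
 Expect(err).ToNot(HaveOccurred(), "Failed to delete existing Service Account")
 }
@@ -632,8 +658,3 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
 })
 })
 })
-
-// Helper function to create a pointer to a bool
-func boolPtr(b bool) *bool {
-return &b
-}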
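Review bot: The added `test-ubi` container in the `-155,20 +155,46` hunk pulls `registry.access.redhat.com/ubi8/ubi-minimal` with no tag or digest, so it resolves to `latest`, defaults the pull policy to Always, and makes the test run whatever content the registry serves at that moment. For a test that asserts security-context enforcement, pin the image to an immutable reference, e.g. `Image: "registry.access.redhat.com/ubi8/ubi-minimal@sha256:<digest-placeholder>",`; the existing `quay.io/jitesoft/nginx:mainline` tag is mutable in the same way. Both containers also set `RunAsNonRoot` without `RunAsUser`, so whether they can actually start depends on the image's default user or on a UID assigned by the cluster. A short comment such as `// admission-only: the pod is never expected to reach Running` would help if that is the intent, which cannot be confirmed here because the enclosing `Describe` block starts and ends outside the hunks shown.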
