**Description** <!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. --> ⚒️ Fixes # <!--(issue)--> **⚙️ Type of change** - [ ] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [x] 🔃 Refactor of current code **🧪 How Has This Been Tested?** <!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration --> **📃 Notes:** <!-- Please enter any other relevant information here --> **✔️ Checklist:** - [x] ⚖️ My code follows the style guidelines of this project - [x] 👀 I have performed a self-review of my own code - [x] #️⃣ I have commented my code, particularly in hard-to-understand areas - [x] 📄 I have made corresponding changes to the documentation - [x] ⚠️ My changes generate no new warnings - [x] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [x] ⬆️ I increased versions for any altered app according to semantic versioning **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Co-authored-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
---
# helm-unittest suite for the pod-level securityContext that common.yaml renders.
# Every case renders the chart as test-release-name in test-release-namespace
# and inspects spec.template.spec.securityContext of the produced workloads.
suite: pod securityContext test
templates:
- common.yaml
release:
  name: test-release-name
  namespace: test-release-namespace
tests:
# --- Happy paths -----------------------------------------------------------
- it: should pass with securityContext from "global"
  # The chart-wide securityContext.pod is applied to the pod unchanged, except
  # that the chart's default GID 568 is appended to supplementalGroups.
  set:
    securityContext:
      pod:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 1000
        - 1001
        sysctls:
        - name: some_name
          value: "some_value"
        - name: some_other_name
          value: "some_other_value"
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec: {}
  asserts:
  # Anchor reused by the StatefulSet cases that follow.
  - documentIndex: &statefulSetDoc 0
    isKind:
      of: StatefulSet
  - documentIndex: *statefulSetDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 1000
        - 1001
        - 568
        sysctls:
        - name: some_name
          value: "some_value"
        - name: some_other_name
          value: "some_other_value"
- it: should pass with securityContext from "global" and partial override with "pod"
  # podSpec.securityContext is merged over securityContext.pod key by key:
  # only fsGroup is replaced here, everything else still comes from "global".
  set:
    securityContext:
      pod:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 1000
        - 1001
        sysctls:
        - name: some_name
          value: "some_value"
        - name: some_other_name
          value: "some_other_value"
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec:
          securityContext:
            fsGroup: 1001
  asserts:
  - documentIndex: *statefulSetDoc
    isKind:
      of: StatefulSet
  - documentIndex: *statefulSetDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 1001
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 1000
        - 1001
        - 568
        sysctls:
        - name: some_name
          value: "some_value"
        - name: some_other_name
          value: "some_other_value"
- it: should pass with securityContext from "global" and full override with "pod"
  # Every key is overridden from podSpec. supplementalGroups from the pod replace
  # the global list (only 568 is still appended), and the templated sysctl
  # name/value go through tpl, so the integer some_sysctl_value ends up as the
  # string "2".
  set:
    some_sysctl_name: some_name
    some_sysctl_value: 2
    securityContext:
      pod:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 1000
        - 1001
        sysctls:
        - name: some_name
          value: "some_value"
        - name: some_other_name
          value: "some_other_value"
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec:
          securityContext:
            fsGroup: 1001
            fsGroupChangePolicy: Always
            supplementalGroups:
            - 1002
            - 1003
            sysctls:
            - name: "{{ .Values.some_sysctl_name }}"
              value: "{{ .Values.some_sysctl_value }}"
            - name: some_other_name
              value: "some_different_value"
  asserts:
  - documentIndex: *statefulSetDoc
    isKind:
      of: StatefulSet
  - documentIndex: *statefulSetDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 1001
        fsGroupChangePolicy: Always
        supplementalGroups:
        - 1002
        - 1003
        - 568
        sysctls:
        - name: some_name
          value: "2"
        - name: some_other_name
          value: "some_different_value"
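- it: should pass with fsGroup and supplementalGroups with long int
  # Guards against large GIDs being mangled while templating: 100000514 must
  # come out as the very same integer, both as fsGroup and inside the list.
  set:
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: Deployment
        podSpec:
          securityContext:
            fsGroup: 100000514
            fsGroupChangePolicy: Always
            supplementalGroups:
            - 1002
            - 100000514
  asserts:
  # The rendered kind is a Deployment, so the anchor is named for it instead of
  # reusing *statefulSetDoc from the StatefulSet cases above.
  - documentIndex: &deploymentDoc 0
    isKind:
      of: Deployment
  - documentIndex: *deploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 100000514
        fsGroupChangePolicy: Always
        supplementalGroups:
        - 1002
        - 100000514
        - 568
        sysctls: []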
- it: should pass with sysctls automatically appended based on services
  # Services without a targetSelector target the primary workload; the two of
  # them expose 80 and 53, so that pod gets net.ipv4.ip_unprivileged_port_start
  # set to the lowest privileged port (53). The service selecting workload-name2
  # gives that pod "443". Lowering the unprivileged-port floor is what lets a
  # non-root container bind those ports; a pod only sees the services that
  # target it.
  set:
    some_sysctl_name: some_name
    some_sysctl_value: 2
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec:
          securityContext:
            fsGroup: 1001
            fsGroupChangePolicy: Always
            supplementalGroups:
            - 1002
            - 1003
            sysctls:
            - name: "{{ .Values.some_sysctl_name }}"
              value: "{{ .Values.some_sysctl_value }}"
            - name: some_other_name
              value: "some_different_value"
      workload-name2:
        enabled: true
        type: StatefulSet
        podSpec: {}
    service:
      service-name1:
        enabled: true
        primary: true
        type: ClusterIP
        ports:
          port-name:
            enabled: true
            primary: true
            port: 80
      service-name2:
        enabled: true
        type: ClusterIP
        ports:
          port-name:
            enabled: true
            primary: true
            port: 53
      service-name3:
        enabled: true
        type: ClusterIP
        targetSelector: workload-name2
        ports:
          port-name:
            enabled: true
            primary: true
            port: 443
  asserts:
  - documentIndex: *statefulSetDoc
    isKind:
      of: StatefulSet
  - documentIndex: *statefulSetDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 1001
        fsGroupChangePolicy: Always
        supplementalGroups:
        - 1002
        - 1003
        - 568
        sysctls:
        - name: some_name
          value: "2"
        - name: some_other_name
          value: "some_different_value"
        # Appended after the user-supplied sysctls, never replacing them.
        - name: net.ipv4.ip_unprivileged_port_start
          value: "53"
  - documentIndex: &otherStatefulSetDoc 1
    isKind:
      of: StatefulSet
  - documentIndex: *otherStatefulSetDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 568
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "443"
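- it: should pass with sysctls net.ipv4.ip_unprivileged_port_start NOT appended with hostnet
  # The privileged-port service must target the hostNetwork pod, otherwise the
  # assertion below holds even without hostNetwork: the sysctl is derived only
  # from the services that target a pod (see the previous case). With no
  # targetSelector the service targets the primary workload, workload-name1.
  # Presumably the template skips the sysctl because a hostNetwork pod shares
  # the node's network namespace — confirm against the template.
  set:
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: Deployment
        podSpec:
          hostNetwork: true
      workload-name2:
        enabled: true
        type: Deployment
        podSpec: {}
    service:
      service-name:
        enabled: true
        primary: true
        type: ClusterIP
        ports:
          port-name:
            enabled: true
            primary: true
            port: 443
  asserts:
  - documentIndex: &deploymentDoc 0
    isKind:
      of: Deployment
  - documentIndex: *deploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 568
        sysctls: []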
- it: should pass with fsGroup 0
  # fsGroup 0 (the root group) is accepted as a value; only an empty fsGroup is
  # rejected, see the failure cases at the end of the file.
  set:
    securityContext:
      pod:
        fsGroup: 0
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec: {}
  asserts:
  - documentIndex: &statefulSetDoc 0
    isKind:
      of: StatefulSet
  - documentIndex: *statefulSetDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 0
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 568
        sysctls: []
- it: should pass with no sysctls port_start automatically appended based on services when port is higher than 1024
  # Neither port (25000) nor targetPort (3000) is privileged, so the pod keeps
  # an empty sysctls list.
  set:
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: Deployment
        podSpec: {}
    service:
      service-name1:
        enabled: true
        primary: true
        type: ClusterIP
        ports:
          port-name:
            enabled: true
            primary: true
            port: 25000
            targetPort: 3000
  asserts:
  - documentIndex: &deploymentDoc 0
    isKind:
      of: Deployment
  - documentIndex: *deploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 568
        sysctls: []
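- it: should pass with gpu assigned to single container
  # Only the pod whose container requests nvidia.com/gpu gets GIDs 44 and 107
  # appended (presumably the host video/render groups — confirm); the other
  # pod keeps the bare default 568.
  set:
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: Deployment
        podSpec:
          securityContext:
            supplementalGroups:
            - 1000
          containers:
            container1:
              enabled: true
              primary: true
              probes:
                liveness:
                  enabled: false
                readiness:
                  enabled: false
                startup:
                  enabled: false
              resources:
                limits:
                  nvidia.com/gpu: 1
      workload-name2:
        enabled: true
        primary: false
        type: Deployment
        podSpec: {}
  asserts:
  - documentIndex: &deploymentDoc 0
    isKind:
      of: Deployment
  - documentIndex: *deploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 1000
        - 44
        - 107
        - 568
        sysctls: []
  - documentIndex: &otherDeploymentDoc 1
    isKind:
      of: Deployment
  - documentIndex: *otherDeploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 568
        sysctls: []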
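- it: should pass with gpu assigned to multiple pods
  # Each pod with a GPU-requesting container gets 44 and 107 appended on its
  # own; user-supplied groups (1000 on the first pod) are kept in front.
  set:
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: Deployment
        podSpec:
          securityContext:
            supplementalGroups:
            - 1000
          containers:
            container1:
              enabled: true
              primary: true
              probes:
                liveness:
                  enabled: false
                readiness:
                  enabled: false
                startup:
                  enabled: false
              resources:
                limits:
                  nvidia.com/gpu: 1
      workload-name2:
        enabled: true
        primary: false
        type: Deployment
        podSpec:
          containers:
            container1:
              enabled: true
              primary: true
              probes:
                liveness:
                  enabled: false
                readiness:
                  enabled: false
                startup:
                  enabled: false
              resources:
                limits:
                  nvidia.com/gpu: 1
  asserts:
  - documentIndex: &deploymentDoc 0
    isKind:
      of: Deployment
  - documentIndex: *deploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 1000
        - 44
        - 107
        - 568
        sysctls: []
  - documentIndex: &otherDeploymentDoc 1
    isKind:
      of: Deployment
  - documentIndex: *otherDeploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 44
        - 107
        - 568
        sysctls: []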
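- it: should pass with device assigned to selected pod
  # A persistence entry of type "device" adds GIDs 5, 10, 20 and 24 to the
  # pod it targets only; the primary pod, which does not get the device, keeps
  # the bare default 568.
  set:
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: Deployment
        podSpec: {}
      workload-name2:
        enabled: true
        primary: false
        type: Deployment
        podSpec: {}
    persistence:
      dev01:
        enabled: true
        type: device
        hostPath: /dev/sda
        mountPath: /test
        targetSelector:
          # Bare key parses as null; the template presumably keys on the
          # workload name being present — confirm before changing to {}.
          workload-name2:
  asserts:
  - documentIndex: &deploymentDoc 0
    isKind:
      of: Deployment
  - documentIndex: *deploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 568
        sysctls: []
  - documentIndex: &otherDeploymentDoc 1
    isKind:
      of: Deployment
  - documentIndex: *otherDeploymentDoc
    equal:
      path: spec.template.spec.securityContext
      value:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        supplementalGroups:
        - 5
        - 10
        - 20
        - 24
        - 568
        sysctls: []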
# --- Failures --------------------------------------------------------------
# Each case expects the template itself to fail with the given message, so an
# invalid securityContext never yields a renderable (and thus deployable) pod.
- it: should fail with empty securityContext from "global"
  set:
    securityContext:
      pod: null
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec: {}
  asserts:
  - failedTemplate:
      errorMessage: Pod - Expected non-empty [securityContext.pod]
- it: should fail with empty fsGroup
  # An empty string is rejected; contrast with fsGroup 0, which passes above.
  set:
    securityContext:
      pod:
        fsGroup: ""
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec: {}
  asserts:
  - failedTemplate:
      errorMessage: Pod - Expected non-empty [fsGroup]
- it: should fail with empty fsGroupChangePolicy
  set:
    securityContext:
      pod:
        fsGroup: 568
        fsGroupChangePolicy: ""
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec: {}
  asserts:
  - failedTemplate:
      errorMessage: Pod - Expected non-empty [fsGroupChangePolicy]
- it: should fail with invalid fsGroupChangePolicy
  # The policy is validated against a fixed allow-list; the message echoes
  # both the accepted values and the rejected input.
  set:
    securityContext:
      pod:
        fsGroup: 568
        fsGroupChangePolicy: invalid
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec: {}
  asserts:
  - failedTemplate:
      errorMessage: Pod - Expected [fsGroupChangePolicy] to be one of [Always, OnRootMismatch], but got [invalid]
- it: should fail with empty name in sysctls
  # Every sysctl entry needs a non-empty name.
  set:
    securityContext:
      pod:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        sysctls:
        - name: ""
          value: "some_value"
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec: {}
  asserts:
  - failedTemplate:
      errorMessage: Pod - Expected non-empty [name] in [sysctls]
- it: should fail with empty value in sysctls
  # Every sysctl entry needs a non-empty value as well.
  set:
    securityContext:
      pod:
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        sysctls:
        - name: some_name
          value: ""
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: StatefulSet
        podSpec: {}
  asserts:
  - failedTemplate:
      errorMessage: Pod - Expected non-empty [value] in [sysctls]
- it: should fail with non unique supplementalGroups
  # Uniqueness is checked after the chart appends its default 568, which is
  # why 568 shows up at the end of the reported list.
  set:
    securityContext:
      pod:
        supplementalGroups:
        - 1000
        - 44
        - 107
        - 44
    workload:
      workload-name1:
        enabled: true
        primary: true
        type: Deployment
        podSpec: {}
  asserts:
  - failedTemplate:
      errorMessage: Pod - Expected [supplementalGroups] to have only unique values, but got [1000, 44, 107, 44, 568]