diff --git a/pkg/security/admission/admission_test.go b/pkg/security/admission/admission_test.go index 31cc86a347fa..6631689ddf60 100644 --- a/pkg/security/admission/admission_test.go +++ b/pkg/security/admission/admission_test.go @@ -223,48 +223,38 @@ func TestAdmitSuccess(t *testing.T) { Level: "s0:c1,c0", } + // level matches a value from namespace (see CreateNamespaceForTest()) + seLinuxLevelFromNamespace := "s0:c1,c0" + testCases := map[string]struct { - pod *kapi.Pod - expectedUID int64 - expectedLevel string - expectedFSGroup int64 - expectedSupGroups []int64 - expectedPriv bool + pod *kapi.Pod + expectedPodSC *kapi.PodSecurityContext + expectedContainerSC *kapi.SecurityContext }{ "specifyUIDInRange": { - pod: specifyUIDInRange, - expectedUID: *specifyUIDInRange.Spec.Containers[0].SecurityContext.RunAsUser, - expectedLevel: "s0:c1,c0", - expectedFSGroup: defaultGroup, - expectedSupGroups: []int64{defaultGroup}, + pod: specifyUIDInRange, + expectedPodSC: podSC(seLinuxLevelFromNamespace, defaultGroup, defaultGroup), + expectedContainerSC: containerSC(seLinuxLevelFromNamespace, goodUID), }, "specifyLabels": { - pod: specifyLabels, - expectedUID: 1, - expectedLevel: specifyLabels.Spec.Containers[0].SecurityContext.SELinuxOptions.Level, - expectedFSGroup: defaultGroup, - expectedSupGroups: []int64{defaultGroup}, + pod: specifyLabels, + expectedPodSC: podSC(seLinuxLevelFromNamespace, defaultGroup, defaultGroup), + expectedContainerSC: containerSC(seLinuxLevelFromNamespace, 1), }, "specifyFSGroup": { - pod: specifyFSGroupInRange, - expectedUID: 1, - expectedLevel: "s0:c1,c0", - expectedFSGroup: *specifyFSGroupInRange.Spec.SecurityContext.FSGroup, - expectedSupGroups: []int64{defaultGroup}, + pod: specifyFSGroupInRange, + expectedPodSC: podSC(seLinuxLevelFromNamespace, goodFSGroup, defaultGroup), + expectedContainerSC: containerSC(seLinuxLevelFromNamespace, 1), }, "specifySupGroup": { - pod: specifySupGroup, - expectedUID: 1, - expectedLevel: "s0:c1,c0", - expectedFSGroup: defaultGroup, - expectedSupGroups: []int64{specifySupGroup.Spec.SecurityContext.SupplementalGroups[0]}, + pod: specifySupGroup, + expectedPodSC: podSC(seLinuxLevelFromNamespace, defaultGroup, 3), + expectedContainerSC: containerSC(seLinuxLevelFromNamespace, 1), }, "specifyPodLevelSELinuxLevel": { - pod: specifyPodLevelSELinux, - expectedUID: 1, - expectedLevel: "s0:c1,c0", - expectedFSGroup: defaultGroup, - expectedSupGroups: []int64{defaultGroup}, + pod: specifyPodLevelSELinux, + expectedPodSC: podSC(seLinuxLevelFromNamespace, defaultGroup, defaultGroup), + expectedContainerSC: containerSC(seLinuxLevelFromNamespace, 1), }, } @@ -290,28 +280,12 @@ func TestAdmitSuccess(t *testing.T) { t.Errorf("%s should have validated against %s but found %s", k, saSCC.Name, validatedSCC) } - // ensure anything we expected to be defaulted on the container level is set - if *containers[0].SecurityContext.RunAsUser != v.expectedUID { - t.Errorf("%s expected UID %d but found %d", k, v.expectedUID, *containers[0].SecurityContext.RunAsUser) - } - if containers[0].SecurityContext.SELinuxOptions.Level != v.expectedLevel { - t.Errorf("%s expected Level %s but found %s", k, v.expectedLevel, containers[0].SecurityContext.SELinuxOptions.Level) + if !reflect.DeepEqual(v.expectedPodSC, v.pod.Spec.SecurityContext) { + t.Errorf("%s unexpected pod SecurityContext diff:\n%s", k, diff.ObjectGoPrintSideBySide(v.expectedPodSC, v.pod.Spec.SecurityContext)) } - // ensure anything we expected to be defaulted on the pod level is set - if v.pod.Spec.SecurityContext.SELinuxOptions.Level != v.expectedLevel { - t.Errorf("%s expected pod level SELinux Level %s but found %s", k, v.expectedLevel, v.pod.Spec.SecurityContext.SELinuxOptions.Level) - } - if *v.pod.Spec.SecurityContext.FSGroup != v.expectedFSGroup { - t.Errorf("%s expected fsgroup %d but found %d", k, v.expectedFSGroup, *v.pod.Spec.SecurityContext.FSGroup) - } - if len(v.pod.Spec.SecurityContext.SupplementalGroups) != len(v.expectedSupGroups) { - t.Errorf("%s found unexpected supplemental groups. Expected: %v, actual %v", k, v.expectedSupGroups, v.pod.Spec.SecurityContext.SupplementalGroups) - } - for _, g := range v.expectedSupGroups { - if !hasSupGroup(g, v.pod.Spec.SecurityContext.SupplementalGroups) { - t.Errorf("%s expected sup group %d", k, g) - } + if !reflect.DeepEqual(v.expectedContainerSC, containers[0].SecurityContext) { + t.Errorf("%s unexpected container SecurityContext diff:\n%s", k, diff.ObjectGoPrintSideBySide(v.expectedContainerSC, containers[0].SecurityContext)) } } } @@ -441,15 +415,6 @@ func TestAdmitFailure(t *testing.T) { } } -func hasSupGroup(group int64, groups []int64) bool { - for _, g := range groups { - if g == group { - return true - } - } - return false -} - func TestCreateProvidersFromConstraints(t *testing.T) { namespaceValid := &kapi.Namespace{ ObjectMeta: metav1.ObjectMeta{ @@ -1124,6 +1089,27 @@ func goodPod() *kapi.Pod { } } +func containerSC(seLinuxLevel string, uid int64) *kapi.SecurityContext { + no := false + return &kapi.SecurityContext{ + Privileged: &no, + RunAsUser: &uid, + SELinuxOptions: &kapi.SELinuxOptions{ + Level: seLinuxLevel, + }, + } +} + +func podSC(seLinuxLevel string, fsGroup, supGroup int64) *kapi.PodSecurityContext { + return &kapi.PodSecurityContext{ + SELinuxOptions: &kapi.SELinuxOptions{ + Level: seLinuxLevel, + }, + SupplementalGroups: []int64{supGroup}, + FSGroup: &fsGroup, + } +} + func setupClientSet() *clientsetfake.Clientset { // create the annotated namespace and add it to the fake client namespace := admissiontesting.CreateNamespaceForTest()