From e8a9047b9b43a569ce259e708fd76e95b0b2d801 Mon Sep 17 00:00:00 2001
From: Slava Semushin
Date: Tue, 14 Nov 2017 19:00:23 +0100
Subject: [PATCH] admission_test.go(saExactSCC): extract function.
---
 pkg/security/admission/admission_test.go | 92 +++++++++---------------
 1 file changed, 34 insertions(+), 58 deletions(-)
diff --git a/pkg/security/admission/admission_test.go b/pkg/security/admission/admission_test.go
index 78d9a9a9b1e3..34192d441ab4 100644
--- a/pkg/security/admission/admission_test.go
+++ b/pkg/security/admission/admission_test.go
@@ -201,35 +201,7 @@ func TestAdmitSuccess(t *testing.T) {
 // service accounts to test that even though this has matching priorities (0) and a
 // lower point value score (which will cause it to be sorted in front of scc-sa) it should not
 // validate the requests so we should try scc-sa.
- var exactUID int64 = 999
- saExactSCC := &securityapi.SecurityContextConstraints{
- ObjectMeta: metav1.ObjectMeta{
- Name: "scc-sa-exact",
- },
- RunAsUser: securityapi.RunAsUserStrategyOptions{
- Type: securityapi.RunAsUserStrategyMustRunAs,
- UID: &exactUID,
- },
- SELinuxContext: securityapi.SELinuxContextStrategyOptions{
- Type: securityapi.SELinuxStrategyMustRunAs,
- SELinuxOptions: &kapi.SELinuxOptions{
- Level: "s9:z0,z1",
- },
- },
- FSGroup: securityapi.FSGroupStrategyOptions{
- Type: securityapi.FSGroupStrategyMustRunAs,
- Ranges: []securityapi.IDRange{
- {Min: 999, Max: 999},
- },
- },
- SupplementalGroups: securityapi.SupplementalGroupsStrategyOptions{
- Type: securityapi.SupplementalGroupsStrategyMustRunAs,
- Ranges: []securityapi.IDRange{
- {Min: 999, Max: 999},
- },
- },
- Groups: []string{"system:serviceaccounts"},
- }
+ saExactSCC := saExactSCC()
 lister := createSCCLister(t, []*securityapi.SecurityContextConstraints{
 saExactSCC,
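Review bot: The new local in `saExactSCC := saExactSCC()` shadows the package-level helper of the same name for the rest of TestAdmitSuccess, so a later call to the helper in that scope would resolve to the variable and fail to compile. Give the local a distinct name, for example `exactSCC := saExactSCC()`, and pass `exactSCC` in the slice handed to `createSCCLister`. The TestAdmitFailure hunk has the same pattern with `createSCCListerAndIndexer`. Both test functions start and end outside the hunks shown, so other uses of the local may need the same rename.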
@@ -387,35 +359,7 @@ func TestAdmitFailure(t *testing.T) {
 // service accounts to test that even though this has matching priorities (0) and a
 // lower point value score (which will cause it to be sorted in front of scc-sa) it should not
 // validate the requests so we should try scc-sa.
- var exactUID int64 = 999
- saExactSCC := &securityapi.SecurityContextConstraints{
- ObjectMeta: metav1.ObjectMeta{
- Name: "scc-sa-exact",
- },
- RunAsUser: securityapi.RunAsUserStrategyOptions{
- Type: securityapi.RunAsUserStrategyMustRunAs,
- UID: &exactUID,
- },
- SELinuxContext: securityapi.SELinuxContextStrategyOptions{
- Type: securityapi.SELinuxStrategyMustRunAs,
- SELinuxOptions: &kapi.SELinuxOptions{
- Level: "s9:z0,z1",
- },
- },
- FSGroup: securityapi.FSGroupStrategyOptions{
- Type: securityapi.FSGroupStrategyMustRunAs,
- Ranges: []securityapi.IDRange{
- {Min: 999, Max: 999},
- },
- },
- SupplementalGroups: securityapi.SupplementalGroupsStrategyOptions{
- Type: securityapi.SupplementalGroupsStrategyMustRunAs,
- Ranges: []securityapi.IDRange{
- {Min: 999, Max: 999},
- },
- },
- Groups: []string{"system:serviceaccounts"},
- }
+ saExactSCC := saExactSCC()
 lister, indexer := createSCCListerAndIndexer(t, []*securityapi.SecurityContextConstraints{
 saExactSCC,
@@ -1139,6 +1083,38 @@ func restrictiveSCC() *securityapi.SecurityContextConstraints {
 }
 }
+func saExactSCC() *securityapi.SecurityContextConstraints {
+ var exactUID int64 = 999
+ return &securityapi.SecurityContextConstraints{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "scc-sa-exact",
+ },
+ RunAsUser: securityapi.RunAsUserStrategyOptions{
+ Type: securityapi.RunAsUserStrategyMustRunAs,
+ UID: &exactUID,
+ },
+ SELinuxContext: securityapi.SELinuxContextStrategyOptions{
+ Type: securityapi.SELinuxStrategyMustRunAs,
+ SELinuxOptions: &kapi.SELinuxOptions{
+ Level: "s9:z0,z1",
+ },
+ },
+ FSGroup: securityapi.FSGroupStrategyOptions{
+ Type: securityapi.FSGroupStrategyMustRunAs,
+ Ranges: []securityapi.IDRange{
+ {Min: 999, Max: 999},
+ },
+ },
+ SupplementalGroups: securityapi.SupplementalGroupsStrategyOptions{
+ Type: securityapi.SupplementalGroupsStrategyMustRunAs,
+ Ranges: []securityapi.IDRange{
+ {Min: 999, Max: 999},
+ },
+ },
+ Groups: []string{"system:serviceaccounts"},
+ }
+}
+
 // goodPod is empty and should not be used directly for testing since we're providing
 // two different SCCs. Since no values are specified it would be allowed to match any
 // SCC when defaults are filled in.
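Review bot: The extracted `saExactSCC` helper has no doc comment, while the rationale for this fixture (same priority as scc-sa, lower point score so it sorts first, yet must not validate the request) stays duplicated at both call sites. Put that on the helper, for example `// saExactSCC returns a new SCC for system:serviceaccounts that pins UID, fsGroup and supplemental groups to 999 and the SELinux level to s9:z0,z1; it sorts ahead of scc-sa but must not validate the test pods.` It is also worth saying in the comment that each call builds a fresh object, so a test that mutates the fixture cannot leak into another. The literal 999 is repeated in the two `IDRange` entries independently of `exactUID`; a short comment that the values are meant to stay equal would keep a future edit from loosening only one of them.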