vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

add unit test privilegedSandbox trustedSandbox

Browse source 
Signed-off-by: DeShuai Ma <dma@redhat.com>
This commit is contained in:
DeShuai Ma 2017-11-17 15:33:17 +08:00
parent 7b837b5a1e
commit 91fa09590a
2 changed files with 189 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
server/sandbox_run.go
View file

@ -69,6 +69,9 @@ func (s *Server) privilegedSandbox(req *pb.RunPodSandboxRequest) bool {
// trustedSandbox returns true if the sandbox will run trusted workloads. // trustedSandbox returns true if the sandbox will run trusted workloads.
func (s *Server) trustedSandbox(req *pb.RunPodSandboxRequest) bool { func (s *Server) trustedSandbox(req *pb.RunPodSandboxRequest) bool {
kubeAnnotations := req.GetConfig().GetAnnotations() kubeAnnotations := req.GetConfig().GetAnnotations()
if kubeAnnotations == nil {
return true
}
trustedAnnotation, ok := kubeAnnotations[annotations.TrustedSandbox] trustedAnnotation, ok := kubeAnnotations[annotations.TrustedSandbox]
if !ok { if !ok {

186
server/sandbox_run_test.go Normal file
View file

@ -0,0 +1,186 @@
package server
import (
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
pb "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
"testing"
)
func TestPrivilegedSandbox(t *testing.T) {
testCases := map[string]struct {
req pb.RunPodSandboxRequest
expected bool
}{
"Empty securityContext": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Linux: &pb.LinuxPodSandboxConfig{
SecurityContext: &pb.LinuxSandboxSecurityContext{},
},
},
},
expected: false,
},
"securityContext.Privileged=true": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Linux: &pb.LinuxPodSandboxConfig{
SecurityContext: &pb.LinuxSandboxSecurityContext{
Privileged: true,
NamespaceOptions: &pb.NamespaceOption{},
},
},
},
},
expected: true,
},
"securityContext.Privileged=false": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Linux: &pb.LinuxPodSandboxConfig{
SecurityContext: &pb.LinuxSandboxSecurityContext{
Privileged: false,
},
},
},
},
expected: false,
},
"Empty namespaceOptions": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Linux: &pb.LinuxPodSandboxConfig{
SecurityContext: &pb.LinuxSandboxSecurityContext{
NamespaceOptions: &pb.NamespaceOption{},
},
},
},
},
expected: false,
},
"namespaceOptions.HostNetwork=true": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Linux: &pb.LinuxPodSandboxConfig{
SecurityContext: &pb.LinuxSandboxSecurityContext{
Privileged: false,
NamespaceOptions: &pb.NamespaceOption{
HostNetwork: true,
HostPid: false,
HostIpc: false,
},
},
},
},
},
expected: true,
},
"namespaceOptions.HostPid=true": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Linux: &pb.LinuxPodSandboxConfig{
SecurityContext: &pb.LinuxSandboxSecurityContext{
Privileged: false,
NamespaceOptions: &pb.NamespaceOption{
HostNetwork: false,
HostPid: true,
HostIpc: false,
},
},
},
},
},
expected: true,
},
"namespaceOptions.HostIpc=true": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Linux: &pb.LinuxPodSandboxConfig{
SecurityContext: &pb.LinuxSandboxSecurityContext{
Privileged: false,
NamespaceOptions: &pb.NamespaceOption{
HostNetwork: false,
HostPid: false,
HostIpc: true,
},
},
},
},
},
expected: true,
},
"Both privileged & namespaceOptions is false": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Linux: &pb.LinuxPodSandboxConfig{
SecurityContext: &pb.LinuxSandboxSecurityContext{
Privileged: false,
NamespaceOptions: &pb.NamespaceOption{
HostNetwork: false,
HostPid: false,
HostIpc: false,
},
},
},
},
},
expected: false,
},
}
s := &Server{}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
result := s.privilegedSandbox(&tc.req)
if result != tc.expected {
t.Fatalf("%s expected %t but got %t", name, tc.expected, result)
}
})
}
}
func TestTrustedSandbox(t *testing.T) {
testCases := map[string]struct {
req pb.RunPodSandboxRequest
expected bool
}{
"io.kubernetes.cri-o.TrustedSandbox=true": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Annotations: map[string]string{annotations.TrustedSandbox: "true"},
},
},
expected: true,
},
"io.kubernetes.cri-o.TrustedSandbox=false": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Annotations: map[string]string{annotations.TrustedSandbox: "false"},
},
},
expected: false,
},
"A sandbox is trusted by default": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{
Annotations: map[string]string{"test": "test"},
},
},
expected: true,
},
"Annotations is null": {
req: pb.RunPodSandboxRequest{
Config: &pb.PodSandboxConfig{},
},
expected: true,
},
}
s := &Server{}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
result := s.trustedSandbox(&tc.req)
if result != tc.expected {
t.Fatalf("%s expected %t but got %t", name, tc.expected, result)
}
})
}
}