From dbc35eb8f49c5caea904874c0768ac388cccd76c Mon Sep 17 00:00:00 2001
From: shivkumar dudhani
Date: Thu, 10 Oct 2019 12:22:07 -0700
Subject: [PATCH] enable disabled tests

---
 .../resources/resource_validate_fsgroup.yaml | 2 ++
 pkg/testrunner/scenario.go | 8 ++++++++
 pkg/testrunner/testrunner_test.go | 14 +++-----------
 .../policy_validate_user_group_fsgroup_id.yaml | 8 ++++----
 ...scenario_validate_container_capabilities.yaml | 2 +-
 .../test/scenario_validate_fsgroup.yaml | 16 ++++++++++++----
 .../test/scenario_validate_sysctl_configs.yaml | 2 +-
 7 files changed, 31 insertions(+), 21 deletions(-)

diff --git a/examples/best_practices/resources/resource_validate_fsgroup.yaml b/examples/best_practices/resources/resource_validate_fsgroup.yaml
index 6da892ed0a..f6b22bbcd4 100644
--- a/examples/best_practices/resources/resource_validate_fsgroup.yaml
+++ b/examples/best_practices/resources/resource_validate_fsgroup.yaml
@@ -5,6 +5,8 @@ metadata:
 spec:
 securityContext:
 fsGroup: 2000 # directory will have group ID 2000
+ runAsUser: 1000
+ runAsGroup: 3000
 volumes:
 - name: fsgroup-demo-vol
 emptyDir: {}
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index f6e481c96b..97234f3840 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -137,8 +137,16 @@ func runTestCase(t *testing.T, tc scaseT) bool {
 // apply policy
 // convert policy -> kyverno.Policy
 policy := loadPolicy(t, tc.Input.Policy)
+ if policy == nil {
+ t.Error("Policy no loaded")
+ t.FailNow()
+ }
 // convert resource -> unstructured.Unstructured
 resource := loadPolicyResource(t, tc.Input.Resource)
+ if resource == nil {
+ t.Error("Resources no loaded")
+ t.FailNow()
+ }
 var er engine.EngineResponse
 // Mutation
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 21409ca3ab..189c8aa019 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
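Review bot: The two new nil guards after `loadPolicy` and `loadPolicyResource` in runTestCase say nothing about which fixture failed to load, and `t.Error` followed by `t.FailNow` is just `t.Fatal` spelled out in two calls. Since `tc.Input.Policy` and `tc.Input.Resource` are right there, report them: `t.Fatalf("policy %q not loaded", tc.Input.Policy)` and `t.Fatalf("resource %q not loaded", tc.Input.Resource)`. The messages as written also read "no loaded" where "not loaded" is meant. The body of runTestCase continues past the end of the hunk.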
@@ -52,14 +52,6 @@ func Test_validate_image_latest_ifnotpresent_pass(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml")
 }
 
-// func Test_validate_image_tag_notspecified_deny(t *testing.T) {
-// testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml")
-// }
-
-// func Test_validate_image_tag_notspecified_pass(t *testing.T) {
-// testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml")
-// }
-
 func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
 }
@@ -113,7 +105,7 @@ func Test_validate_disallow_default_serviceaccount(t *testing.T) {
 }
 
 func Test_validate_fsgroup(t *testing.T) {
- // testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml")
+ testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml")
 }
 
 func Test_validate_selinux_context(t *testing.T) {
@@ -125,11 +117,11 @@ func Test_validate_proc_mount(t *testing.T) {
 }
 
 func Test_validate_container_capabilities(t *testing.T) {
- // testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
+ testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
 }
 
 func Test_validate_disallow_sysctl(t *testing.T) {
- // testScenario(t, "test/scenarios/test/scenario_validate_sysctl_configs.yaml")
+ testScenario(t, "test/scenarios/test/scenario_validate_sysctl_configs.yaml")
 }
 
 func Test_validate_volume_whitelist(t *testing.T) {
diff --git a/samples/additional/policy_validate_user_group_fsgroup_id.yaml b/samples/additional/policy_validate_user_group_fsgroup_id.yaml
index 36a2da3ca5..a5df1c748c 100644
--- a/samples/additional/policy_validate_user_group_fsgroup_id.yaml
+++ b/samples/additional/policy_validate_user_group_fsgroup_id.yaml
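Review bot: The first hunk deletes the commented-out `Test_validate_image_tag_notspecified_deny` and `Test_validate_image_tag_notspecified_pass` outright, while the other three hunks re-enable their tests, and the diffstat shows no change to the matching scenario files, so if `test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml` and its `_pass` sibling still exist they are now fixtures with no test. Either re-enable them the same way as `Test_validate_fsgroup`, i.e. `testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml")`, or remove the scenario files in the same change and say why in the commit message.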
@@ -14,7 +14,7 @@ spec:
 pattern:
 spec:
 securityContext:
- runAsUser: 1000
+ runAsUser: '1000'
 - name: validate-groupid
 match:
 resources:
@@ -25,18 +25,18 @@ spec:
 pattern:
 spec:
 securityContext:
- runAsGroup: 3000
+ runAsGroup: '3000'
 - name: validate-fsgroup
 match:
 resources:
 kinds:
 - Pod
 validate:
- message: "fsgroup should be 3000"
+ message: "fsgroup should be 2000"
 pattern:
 spec:
 securityContext:
- fsGroup: 2000
+ fsGroup: '2000'
 # Alls processes inside the pod can be made to run with specific user and groupID by setting runAsUser and runAsGroup respectively.
 # fsGroup can be specified to make sure any file created in the volume with have the specified groupID.
 # The above parameters can also be used in a validate policy to restrict user & group IDs.
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_container_capabilities.yaml b/test/scenarios/test/scenario_validate_container_capabilities.yaml
index 7ee9e4e105..2c202da0a7 100644
--- a/test/scenarios/test/scenario_validate_container_capabilities.yaml
+++ b/test/scenarios/test/scenario_validate_container_capabilities.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 
input:
- policy: examples/best_practices/policy_validate_container_capabilities.yaml
+ policy: samples/additional/policy_validate_container_capabilities.yaml
 resource: examples/best_practices/resources/resource_validate_container_capabilities.yaml
 expected:
 validation:
diff --git a/test/scenarios/test/scenario_validate_fsgroup.yaml b/test/scenarios/test/scenario_validate_fsgroup.yaml
index 036d713fdd..6fcc9d7101 100644
--- a/test/scenarios/test/scenario_validate_fsgroup.yaml
+++ b/test/scenarios/test/scenario_validate_fsgroup.yaml
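Review bot: The switch from `runAsUser: 1000` to `runAsUser: '1000'` (and likewise for `runAsGroup` and `fsGroup` in the second hunk) is not explained anywhere in the file, and the resource fixture under test keeps plain integers, so a later reader is likely to "normalize" the quotes away and silently re-break the scenario this patch re-enables. Add a comment above the first quoted value, e.g. `# IDs are quoted on purpose: the pattern value must be a string for the engine's pattern match to apply here (presumably why this test was disabled) -- confirm before changing`, hedged as shown unless the engine behaviour is verified. The `fsgroup should be 2000` message fix in the second hunk now agrees with the `fsGroup` pattern and the fixture, which is correct.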
@@ -1,19 +1,27 @@
 # file path relative to project root
 
 input:
- policy: examples/best_practices/policy_validate_fsgroup.yaml
+ policy: samples/additional/policy_validate_user_group_fsgroup_id.yaml
 resource: examples/best_practices/resources/resource_validate_fsgroup.yaml
 expected:
 validation:
 policyresponse:
- policy: validate-fsgroup
+ policy: validate-userid-groupid-fsgroup
 resource:
 kind: Pod
 apiVersion: v1
 namespace: ''
 name: fsgroup-demo
 rules:
+ - name: validate-userid
+ type: Validation
+ message: Validation rule 'validate-userid' succesfully validated
+ success: true
+ - name: validate-groupid
+ type: Validation
+ message: Validation rule 'validate-groupid' succesfully validated
+ success: true
 - name: validate-fsgroup
 type: Validation
- message: "Validation rule 'validate-fsgroup' failed at '/spec/securityContext/fsGroup/' for resource Pod//fsgroup-demo. directory should have group ID 2000"
- success: false
\ No newline at end of file
+ message: Validation rule 'validate-fsgroup' succesfully validated
+ success: true
diff --git a/test/scenarios/test/scenario_validate_sysctl_configs.yaml b/test/scenarios/test/scenario_validate_sysctl_configs.yaml
index aa40f91538..381a2ded59 100644
--- a/test/scenarios/test/scenario_validate_sysctl_configs.yaml
+++ b/test/scenarios/test/scenario_validate_sysctl_configs.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 
 input:
- policy: examples/best_practices/policy_validate_sysctl_configs.yaml
+ policy: samples/additional/policy_validate_sysctl_configs.yaml
 resource: examples/best_practices/resources/resource_validate_sysctl_configs.yaml
 expected:
 validation:
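Review bot: After this change the fsgroup scenario only exercises the passing path: the fixture now satisfies all three rules, and the former expectation that `validate-fsgroup` fails at `/spec/securityContext/fsGroup/` is dropped, so nothing in the suite asserts that a pod with a non-matching uid, gid or fsGroup is actually rejected by `validate-userid-groupid-fsgroup`. Keep a companion scenario with a non-compliant resource and `success: false` for each rule so the enforcement side of the policy stays covered, the way the `_deny`/`_pass` pairs in testrunner_test.go do for the image policies. The expected `message` strings must match the engine output byte for byte, so the `succesfully` spelling here presumably mirrors the engine's own wording and should be fixed there, not in this file.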