update testrunner for examples/best_practices/policy_validate_container_security_context.yaml

2025-03-29 10:55:05 +00:00 · 2019-09-06 18:54:19 -07:00 · 2019-09-06 18:54:19 -07:00 · b667c47587
commit b667c47587
parent bc087d7918
4 changed files with 46 additions and 18 deletions
--- a/examples/best_practices/policy_validate_container_security_context.yaml
+++ b/examples/best_practices/policy_validate_container_security_context.yaml
@ -20,12 +20,6 @@ spec:
      - spec:
          securityContext:
            runAsNonRoot: true
-      # pattern:
-      #   spec:
-      #     containers:
-      #     - name: "*"
-      #       securityContext:
-      #         runAsNonRoot: true
  - name: check-privilege
    exclude:
      resources:
@ -37,15 +31,10 @@ spec:
        - Pod
    validate:
      message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
-      anyPattern:
-      - spec:
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-      # pattern:
-      #   spec:
-      #     containers:
-      #     - name: "*"
-      #       securityContext:
-      #         allowPrivilegeEscalation: false
-      #         privileged: false
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            securityContext:
+              allowPrivilegeEscalation: false
+              privileged: false
--- a/examples/best_practices/resources/resource_validate_container_security_context.yaml
+++ b/examples/best_practices/resources/resource_validate_container_security_context.yaml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: check-container-security-context
+spec:
+  securityContext:
+    runAsNonRoot: true
+  containers:
+  - name: check-container-security-context
+    image: nginxinc/nginx-unprivileged
+    securityContext:
+      allowPrivilegeEscalation: true
+      privileged: false
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -18,6 +18,10 @@ func Test_validate_containerSecurityContext(t *testing.T) {
 	testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml")
 }

+func Test_validate_checkContainerSecurityContext(t *testing.T) {
+	testScenario(t, "/test/scenarios/test/scenario_validate_container_security_context.yaml")
+}
+
 func Test_validate_healthChecks(t *testing.T) {
 	testScenario(t, "/test/scenarios/test/scenario_validate_healthChecks.yaml")
 }
--- a/test/scenarios/test/scenario_validate_container_security_context.yaml
+++ b/test/scenarios/test/scenario_validate_container_security_context.yaml
@ -0,0 +1,22 @@
+# file path relative to project root
+input:
+  policy: examples/best_practices/policy_validate_container_security_context.yaml
+  resource: examples/best_practices/resources/resource_validate_container_security_context.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: check-container-security-context
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: check-container-security-context
+      rules:
+        - name: check-root-user
+          type: Validation
+          message: "Validation rule 'check-root-user' anyPattern[0] succesfully validated"
+          success: true
+        - name: check-privilege
+          type: Validation
+          message: "Validation rule 'check-privilege' failed at '/spec/containers/0/securityContext/allowPrivilegeEscalation/' for resource Pod//check-container-security-context. Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
+          success: false