fix: add missing unit tests for podSecurity.hostpathVolume check (#9845)

* fix: add missing unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: update pinned lib Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: uncomment code Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-03-28 10:28:36 +00:00 · 2024-03-04 23:23:06 +08:00 · 2024-03-04 23:23:06 +08:00 · bc2f50ae13
commit bc2f50ae13
parent cc7934f42a
7 changed files with 105 additions and 5 deletions
--- a/go.mod
+++ b/go.mod
@ -382,4 +382,4 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 )

-replace k8s.io/pod-security-admission v0.29.2 => github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2
+replace k8s.io/pod-security-admission v0.29.2 => github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7
--- a/go.sum
+++ b/go.sum
@ -85,8 +85,8 @@ github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0k
 github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E=
 github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
-github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2 h1:fU6MSdWY9ny1k+lWzCav7bBp/Is/uK/PAuLSn8SrVrs=
-github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2/go.mod h1:rBAI9Kn+bV1UGQqDqZSgFo/+fm8S/3fFOsU42Z8SVkc=
+github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7 h1:UxexVr0r4aF4YpgQEEC18Y9h0lVzJ8VflXrLDpFVFfo=
+github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7/go.mod h1:rBAI9Kn+bV1UGQqDqZSgFo/+fm8S/3fFOsU42Z8SVkc=
 github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
 github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
 github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
--- a/pkg/pss/evaluate_test.go
+++ b/pkg/pss/evaluate_test.go
@ -1690,6 +1690,86 @@ var baseline_capabilities = []testCase{
 }

 var baseline_hostPath_volumes = []testCase{
+	{
+		name: "baseline_hostPath_volumes_exclude_path_true",
+		rawRule: []byte(`
+		{
+			"level": "baseline",
+			"version": "v1.24",
+			"exclude": [
+				{
+					"controlName": "HostPath Volumes",
+					"restrictedField": "spec.volumes[*].hostPath",
+					"values": [
+						"/etc/nginx"
+					]
+				}
+			]
+		}`),
+		rawPod: []byte(`
+		{
+			"kind": "Pod",
+			"metadata": {
+				"name": "test"
+			},
+			"spec": {
+				"containers": [
+					{
+						"name": "nginx",
+						"image": "nginx"
+					}
+				],
+				"volumes": [
+					{
+						"hostPath": {
+							"path": "/etc/nginx"
+						}
+					}
+				]
+			}
+		}`),
+		allowed: true,
+	},
+	{
+		name: "baseline_hostPath_volumes_exclude_path_false",
+		rawRule: []byte(`
+		{
+			"level": "baseline",
+			"version": "v1.24",
+			"exclude": [
+				{
+					"controlName": "HostPath Volumes",
+					"restrictedField": "spec.volumes[*].hostPath",
+					"values": [
+						"/etc/nginx"
+					]
+				}
+			]
+		}`),
+		rawPod: []byte(`
+		{
+			"kind": "Pod",
+			"metadata": {
+				"name": "test"
+			},
+			"spec": {
+				"containers": [
+					{
+						"name": "nginx",
+						"image": "nginx"
+					}
+				],
+				"volumes": [
+					{
+						"hostPath": {
+							"path": "/var/lib1"
+						}
+					}
+				]
+			}
+		}`),
+		allowed: false,
+	},
 	{
 		name: "baseline_hostPath_volumes_violate_true",
 		rawRule: []byte(`
--- a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml
@ -17,4 +17,4 @@ spec:
    - controlName: "HostPath Volumes"
      restrictedField: "spec.volumes[*].hostPath"
      values:
-      - "path"
+      - "/var/lib1"
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/bad-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/bad-pod.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bad-pod
+spec:
+  volumes:
+  - name: host
+    hostPath:
+      path: /var/lib2
+  containers:
+  - name: nginx
+    image: nginx
+    args:
+    - sleep
+    - 1d
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml
@ -17,3 +17,8 @@ spec:
        file: excluded-pod.yaml
    - apply:
        file: good-pod.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-pod.yaml
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
@ -20,4 +20,4 @@ spec:
        - controlName: "HostPath Volumes"
          restrictedField: "spec.volumes[*].hostPath"
          values:
-          - "path"
+          - "/var/lib1"