
fix: add missing unit tests for podSecurity.hostpathVolume check (#9845)

* fix: add missing unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: update pinned lib

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: uncomment code

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2024-03-04 23:23:06 +08:00 committed by GitHub
parent cc7934f42a
commit bc2f50ae13
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 105 additions and 5 deletions

2
go.mod

@ -382,4 +382,4 @@ require (
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
)
replace k8s.io/pod-security-admission v0.29.2 => github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2
replace k8s.io/pod-security-admission v0.29.2 => github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7

4
go.sum

@ -85,8 +85,8 @@ github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0k
github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E=
github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2 h1:fU6MSdWY9ny1k+lWzCav7bBp/Is/uK/PAuLSn8SrVrs=
github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2/go.mod h1:rBAI9Kn+bV1UGQqDqZSgFo/+fm8S/3fFOsU42Z8SVkc=
github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7 h1:UxexVr0r4aF4YpgQEEC18Y9h0lVzJ8VflXrLDpFVFfo=
github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7/go.mod h1:rBAI9Kn+bV1UGQqDqZSgFo/+fm8S/3fFOsU42Z8SVkc=
github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=


@ -1690,6 +1690,86 @@ var baseline_capabilities = []testCase{
}
var baseline_hostPath_volumes = []testCase{
{
name: "baseline_hostPath_volumes_exclude_path_true",
rawRule: []byte(`
{
"level": "baseline",
"version": "v1.24",
"exclude": [
{
"controlName": "HostPath Volumes",
"restrictedField": "spec.volumes[*].hostPath",
"values": [
"/etc/nginx"
]
}
]
}`),
rawPod: []byte(`
{
"kind": "Pod",
"metadata": {
"name": "test"
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx"
}
],
"volumes": [
{
"hostPath": {
"path": "/etc/nginx"
}
}
]
}
}`),
allowed: true,
},
{
name: "baseline_hostPath_volumes_exclude_path_false",
rawRule: []byte(`
{
"level": "baseline",
"version": "v1.24",
"exclude": [
{
"controlName": "HostPath Volumes",
"restrictedField": "spec.volumes[*].hostPath",
"values": [
"/etc/nginx"
]
}
]
}`),
rawPod: []byte(`
{
"kind": "Pod",
"metadata": {
"name": "test"
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx"
}
],
"volumes": [
{
"hostPath": {
"path": "/var/lib1"
}
}
]
}
}`),
allowed: false,
},
{
name: "baseline_hostPath_volumes_violate_true",
rawRule: []byte(`
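Review bot: The two new cases each put a single hostPath in the pod, so they never exercise a pod whose `volumes` list holds both an excluded path and a non-excluded one, which is the case where an exclusion is most likely to over-allow (the exclusion matching `/etc/nginx` must not suppress the finding for `/var/lib1` in the same pod). A third case with both paths and `allowed: false` would pin that; the fence below sketches it. The two cases also repeat the same `rawRule` literal verbatim, so hoisting it into a shared variable would make the only difference between them (the pod's hostPath) visible at a glance. The file header on this page carries no path, and the `baseline_hostPath_volumes` slice literal continues past the end of the hunk.
```go
	{
		name: "baseline_hostPath_volumes_exclude_path_mixed",
		rawRule: []byte(`
	{
		"level": "baseline",
		"version": "v1.24",
		"exclude": [
			{
				"controlName": "HostPath Volumes",
				"restrictedField": "spec.volumes[*].hostPath",
				"values": ["/etc/nginx"]
			}
		]
	}`),
		rawPod: []byte(`
	{
		"kind": "Pod",
		"metadata": {"name": "test"},
		"spec": {
			"containers": [{"name": "nginx", "image": "nginx"}],
			"volumes": [
				{"hostPath": {"path": "/etc/nginx"}},
				{"hostPath": {"path": "/var/lib1"}}
			]
		}
	}`),
		// the second hostPath is not excluded, so the pod must still be rejected
		allowed: false,
	},
```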


@ -17,4 +17,4 @@ spec:
- controlName: "HostPath Volumes"
restrictedField: "spec.volumes[*].hostPath"
values:
- "path"
- "/var/lib1"
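Review bot: The exclude value `/var/lib1` is now a concrete path that has to agree with the hostPath used by the pod fixtures of this test (presumably excluded-pod.yaml, which the chainsaw test applies), and nothing in the file records that coupling; the same edit is made in the second policy at the end of this page. A trailing comment such as `- "/var/lib1"  # must match the hostPath in excluded-pod.yaml; bad-pod.yaml deliberately uses a different path` would keep the fixtures from drifting apart. The file headers on this page carry no path, so I cannot tell which policy belongs to which test directory.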


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
spec:
volumes:
- name: host
hostPath:
path: /var/lib2
containers:
- name: nginx
image: nginx
args:
- sleep
- 1d
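Review bot: Nothing in the fixture says why `/var/lib2` was chosen; it differs from the policy's excluded `/var/lib1` by one character, so a reader could easily take it for a typo and "fix" it, which would silently turn this negative test into a passing apply. A comment on the path line, `path: /var/lib2  # deliberately NOT in the policy's exclude list (/var/lib1); the apply must be rejected`, would document the intent.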


@ -17,3 +17,8 @@ spec:
file: excluded-pod.yaml
- apply:
file: good-pod.yaml
- apply:
expect:
- check:
($error != null): true
file: bad-pod.yaml
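Review bot: `($error != null): true` accepts any apply failure, so the step would still pass if bad-pod.yaml were rejected for an unrelated reason (a malformed manifest, a missing namespace, a webhook timeout) rather than by the HostPath Volumes control. Asserting on the message makes the negative test meaningful, e.g. `(contains($error, 'HostPath Volumes')): true`, provided the policy's failure text is stable; I would check the exact wording the admission response carries before pinning it.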


@ -20,4 +20,4 @@ spec:
- controlName: "HostPath Volumes"
restrictedField: "spec.volumes[*].hostPath"
values:
- "path"
- "/var/lib1"