fix: add missing unit tests for podSecurity.hostpathVolume check (#9845)
* fix: add missing unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: update pinned lib
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix: uncomment code
Signed-off-by: ShutingZhao <shuting@nirmata.com>
---------
Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
cc7934f42a
commit
bc2f50ae13
7 changed files with 105 additions and 5 deletions
2
go.mod
2
go.mod
|
@ -382,4 +382,4 @@ require (
|
|||
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
|
||||
)
|
||||
|
||||
replace k8s.io/pod-security-admission v0.29.2 => github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2
|
||||
replace k8s.io/pod-security-admission v0.29.2 => github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7
|
||||
|
|
4
go.sum
4
go.sum
|
@ -85,8 +85,8 @@ github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0k
|
|||
github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
|
||||
github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E=
|
||||
github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
|
||||
github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2 h1:fU6MSdWY9ny1k+lWzCav7bBp/Is/uK/PAuLSn8SrVrs=
|
||||
github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2/go.mod h1:rBAI9Kn+bV1UGQqDqZSgFo/+fm8S/3fFOsU42Z8SVkc=
|
||||
github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7 h1:UxexVr0r4aF4YpgQEEC18Y9h0lVzJ8VflXrLDpFVFfo=
|
||||
github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240304113848-33168815d7c7/go.mod h1:rBAI9Kn+bV1UGQqDqZSgFo/+fm8S/3fFOsU42Z8SVkc=
|
||||
github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
|
||||
github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
|
||||
github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
|
||||
|
|
|
@ -1690,6 +1690,86 @@ var baseline_capabilities = []testCase{
|
|||
}
|
||||
|
||||
var baseline_hostPath_volumes = []testCase{
|
||||
{
|
||||
name: "baseline_hostPath_volumes_exclude_path_true",
|
||||
rawRule: []byte(`
|
||||
{
|
||||
"level": "baseline",
|
||||
"version": "v1.24",
|
||||
"exclude": [
|
||||
{
|
||||
"controlName": "HostPath Volumes",
|
||||
"restrictedField": "spec.volumes[*].hostPath",
|
||||
"values": [
|
||||
"/etc/nginx"
|
||||
]
|
||||
}
|
||||
]
|
||||
}`),
|
||||
rawPod: []byte(`
|
||||
{
|
||||
"kind": "Pod",
|
||||
"metadata": {
|
||||
"name": "test"
|
||||
},
|
||||
"spec": {
|
||||
"containers": [
|
||||
{
|
||||
"name": "nginx",
|
||||
"image": "nginx"
|
||||
}
|
||||
],
|
||||
"volumes": [
|
||||
{
|
||||
"hostPath": {
|
||||
"path": "/etc/nginx"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}`),
|
||||
allowed: true,
|
||||
},
|
||||
{
|
||||
name: "baseline_hostPath_volumes_exclude_path_false",
|
||||
rawRule: []byte(`
|
||||
{
|
||||
"level": "baseline",
|
||||
"version": "v1.24",
|
||||
"exclude": [
|
||||
{
|
||||
"controlName": "HostPath Volumes",
|
||||
"restrictedField": "spec.volumes[*].hostPath",
|
||||
"values": [
|
||||
"/etc/nginx"
|
||||
]
|
||||
}
|
||||
]
|
||||
}`),
|
||||
rawPod: []byte(`
|
||||
{
|
||||
"kind": "Pod",
|
||||
"metadata": {
|
||||
"name": "test"
|
||||
},
|
||||
"spec": {
|
||||
"containers": [
|
||||
{
|
||||
"name": "nginx",
|
||||
"image": "nginx"
|
||||
}
|
||||
],
|
||||
"volumes": [
|
||||
{
|
||||
"hostPath": {
|
||||
"path": "/var/lib1"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}`),
|
||||
allowed: false,
|
||||
},
|
||||
{
|
||||
name: "baseline_hostPath_volumes_violate_true",
|
||||
rawRule: []byte(`
|
||||
|
|
|
@ -17,4 +17,4 @@ spec:
|
|||
- controlName: "HostPath Volumes"
|
||||
restrictedField: "spec.volumes[*].hostPath"
|
||||
values:
|
||||
- "path"
|
||||
- "/var/lib1"
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod
|
||||
spec:
|
||||
volumes:
|
||||
- name: host
|
||||
hostPath:
|
||||
path: /var/lib2
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
|
@ -17,3 +17,8 @@ spec:
|
|||
file: excluded-pod.yaml
|
||||
- apply:
|
||||
file: good-pod.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: bad-pod.yaml
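Review bot: The new expect step `($error != null): true` only asserts that applying bad-pod.yaml fails for some reason, so a schema error, a missing namespace or an unrelated admission failure would also make this step pass and the test would no longer prove that the HostPath Volumes control rejected the /var/lib2 mount. The assertion should pin the failure to that control, for example `(contains($error, 'HostPath Volumes')): true`, assuming the denial message quotes the control name as the policy fixture does — confirm against the actual error text before relying on it. The enclosing test spec starts outside the hunk.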
|
||||
|
|
|
@ -20,4 +20,4 @@ spec:
|
|||
- controlName: "HostPath Volumes"
|
||||
restrictedField: "spec.volumes[*].hostPath"
|
||||
values:
|
||||
- "path"
|
||||
- "/var/lib1"
|
||||
|
|