Added the test cases for the security context
Signed-off-by: Anish Bista <[email protected]>
anishbista60 committed Sep 13, 2024
1 parent 5d30468 commit 57f61ca
Showing 1 changed file with 97 additions and 0 deletions.
97 changes: 97 additions & 0 deletions pkg/testing/helm/helm_test.go
Expand Up @@ -196,9 +196,106 @@ func (h *HelmTestSuite) TestSelectedDeploymentAttrFromKanisterHelmDryRunInstall(

c.Assert(obj.Spec.Template.Spec.NodeSelector, DeepEquals, tc.expectedNodeSelector)
c.Assert(obj.Spec.Template.Spec.Tolerations, DeepEquals, tc.expectedTolerations)

}
}

// Test for Pod and Container-level securityContext in the Helm chart
func (h *HelmTestSuite) TestSecurityContextInHelmChart(c *C) {
podSecurity := corev1.PodSecurityContext{
RunAsUser: intPtr(1000),
FSGroup: intPtr(2000),
RunAsNonRoot: boolPtr(true),
}

containerSecurity := corev1.SecurityContext{
RunAsNonRoot: boolPtr(true),
ReadOnlyRootFilesystem: boolPtr(true),
AllowPrivilegeEscalation: boolPtr(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
}
var testCases = []struct {
testName string
helmValues map[string]string
expectedPodSecurity *corev1.PodSecurityContext
expectedContainerSecurity *corev1.SecurityContext
}{
{
testName: "Pod and Container security context are set",
helmValues: map[string]string{
"podSecurityContext.runAsUser": "1000",
"podSecurityContext.fsGroup": "2000",
"podSecurityContext.runAsNonRoot": "true",
"containerSecurityContext.capabilities.drop[0]": "ALL",
"containerSecurityContext.runAsNonRoot": "true",
"containerSecurityContext.readOnlyRootFilesystem": "true",
"containerSecurityContext.allowPrivilegeEscalation": "false",
},
expectedPodSecurity: &podSecurity,
expectedContainerSecurity: &containerSecurity,
},
{
testName: "Only Container security context is set",
helmValues: map[string]string{
"containerSecurityContext.capabilities.drop[0]": "ALL",
"containerSecurityContext.runAsNonRoot": "true",
"containerSecurityContext.readOnlyRootFilesystem": "true",
"containerSecurityContext.allowPrivilegeEscalation": "false",
},
expectedPodSecurity: &corev1.PodSecurityContext{},
expectedContainerSecurity: &containerSecurity,
},
{
testName: "Only Pod security context is set",
helmValues: map[string]string{
"podSecurityContext.runAsUser": "1000",
"podSecurityContext.fsGroup": "2000",
"podSecurityContext.runAsNonRoot": "true",
},
expectedPodSecurity: &podSecurity,
expectedContainerSecurity: &corev1.SecurityContext{},
},
}

for _, tc := range testCases {
c.Logf("Test name: %s", tc.testName)
defer func() {
h.helmApp.dryRun = false
}()

testApp, err := NewHelmApp(tc.helmValues, kanisterName, "../../../helm/kanister-operator", kanisterName, "", true)
c.Assert(err, IsNil)

out, err := testApp.Install()
c.Assert(err, IsNil)

resources := helm.ResourcesFromRenderedManifest(out, func(kind helm.K8sObjectType) bool {
return kind == helm.K8sObjectTypeDeployment
})
c.Assert(len(resources) > 0, Equals, true)

deployments, err := helm.K8sObjectsFromRenderedResources[*appsv1.Deployment](resources)
c.Assert(err, IsNil)

var obj = deployments[h.deploymentName]
c.Assert(obj, NotNil)

c.Assert(obj.Spec.Template.Spec.SecurityContext, DeepEquals, tc.expectedPodSecurity)
c.Assert(obj.Spec.Template.Spec.Containers[0].SecurityContext, DeepEquals, tc.expectedContainerSecurity)
c.Assert(obj.Spec.Template.Spec.Containers[1].SecurityContext, DeepEquals, tc.expectedContainerSecurity)
}
}

func boolPtr(b bool) *bool {
return &b
}

func intPtr(i int64) *int64 {
return &i
}

func (h *HelmTestSuite) TearDownSuite(c *C) {
c.Log("Uninstalling chart")
err := h.helmApp.Uninstall()
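Review bot: The `defer func() { h.helmApp.dryRun = false }()` at the top of the loop body in TestSecurityContextInHelmChart stacks one closure per test case and only fires when the whole test returns, and it resets `h.helmApp` while every iteration works on a fresh `testApp` built with its last argument `true` (presumably the dry-run flag), so it reads as a leftover from the earlier dry-run test and can be dropped, or hoisted above the loop if the suite state genuinely needs resetting. The fixed `Containers[0]`/`Containers[1]` indices on the last two asserts would abort with an index-out-of-range panic instead of a readable assertion failure if the chart ever renders fewer containers; a preceding `c.Assert(len(obj.Spec.Template.Spec.Containers), Equals, 2)`, or replacing both lines with `for _, ctr := range obj.Spec.Template.Spec.Containers { c.Assert(ctr.SecurityContext, DeepEquals, tc.expectedContainerSecurity) }`, keeps the check over every rendered container. Since the point of this test is to pin the chart's hardening, a fourth case with empty `helmValues` asserting whatever pod and container security context the chart's own values file declares by default would catch a regression of those defaults, which none of the three cases exercises. The hunk ends inside TearDownSuite, whose body continues outside the diff.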
