From 9bc8d3622e5077305aa61d7d7e29a12cc19c9c70 Mon Sep 17 00:00:00 2001
From: Anish Bista
Date: Fri, 13 Sep 2024 12:20:24 +0530
Subject: [PATCH] Added the test cases for the security context

Signed-off-by: Anish Bista
---
 pkg/testing/helm/helm_test.go | 95 +++++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)

diff --git a/pkg/testing/helm/helm_test.go b/pkg/testing/helm/helm_test.go
index 029483fa75..a909da16a0 100644
--- a/pkg/testing/helm/helm_test.go
+++ b/pkg/testing/helm/helm_test.go
@@ -199,6 +199,101 @@ func (h *HelmTestSuite) TestSelectedDeploymentAttrFromKanisterHelmDryRunInstall(
 }
 }
 
+// Test for Pod and Container-level securityContext in the Helm chart
+func (h *HelmTestSuite) TestSecurityContextInHelmChart(c *check.C) {
+ podSecurity := corev1.PodSecurityContext{
+ RunAsUser: intPtr(1000),
+ FSGroup: intPtr(2000),
+ RunAsNonRoot: boolPtr(true),
+ }
+
+ containerSecurity := corev1.SecurityContext{
+ RunAsNonRoot: boolPtr(true),
+ ReadOnlyRootFilesystem: boolPtr(true),
+ AllowPrivilegeEscalation: boolPtr(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ }
+ var testCases = []struct {
+ testName string
+ helmValues map[string]string
+ expectedPodSecurity *corev1.PodSecurityContext
+ expectedContainerSecurity *corev1.SecurityContext
+ }{
+ {
+ testName: "Pod and Container security context are set",
+ helmValues: map[string]string{
+ "controller.podSecurityContext.runAsUser": "1000",
+ "controller.podSecurityContext.fsGroup": "2000",
+ "controller.podSecurityContext.runAsNonRoot": "true",
+ "controller.containerSecurityContext.capabilities.drop[0]": "ALL",
+ "controller.containerSecurityContext.runAsNonRoot": "true",
+ "controller.containerSecurityContext.readOnlyRootFilesystem": "true",
+ "controller.containerSecurityContext.allowPrivilegeEscalation": "false",
+ },
+ expectedPodSecurity: &podSecurity,
+ expectedContainerSecurity: &containerSecurity,
+ },
+ {
+ testName: "Only Container security context is set",
+ helmValues: map[string]string{
+ "controller.containerSecurityContext.capabilities.drop[0]": "ALL",
+ "controller.containerSecurityContext.runAsNonRoot": "true",
+ "controller.containerSecurityContext.readOnlyRootFilesystem": "true",
+ "controller.containerSecurityContext.allowPrivilegeEscalation": "false",
+ },
+ expectedPodSecurity: nil,
+ expectedContainerSecurity: &containerSecurity,
+ },
+ {
+ testName: "Only Pod security context is set",
+ helmValues: map[string]string{
+ "controller.podSecurityContext.runAsUser": "1000",
+ "controller.podSecurityContext.fsGroup": "2000",
+ "controller.podSecurityContext.runAsNonRoot": "true",
+ },
+ expectedPodSecurity: &podSecurity,
+ expectedContainerSecurity: nil,
+ },
+ }
+
+ for _, tc := range testCases {
+ c.Logf("Test name: %s", tc.testName)
+ defer func() {
+ h.helmApp.dryRun = false
+ }()
+
+ testApp, err := NewHelmApp(tc.helmValues, kanisterName, "../../../helm/kanister-operator", kanisterName, "", true)
+ c.Assert(err, check.IsNil)
+
+ out, err := testApp.Install()
+ c.Assert(err, check.IsNil)
+
+ resources := helm.ResourcesFromRenderedManifest(out, func(kind helm.K8sObjectType) bool {
+ return kind == helm.K8sObjectTypeDeployment
+ })
+ c.Assert(len(resources), check.Equals, 1)
+
+ deployments, err := helm.K8sObjectsFromRenderedResources[*appsv1.Deployment](resources)
+ c.Assert(err, check.IsNil)
+
+ var obj = deployments[h.deploymentName]
+ c.Assert(obj, check.NotNil)
+
+ c.Assert(obj.Spec.Template.Spec.SecurityContext, check.DeepEquals, tc.expectedPodSecurity)
+ c.Assert(obj.Spec.Template.Spec.Containers[0].SecurityContext, check.DeepEquals, tc.expectedContainerSecurity)
+ }
+}
+
+func boolPtr(b bool) *bool {
+ return &b
+}
+
+func intPtr(i int64) *int64 {
+ return &i
+}
+
 func (h *HelmTestSuite) TearDownSuite(c *check.C) {
 c.Log("Uninstalling chart")
 err := h.helmApp.Uninstall()
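Review bot: The `defer func() { h.helmApp.dryRun = false }()` inside the `for _, tc := range testCases` loop registers one deferred call per test case that all fire only when the function returns, and it resets the suite-wide `h.helmApp`, not the per-case `testApp` that `NewHelmApp(tc.helmValues, ..., true)` builds two lines later; this test never touches `h.helmApp`, so the three lines from `defer func() {` to `}()` look carried over from the preceding test and can be dropped. Only `Containers[0]` is asserted; if the deployment template ever grows a sidecar, looping over `obj.Spec.Template.Spec.Containers` would keep every container under the `readOnlyRootFilesystem`/`allowPrivilegeEscalation: false`/`drop: ALL` expectations rather than just the first. The doc comment would follow Go convention as `// TestSecurityContextInHelmChart renders the operator chart in dry-run mode and asserts the pod- and container-level securityContext each values set produces.` Since `intPtr` takes an `int64`, naming it `int64Ptr` would describe it accurately.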