PR with unit tests for PodSecurityContext param in PodOptions (#1731)

* Add PodSecurity and ContainerSecurity params to PodOptions structure * Add context suffix to avoid confusion in understanding the parameters purpose * Add comments * Update comments to new fields Co-authored-by: Vivek Singh <vsingh.ggits.2010@gmail.com> * Apply gofmt * Simple tests for SecurityContext setting * Fix linter issue Co-authored-by: Vivek Singh <vsingh.ggits.2010@gmail.com> Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
kanisterio · Nov 22, 2022 · b48647f · b48647f
1 parent e956100
commit b48647f
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/pkg/kube/pod_test.go b/pkg/kube/pod_test.go
@@ -730,3 +730,54 @@ func (s *PodSuite) TestGetPodReadyWaitTimeout(c *C) {
 	// Check without ENV set
 	c.Assert(GetPodReadyWaitTimeout(), Equals, DefaultPodReadyWaitTimeout)
 }
+
+func (s *PodSuite) TestSetPodSecurityContext(c *C) {
+	po := &PodOptions{
+		Namespace:    s.namespace,
+		GenerateName: "test-",
+		Image:        consts.LatestKanisterToolsImage,
+		Command:      []string{"sh", "-c", "tail -f /dev/null"},
+		PodSecurityContext: &v1.PodSecurityContext{
+			RunAsUser:    &[]int64{1000}[0],
+			RunAsGroup:   &[]int64{1000}[0],
+			RunAsNonRoot: &[]bool{true}[0],
+		},
+	}
+
+	pod, err := CreatePod(context.Background(), s.cli, po)
+	c.Assert(err, IsNil)
+	runAsNonRootExpected := true
+	c.Assert(pod.Spec.SecurityContext.RunAsNonRoot, DeepEquals, &runAsNonRootExpected)
+	var uidAndGidExpected int64 = 1000
+	c.Assert(*pod.Spec.SecurityContext.RunAsUser, DeepEquals, uidAndGidExpected)
+	c.Assert(*pod.Spec.SecurityContext.RunAsGroup, DeepEquals, uidAndGidExpected)
+}
+
+func (s *PodSuite) TestSetPodSecurityContextOverridesPodOverride(c *C) {
+	po := &PodOptions{
+		Namespace:    s.namespace,
+		GenerateName: "test-",
+		Image:        consts.LatestKanisterToolsImage,
+		Command:      []string{"sh", "-c", "tail -f /dev/null"},
+		PodSecurityContext: &v1.PodSecurityContext{
+			RunAsUser:    &[]int64{1000}[0],
+			RunAsGroup:   &[]int64{1000}[0],
+			RunAsNonRoot: &[]bool{true}[0],
+		},
+		PodOverride: crv1alpha1.JSONMap{
+			"securityContext": map[string]interface{}{
+				"runAsUser":    2000,
+				"runAsGroup":   2000,
+				"runAsNonRoot": false,
+			},
+		},
+	}
+
+	pod, err := CreatePod(context.Background(), s.cli, po)
+	c.Assert(err, IsNil)
+	runAsNonRootExpected := true
+	c.Assert(pod.Spec.SecurityContext.RunAsNonRoot, DeepEquals, &runAsNonRootExpected)
+	var uidAndGidExpected int64 = 1000
+	c.Assert(*pod.Spec.SecurityContext.RunAsUser, DeepEquals, uidAndGidExpected)
+	c.Assert(*pod.Spec.SecurityContext.RunAsGroup, DeepEquals, uidAndGidExpected)
+}