security: move and modify old tests

zegl · Apr 15, 2019 · 060e834 · 060e834
1 parent c7bed19
commit 060e834
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 31 deletions.
diff --git a/score/score_test.go b/score/score_test.go
@@ -126,26 +126,6 @@ func TestPodContainerPullPolicyAlways(t *testing.T) {
 	testExpectedScore(t, "pod-image-pullpolicy-always.yaml", "Container Image Pull Policy", 10)
 }
 
-func TestContainerSecurityContextPrivilegied(t *testing.T) {
-	testExpectedScore(t, "pod-security-context-privilegied.yaml", "Container Security Context", 1)
-}
-
-func TestContainerSecurityContextNonPrivilegied(t *testing.T) {
-	testExpectedScore(t, "pod-security-context-non-privilegied.yaml", "Container Security Context", 10)
-}
-
-func TestContainerSecurityContextLowUser(t *testing.T) {
-	testExpectedScore(t, "pod-security-context-low-user-id.yaml", "Container Security Context", 1)
-}
-
-func TestContainerSecurityContextLowGroup(t *testing.T) {
-	testExpectedScore(t, "pod-security-context-low-group-id.yaml", "Container Security Context", 1)
-}
-
-func TestContainerSecurityContextHighIds(t *testing.T) {
-	testExpectedScore(t, "pod-security-context-high-ids.yaml", "Container Security Context", 10)
-}
-
 func TestConfigMapMultiDash(t *testing.T) {
 	_, err := testScore(config.Configuration{
 		AllFiles: []io.Reader{testFile("configmap-multi-dash.yaml")},

diff --git a/score/security/security.go b/score/security/security.go
@@ -33,22 +33,22 @@ func containerSecurityContext(podTemplate corev1.PodTemplateSpec) (score scoreca
 
 		if sec.Privileged == nil || *sec.Privileged {
 			hasPrivileged = true
-			score.AddComment(container.Name, "The container is privileged", "Set securityContext.Privileged to false")
+			score.AddComment(container.Name, "The container is privileged", "Set securityContext.privileged to false")
 		}
 
 		if sec.ReadOnlyRootFilesystem == nil || *sec.ReadOnlyRootFilesystem == false  {
 			hasWritableRootFS = true
-			score.AddComment(container.Name, "The pod has a container with a writable root filesystem", "Set securityContext.ReadOnlyFileSystem to true")
+			score.AddComment(container.Name, "The pod has a container with a writable root filesystem", "Set securityContext.readOnlyRootFilesystem to true")
 		}
 
 		if sec.RunAsUser == nil || *sec.RunAsUser < 10000 {
 			hasLowUserID = true
-			score.AddComment(container.Name, "The container is running with a low user ID", "A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.RunAsUser to a value > 10000")
+			score.AddComment(container.Name, "The container is running with a low user ID", "A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000")
 		}
 
 		if sec.RunAsGroup == nil || *sec.RunAsGroup < 10000 {
 			hasLowGroupID = true
-			score.AddComment(container.Name, "The container running with a low group ID", "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.RunAsGroup to a value > 10000")
+			score.AddComment(container.Name, "The container running with a low group ID", "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000")
 		}
 	}
 

diff --git a/score/security_test.go b/score/security_test.go
@@ -51,7 +51,7 @@ func TestSecurityExplicitlyWritableRootFs(test *testing.T) {
 			expectedComment: &scorecard.TestScoreComment{
 				Path:        "foobar",
 				Summary:     "The pod has a container with a writable root filesystem",
-				Description: "Set securityContext.ReadOnlyFileSystem to true",
+				Description: "Set securityContext.readOnlyRootFilesystem to true",
 			},
 		},
 		{
@@ -62,7 +62,7 @@ func TestSecurityExplicitlyWritableRootFs(test *testing.T) {
 			expectedComment: &scorecard.TestScoreComment{
 				Path:        "foobar",
 				Summary:     "The pod has a container with a writable root filesystem",
-				Description: "Set securityContext.ReadOnlyFileSystem to true",
+				Description: "Set securityContext.readOnlyRootFilesystem to true",
 			},
 		},
 
@@ -73,7 +73,7 @@ func TestSecurityExplicitlyWritableRootFs(test *testing.T) {
 			expectedComment: &scorecard.TestScoreComment{
 				Path:        "foobar",
 				Summary:     "The container is privileged",
-				Description: "Set securityContext.Privileged to false",
+				Description: "Set securityContext.privileged to false",
 			},
 		},
 		// Context is non nul, but has all null values
@@ -83,7 +83,7 @@ func TestSecurityExplicitlyWritableRootFs(test *testing.T) {
 			expectedComment: &scorecard.TestScoreComment{
 				Path:        "foobar",
 				Summary:     "The pod has a container with a writable root filesystem",
-				Description: "Set securityContext.ReadOnlyFileSystem to true",
+				Description: "Set securityContext.readOnlyRootFilesystem to true",
 			},
 		},
 		// Context is non nul, but has all null values
@@ -93,7 +93,7 @@ func TestSecurityExplicitlyWritableRootFs(test *testing.T) {
 			expectedComment: &scorecard.TestScoreComment{
 				Path:        "foobar",
 				Summary:     "The container is running with a low user ID",
-				Description: "A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.RunAsUser to a value > 10000",
+				Description: "A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000",
 			},
 		},
 		// Context is non nul, but has all null values
@@ -103,7 +103,7 @@ func TestSecurityExplicitlyWritableRootFs(test *testing.T) {
 			expectedComment: &scorecard.TestScoreComment{
 				Path:        "foobar",
 				Summary:     "The container running with a low group ID",
-				Description: "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.RunAsGroup to a value > 10000",
+				Description: "A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000",
 			},
 		},
 	}
@@ -140,3 +140,20 @@ func TestSecurityExplicitlyWritableRootFs(test *testing.T) {
 		}
 	}
 }
+
+func TestContainerSecurityContextPrivilegied(t *testing.T) {
+	testExpectedScore(t, "pod-security-context-privilegied.yaml", "Container Security Context", 1)
+}
+
+func TestContainerSecurityContextLowUser(t *testing.T) {
+	testExpectedScore(t, "pod-security-context-low-user-id.yaml", "Container Security Context", 1)
+}
+
+func TestContainerSecurityContextLowGroup(t *testing.T) {
+	testExpectedScore(t, "pod-security-context-low-group-id.yaml", "Container Security Context", 1)
+}
+
+func TestContainerSecurityContextAllGood(t *testing.T) {
+	c := testExpectedScore(t, "pod-security-context-all-good.yaml", "Container Security Context", 10)
+	assert.Empty(t, c)
+}
diff --git a/...pod-security-context-non-privilegied.yaml → ...stdata/pod-security-context-all-good.yaml b/...pod-security-context-non-privilegied.yaml → ...stdata/pod-security-context-all-good.yaml
@@ -7,4 +7,7 @@ spec:
   - name: foobar
     image: foo/bar:latest
     securityContext:
-      privileged: False
+      privileged: False
+      runAsUser: 30000
+      runAsGroup: 30000
+      readOnlyRootFilesystem: True