(t *testing.T)
| 199 | } |
| 200 | |
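// TestExemption verifies that a check listed in an Exemption is skipped for a
// workload whose name appears in that exemption's ControllerNames.
//
// The pod sets HostIPC, which hostIPCSet is configured to report at danger
// severity. Because the pod is named "foo" and "foo" is exempted from
// hostIPCSet, the test expects no danger to be counted and no hostIPCSet entry
// in the pod-level results.
//
// NOTE(review): only the matching case is covered here. How ControllerNames is
// compared against the workload name (exact or looser) is not visible in this
// test; a companion case with a non-matching name would confirm that an
// exemption does not also silence the finding on other workloads.
func TestExemption(t *testing.T) {
	c := conf.Configuration{
		Checks: map[string]conf.Severity{
			"hostIPCSet":     conf.SeverityDanger,
			"hostNetworkSet": conf.SeverityWarning,
			"hostPIDSet":     conf.SeverityDanger,
			"hostPortSet":    conf.SeverityDanger,
		},
		Exemptions: []conf.Exemption{
			{
				Rules:           []string{"hostIPCSet"},
				ControllerNames: []string{"foo"},
			},
		},
	}

	// Build a pod that would trip hostIPCSet and give it the exempted name.
	p := test.MockPod()
	p.Spec.HostIPC = true
	p.ObjectMeta = metav1.ObjectMeta{
		Name: "foo",
	}
	workload, err := kube.NewGenericResourceFromPod(p, nil)
	if err != nil {
		// Stop here: the checks below would otherwise run against an unusable workload.
		t.Fatalf("building workload from mock pod: %v", err)
	}

	// Three successes in total, but only two pod-level results; the third
	// presumably comes from the single container result (hostPortSet) — confirm.
	expectedSum := CountSummary{
		Successes: uint(3),
		Warnings:  uint(0),
		Dangers:   uint(0),
	}
	expectedResults := ResultSet{
		"hostNetworkSet": {ID: "hostNetworkSet", Message: "Host network is not configured", Success: true, Severity: "warning", Category: "Security"},
		"hostPIDSet":     {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"},
	}

	actualPodResult, err := applyControllerSchemaChecks(context.Background(), &c, nil, workload)
	if err != nil {
		// Fail this test only; a panic would abort the whole test binary.
		t.Fatalf("applying controller schema checks: %v", err)
	}

	assert.Len(t, actualPodResult.PodResult.ContainerResults, 1, "should be equal")
	assert.EqualValues(t, expectedSum, actualPodResult.GetSummary())
	assert.EqualValues(t, expectedResults, actualPodResult.PodResult.Results)
	// Implied by the comparison above, but stated explicitly: the exempted
	// check must leave no entry behind for this workload.
	assert.NotContains(t, actualPodResult.PodResult.Results, "hostIPCSet")
}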