
Function TestInvalidIPCPod

pkg/validator/pod_test.go:71–127  ·  view source on GitHub ↗
(t *testing.T)

Source from the content-addressed store, hash-verified

69}
70
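// TestInvalidIPCPod builds a pod that weakens host isolation in four ways
// (host IPC namespace, a hostPath volume, an unmasked /proc mount and a
// Windows HostProcess container) and verifies that the pod-level checks flag
// each setting as a failure with the severity configured here, while the
// untouched host PID and host network settings are reported as successes.
func TestInvalidIPCPod(t *testing.T) {
	// Enable every host-isolation check exercised below with its severity.
	c := conf.Configuration{
		Checks: map[string]conf.Severity{
			"hostIPCSet":     conf.SeverityDanger,
			"hostPIDSet":     conf.SeverityDanger,
			"hostNetworkSet": conf.SeverityWarning,
			"hostPortSet":    conf.SeverityDanger,
			"hostPathSet":    conf.SeverityWarning,
			"procMount":      conf.SeverityWarning,
			"hostProcess":    conf.SeverityWarning,
		},
	}

	p := test.MockPod()

	// Sharing the node's IPC namespace removes the IPC boundary between the
	// pod and other processes on the host; hostIPCSet must fail.
	p.Spec.HostIPC = true

	// Any hostPath volume must trip hostPathSet. The container runtime socket
	// is used as the fixture because mounting it hands the container control
	// over the node's container runtime.
	p.Spec.Volumes = append(p.Spec.Volumes, v1.Volume{
		Name: "hostpath",
		VolumeSource: v1.VolumeSource{
			HostPath: &v1.HostPathVolumeSource{
				Path: "/var/run/docker.sock",
			},
		},
	})

	// An unmasked proc mount drops the runtime's default masking of /proc
	// paths; procMount must fail for anything other than the default.
	procMount := v1.UnmaskedProcMount
	p.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
		ProcMount: &procMount,
	}

	// A Windows HostProcess container runs with access to the host itself;
	// hostProcess must fail.
	hostProcess := true
	p.Spec.Containers[0].SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{
		HostProcess: &hostProcess,
	}

	workload, err := kube.NewGenericResourceFromPod(p, nil)
	// Stop here on failure: continuing would run the checks against a
	// workload that was never built and hide the real error.
	if !assert.NoError(t, err) {
		return
	}

	// NOTE(review): the summary counts 3 successes while the pod-level result
	// set below holds 2; presumably the third is hostPortSet reported in the
	// container results. Confirm against GetSummary.
	expectedSum := CountSummary{
		Successes: uint(3),
		Warnings:  uint(3),
		Dangers:   uint(1),
	}
	expectedResults := ResultSet{
		"hostIPCSet":     {ID: "hostIPCSet", Message: "Host IPC should not be configured", Success: false, Severity: "danger", Category: "Security"},
		"hostNetworkSet": {ID: "hostNetworkSet", Message: "Host network is not configured", Success: true, Severity: "warning", Category: "Security"},
		"hostPIDSet":     {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"},
		"hostPathSet":    {ID: "hostPathSet", Message: "HostPath volumes must be forbidden", Success: false, Severity: "warning", Category: "Security"},
		"procMount":      {ID: "procMount", Message: "Proc mount must not be changed from the default", Success: false, Severity: "warning", Category: "Security"},
		"hostProcess":    {ID: "hostProcess", Message: "Privileged access to the host is disallowed", Success: false, Severity: "warning", Category: "Security"},
	}

	actualPodResult, err := applyControllerSchemaChecks(context.Background(), &c, nil, workload)
	if err != nil {
		// Fail this test only, rather than panicking and aborting the whole
		// test binary along with every other test's output.
		t.Fatalf("applyControllerSchemaChecks returned an error: %v", err)
	}

	assert.Equal(t, 1, len(actualPodResult.PodResult.ContainerResults), "should be equal")
	assert.EqualValues(t, expectedSum, actualPodResult.GetSummary())
	assert.EqualValues(t, expectedResults, actualPodResult.PodResult.Results)
}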

Callers

nothing calls this directly

Calls 4

MockPod (Function) · 0.92
GetSummary (Method) · 0.45

Tested by

no test coverage detected