(t *testing.T)
| 69 | } |
| 70 | |
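// TestInvalidIPCPod checks that a pod which shares the host IPC namespace,
// mounts a hostPath volume pointing at the container runtime socket, uses an
// unmasked /proc mount and requests a Windows HostProcess container fails the
// corresponding checks, while the host PID and host network checks (which the
// pod leaves unset) still pass. All seven host-isolation checks are enabled
// so the summary counts cover every configured severity.
func TestInvalidIPCPod(t *testing.T) {
	c := conf.Configuration{
		Checks: map[string]conf.Severity{
			"hostIPCSet":     conf.SeverityDanger,
			"hostPIDSet":     conf.SeverityDanger,
			"hostNetworkSet": conf.SeverityWarning,
			"hostPortSet":    conf.SeverityDanger,
			"hostPathSet":    conf.SeverityWarning,
			"procMount":      conf.SeverityWarning,
			"hostProcess":    conf.SeverityWarning,
		},
	}

	p := test.MockPod()
	p.Spec.HostIPC = true
	// A hostPath volume exposing the runtime socket is exactly the kind of
	// host-escape vector the hostPathSet check is meant to flag.
	p.Spec.Volumes = append(p.Spec.Volumes, v1.Volume{
		Name: "hostpath",
		VolumeSource: v1.VolumeSource{
			HostPath: &v1.HostPathVolumeSource{
				Path: "/var/run/docker.sock",
			},
		},
	})
	// Both settings take pointers, so they need addressable locals.
	procMount := v1.UnmaskedProcMount
	hostProcess := true
	p.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
		ProcMount: &procMount,
		WindowsOptions: &v1.WindowsSecurityContextOptions{
			HostProcess: &hostProcess,
		},
	}

	workload, err := kube.NewGenericResourceFromPod(p, nil)
	if err != nil {
		// Stop here: running the checks against a workload that failed to
		// build would only produce misleading follow-on failures.
		t.Fatalf("building workload from pod: %v", err)
	}
	expectedSum := CountSummary{
		Successes: uint(3),
		Warnings:  uint(3),
		Dangers:   uint(1),
	}
	expectedResults := ResultSet{
		"hostIPCSet":     {ID: "hostIPCSet", Message: "Host IPC should not be configured", Success: false, Severity: "danger", Category: "Security"},
		"hostNetworkSet": {ID: "hostNetworkSet", Message: "Host network is not configured", Success: true, Severity: "warning", Category: "Security"},
		"hostPIDSet":     {ID: "hostPIDSet", Message: "Host PID is not configured", Success: true, Severity: "danger", Category: "Security"},
		"hostPathSet":    {ID: "hostPathSet", Message: "HostPath volumes must be forbidden", Success: false, Severity: "warning", Category: "Security"},
		"procMount":      {ID: "procMount", Message: "Proc mount must not be changed from the default", Success: false, Severity: "warning", Category: "Security"},
		"hostProcess":    {ID: "hostProcess", Message: "Privileged access to the host is disallowed", Success: false, Severity: "warning", Category: "Security"},
	}

	actualPodResult, err := applyControllerSchemaChecks(context.Background(), &c, nil, workload)
	if err != nil {
		// Report through the testing framework rather than panicking, so the
		// failure is attributed to this test and the rest of the package runs.
		t.Fatalf("applying controller schema checks: %v", err)
	}

	assert.Len(t, actualPodResult.PodResult.ContainerResults, 1, "exactly one container result expected")
	assert.EqualValues(t, expectedSum, actualPodResult.GetSummary())
	assert.EqualValues(t, expectedResults, actualPodResult.PodResult.Results)
}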