hub / github.com/microsoft/retina / TestHostNetworkPodForTraceSecurityContext

Function TestHostNetworkPodForTraceSecurityContext

shell/trace_test.go:143–201  ·  view source on GitHub ↗
(t *testing.T)

Source from the content-addressed store, hash-verified

141}
142
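// TestHostNetworkPodForTraceSecurityContext checks the security context of the
// first container in the pod built by hostNetworkPodForTrace. The container
// must not be privileged, must drop ALL capabilities, must add every
// capability returned by TraceCapabilities, and must use an Unconfined seccomp
// profile.
func TestHostNetworkPodForTraceSecurityContext(t *testing.T) {
	config := TraceConfig{
		RetinaShellImage: "test-image:v1",
	}

	pod := hostNetworkPodForTrace(config, "default", "test-node")

	// Fail with a readable message instead of an index-out-of-range or nil
	// pointer panic if the builder ever returns a pod without containers or
	// without a security context. A missing security context is exactly the
	// regression this test exists to catch.
	if len(pod.Spec.Containers) == 0 {
		t.Fatal("Expected at least one container in the trace pod")
	}
	secCtx := pod.Spec.Containers[0].SecurityContext
	if secCtx == nil {
		t.Fatal("Expected SecurityContext to be set")
	}

	t.Run("not privileged", func(t *testing.T) {
		// A nil Privileged pointer is accepted here as "not privileged".
		// NOTE(review): AllowPrivilegeEscalation is not asserted by this
		// test; confirm whether the builder sets it and pin it if so.
		if secCtx.Privileged != nil && *secCtx.Privileged {
			t.Error("Pod should use capabilities, not privileged mode")
		}
	})

	t.Run("drops all capabilities", func(t *testing.T) {
		if secCtx.Capabilities == nil {
			t.Fatal("Expected Capabilities to be set")
		}

		foundDropAll := false
		for _, drop := range secCtx.Capabilities.Drop {
			if string(drop) == "ALL" {
				foundDropAll = true
				break
			}
		}
		if !foundDropAll {
			t.Error("Expected to drop ALL capabilities first")
		}
	})

	t.Run("adds required capabilities", func(t *testing.T) {
		if secCtx.Capabilities == nil {
			t.Fatal("Expected Capabilities to be set")
		}

		// Collect the Add list as a set. The loop variable is named added
		// rather than cap so that it does not shadow the builtin cap.
		addedCaps := make(map[string]bool, len(secCtx.Capabilities.Add))
		for _, added := range secCtx.Capabilities.Add {
			addedCaps[string(added)] = true
		}

		// NOTE(review): only presence is checked. A capability added beyond
		// TraceCapabilities() would not fail this test. If the intended
		// contract is "exactly these capabilities", assert set equality.
		for _, required := range TraceCapabilities() {
			if !addedCaps[required] {
				t.Errorf("Missing required capability: %s", required)
			}
		}
	})

	t.Run("seccomp unconfined", func(t *testing.T) {
		// NOTE(review): this pins Unconfined, i.e. no seccomp syscall
		// filtering for the container. Presumably the trace tooling needs
		// syscalls a default profile would block; confirm this and record
		// the reason next to the pod builder.
		if secCtx.SeccompProfile == nil {
			t.Fatal("Expected SeccompProfile to be set")
		}
		if secCtx.SeccompProfile.Type != v1.SeccompProfileTypeUnconfined {
			t.Errorf("Expected Seccomp Unconfined, got %s", secCtx.SeccompProfile.Type)
		}
	})
}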

Callers

nothing calls this directly

Calls 4

hostNetworkPodForTraceFunction · 0.85
TraceCapabilitiesFunction · 0.85
RunMethod · 0.65
ErrorMethod · 0.45

Tested by

no test coverage detected