(t *testing.T)
| 141 | } |
| 142 | |
| 143 | func TestHostNetworkPodForTraceSecurityContext(t *testing.T) { |
| 144 | config := TraceConfig{ |
| 145 | RetinaShellImage: "test-image:v1", |
| 146 | } |
| 147 | |
| 148 | pod := hostNetworkPodForTrace(config, "default", "test-node") |
| 149 | container := pod.Spec.Containers[0] |
| 150 | secCtx := container.SecurityContext |
| 151 | |
| 152 | t.Run("not privileged", func(t *testing.T) { |
| 153 | if secCtx.Privileged != nil && *secCtx.Privileged { |
| 154 | t.Error("Pod should use capabilities, not privileged mode") |
| 155 | } |
| 156 | }) |
| 157 | |
| 158 | t.Run("drops all capabilities", func(t *testing.T) { |
| 159 | if secCtx.Capabilities == nil { |
| 160 | t.Fatal("Expected Capabilities to be set") |
| 161 | } |
| 162 | |
| 163 | foundDropAll := false |
| 164 | for _, drop := range secCtx.Capabilities.Drop { |
| 165 | if string(drop) == "ALL" { |
| 166 | foundDropAll = true |
| 167 | break |
| 168 | } |
| 169 | } |
| 170 | if !foundDropAll { |
| 171 | t.Error("Expected to drop ALL capabilities first") |
| 172 | } |
| 173 | }) |
| 174 | |
| 175 | t.Run("adds required capabilities", func(t *testing.T) { |
| 176 | if secCtx.Capabilities == nil { |
| 177 | t.Fatal("Expected Capabilities to be set") |
| 178 | } |
| 179 | |
| 180 | addedCaps := make(map[string]bool) |
| 181 | for _, cap := range secCtx.Capabilities.Add { |
| 182 | addedCaps[string(cap)] = true |
| 183 | } |
| 184 | |
| 185 | requiredCaps := TraceCapabilities() |
| 186 | for _, required := range requiredCaps { |
| 187 | if !addedCaps[required] { |
| 188 | t.Errorf("Missing required capability: %s", required) |
| 189 | } |
| 190 | } |
| 191 | }) |
| 192 | |
| 193 | t.Run("seccomp unconfined", func(t *testing.T) { |
| 194 | if secCtx.SeccompProfile == nil { |
| 195 | t.Fatal("Expected SeccompProfile to be set") |
| 196 | } |
| 197 | if secCtx.SeccompProfile.Type != v1.SeccompProfileTypeUnconfined { |
| 198 | t.Errorf("Expected Seccomp Unconfined, got %s", secCtx.SeccompProfile.Type) |
| 199 | } |
| 200 | }) |