suite: pod securityContext test templates: - common.yaml tests: - it: should pass with securityContext from "global" set: securityContext: pod: fsGroup: 1000 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 1000 - 1001 sysctls: - name: some_name value: "some_value" - name: some_other_name value: "some_other_value" workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} asserts: - documentIndex: &deploymentDoc 0 isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 1000 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 1000 - 1001 sysctls: - name: some_name value: "some_value" - name: some_other_name value: "some_other_value" - it: should pass with securityContext from "global" and partial override with "pod" set: securityContext: pod: fsGroup: 1000 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 1000 - 1001 sysctls: - name: some_name value: "some_value" - name: some_other_name value: "some_other_value" workload: workload-name1: enabled: true primary: true type: Deployment podSpec: securityContext: fsGroup: 1001 asserts: - documentIndex: *deploymentDoc isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 1001 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 1000 - 1001 sysctls: - name: some_name value: "some_value" - name: some_other_name value: "some_other_value" - it: should pass with securityContext from "global" and full override with "pod" set: some_sysctl_name: some_name some_sysctl_value: 2 securityContext: pod: fsGroup: 1000 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 1000 - 1001 sysctls: - name: some_name value: "some_value" - name: some_other_name value: "some_other_value" workload: workload-name1: enabled: true primary: true type: Deployment podSpec: securityContext: fsGroup: 1001 fsGroupChangePolicy: Always supplementalGroups: - 1002 - 1003 sysctls: - name: "{{ .Values.some_sysctl_name }}" value: "{{ .Values.some_sysctl_value }}" - name: some_other_name value: "some_different_value" asserts: - documentIndex: *deploymentDoc isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 1001 fsGroupChangePolicy: Always supplementalGroups: - 1002 - 1003 sysctls: - name: some_name value: "2" - name: some_other_name value: "some_different_value" - it: should pass with fsGroup and supplementalGroups with long int set: workload: workload-name1: enabled: true primary: true type: Deployment podSpec: securityContext: fsGroup: 100000514 fsGroupChangePolicy: Always supplementalGroups: - 1002 - 100000514 asserts: - documentIndex: *deploymentDoc isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 100000514 fsGroupChangePolicy: Always supplementalGroups: - 1002 - 100000514 sysctls: [] - it: should pass with sysctls automatically appended based on services set: some_sysctl_name: some_name some_sysctl_value: 2 workload: workload-name1: enabled: true primary: true type: Deployment podSpec: securityContext: fsGroup: 1001 fsGroupChangePolicy: Always supplementalGroups: - 1002 - 1003 sysctls: - name: "{{ .Values.some_sysctl_name }}" value: "{{ .Values.some_sysctl_value }}" - name: some_other_name value: "some_different_value" workload-name2: enabled: true type: Deployment podSpec: {} service: service-name1: enabled: true primary: true type: ClusterIP ports: port-name: enabled: true primary: true port: 80 service-name2: enabled: true type: ClusterIP ports: port-name: enabled: true primary: true port: 53 service-name3: enabled: true type: ClusterIP targetSelector: workload-name2 ports: port-name: enabled: true primary: true port: 443 asserts: - documentIndex: *deploymentDoc isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 1001 fsGroupChangePolicy: Always supplementalGroups: - 1002 - 1003 sysctls: - name: some_name value: "2" - name: some_other_name value: "some_different_value" - name: net.ipv4.ip_unprivileged_port_start value: "53" - documentIndex: &otherdeploymentDoc 1 isKind: of: Deployment - documentIndex: *otherdeploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: [] sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "443" - it: should pass with sysctls net.ipv4.ip_unprivileged_port_start NOT appended with hostnet set: workload: workload-name1: enabled: true primary: true type: Deployment podSpec: hostNetwork: true workload-name2: enabled: true type: Deployment podSpec: {} service: service-name: enabled: true primary: true type: ClusterIP targetSelector: workload-name2 ports: port-name: enabled: true primary: true port: 443 asserts: - documentIndex: &deploymentDoc 0 isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: [] sysctls: [] - it: should pass with fsGroup 0 set: securityContext: pod: fsGroup: 0 workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} asserts: - documentIndex: &deploymentDoc 0 isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 0 fsGroupChangePolicy: OnRootMismatch supplementalGroups: [] sysctls: [] - it: should pass with no sysctls port_start automatically appended based on services when port is higher than 1024 set: workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} service: service-name1: enabled: true primary: true type: ClusterIP ports: port-name: enabled: true primary: true port: 25000 targetPort: 3000 asserts: - documentIndex: &deploymentDoc 0 isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: [] sysctls: [] - it: should pass with with gpu assigned to primary pod set: workload: workload-name1: enabled: true primary: true type: Deployment podSpec: securityContext: supplementalGroups: - 1000 workload-name2: enabled: true primary: false type: Deployment podSpec: {} scaleGPU: - gpu: nvidia: "1" asserts: - documentIndex: &deploymentDoc 0 isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 1000 - 44 - 107 sysctls: [] - documentIndex: &otherDeploymentDoc 1 isKind: of: Deployment - documentIndex: *otherDeploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: [] sysctls: [] - it: should pass with with gpu assigned to specific pod set: workload: workload-name1: enabled: true primary: true type: Deployment podSpec: securityContext: supplementalGroups: - 1000 workload-name2: enabled: true primary: false type: Deployment podSpec: {} scaleGPU: - gpu: nvidia: "1" targetSelector: workload-name1: - container-name1 asserts: - documentIndex: &deploymentDoc 0 isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 1000 - 44 - 107 sysctls: [] - documentIndex: &otherDeploymentDoc 1 isKind: of: Deployment - documentIndex: *otherDeploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: [] sysctls: [] - it: should pass with with gpu assigned to multiple pod set: workload: workload-name1: enabled: true primary: true type: Deployment podSpec: securityContext: supplementalGroups: - 1000 workload-name2: enabled: true primary: false type: Deployment podSpec: {} scaleGPU: - gpu: nvidia: "1" targetSelector: workload-name1: - container-name1 workload-name2: - container-name1 asserts: - documentIndex: &deploymentDoc 0 isKind: of: Deployment - documentIndex: *deploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 1000 - 44 - 107 sysctls: [] - documentIndex: &otherDeploymentDoc 1 isKind: of: Deployment - documentIndex: *otherDeploymentDoc equal: path: spec.template.spec.securityContext value: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: - 44 - 107 sysctls: [] # Failures - it: should fail with empty securityContext from "global" set: securityContext: pod: null workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} asserts: - failedTemplate: errorMessage: Pod - Expected non-empty <.Values.securityContext.pod> - it: should fail with empty fsGroup set: securityContext: pod: fsGroup: "" workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} asserts: - failedTemplate: errorMessage: Pod - Expected non-empty - it: should fail with empty fsGroupChangePolicy set: securityContext: pod: fsGroup: 568 fsGroupChangePolicy: "" workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} asserts: - failedTemplate: errorMessage: Pod - Expected non-empty - it: should fail with invalid fsGroupChangePolicy set: securityContext: pod: fsGroup: 568 fsGroupChangePolicy: invalid workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} asserts: - failedTemplate: errorMessage: Pod - Expected to be one of [Always, OnRootMismatch], but got [invalid] - it: should fail with empty name in sysctls set: securityContext: pod: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch sysctls: - name: "" value: "some_value" workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} asserts: - failedTemplate: errorMessage: Pod - Expected non-empty in - it: should fail with empty value in sysctls set: securityContext: pod: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch sysctls: - name: some_name value: "" workload: workload-name1: enabled: true primary: true type: Deployment podSpec: {} asserts: - failedTemplate: errorMessage: Pod - Expected non-empty in