| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497 |
- suite: pod securityContext test
- templates:
- - common.yaml
- tests:
- - it: should pass with securityContext from "global"
- set:
- securityContext:
- pod:
- fsGroup: 1000
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 1000
- - 1001
- sysctls:
- - name: some_name
- value: "some_value"
- - name: some_other_name
- value: "some_other_value"
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec: {}
- asserts:
- - documentIndex: &deploymentDoc 0
- isKind:
- of: Deployment
- - documentIndex: *deploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 1000
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 1000
- - 1001
- sysctls:
- - name: some_name
- value: "some_value"
- - name: some_other_name
- value: "some_other_value"
- - it: should pass with securityContext from "global" and partial override with "pod"
- set:
- securityContext:
- pod:
- fsGroup: 1000
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 1000
- - 1001
- sysctls:
- - name: some_name
- value: "some_value"
- - name: some_other_name
- value: "some_other_value"
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec:
- securityContext:
- fsGroup: 1001
- asserts:
- - documentIndex: *deploymentDoc
- isKind:
- of: Deployment
- - documentIndex: *deploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 1001
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 1000
- - 1001
- sysctls:
- - name: some_name
- value: "some_value"
- - name: some_other_name
- value: "some_other_value"
- - it: should pass with securityContext from "global" and full override with "pod"
- set:
- some_sysctl_name: some_name
- some_sysctl_value: 2
- securityContext:
- pod:
- fsGroup: 1000
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 1000
- - 1001
- sysctls:
- - name: some_name
- value: "some_value"
- - name: some_other_name
- value: "some_other_value"
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec:
- securityContext:
- fsGroup: 1001
- fsGroupChangePolicy: Always
- supplementalGroups:
- - 1002
- - 1003
- sysctls:
- - name: "{{ .Values.some_sysctl_name }}"
- value: "{{ .Values.some_sysctl_value }}"
- - name: some_other_name
- value: "some_different_value"
- asserts:
- - documentIndex: *deploymentDoc
- isKind:
- of: Deployment
- - documentIndex: *deploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 1001
- fsGroupChangePolicy: Always
- supplementalGroups:
- - 1002
- - 1003
- sysctls:
- - name: some_name
- value: "2"
- - name: some_other_name
- value: "some_different_value"
- - it: should pass with sysctls automatically appended based on services
- set:
- some_sysctl_name: some_name
- some_sysctl_value: 2
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec:
- securityContext:
- fsGroup: 1001
- fsGroupChangePolicy: Always
- supplementalGroups:
- - 1002
- - 1003
- sysctls:
- - name: "{{ .Values.some_sysctl_name }}"
- value: "{{ .Values.some_sysctl_value }}"
- - name: some_other_name
- value: "some_different_value"
- workload-name2:
- enabled: true
- type: Deployment
- podSpec: {}
- service:
- service-name1:
- enabled: true
- primary: true
- type: ClusterIP
- ports:
- port-name:
- enabled: true
- primary: true
- port: 80
- service-name2:
- enabled: true
- type: ClusterIP
- ports:
- port-name:
- enabled: true
- primary: true
- port: 53
- service-name3:
- enabled: true
- type: ClusterIP
- targetSelector: workload-name2
- ports:
- port-name:
- enabled: true
- primary: true
- port: 443
- asserts:
- - documentIndex: *deploymentDoc
- isKind:
- of: Deployment
- - documentIndex: *deploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 1001
- fsGroupChangePolicy: Always
- supplementalGroups:
- - 1002
- - 1003
- sysctls:
- - name: some_name
- value: "2"
- - name: some_other_name
- value: "some_different_value"
- - name: net.ipv4.ip_unprivileged_port_start
- value: "53"
- - documentIndex: &otherdeploymentDoc 1
- isKind:
- of: Deployment
- - documentIndex: *otherdeploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups: []
- sysctls:
- - name: net.ipv4.ip_unprivileged_port_start
- value: "443"
- - it: should pass with no sysctls port_start automatically appended based on services when port is higher than 1024
- set:
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec: {}
- service:
- service-name1:
- enabled: true
- primary: true
- type: ClusterIP
- ports:
- port-name:
- enabled: true
- primary: true
- port: 25000
- targetPort: 3000
- asserts:
- - documentIndex: &deploymentDoc 0
- isKind:
- of: Deployment
- - documentIndex: *deploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups: []
- sysctls: []
- - it: should pass with with gpu assigned to primary pod
- set:
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec:
- securityContext:
- supplementalGroups:
- - 1000
- workload-name2:
- enabled: true
- primary: false
- type: Deployment
- podSpec: {}
- scaleGPU:
- - gpu:
- nvidia: "1"
- asserts:
- - documentIndex: &deploymentDoc 0
- isKind:
- of: Deployment
- - documentIndex: *deploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 1000
- - 44
- sysctls: []
- - documentIndex: &otherDeploymentDoc 1
- isKind:
- of: Deployment
- - documentIndex: *otherDeploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups: []
- sysctls: []
- - it: should pass with with gpu assigned to specific pod
- set:
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec:
- securityContext:
- supplementalGroups:
- - 1000
- workload-name2:
- enabled: true
- primary: false
- type: Deployment
- podSpec: {}
- scaleGPU:
- - gpu:
- nvidia: "1"
- targetSelector:
- workload-name1:
- - container-name1
- asserts:
- - documentIndex: &deploymentDoc 0
- isKind:
- of: Deployment
- - documentIndex: *deploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 1000
- - 44
- sysctls: []
- - documentIndex: &otherDeploymentDoc 1
- isKind:
- of: Deployment
- - documentIndex: *otherDeploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups: []
- sysctls: []
- - it: should pass with with gpu assigned to multiple pod
- set:
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec:
- securityContext:
- supplementalGroups:
- - 1000
- workload-name2:
- enabled: true
- primary: false
- type: Deployment
- podSpec: {}
- scaleGPU:
- - gpu:
- nvidia: "1"
- targetSelector:
- workload-name1:
- - container-name1
- workload-name2:
- - container-name1
- asserts:
- - documentIndex: &deploymentDoc 0
- isKind:
- of: Deployment
- - documentIndex: *deploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 1000
- - 44
- sysctls: []
- - documentIndex: &otherDeploymentDoc 1
- isKind:
- of: Deployment
- - documentIndex: *otherDeploymentDoc
- equal:
- path: spec.template.spec.securityContext
- value:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 44
- sysctls: []
- # Failures
- - it: should fail with empty securityContext from "global"
- set:
- securityContext:
- pod: null
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec: {}
- asserts:
- - failedTemplate:
- errorMessage: Pod - Expected non-empty <.Values.securityContext.pod>
- - it: should fail with empty fsGroup
- set:
- securityContext:
- pod:
- fsGroup: ""
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec: {}
- asserts:
- - failedTemplate:
- errorMessage: Pod - Expected non-empty <fsGroup>
- - it: should fail with empty fsGroupChangePolicy
- set:
- securityContext:
- pod:
- fsGroup: 568
- fsGroupChangePolicy: ""
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec: {}
- asserts:
- - failedTemplate:
- errorMessage: Pod - Expected non-empty <fsGroupChangePolicy>
- - it: should fail with invalid fsGroupChangePolicy
- set:
- securityContext:
- pod:
- fsGroup: 568
- fsGroupChangePolicy: invalid
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec: {}
- asserts:
- - failedTemplate:
- errorMessage: Pod - Expected <fsGroupChangePolicy> to be one of [Always, OnRootMismatch], but got [invalid]
- - it: should fail with empty name in sysctls
- set:
- securityContext:
- pod:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- sysctls:
- - name: ""
- value: "some_value"
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec: {}
- asserts:
- - failedTemplate:
- errorMessage: Pod - Expected non-empty <name> in <sysctls>
- - it: should fail with empty value in sysctls
- set:
- securityContext:
- pod:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- sysctls:
- - name: some_name
- value: ""
- workload:
- workload-name1:
- enabled: true
- primary: true
- type: Deployment
- podSpec: {}
- asserts:
- - failedTemplate:
- errorMessage: Pod - Expected non-empty <value> in <sysctls>
|
