react to changes
p0lyn0mial committed Aug 30, 2019
1 parent 5c18d0a commit 1825e53
Showing 5 changed files with 33 additions and 32 deletions.
47 changes: 24 additions & 23 deletions pkg/admission/imagepolicy/imagepolicy_test.go
Expand Up @@ -151,7 +151,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql:latest"}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err != nil {
t.Fatal(err)
Expand All @@ -165,7 +165,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + goodSHA}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil,false, nil,
)
if err := plugin.Admit(attrs, nil); err != nil {
t.Fatal(err)
Expand All @@ -179,7 +179,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "integrated.registry/repo/mysql@" + goodSHA}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err != nil {
t.Fatal(err)
Expand All @@ -193,7 +193,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "integrated.registry/repo/mysql:missingtag"}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err != nil {
t.Fatal(err)
Expand All @@ -207,7 +207,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "integrated.registry/repo/mysql:goodtag"}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err != nil {
t.Fatal(err)
Expand All @@ -221,7 +221,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "integrated.registry/repo/mysql:badtag"}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
t.Logf("%#v", plugin.accepter)
if err := plugin.Admit(attrs, nil); err == nil || !kerrors.IsInvalid(err) {
Expand All @@ -236,7 +236,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + badSHA}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err == nil || !kerrors.IsInvalid(err) {
t.Fatal(err)
Expand All @@ -250,7 +250,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{InitContainers: []kapi.Container{{Image: "index.docker.io/mysql@" + badSHA}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err == nil || !kerrors.IsInvalid(err) {
t.Fatal(err)
Expand All @@ -265,7 +265,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + goodSHA}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err != nil {
t.Fatal(err)
Expand All @@ -280,7 +280,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + goodSHA}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err == nil || !kerrors.IsInvalid(err) {
t.Fatal(err)
Expand All @@ -303,7 +303,7 @@ func TestDefaultPolicy(t *testing.T) {
&kapi.Pod{Spec: kapi.PodSpec{Containers: []kapi.Container{{Image: "index.docker.io/mysql@" + goodSHA}}}},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := plugin.Admit(attrs, nil); err != nil {
t.Fatal(err)
Expand All @@ -328,7 +328,7 @@ func TestAdmissionWithoutPodSpec(t *testing.T) {
&kapi.Node{},
nil, schema.GroupVersionKind{Version: "v1", Kind: "Node"},
"", "node1", schema.GroupVersionResource{Version: "v1", Resource: "nodes"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := p.Admit(attrs, nil); !kerrors.IsForbidden(err) || !strings.Contains(err.Error(), "No list of images available for this object") {
t.Fatal(err)
Expand Down Expand Up @@ -389,6 +389,7 @@ func TestAdmissionResolution(t *testing.T) {
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create,
nil,
false,
nil,
)
Expand All @@ -411,7 +412,7 @@ func TestAdmissionResolution(t *testing.T) {
pod,
nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
)
if err := p.Admit(attrs, nil); err != nil {
t.Logf("object: %#v", attrs.GetObject())
Expand Down Expand Up @@ -484,7 +485,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
},
{
Expand All @@ -502,7 +503,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &kapi.Pod{
Expand All @@ -528,7 +529,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod"},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &kapi.Pod{
Expand Down Expand Up @@ -558,7 +559,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "Pod", Group: ""},
"default", "pod1", schema.GroupVersionResource{Version: "v1", Resource: "pods", Group: ""},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &kapi.Pod{
Expand Down Expand Up @@ -592,7 +593,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"},
"default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &apps.ReplicaSet{
Expand Down Expand Up @@ -629,7 +630,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"},
"default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &apps.ReplicaSet{
Expand Down Expand Up @@ -668,7 +669,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"},
"default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &apps.ReplicaSet{
Expand Down Expand Up @@ -718,7 +719,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"},
"default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &apps.ReplicaSet{
Expand Down Expand Up @@ -767,7 +768,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"},
"default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &apps.ReplicaSet{
Expand Down Expand Up @@ -816,7 +817,7 @@ func TestAdmissionResolveImages(t *testing.T) {
},
}, nil, schema.GroupVersionKind{Version: "v1", Kind: "ReplicaSet", Group: "extensions"},
"default", "rs1", schema.GroupVersionResource{Version: "v1", Resource: "replicasets", Group: "extensions"},
"", admission.Create, false, nil,
"", admission.Create, nil, false, nil,
),
admit: true,
expect: &apps.ReplicaSet{
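Review bot: In the TestDefaultPolicy hunk at old line 165 the updated argument line reads `"", admission.Create, nil,false, nil,`, with no space after the comma, so it is not gofmt-clean; it should match the other call sites, `"", admission.Create, nil, false, nil,`. Separately, every call in this file now ends in three positional arguments `nil, false, nil` whose meaning is not visible at the call site. A short comment on one representative call, for example `// operation options, dryRun, userInfo`, would make the new slot readable. The enclosing test functions start and end outside these hunks.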
2 changes: 1 addition & 1 deletion pkg/admission/quota/clusterresourcequota/accessor.go
Expand Up @@ -9,7 +9,7 @@ import (
"k8s.io/apimachinery/pkg/api/equality"
kapierrors "k8s.io/apimachinery/pkg/api/errors"
utilwait "k8s.io/apimachinery/pkg/util/wait"
//etcd "k8s.io/apiserver/pkg/storage/etcd"
etcd "k8s.io/apiserver/pkg/storage/etcd3"
corev1listers "k8s.io/client-go/listers/core/v1"
utilquota "k8s.io/kubernetes/pkg/quota/v1"

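Review bot: The import of `k8s.io/apiserver/pkg/storage/etcd3` is bound to the alias `etcd`, so call sites outside this hunk keep reading as if they still used the old `storage/etcd` package. Assuming the etcd3 line is the new side, either drop the alias and change the call sites to `etcd3.`, or add a comment on the import explaining why the old name is kept. The identifiers referenced through the alias are not visible here, so confirm each one is exported by etcd3 with the same error-interpretation semantics the quota accessor relies on.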
12 changes: 6 additions & 6 deletions pkg/securitycontextconstraints/sccadmission/admission_test.go
Expand Up @@ -59,7 +59,7 @@ func newTestAdmission(lister securityv1listers.SecurityContextConstraintsLister,
func TestFailClosedOnInvalidPod(t *testing.T) {
plugin := newTestAdmission(nil, nil, nil)
pod := &corev1.Pod{}
attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{})
attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, &user.DefaultInfo{})
err := plugin.(admission.MutationInterface).Admit(attrs, nil)

if err == nil {
Expand Down Expand Up @@ -189,7 +189,7 @@ func testSCCAdmit(testCaseName string, sccs []*securityv1.SecurityContextConstra
testAuthorizer := &sccTestAuthorizer{t: t}
plugin := newTestAdmission(lister, tc, testAuthorizer)

attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{})
attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, &user.DefaultInfo{})
err := plugin.(admission.MutationInterface).Admit(attrs, nil)
if shouldPass && err != nil {
t.Errorf("%s expected no mutating admission errors but received %v", testCaseName, err)
Expand Down Expand Up @@ -426,7 +426,7 @@ func TestAdmitFailure(t *testing.T) {
for i := 0; i < 2; i++ {
for k, v := range testCases {
v.pod.Spec.Containers, v.pod.Spec.InitContainers = v.pod.Spec.InitContainers, v.pod.Spec.Containers
attrs := admission.NewAttributesRecord(v.pod, nil, coreapi.Kind("Pod").WithVersion("version"), v.pod.Namespace, v.pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{})
attrs := admission.NewAttributesRecord(v.pod, nil, coreapi.Kind("Pod").WithVersion("version"), v.pod.Namespace, v.pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, &user.DefaultInfo{})
err := p.(admission.MutationInterface).Admit(attrs, nil)

if err == nil {
Expand Down Expand Up @@ -675,7 +675,7 @@ func TestCreateProvidersFromConstraints(t *testing.T) {
scc := v.scc()

// create the providers, this method only needs the namespace
attributes := admission.NewAttributesRecord(nil, nil, coreapi.Kind("Pod").WithVersion("version"), v.namespace.Name, "", coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, nil)
attributes := admission.NewAttributesRecord(nil, nil, coreapi.Kind("Pod").WithVersion("version"), v.namespace.Name, "", coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, nil)
_, errs := sccmatching.CreateProvidersFromConstraints(attributes.GetNamespace(), []*securityv1.SecurityContextConstraints{scc}, tc)

if !reflect.DeepEqual(scc, v.scc()) {
Expand Down Expand Up @@ -1065,7 +1065,7 @@ func TestAdmitPreferNonmutatingWhenPossible(t *testing.T) {
testAuthorizer := &sccTestAuthorizer{t: t}
plugin := newTestAdmission(lister, tc, testAuthorizer)

attrs := admission.NewAttributesRecord(testCase.newPod, testCase.oldPod, coreapi.Kind("Pod").WithVersion("version"), testCase.newPod.Namespace, testCase.newPod.Name, coreapi.Resource("pods").WithVersion("version"), "", testCase.operation, false, &user.DefaultInfo{})
attrs := admission.NewAttributesRecord(testCase.newPod, testCase.oldPod, coreapi.Kind("Pod").WithVersion("version"), testCase.newPod.Namespace, testCase.newPod.Name, coreapi.Resource("pods").WithVersion("version"), "", testCase.operation, nil, false, &user.DefaultInfo{})
err := plugin.(admission.MutationInterface).Admit(attrs, nil)

if testCase.shouldPass {
Expand Down Expand Up @@ -1093,7 +1093,7 @@ func TestAdmitPreferNonmutatingWhenPossible(t *testing.T) {
// SCC. Returns true when errors have been encountered.
func testSCCAdmission(pod *coreapi.Pod, plugin admission.Interface, expectedSCC, testName string, t *testing.T) bool {
t.Helper()
attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, false, &user.DefaultInfo{})
attrs := admission.NewAttributesRecord(pod, nil, coreapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, coreapi.Resource("pods").WithVersion("version"), "", admission.Create, nil, false, &user.DefaultInfo{})
err := plugin.(admission.MutationInterface).Admit(attrs, nil)
if err != nil {
t.Errorf("%s error admitting pod: %v", testName, err)
2 changes: 1 addition & 1 deletion pkg/securitycontextconstraints/sccadmission/scc_exec.go
Expand Up @@ -61,7 +61,7 @@ func (d *sccExecRestrictions) Validate(a admission.Attributes, o admission.Objec

// TODO, if we want to actually limit who can use which service account, then we'll need to add logic here to make sure that
// we're allowed to use the SA the pod is using. Otherwise, user-A creates pod and user-B (who can't use the SA) can exec into it.
createAttributes := admission.NewAttributesRecord(internalPod, nil, coreapi.Kind("Pod").WithVersion(""), a.GetNamespace(), a.GetName(), a.GetResource(), "", admission.Create, false, a.GetUserInfo())
createAttributes := admission.NewAttributesRecord(internalPod, nil, coreapi.Kind("Pod").WithVersion(""), a.GetNamespace(), a.GetName(), a.GetResource(), "", admission.Create, a.GetOperationOptions(), false, a.GetUserInfo())
// call SCC.Admit instead of SCC.Validate because we accept that a different SCC is chosen. SCC.Validate would require
// that the chosen SCC (stored in the "openshift.io/scc" annotation) does not change.
if err := d.constraintAdmission.Admit(createAttributes, o); err != nil {
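Review bot: The synthesized record is still labelled `admission.Create`, but it now carries `a.GetOperationOptions()` from the incoming request. Judging by the type name and the surrounding comments, that request is an exec/attach-style one rather than a create; the operation check itself is outside this hunk. If those options are ever non-nil, a plugin reached through `d.constraintAdmission.Admit` that expects create options would receive an object of a different kind. Consider passing `nil` here, or document the choice with a comment such as `// options come from the original request; only the operation is rewritten to Create so SCC admission re-evaluates the pod for the calling user`. Also, dryRun stays hard-coded to `false` while the options are forwarded, so the two can disagree.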
Expand Up @@ -99,7 +99,7 @@ func TestExecAdmit(t *testing.T) {
p.constraintAdmission.sccLister = cache
p.SetExternalKubeClientSet(tc)

attrs := admission.NewAttributesRecord(nil, nil, coreapi.Kind("Pod").WithVersion("version"), "namespace", "pod-name", coreapi.Resource(v.resource).WithVersion("version"), v.subresource, v.operation, false, &user.DefaultInfo{})
attrs := admission.NewAttributesRecord(nil, nil, coreapi.Kind("Pod").WithVersion("version"), "namespace", "pod-name", coreapi.Resource(v.resource).WithVersion("version"), v.subresource, v.operation, nil, false, &user.DefaultInfo{})
err := p.Validate(attrs, nil)

if v.shouldAdmit && err != nil {
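Review bot: TestExecAdmit still constructs its attributes with `nil` operation options, so the `a.GetOperationOptions()` forwarding that this commit adds to `sccExecRestrictions.Validate` is only ever exercised with a nil value. Adding one table case with non-nil options, and asserting that the admit/deny outcome is unchanged, would pin that the forwarded value cannot alter the SCC decision. The file header for this section is missing from the page, and the test body continues outside the hunk.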
