package watch
import (
"encoding/json"
"github.com/golang/mock/gomock"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
"github.com/onsi/gomega/types"
k8sv1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
k8sruntime "k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/kubernetes/fake"
"k8s.io/client-go/testing"
"k8s.io/client-go/tools/cache"
"kubevirt.io/client-go/kubecli"
)
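// The PSA suite exercises escalateNamespace: the namespace found in the store
// is patched so that its PSA enforce label (PSALabel) is "privileged"; on
// OpenShift the patch additionally sets OpenshiftPSAsync to "false". A namespace
// whose enforce label is already "privileged" must not be patched at all.
var _ = Describe("PSA", func() {
	const nsName = "test"

	var (
		namespaceStore cache.Store
		client         *kubecli.MockKubevirtClient
		kubeClient     *fake.Clientset
		ctrl           *gomock.Controller
		notOnOpenshift = false
	)

	// newNamespace builds the namespace object placed in the informer store;
	// labels may be nil for an unlabelled namespace.
	newNamespace := func(labels map[string]string) *k8sv1.Namespace {
		return &k8sv1.Namespace{
			TypeMeta: metav1.TypeMeta{Kind: "Namespace"},
			ObjectMeta: metav1.ObjectMeta{
				Name:   nsName,
				Labels: labels,
			},
		}
	}

	BeforeEach(func() {
		namespaceStore = cache.NewStore(cache.DeletionHandlingMetaNamespaceKeyFunc)
		ctrl = gomock.NewController(GinkgoT())
		client = kubecli.NewMockKubevirtClient(ctrl)
		kubeClient = fake.NewSimpleClientset()
		// escalateNamespace reaches the fake clientset through the mocked CoreV1().
		client.EXPECT().CoreV1().Return(kubeClient.CoreV1()).AnyTimes()
	})

	Context("should patch namespace with enforce level", func() {
		var (
			onOpenshift          = true
			psaLabels            = HaveKeyWithValue(PSALabel, "privileged")
			psaLabelsOnOpenshift = And(HaveKeyWithValue(PSALabel, "privileged"), HaveKeyWithValue(OpenshiftPSAsync, "false"))
		)

		// expectLabels intercepts the namespace patch, verifies the labels it
		// carries and returns a flag recording whether a patch was issued at all,
		// so a test cannot pass merely because escalateNamespace did nothing.
		expectLabels := func(expectedLabels types.GomegaMatcher) *bool {
			patched := false
			kubeClient.Fake.PrependReactor("patch", "namespaces",
				func(action testing.Action) (handled bool, obj k8sruntime.Object, err error) {
					patchAction, ok := action.(testing.PatchAction)
					Expect(ok).To(BeTrue())
					patchBytes := patchAction.GetPatch()
					// The patch body is decoded as a partial Namespace to get at its labels.
					namespace := &k8sv1.Namespace{}
					Expect(json.Unmarshal(patchBytes, namespace)).To(Succeed(), string(patchBytes))
					Expect(namespace.Labels).To(expectedLabels)
					patched = true
					return true, nil, nil
				})
			return &patched
		}

		// expectEscalation runs the function under test against a namespace
		// carrying the given labels and asserts that the expected patch was sent.
		expectEscalation := func(labels map[string]string, expectedLabels types.GomegaMatcher, onOpenshift bool) {
			patched := expectLabels(expectedLabels)
			Expect(namespaceStore.Add(newNamespace(labels))).NotTo(HaveOccurred())
			Expect(escalateNamespace(namespaceStore, client, nsName, onOpenshift)).To(Succeed())
			Expect(*patched).To(BeTrue(), "expected the namespace to be patched")
		}

		DescribeTable("when label is missing", func(expectedLabels types.GomegaMatcher, onOpenshift bool) {
			expectEscalation(nil, expectedLabels, onOpenshift)
		},
			Entry("on plain Kubernetes", psaLabels, notOnOpenshift),
			Entry("on Openshift", psaLabelsOnOpenshift, onOpenshift),
		)

		DescribeTable("when enforce label is not privileged", func(expectedLabels types.GomegaMatcher, onOpenshift bool) {
			expectEscalation(map[string]string{PSALabel: "restricted"}, expectedLabels, onOpenshift)
		},
			Entry("on plain Kubernetes", psaLabels, notOnOpenshift),
			Entry("on Openshift", psaLabelsOnOpenshift, onOpenshift),
		)
	})

	It("should not patch namespace when enforce label is set to privileged", func() {
		Expect(namespaceStore.Add(newNamespace(map[string]string{PSALabel: "privileged"}))).NotTo(HaveOccurred())
		// Any patch reaching the fake clientset is a failure: the label is already
		// at the requested level, so no API write should happen.
		kubeClient.Fake.PrependReactor("patch", "namespaces",
			func(action testing.Action) (handled bool, obj k8sruntime.Object, err error) {
				Fail("patch of namespaces is not expected")
				return true, nil, nil
			})
		Expect(escalateNamespace(namespaceStore, client, nsName, notOnOpenshift)).To(Succeed())
	})
})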