sundowndev
/
clusterlint
mirror of https://github.com/sundowndev/clusterlint.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #23 from digitalocean/varsha/test-refactor 

Change desc assertion in all tests, rename variables to conform to convention
varsha/versions
Varsha Varadarajan 2019-06-26 09:26:17 -04:00 committed by GitHub
parent 8f324cf6d9 8bacdc73a0
commit 4c228b9a01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 124 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
checks/basic/fully_qualified_image_test.go
View File

@ -11,120 +11,120 @@ import (
func TestFullyQualifiedImageCheckMeta(t *testing.T) {
fullyQualifiedImageCheck := fullyQualifiedImageCheck{}
assert.Equal(t, "fully-qualified-image", fullyQualifiedImageCheck.Name())
assert.Equal(t, "Checks if containers have fully qualified image names", fullyQualifiedImageCheck.Description())
assert.Equal(t, []string{"basic"}, fullyQualifiedImageCheck.Groups())
assert.NotEmpty(t, fullyQualifiedImageCheck.Description())
}
func TestFullyQualifiedImageCheckRegistration(t *testing.T) {
fullyQualifiedImageCheck := &fullyQualifiedImageCheck{}
check, err := checks.Get("fully-qualified-image")
assert.NoError(t, err)
assert.Equal(t, check, fullyQualifiedImageCheck)
assert.Nil(t, err)
}
func TestFullyQualifiedImageWarning(t *testing.T) {
const message = "Use fully qualified image for container 'bar'"
const severity = checks.Warning
scenarios := []struct {
tests := []struct {
name string
arg *kube.Objects
objs *kube.Objects
expected []checks.Diagnostic
}{
{
name: "no pods",
arg: initPod(),
objs: initPod(),
expected: nil,
},
{
name: "pod with container image - k8s.gcr.io/busybox:latest",
arg: container("k8s.gcr.io/busybox:1.2.3"),
objs: container("k8s.gcr.io/busybox:1.2.3"),
expected: nil,
},
{
name: "pod with container image - busybox:latest",
arg: container("busybox:latest"),
objs: container("busybox:latest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - k8s.gcr.io/busybox",
arg: container("k8s.gcr.io/busybox"),
objs: container("k8s.gcr.io/busybox"),
expected: nil,
},
{
name: "pod with container image - busybox",
arg: container("busybox"),
objs: container("busybox"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: container("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: container("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: container("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: container("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: container("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: container("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: container("repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: container("repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - k8s.gcr.io/busybox:latest",
arg: initContainer("k8s.gcr.io/busybox:1.2.3"),
objs: initContainer("k8s.gcr.io/busybox:1.2.3"),
expected: nil,
},
{
name: "pod with container image - busybox:latest",
arg: initContainer("busybox:latest"),
objs: initContainer("busybox:latest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - k8s.gcr.io/busybox",
arg: initContainer("k8s.gcr.io/busybox"),
objs: initContainer("k8s.gcr.io/busybox"),
expected: nil,
},
{
name: "pod with container image - busybox",
arg: initContainer("busybox"),
objs: initContainer("busybox"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: initContainer("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: initContainer("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: initContainer("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: initContainer("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: initContainer("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: initContainer("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: initContainer("repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: initContainer("repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: issues(severity, message, checks.Pod),
},
}
fullyQualifiedImageCheck := fullyQualifiedImageCheck{}
for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) {
d, err := fullyQualifiedImageCheck.Run(scenario.arg)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
d, err := fullyQualifiedImageCheck.Run(test.objs)
assert.NoError(t, err)
assert.ElementsMatch(t, scenario.expected, d)
assert.ElementsMatch(t, test.expected, d)
})
}
}
@ -132,29 +132,29 @@ func TestFullyQualifiedImageWarning(t *testing.T) {
func TestMalformedImageError(t *testing.T) {
const message = "Malformed image name for container 'bar'"
const severity = checks.Error
scenarios := []struct {
tests := []struct {
name string
arg *kube.Objects
objs *kube.Objects
expected []checks.Diagnostic
}{
{
name: "container with image : test:5000/repo/image@sha256:digest",
arg: container("test:5000/repo/image@sha256:digest"),
objs: container("test:5000/repo/image@sha256:digest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "init container with image : test:5000/repo/image@sha256:digest",
arg: initContainer("test:5000/repo/image@sha256:digest"),
objs: initContainer("test:5000/repo/image@sha256:digest"),
expected: issues(severity, message, checks.Pod),
},
}
fullyQualifiedImageCheck := fullyQualifiedImageCheck{}
for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) {
d, err := fullyQualifiedImageCheck.Run(scenario.arg)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
d, err := fullyQualifiedImageCheck.Run(test.objs)
assert.NoError(t, err)
assert.ElementsMatch(t, scenario.expected, d)
assert.ElementsMatch(t, test.expected, d)
})
}
}

24
checks/basic/hostpath_test.go
View File

@ -12,43 +12,43 @@ import (
func TestHostpathCheckMeta(t *testing.T) {
hostPathCheck := hostPathCheck{}
assert.Equal(t, "hostpath-volume", hostPathCheck.Name())
assert.Equal(t, "Check if there are pods using hostpath volumes", hostPathCheck.Description())
assert.Equal(t, []string{"basic"}, hostPathCheck.Groups())
assert.NotEmpty(t, hostPathCheck.Description())
}
func TestHostpathCheckRegistration(t *testing.T) {
hostPathCheck := &hostPathCheck{}
check, err := checks.Get("hostpath-volume")
assert.NoError(t, err)
assert.Equal(t, check, hostPathCheck)
assert.Nil(t, err)
}
func TestHostpathVolumeError(t *testing.T) {
scenarios := []struct {
tests := []struct {
name string
arg *kube.Objects
objs *kube.Objects
expected []checks.Diagnostic
}{
{
name: "no pods",
arg: initPod(),
objs: initPod(),
expected: nil,
},
{
name: "pod with no volumes",
arg: container("docker.io/nginx:foo"),
objs: container("docker.io/nginx:foo"),
expected: nil,
},
{
name: "pod with other volume",
arg: volume(corev1.VolumeSource{
objs: volume(corev1.VolumeSource{
GitRepo: &corev1.GitRepoVolumeSource{Repository: "boo"},
}),
expected: nil,
},
{
name: "pod with hostpath volume",
arg: volume(corev1.VolumeSource{
objs: volume(corev1.VolumeSource{
HostPath: &corev1.HostPathVolumeSource{Path: "/tmp"},
}),
expected: []checks.Diagnostic{
@ -65,11 +65,11 @@ func TestHostpathVolumeError(t *testing.T) {
hostPathCheck := hostPathCheck{}
for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) {
d, err := hostPathCheck.Run(scenario.arg)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
d, err := hostPathCheck.Run(test.objs)
assert.NoError(t, err)
assert.ElementsMatch(t, scenario.expected, d)
assert.ElementsMatch(t, test.expected, d)
})
}
}

58
checks/basic/latest_tag_test.go
View File

@ -11,141 +11,141 @@ import (
func TestLatestTagCheckMeta(t *testing.T) {
latestTagCheck := latestTagCheck{}
assert.Equal(t, "latest-tag", latestTagCheck.Name())
assert.Equal(t, "Checks if there are pods with container images having latest tag", latestTagCheck.Description())
assert.Equal(t, []string{"basic"}, latestTagCheck.Groups())
assert.NotEmpty(t, latestTagCheck.Description())
}
func TestLatestTagCheckRegistration(t *testing.T) {
latestTagCheck := &latestTagCheck{}
check, err := checks.Get("latest-tag")
assert.NoError(t, err)
assert.Equal(t, check, latestTagCheck)
assert.Nil(t, err)
}
func TestLatestTagWarning(t *testing.T) {
const message = "Avoid using latest tag for container 'bar'"
const severity = checks.Warning
scenarios := []struct {
tests := []struct {
name string
arg *kube.Objects
objs *kube.Objects
expected []checks.Diagnostic
}{
{
name: "no pods",
arg: initPod(),
objs: initPod(),
expected: nil,
},
{
name: "pod with container image - k8s.gcr.io/busybox:latest",
arg: container("k8s.gcr.io/busybox:latest"),
objs: container("k8s.gcr.io/busybox:latest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - busybox:latest",
arg: container("busybox:latest"),
objs: container("busybox:latest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - k8s.gcr.io/busybox",
arg: container("k8s.gcr.io/busybox"),
objs: container("k8s.gcr.io/busybox"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - busybox",
arg: container("busybox"),
objs: container("busybox"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - private:5000/busybox",
arg: container("private:5000/repo/busybox"),
objs: container("private:5000/repo/busybox"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - private:5000/busybox:latest",
arg: container("private:5000/repo/busybox:latest"),
objs: container("private:5000/repo/busybox:latest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - test:5000/repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: container("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: container("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: container("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: container("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - test:5000/repo:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: container("test:5000/repo:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: container("test:5000/repo:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - busybox:v1.2.3",
arg: container("busybox:v1.2.3"),
objs: container("busybox:v1.2.3"),
expected: nil,
},
{
name: "pod with init container image - k8s.gcr.io/busybox:latest",
arg: initContainer("k8s.gcr.io/busybox:latest"),
objs: initContainer("k8s.gcr.io/busybox:latest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with init container image - busybox:latest",
arg: initContainer("busybox:latest"),
objs: initContainer("busybox:latest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with init container image - k8s.gcr.io/busybox",
arg: initContainer("k8s.gcr.io/busybox"),
objs: initContainer("k8s.gcr.io/busybox"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with init container image - busybox",
arg: initContainer("busybox"),
objs: initContainer("busybox"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - private:5000/busybox",
arg: container("private:5000/repo/busybox"),
objs: container("private:5000/repo/busybox"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - private:5000/busybox:latest",
arg: container("private:5000/repo/busybox:latest"),
objs: container("private:5000/repo/busybox:latest"),
expected: issues(severity, message, checks.Pod),
},
{
name: "pod with container image - test:5000/repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: initContainer("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: initContainer("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - test:5000/repo:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: initContainer("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: initContainer("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with container image - repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
arg: initContainer("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
objs: initContainer("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
expected: nil,
},
{
name: "pod with init container image - busybox:v1.2.3",
arg: initContainer("busybox:v1.2.3"),
objs: initContainer("busybox:v1.2.3"),
expected: nil,
},
}
latestTagCheck := latestTagCheck{}
for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) {
d, err := latestTagCheck.Run(scenario.arg)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
d, err := latestTagCheck.Run(test.objs)
assert.NoError(t, err)
assert.ElementsMatch(t, scenario.expected, d)
assert.ElementsMatch(t, test.expected, d)
})
}
}

16
checks/basic/namespace_test.go
View File

@ -13,21 +13,21 @@ import (
func TestNamespaceCheckMeta(t *testing.T) {
defaultNamespaceCheck := defaultNamespaceCheck{}
assert.Equal(t, "default-namespace", defaultNamespaceCheck.Name())
assert.Equal(t, "Checks if there are any user created k8s objects in the default namespace.", defaultNamespaceCheck.Description())
assert.Equal(t, []string{"basic"}, defaultNamespaceCheck.Groups())
assert.NotEmpty(t, defaultNamespaceCheck.Description())
}
func TestNamespaceCheckRegistration(t *testing.T) {
defaultNamespaceCheck := &defaultNamespaceCheck{}
check, err := checks.Get("default-namespace")
assert.NoError(t, err)
assert.Equal(t, check, defaultNamespaceCheck)
assert.Nil(t, err)
}
func TestNamespaceWarning(t *testing.T) {
scenarios := []struct {
tests := []struct {
name string
arg *kube.Objects
objs *kube.Objects
expected []checks.Diagnostic
}{
{"no objects in cluster", empty(), nil},
@ -36,11 +36,11 @@ func TestNamespaceWarning(t *testing.T) {
namespace := defaultNamespaceCheck{}
for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) {
d, err := namespace.Run(scenario.arg)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
d, err := namespace.Run(test.objs)
assert.NoError(t, err)
assert.ElementsMatch(t, scenario.expected, d)
assert.ElementsMatch(t, test.expected, d)
})
}
}

28
checks/basic/pod_status_test.go
View File

@ -12,46 +12,46 @@ import (
func TestMeta(t *testing.T) {
podStatusCheck := podStatusCheck{}
assert.Equal(t, "pod-state", podStatusCheck.Name())
assert.Equal(t, "Check if there are unhealthy pods in the cluster", podStatusCheck.Description())
assert.Equal(t, []string{"workload-health"}, podStatusCheck.Groups())
assert.NotEmpty(t, podStatusCheck.Description())
}
func TestPodStateCheckRegistration(t *testing.T) {
podStatusCheck := &podStatusCheck{}
check, err := checks.Get("pod-state")
assert.NoError(t, err)
assert.Equal(t, check, podStatusCheck)
assert.Nil(t, err)
}
func TestPodStateError(t *testing.T) {
scenarios := []struct {
tests := []struct {
name string
arg *kube.Objects
objs *kube.Objects
expected []checks.Diagnostic
}{
{
name: "no pods",
arg: initPod(),
objs: initPod(),
expected: nil,
},
{
name: "pod with running status",
arg: status(corev1.PodRunning),
objs: status(corev1.PodRunning),
expected: nil,
},
{
name: "pod with pending status",
arg: status(corev1.PodPending),
objs: status(corev1.PodPending),
expected: nil,
},
{
name: "pod with succeeded status",
arg: status(corev1.PodSucceeded),
objs: status(corev1.PodSucceeded),
expected: nil,
},
{
name: "pod with failed status",
arg: status(corev1.PodFailed),
objs: status(corev1.PodFailed),
expected: []checks.Diagnostic{
{
Severity: checks.Warning,
@ -64,7 +64,7 @@ func TestPodStateError(t *testing.T) {
},
{
name: "pod with unknown status",
arg: status(corev1.PodUnknown),
objs: status(corev1.PodUnknown),
expected: []checks.Diagnostic{
{
Severity: checks.Warning,
@ -79,11 +79,11 @@ func TestPodStateError(t *testing.T) {
podStatusCheck := podStatusCheck{}
for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) {
d, err := podStatusCheck.Run(scenario.arg)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
d, err := podStatusCheck.Run(test.objs)
assert.NoError(t, err)
assert.ElementsMatch(t, scenario.expected, d)
assert.ElementsMatch(t, test.expected, d)
})
}
}

20
checks/doks/node_name_pod_selector_test.go
View File

@ -13,42 +13,42 @@ import (
func TestPodSelectorCheckMeta(t *testing.T) {
podSelectorCheck := podSelectorCheck{}
assert.Equal(t, "node-name-pod-selector", podSelectorCheck.Name())
assert.Equal(t, "Checks if there are pods which use kubernetes.io/hostname label in the node selector.", podSelectorCheck.Description())
assert.Equal(t, []string{"doks"}, podSelectorCheck.Groups())
assert.NotEmpty(t, podSelectorCheck.Description())
}
func TestPodSelectorCheckRegistration(t *testing.T) {
podSelectorCheck := &podSelectorCheck{}
check, err := checks.Get("node-name-pod-selector")
assert.NoError(t, err)
assert.Equal(t, check, podSelectorCheck)
assert.Nil(t, err)
}
func TestNodeNameError(t *testing.T) {
scenarios := []struct {
tests := []struct {
name string
arg *kube.Objects
objs *kube.Objects
expected []checks.Diagnostic
}{
{
name: "no node name selector",
arg: empty(),
objs: empty(),
expected: nil,
},
{
name: "node name used in node selector",
arg: invalidPod(),
objs: invalidPod(),
expected: errors(invalidPod()),
},
}
podSelectorCheck := podSelectorCheck{}
for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) {
d, err := podSelectorCheck.Run(scenario.arg)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
d, err := podSelectorCheck.Run(test.objs)
assert.NoError(t, err)
assert.ElementsMatch(t, scenario.expected, d)
assert.ElementsMatch(t, test.expected, d)
})
}
}

36
checks/security/privileged_containers_test.go
View File

@ -13,77 +13,77 @@ import (
func TestPrivilegedContainersCheckMeta(t *testing.T) {
privilegedContainerCheck := privilegedContainerCheck{}
assert.Equal(t, "privileged-containers", privilegedContainerCheck.Name())
assert.Equal(t, "Checks if there are pods with containers in privileged mode", privilegedContainerCheck.Description())
assert.Equal(t, []string{"security"}, privilegedContainerCheck.Groups())
assert.NotEmpty(t, privilegedContainerCheck.Description())
}
func TestPrivilegedContainersCheckRegistration(t *testing.T) {
privilegedContainerCheck := &privilegedContainerCheck{}
check, err := checks.Get("privileged-containers")
assert.NoError(t, err)
assert.Equal(t, check, privilegedContainerCheck)
assert.Nil(t, err)
}
func TestPrivilegedContainerWarning(t *testing.T) {
scenarios := []struct {
tests := []struct {
name string
arg *kube.Objects
objs *kube.Objects
expected []checks.Diagnostic
}{
{
name: "no pods",
arg: initPod(),
objs: initPod(),
expected: nil,
},
{
name: "pod with container in privileged mode",
arg: container(true),
objs: container(true),
expected: warnings(container(true)),
},
{
name: "pod with container.SecurityContext = nil",
arg: containerSecurityContextNil(),
objs: containerSecurityContextNil(),
expected: nil,
},
{
name: "pod with container.SecurityContext.Privileged = nil",
arg: containerPrivilegedNil(),
objs: containerPrivilegedNil(),
expected: nil,
},
{
name: "pod with container in regular mode",
arg: container(false),
objs: container(false),
expected: nil,
},
{
name: "pod with init container in privileged mode",
arg: initContainer(true),
objs: initContainer(true),
expected: warnings(initContainer(true)),
},
{
name: "pod with initContainer.SecurityContext = nil",
arg: initContainerSecurityContextNil(),
objs: initContainerSecurityContextNil(),
expected: nil,
},
{
name: "pod with initContainer.SecurityContext.Privileged = nil",
arg: initContainerPrivilegedNil(),
objs: initContainerPrivilegedNil(),
expected: nil,
},
{
name: "pod with init container in regular mode",
arg: initContainer(false),
objs: initContainer(false),
expected: nil,
},
}
privilegedContainerCheck := privilegedContainerCheck{}
for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) {
d, err := privilegedContainerCheck.Run(scenario.arg)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
d, err := privilegedContainerCheck.Run(test.objs)
assert.NoError(t, err)
assert.ElementsMatch(t, scenario.expected, d)
assert.ElementsMatch(t, test.expected, d)
})
}
}
@ -177,7 +177,7 @@ func warnings(objs *kube.Objects) []checks.Diagnostic {
d := []checks.Diagnostic{
{
Severity: checks.Warning,
Message: "Privileged container '%bar' found. Please ensure that the image is from a trusted source.",
Message: "Privileged container 'bar' found. Please ensure that the image is from a trusted source.",
Kind: checks.Pod,
Object: &pod.ObjectMeta,
Owners: pod.ObjectMeta.GetOwnerReferences(),