From 8bacdc73a05c427e9a0b20f4ab95ebd35eb60146 Mon Sep 17 00:00:00 2001 From: Varsha Varadarajan Date: Wed, 26 Jun 2019 09:25:07 -0400 Subject: [PATCH] Change desc assertion in all tests, rename variables to conform to convention --- checks/basic/fully_qualified_image_test.go | 66 +++++++++---------- checks/basic/hostpath_test.go | 24 +++---- checks/basic/latest_tag_test.go | 58 ++++++++-------- checks/basic/namespace_test.go | 16 ++--- checks/basic/pod_status_test.go | 28 ++++---- checks/doks/node_name_pod_selector_test.go | 20 +++--- checks/security/privileged_containers_test.go | 36 +++++----- 7 files changed, 124 insertions(+), 124 deletions(-) diff --git a/checks/basic/fully_qualified_image_test.go b/checks/basic/fully_qualified_image_test.go index 2ffb62c..67f4461 100644 --- a/checks/basic/fully_qualified_image_test.go +++ b/checks/basic/fully_qualified_image_test.go @@ -11,120 +11,120 @@ import ( func TestFullyQualifiedImageCheckMeta(t *testing.T) { fullyQualifiedImageCheck := fullyQualifiedImageCheck{} assert.Equal(t, "fully-qualified-image", fullyQualifiedImageCheck.Name()) - assert.Equal(t, "Checks if containers have fully qualified image names", fullyQualifiedImageCheck.Description()) assert.Equal(t, []string{"basic"}, fullyQualifiedImageCheck.Groups()) + assert.NotEmpty(t, fullyQualifiedImageCheck.Description()) } func TestFullyQualifiedImageCheckRegistration(t *testing.T) { fullyQualifiedImageCheck := &fullyQualifiedImageCheck{} check, err := checks.Get("fully-qualified-image") + assert.NoError(t, err) assert.Equal(t, check, fullyQualifiedImageCheck) - assert.Nil(t, err) } func TestFullyQualifiedImageWarning(t *testing.T) { const message = "Use fully qualified image for container 'bar'" const severity = checks.Warning - scenarios := []struct { + tests := []struct { name string - arg *kube.Objects + objs *kube.Objects expected []checks.Diagnostic }{ { name: "no pods", - arg: initPod(), + objs: initPod(), expected: nil, }, { name: "pod with container image - k8s.gcr.io/busybox:latest", - arg: container("k8s.gcr.io/busybox:1.2.3"), + objs: container("k8s.gcr.io/busybox:1.2.3"), expected: nil, }, { name: "pod with container image - busybox:latest", - arg: container("busybox:latest"), + objs: container("busybox:latest"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - k8s.gcr.io/busybox", - arg: container("k8s.gcr.io/busybox"), + objs: container("k8s.gcr.io/busybox"), expected: nil, }, { name: "pod with container image - busybox", - arg: container("busybox"), + objs: container("busybox"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: container("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: container("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: container("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: container("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: container("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: container("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: container("repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: container("repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - k8s.gcr.io/busybox:latest", - arg: initContainer("k8s.gcr.io/busybox:1.2.3"), + objs: initContainer("k8s.gcr.io/busybox:1.2.3"), expected: nil, }, { name: "pod with container image - busybox:latest", - arg: initContainer("busybox:latest"), + objs: initContainer("busybox:latest"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - k8s.gcr.io/busybox", - arg: initContainer("k8s.gcr.io/busybox"), + objs: initContainer("k8s.gcr.io/busybox"), expected: nil, }, { name: "pod with container image - busybox", - arg: initContainer("busybox"), + objs: initContainer("busybox"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: initContainer("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: initContainer("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: initContainer("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: initContainer("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: initContainer("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: initContainer("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: initContainer("repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: initContainer("repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: issues(severity, message, checks.Pod), }, } fullyQualifiedImageCheck := fullyQualifiedImageCheck{} - for _, scenario := range scenarios { - t.Run(scenario.name, func(t *testing.T) { - d, err := fullyQualifiedImageCheck.Run(scenario.arg) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d, err := fullyQualifiedImageCheck.Run(test.objs) assert.NoError(t, err) - assert.ElementsMatch(t, scenario.expected, d) + assert.ElementsMatch(t, test.expected, d) }) } } @@ -132,29 +132,29 @@ func TestFullyQualifiedImageWarning(t *testing.T) { func TestMalformedImageError(t *testing.T) { const message = "Malformed image name for container 'bar'" const severity = checks.Error - scenarios := []struct { + tests := []struct { name string - arg *kube.Objects + objs *kube.Objects expected []checks.Diagnostic }{ { name: "container with image : test:5000/repo/image@sha256:digest", - arg: container("test:5000/repo/image@sha256:digest"), + objs: container("test:5000/repo/image@sha256:digest"), expected: issues(severity, message, checks.Pod), }, { name: "init container with image : test:5000/repo/image@sha256:digest", - arg: initContainer("test:5000/repo/image@sha256:digest"), + objs: initContainer("test:5000/repo/image@sha256:digest"), expected: issues(severity, message, checks.Pod), }, } fullyQualifiedImageCheck := fullyQualifiedImageCheck{} - for _, scenario := range scenarios { - t.Run(scenario.name, func(t *testing.T) { - d, err := fullyQualifiedImageCheck.Run(scenario.arg) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d, err := fullyQualifiedImageCheck.Run(test.objs) assert.NoError(t, err) - assert.ElementsMatch(t, scenario.expected, d) + assert.ElementsMatch(t, test.expected, d) }) } } diff --git a/checks/basic/hostpath_test.go b/checks/basic/hostpath_test.go index 4735cc5..bcc5b23 100644 --- a/checks/basic/hostpath_test.go +++ b/checks/basic/hostpath_test.go @@ -12,43 +12,43 @@ import ( func TestHostpathCheckMeta(t *testing.T) { hostPathCheck := hostPathCheck{} assert.Equal(t, "hostpath-volume", hostPathCheck.Name()) - assert.Equal(t, "Check if there are pods using hostpath volumes", hostPathCheck.Description()) assert.Equal(t, []string{"basic"}, hostPathCheck.Groups()) + assert.NotEmpty(t, hostPathCheck.Description()) } func TestHostpathCheckRegistration(t *testing.T) { hostPathCheck := &hostPathCheck{} check, err := checks.Get("hostpath-volume") + assert.NoError(t, err) assert.Equal(t, check, hostPathCheck) - assert.Nil(t, err) } func TestHostpathVolumeError(t *testing.T) { - scenarios := []struct { + tests := []struct { name string - arg *kube.Objects + objs *kube.Objects expected []checks.Diagnostic }{ { name: "no pods", - arg: initPod(), + objs: initPod(), expected: nil, }, { name: "pod with no volumes", - arg: container("docker.io/nginx:foo"), + objs: container("docker.io/nginx:foo"), expected: nil, }, { name: "pod with other volume", - arg: volume(corev1.VolumeSource{ + objs: volume(corev1.VolumeSource{ GitRepo: &corev1.GitRepoVolumeSource{Repository: "boo"}, }), expected: nil, }, { name: "pod with hostpath volume", - arg: volume(corev1.VolumeSource{ + objs: volume(corev1.VolumeSource{ HostPath: &corev1.HostPathVolumeSource{Path: "/tmp"}, }), expected: []checks.Diagnostic{ @@ -65,11 +65,11 @@ func TestHostpathVolumeError(t *testing.T) { hostPathCheck := hostPathCheck{} - for _, scenario := range scenarios { - t.Run(scenario.name, func(t *testing.T) { - d, err := hostPathCheck.Run(scenario.arg) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d, err := hostPathCheck.Run(test.objs) assert.NoError(t, err) - assert.ElementsMatch(t, scenario.expected, d) + assert.ElementsMatch(t, test.expected, d) }) } } diff --git a/checks/basic/latest_tag_test.go b/checks/basic/latest_tag_test.go index ce6cc03..bcc700b 100644 --- a/checks/basic/latest_tag_test.go +++ b/checks/basic/latest_tag_test.go @@ -11,141 +11,141 @@ import ( func TestLatestTagCheckMeta(t *testing.T) { latestTagCheck := latestTagCheck{} assert.Equal(t, "latest-tag", latestTagCheck.Name()) - assert.Equal(t, "Checks if there are pods with container images having latest tag", latestTagCheck.Description()) assert.Equal(t, []string{"basic"}, latestTagCheck.Groups()) + assert.NotEmpty(t, latestTagCheck.Description()) } func TestLatestTagCheckRegistration(t *testing.T) { latestTagCheck := &latestTagCheck{} check, err := checks.Get("latest-tag") + assert.NoError(t, err) assert.Equal(t, check, latestTagCheck) - assert.Nil(t, err) } func TestLatestTagWarning(t *testing.T) { const message = "Avoid using latest tag for container 'bar'" const severity = checks.Warning - scenarios := []struct { + tests := []struct { name string - arg *kube.Objects + objs *kube.Objects expected []checks.Diagnostic }{ { name: "no pods", - arg: initPod(), + objs: initPod(), expected: nil, }, { name: "pod with container image - k8s.gcr.io/busybox:latest", - arg: container("k8s.gcr.io/busybox:latest"), + objs: container("k8s.gcr.io/busybox:latest"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - busybox:latest", - arg: container("busybox:latest"), + objs: container("busybox:latest"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - k8s.gcr.io/busybox", - arg: container("k8s.gcr.io/busybox"), + objs: container("k8s.gcr.io/busybox"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - busybox", - arg: container("busybox"), + objs: container("busybox"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - private:5000/busybox", - arg: container("private:5000/repo/busybox"), + objs: container("private:5000/repo/busybox"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - private:5000/busybox:latest", - arg: container("private:5000/repo/busybox:latest"), + objs: container("private:5000/repo/busybox:latest"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - test:5000/repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: container("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: container("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: container("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: container("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - test:5000/repo:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: container("test:5000/repo:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: container("test:5000/repo:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - busybox:v1.2.3", - arg: container("busybox:v1.2.3"), + objs: container("busybox:v1.2.3"), expected: nil, }, { name: "pod with init container image - k8s.gcr.io/busybox:latest", - arg: initContainer("k8s.gcr.io/busybox:latest"), + objs: initContainer("k8s.gcr.io/busybox:latest"), expected: issues(severity, message, checks.Pod), }, { name: "pod with init container image - busybox:latest", - arg: initContainer("busybox:latest"), + objs: initContainer("busybox:latest"), expected: issues(severity, message, checks.Pod), }, { name: "pod with init container image - k8s.gcr.io/busybox", - arg: initContainer("k8s.gcr.io/busybox"), + objs: initContainer("k8s.gcr.io/busybox"), expected: issues(severity, message, checks.Pod), }, { name: "pod with init container image - busybox", - arg: initContainer("busybox"), + objs: initContainer("busybox"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - private:5000/busybox", - arg: container("private:5000/repo/busybox"), + objs: container("private:5000/repo/busybox"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - private:5000/busybox:latest", - arg: container("private:5000/repo/busybox:latest"), + objs: container("private:5000/repo/busybox:latest"), expected: issues(severity, message, checks.Pod), }, { name: "pod with container image - test:5000/repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: initContainer("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: initContainer("test:5000/repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - test:5000/repo:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: initContainer("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: initContainer("test:5000/repo/image:ignore-tag@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with container image - repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - arg: initContainer("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + objs: initContainer("repo/image@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), expected: nil, }, { name: "pod with init container image - busybox:v1.2.3", - arg: initContainer("busybox:v1.2.3"), + objs: initContainer("busybox:v1.2.3"), expected: nil, }, } latestTagCheck := latestTagCheck{} - for _, scenario := range scenarios { - t.Run(scenario.name, func(t *testing.T) { - d, err := latestTagCheck.Run(scenario.arg) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d, err := latestTagCheck.Run(test.objs) assert.NoError(t, err) - assert.ElementsMatch(t, scenario.expected, d) + assert.ElementsMatch(t, test.expected, d) }) } } diff --git a/checks/basic/namespace_test.go b/checks/basic/namespace_test.go index 0377234..6c95ce6 100644 --- a/checks/basic/namespace_test.go +++ b/checks/basic/namespace_test.go @@ -13,21 +13,21 @@ import ( func TestNamespaceCheckMeta(t *testing.T) { defaultNamespaceCheck := defaultNamespaceCheck{} assert.Equal(t, "default-namespace", defaultNamespaceCheck.Name()) - assert.Equal(t, "Checks if there are any user created k8s objects in the default namespace.", defaultNamespaceCheck.Description()) assert.Equal(t, []string{"basic"}, defaultNamespaceCheck.Groups()) + assert.NotEmpty(t, defaultNamespaceCheck.Description()) } func TestNamespaceCheckRegistration(t *testing.T) { defaultNamespaceCheck := &defaultNamespaceCheck{} check, err := checks.Get("default-namespace") + assert.NoError(t, err) assert.Equal(t, check, defaultNamespaceCheck) - assert.Nil(t, err) } func TestNamespaceWarning(t *testing.T) { - scenarios := []struct { + tests := []struct { name string - arg *kube.Objects + objs *kube.Objects expected []checks.Diagnostic }{ {"no objects in cluster", empty(), nil}, @@ -36,11 +36,11 @@ func TestNamespaceWarning(t *testing.T) { namespace := defaultNamespaceCheck{} - for _, scenario := range scenarios { - t.Run(scenario.name, func(t *testing.T) { - d, err := namespace.Run(scenario.arg) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d, err := namespace.Run(test.objs) assert.NoError(t, err) - assert.ElementsMatch(t, scenario.expected, d) + assert.ElementsMatch(t, test.expected, d) }) } } diff --git a/checks/basic/pod_status_test.go b/checks/basic/pod_status_test.go index 020e919..2a8bddb 100644 --- a/checks/basic/pod_status_test.go +++ b/checks/basic/pod_status_test.go @@ -12,46 +12,46 @@ import ( func TestMeta(t *testing.T) { podStatusCheck := podStatusCheck{} assert.Equal(t, "pod-state", podStatusCheck.Name()) - assert.Equal(t, "Check if there are unhealthy pods in the cluster", podStatusCheck.Description()) assert.Equal(t, []string{"workload-health"}, podStatusCheck.Groups()) + assert.NotEmpty(t, podStatusCheck.Description()) } func TestPodStateCheckRegistration(t *testing.T) { podStatusCheck := &podStatusCheck{} check, err := checks.Get("pod-state") + assert.NoError(t, err) assert.Equal(t, check, podStatusCheck) - assert.Nil(t, err) } func TestPodStateError(t *testing.T) { - scenarios := []struct { + tests := []struct { name string - arg *kube.Objects + objs *kube.Objects expected []checks.Diagnostic }{ { name: "no pods", - arg: initPod(), + objs: initPod(), expected: nil, }, { name: "pod with running status", - arg: status(corev1.PodRunning), + objs: status(corev1.PodRunning), expected: nil, }, { name: "pod with pending status", - arg: status(corev1.PodPending), + objs: status(corev1.PodPending), expected: nil, }, { name: "pod with succeeded status", - arg: status(corev1.PodSucceeded), + objs: status(corev1.PodSucceeded), expected: nil, }, { name: "pod with failed status", - arg: status(corev1.PodFailed), + objs: status(corev1.PodFailed), expected: []checks.Diagnostic{ { Severity: checks.Warning, @@ -64,7 +64,7 @@ func TestPodStateError(t *testing.T) { }, { name: "pod with unknown status", - arg: status(corev1.PodUnknown), + objs: status(corev1.PodUnknown), expected: []checks.Diagnostic{ { Severity: checks.Warning, @@ -79,11 +79,11 @@ func TestPodStateError(t *testing.T) { podStatusCheck := podStatusCheck{} - for _, scenario := range scenarios { - t.Run(scenario.name, func(t *testing.T) { - d, err := podStatusCheck.Run(scenario.arg) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d, err := podStatusCheck.Run(test.objs) assert.NoError(t, err) - assert.ElementsMatch(t, scenario.expected, d) + assert.ElementsMatch(t, test.expected, d) }) } } diff --git a/checks/doks/node_name_pod_selector_test.go b/checks/doks/node_name_pod_selector_test.go index b084768..f459f8b 100644 --- a/checks/doks/node_name_pod_selector_test.go +++ b/checks/doks/node_name_pod_selector_test.go @@ -13,42 +13,42 @@ import ( func TestPodSelectorCheckMeta(t *testing.T) { podSelectorCheck := podSelectorCheck{} assert.Equal(t, "node-name-pod-selector", podSelectorCheck.Name()) - assert.Equal(t, "Checks if there are pods which use kubernetes.io/hostname label in the node selector.", podSelectorCheck.Description()) assert.Equal(t, []string{"doks"}, podSelectorCheck.Groups()) + assert.NotEmpty(t, podSelectorCheck.Description()) } func TestPodSelectorCheckRegistration(t *testing.T) { podSelectorCheck := &podSelectorCheck{} check, err := checks.Get("node-name-pod-selector") + assert.NoError(t, err) assert.Equal(t, check, podSelectorCheck) - assert.Nil(t, err) } func TestNodeNameError(t *testing.T) { - scenarios := []struct { + tests := []struct { name string - arg *kube.Objects + objs *kube.Objects expected []checks.Diagnostic }{ { name: "no node name selector", - arg: empty(), + objs: empty(), expected: nil, }, { name: "node name used in node selector", - arg: invalidPod(), + objs: invalidPod(), expected: errors(invalidPod()), }, } podSelectorCheck := podSelectorCheck{} - for _, scenario := range scenarios { - t.Run(scenario.name, func(t *testing.T) { - d, err := podSelectorCheck.Run(scenario.arg) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d, err := podSelectorCheck.Run(test.objs) assert.NoError(t, err) - assert.ElementsMatch(t, scenario.expected, d) + assert.ElementsMatch(t, test.expected, d) }) } } diff --git a/checks/security/privileged_containers_test.go b/checks/security/privileged_containers_test.go index 454e3df..2fdfd32 100644 --- a/checks/security/privileged_containers_test.go +++ b/checks/security/privileged_containers_test.go @@ -13,77 +13,77 @@ import ( func TestPrivilegedContainersCheckMeta(t *testing.T) { privilegedContainerCheck := privilegedContainerCheck{} assert.Equal(t, "privileged-containers", privilegedContainerCheck.Name()) - assert.Equal(t, "Checks if there are pods with containers in privileged mode", privilegedContainerCheck.Description()) assert.Equal(t, []string{"security"}, privilegedContainerCheck.Groups()) + assert.NotEmpty(t, privilegedContainerCheck.Description()) } func TestPrivilegedContainersCheckRegistration(t *testing.T) { privilegedContainerCheck := &privilegedContainerCheck{} check, err := checks.Get("privileged-containers") + assert.NoError(t, err) assert.Equal(t, check, privilegedContainerCheck) - assert.Nil(t, err) } func TestPrivilegedContainerWarning(t *testing.T) { - scenarios := []struct { + tests := []struct { name string - arg *kube.Objects + objs *kube.Objects expected []checks.Diagnostic }{ { name: "no pods", - arg: initPod(), + objs: initPod(), expected: nil, }, { name: "pod with container in privileged mode", - arg: container(true), + objs: container(true), expected: warnings(container(true)), }, { name: "pod with container.SecurityContext = nil", - arg: containerSecurityContextNil(), + objs: containerSecurityContextNil(), expected: nil, }, { name: "pod with container.SecurityContext.Privileged = nil", - arg: containerPrivilegedNil(), + objs: containerPrivilegedNil(), expected: nil, }, { name: "pod with container in regular mode", - arg: container(false), + objs: container(false), expected: nil, }, { name: "pod with init container in privileged mode", - arg: initContainer(true), + objs: initContainer(true), expected: warnings(initContainer(true)), }, { name: "pod with initContainer.SecurityContext = nil", - arg: initContainerSecurityContextNil(), + objs: initContainerSecurityContextNil(), expected: nil, }, { name: "pod with initContainer.SecurityContext.Privileged = nil", - arg: initContainerPrivilegedNil(), + objs: initContainerPrivilegedNil(), expected: nil, }, { name: "pod with init container in regular mode", - arg: initContainer(false), + objs: initContainer(false), expected: nil, }, } privilegedContainerCheck := privilegedContainerCheck{} - for _, scenario := range scenarios { - t.Run(scenario.name, func(t *testing.T) { - d, err := privilegedContainerCheck.Run(scenario.arg) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d, err := privilegedContainerCheck.Run(test.objs) assert.NoError(t, err) - assert.ElementsMatch(t, scenario.expected, d) + assert.ElementsMatch(t, test.expected, d) }) } } @@ -177,7 +177,7 @@ func warnings(objs *kube.Objects) []checks.Diagnostic { d := []checks.Diagnostic{ { Severity: checks.Warning, - Message: "Privileged container '%bar' found. Please ensure that the image is from a trusted source.", + Message: "Privileged container 'bar' found. Please ensure that the image is from a trusted source.", Kind: checks.Pod, Object: &pod.ObjectMeta, Owners: pod.ObjectMeta.GetOwnerReferences(),