Skip to content

Commit c158048

Browse files
arybolovlevarybolovlev
committed
[WIP] Update deployment test - operator
1 parent e530b2e commit c158048

File tree

1 file changed

+42
-8
lines changed

1 file changed

+42
-8
lines changed

charts/test/unit/deployment_test.go

Lines changed: 42 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -299,14 +299,35 @@ func TestDeploymentOperatorResources(t *testing.T) {
299299
assert.Equal(t, d, deployment)
300300
}
301301

302-
// TODO
303302
func TestDeploymentOperatorSecurityContext(t *testing.T) {
304303
options := &helm.Options{
304+
SetValues: map[string]string{
305+
"operator.securityContext.allowPrivilegeEscalation": "true",
306+
"operator.securityContext.runAsNonRoot": "true",
307+
"operator.securityContext.seccompProfile.type": "Localhost",
308+
"operator.securityContext.capabilities.add": `{NET_BIND_SERVICE}`,
309+
},
305310
Version: helmChartVersion,
306311
}
307312
deployment := renderDeploymentManifest(t, options)
308313
d := defaultDeployment()
309314

315+
d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
316+
AllowPrivilegeEscalation: ptr.To(true),
317+
RunAsNonRoot: ptr.To(true),
318+
Capabilities: &corev1.Capabilities{
319+
Drop: []corev1.Capability{
320+
corev1.Capability("ALL"),
321+
},
322+
Add: []corev1.Capability{
323+
corev1.Capability("NET_BIND_SERVICE"),
324+
},
325+
},
326+
SeccompProfile: &corev1.SeccompProfile{
327+
Type: corev1.SeccompProfileTypeLocalhost,
328+
},
329+
}
330+
310331
assert.Equal(t, d, deployment)
311332
}
312333

@@ -482,21 +503,34 @@ func TestDeploymentKubeRbacProxyImage(t *testing.T) {
482503
assert.Equal(t, d, deployment)
483504
}
484505

485-
// TODO
486506
func TestDeploymentKubeRbacProxySecurityContext(t *testing.T) {
487507
options := &helm.Options{
488-
Version: helmChartVersion,
489508
SetValues: map[string]string{
490-
"kubeRbacProxy.image.repository": "this",
491-
"kubeRbacProxy.image.pullPolicy": string(corev1.PullAlways),
492-
"kubeRbacProxy.image.tag": "0.0.1",
509+
"kubeRbacProxy.securityContext.allowPrivilegeEscalation": "true",
510+
"kubeRbacProxy.securityContext.runAsNonRoot": "true",
511+
"kubeRbacProxy.securityContext.seccompProfile.type": "Localhost",
512+
"kubeRbacProxy.securityContext.capabilities.add": `{NET_BIND_SERVICE}`,
493513
},
514+
Version: helmChartVersion,
494515
}
495516
deployment := renderDeploymentManifest(t, options)
496517
d := defaultDeployment()
497518

498-
d.Spec.Template.Spec.Containers[1].Image = "this:0.0.1"
499-
d.Spec.Template.Spec.Containers[1].ImagePullPolicy = corev1.PullAlways
519+
d.Spec.Template.Spec.Containers[1].SecurityContext = &corev1.SecurityContext{
520+
AllowPrivilegeEscalation: ptr.To(true),
521+
RunAsNonRoot: ptr.To(true),
522+
Capabilities: &corev1.Capabilities{
523+
Drop: []corev1.Capability{
524+
corev1.Capability("ALL"),
525+
},
526+
Add: []corev1.Capability{
527+
corev1.Capability("NET_BIND_SERVICE"),
528+
},
529+
},
530+
SeccompProfile: &corev1.SeccompProfile{
531+
Type: corev1.SeccompProfileTypeLocalhost,
532+
},
533+
}
500534

501535
assert.Equal(t, d, deployment)
502536
}

0 commit comments

Comments
 (0)