(psa) add unit test cases for registry pod config

This PR adds unit tests to test the pod+container securityContext configs introduced in operator-framework#2854 Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 · Sep 14, 2022 · e89aeba · e89aeba
1 parent edffd9c
commit e89aeba
Showing 1 changed file with 78 additions and 17 deletions.
diff --git a/pkg/controller/registry/reconciler/reconciler_test.go b/pkg/controller/registry/reconciler/reconciler_test.go
@@ -6,6 +6,7 @@ import (
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 )
@@ -80,26 +81,86 @@ func TestPullPolicy(t *testing.T) {
 }
 
 func TestPodContainerSecurityContext(t *testing.T) {
-	expectedReadOnlyRootFilesystem := false
-	allowPrivilegeEscalation := false
-	expectedContainerSecCtx := &corev1.SecurityContext{
-		ReadOnlyRootFilesystem:   &expectedReadOnlyRootFilesystem,
-		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
-		Capabilities: &corev1.Capabilities{
-			Drop: []corev1.Capability{"ALL"},
-		},
-	}
 
-	catsrc := &v1alpha1.CatalogSource{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "testns",
+	testcases := []struct {
+		title                            string
+		inputCatsrc                      *v1alpha1.CatalogSource
+		expectedSecurityContext          *corev1.PodSecurityContext
+		expectedContainerSecurityContext *corev1.SecurityContext
+	}{
+		{
+			title: "NoSpecDefined/PodContainsSecurityConfigForPSARestricted",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+			},
+			expectedContainerSecurityContext: &corev1.SecurityContext{
+				ReadOnlyRootFilesystem:   pointer.Bool(false),
+				AllowPrivilegeEscalation: pointer.Bool(false),
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+			},
+			expectedSecurityContext: &corev1.PodSecurityContext{
+				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				RunAsUser:      pointer.Int64(workloadUserID),
+				RunAsNonRoot:   pointer.Bool(true),
+			},
+		},
+		{
+			title: "SpecDefined/SecurityContextConfig:Restricted/PodContainsSecurityConfigForPSARestricted",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: v1alpha1.CatalogSourceSpec{
+					GrpcPodConfig: &v1alpha1.GrpcPodConfig{
+						SecurityContextConfig: v1alpha1.Restricted,
+					},
+				},
+			},
+			expectedContainerSecurityContext: &corev1.SecurityContext{
+				ReadOnlyRootFilesystem:   pointer.Bool(false),
+				AllowPrivilegeEscalation: pointer.Bool(false),
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+			},
+			expectedSecurityContext: &corev1.PodSecurityContext{
+				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				RunAsUser:      pointer.Int64(workloadUserID),
+				RunAsNonRoot:   pointer.Bool(true),
+			},
+		},
+		{
+			title: "SpecDefined/SecurityContextConfig:Legacy/PodDoesNotContainsSecurityConfig",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: v1alpha1.CatalogSourceSpec{
+					GrpcPodConfig: &v1alpha1.GrpcPodConfig{
+						SecurityContextConfig: v1alpha1.Legacy,
+					},
+				},
+			},
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
 		},
 	}
-
-	gotPod := Pod(catsrc, "hello", "busybox", "", map[string]string{}, map[string]string{}, int32(0), int32(0), int64(workloadUserID))
-	gotContainerSecCtx := gotPod.Spec.Containers[0].SecurityContext
-	require.Equal(t, expectedContainerSecCtx, gotContainerSecCtx)
+	for _, testcase := range testcases {
+		outputPod := Pod(testcase.inputCatsrc, "hello", "busybox", "", map[string]string{}, map[string]string{}, int32(0), int32(0), int64(workloadUserID))
+		if testcase.expectedSecurityContext != nil {
+			require.Equal(t, testcase.expectedSecurityContext, outputPod.Spec.SecurityContext)
+		}
+		if testcase.expectedContainerSecurityContext != nil {
+			require.Equal(t, testcase.expectedContainerSecurityContext, outputPod.Spec.Containers[0].SecurityContext)
+		}
+	}
 }
 
 // TestPodAvoidsConcurrentWrite is a regression test for