From c70d834fee987842ca2271d16576ed02b417a666 Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Wed, 15 Nov 2023 10:56:27 +0100
Subject: [PATCH] test: add missing fields to e2e fixtures

Signed-off-by: Flavio Castelli
---
 e2e.bats | 44 +++++++--
 ..._pod_with_allowed_capabilities_accept.json | 78 ++++++++-------
 ..._pod_with_allowed_capabilities_reject.json | 92 +++++++++---------
 ...ilities_in_required_drop_capabilities.json | 92 +++++++++---------
 .../req_pod_with_mutate_capabilities.json | 92 +++++++++---------
 ...th_mutate_capabilities_for_deployment.json | 94 ++++++++++---------
 6 files changed, 274 insertions(+), 218 deletions(-)

diff --git a/e2e.bats b/e2e.bats
index 093af2b..b2f4439 100644
--- a/e2e.bats
+++ b/e2e.bats
@@ -1,25 +1,39 @@ @test "Accept all capabilities when star in allowed capabilities" { run kwctl run --request-path test_data/req_pod_with_allowed_capabilities_accept.json --settings-json '{"allowed_capabilities": ["*"]}' annotated-policy.wasm + + # this prints the output when one the checks below fails + echo "output = ${output}" + [ "$status" -eq 0 ] - echo "$output" [ $(expr "$output" : '.*"allowed":true.*') -ne 0 ] + run kwctl run --request-path test_data/req_pod_with_allowed_capabilities_reject.json --settings-json '{"allowed_capabilities": ["*"]}' annotated-policy.wasm - echo "$output" + + # this prints the output when one the checks below fails + echo "output = ${output}" + + [ "$status" -eq 0 ] [ $(expr "$output" : '.*"allowed":true.*') -ne 0 ] } @test "Reject when star in allowed capabilities and capabilities in required_drop_capabilities" { run kwctl run --request-path test_data/req_pod_with_allowed_capabilities_reject.json --settings-json '{"allowed_capabilities": ["*"], "required_drop_capabilities": ["BPF"]}' annotated-policy.wasm + + # this prints the output when one the checks below fails + echo "output = ${output}" + [ "$status" -eq 0 ] - echo "$output" [ $(expr "$output" : '.*"allowed":false.*') -ne 0 ] [ $(expr "$output" : '.*"message":"PSP capabilities policies doesn'\''t allow these capabilities to be added*') -ne 0 ] } @test "Reject capabilities in required_drop_capabilities" { run kwctl run --request-path test_data/req_pod_with_capabilities_in_required_drop_capabilities.json --settings-json '{"required_drop_capabilities": ["NET_ADMIN"]}' annotated-policy.wasm + + # this prints the output when one the checks below fails + echo "output = ${output}" + [ "$status" -eq 0 ] - echo "$output" [ $(expr "$output" : '.*"allowed":false.*') -ne 0 ] [ $(expr "$output" : '.*"message":"PSP capabilities policies doesn'\''t allow these capabilities to be added*') -ne 0 ] } 
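Review bot: The comment added before each `echo` reads "when one the checks below fails"; it should read `# this prints the output when one of the checks below fails`, and the same typo is repeated in every test of this hunk and the next one. The new `echo "output = ${output}"` also leaves out the exit code, so a failing `[ "$status" -eq 0 ]` does not show what kwctl actually returned. Printing both, `echo "status = ${status}, output = ${output}"`, would make a non-zero exit readable straight from the test log.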
@@ -27,29 +41,43 @@ @test "Accept capabilities in allowed capabilities" { run kwctl run --request-path test_data/req_pod_with_allowed_capabilities_accept.json --settings-json '{"allowed_capabilities": ["CHOWN", "KILL"]}' annotated-policy.wasm + + # this prints the output when one the checks below fails + echo "output = ${output}" + [ "$status" -eq 0 ] - echo "$output" [ $(expr "$output" : '.*"allowed":true.*') -ne 0 ] } @test "Reject capabilities not in allowed capabilities" { run kwctl run --request-path test_data/req_pod_with_allowed_capabilities_reject.json --settings-json '{"allowed_capabilities": ["CHOWN", "KILL"]}' annotated-policy.wasm + + # this prints the output when one the checks below fails + echo "output = ${output}" + [ "$status" -eq 0 ] - echo "$output" [ $(expr "$output" : '.*"allowed":false.*') -ne 0 ] [ $(expr "$output" : '.*"message":"PSP capabilities policies doesn'\''t allow these capabilities to be added*') -ne 0 ] } @test "Mutate pods" { run kwctl run --request-path test_data/req_pod_with_mutate_capabilities.json --settings-json '{"allowed_capabilities": ["CHOWN", "KILL"], "required_drop_capabilities":["NET_ADMIN"], "default_add_capabilities":["CHOWN"]}' annotated-policy.wasm - echo "$output" + + # this prints the output when one the checks below fails + echo "output = ${output}" + + [ "$status" -eq 0 ] [ $(expr "$output" : '.*"allowed":true.*') -ne 0 ] [ $(expr "$output" : '.*"patchType":"JSONPatch"') -ne 0 ] } @test "Mutate deployments" { run kwctl run --request-path test_data/req_pod_with_mutate_capabilities_for_deployment.json --settings-json '{"allowed_capabilities": ["CHOWN", "KILL"], "required_drop_capabilities":["NET_ADMIN"], "default_add_capabilities":["CHOWN"]}' annotated-policy.wasm - echo "$output" + + # this prints the output when one the checks below fails + echo "output = ${output}" + + [ "$status" -eq 0 ] [ $(expr "$output" : '.*"allowed":true.*') -ne 0 ] [ $(expr "$output" : '.*"patchType":"JSONPatch"') -ne 0 ] } 
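Review bot: The two mutation tests at the end of this hunk pass on any response that carries `"allowed":true` and `"patchType":"JSONPatch"`, so a patch that fails to drop `NET_ADMIN` or to add the default `CHOWN` would go unnoticed. Because these settings are security controls, the tests should decode the returned patch and assert on its operations, for example `patch=$(echo "$output" | jq -r '.patch' | base64 -d)` followed by `[ $(expr "$patch" : '.*NET_ADMIN') -ne 0 ]`. This assumes jq is available in the test environment and that the response exposes the patch as a base64 `patch` field, neither of which is visible in this diff.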
diff --git a/test_data/req_pod_with_allowed_capabilities_accept.json b/test_data/req_pod_with_allowed_capabilities_accept.json index 698d704..814fcfc 100644 --- a/test_data/req_pod_with_allowed_capabilities_accept.json +++ b/test_data/req_pod_with_allowed_capabilities_accept.json @@ -1,47 +1,53 @@ { "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", "kind": { - "kind": "Pod", - "version": "v1" + "group": "", + "kind": "Pod", + "version": "v1" + }, + "resource": { + "group": "", + "version": "v1", + "resource": "pods" }, "object": { - "metadata": { - "name": "hello" - }, - "spec": { - "containers": [ - { - "command": [ - "sh", - "-c", - "echo 'Hello!' && sleep 1h" - ], - "image": "busybox", - "imagePullPolicy": "Always", - "name": "hello", - "resources": {}, - "securityContext": { - "capabilities": { - "add": [ - "CHOWN" - ] - } - } - - } - ] - } + "metadata": { + "name": "hello" + }, + "spec": { + "containers": [ + { + "command": [ + "sh", + "-c", + "echo 'Hello!' && sleep 1h" + ], + "image": "busybox", + "imagePullPolicy": "Always", + "name": "hello", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "CHOWN" + ] + } + } + } + ] + } }, "operation": "CREATE", "requestKind": { - "kind": "Pod", - "version": "v1" + "group": "", + "kind": "Pod", + "version": "v1" }, "userInfo": { - "groups": [ - "system:masters", - "system:authenticated" - ], - "username": "shiva" + "groups": [ + "system:masters", + "system:authenticated" + ], + "username": "shiva" } -} \ No newline at end of file +} diff --git a/test_data/req_pod_with_allowed_capabilities_reject.json b/test_data/req_pod_with_allowed_capabilities_reject.json index 4f9cf81..ec235e7 100644 --- a/test_data/req_pod_with_allowed_capabilities_reject.json +++ b/test_data/req_pod_with_allowed_capabilities_reject.json 
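Review bot: Every fixture touched by this commit places the requested capability under `spec.containers` only (this file and the four that follow), so none of the e2e tests shows how the policy treats `initContainers` or `ephemeralContainers`. Capabilities requested there are granted on the node in the same way, so a companion fixture per rejection case that moves the `securityContext.capabilities.add` entry into an init container would pin that behaviour. Whether the policy already inspects those fields cannot be told from this diff.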
@@ -1,47 +1,53 @@ { - "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", - "kind": { - "kind": "Pod", - "version": "v1" + "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", + "kind": { + "group": "", + "kind": "Pod", + "version": "v1" + }, + "resource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "object": { + "metadata": { + "name": "hello" }, - "object": { - "metadata": { - "name": "hello" - }, - "spec": { - "containers": [ - { - "command": [ - "sh", - "-c", - "echo 'Hello!' && sleep 1h" - ], - "image": "busybox", - "imagePullPolicy": "Always", - "name": "hello", - "resources": {}, - "securityContext": { - "capabilities": { - "add": [ - "BPF" - ] - } - } - - } - ] + "spec": { + "containers": [ + { + "command": [ + "sh", + "-c", + "echo 'Hello!' && sleep 1h" + ], + "image": "busybox", + "imagePullPolicy": "Always", + "name": "hello", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "BPF" + ] + } + } } - }, - "operation": "CREATE", - "requestKind": { - "kind": "Pod", - "version": "v1" - }, - "userInfo": { - "groups": [ - "system:masters", - "system:authenticated" - ], - "username": "shiva" + ] } - } \ No newline at end of file + }, + "operation": "CREATE", + "requestKind": { + "group": "", + "kind": "Pod", + "version": "v1" + }, + "userInfo": { + "groups": [ + "system:masters", + "system:authenticated" + ], + "username": "shiva" + } +} diff --git a/test_data/req_pod_with_capabilities_in_required_drop_capabilities.json b/test_data/req_pod_with_capabilities_in_required_drop_capabilities.json index b56e551..7f8dbe0 100644 --- a/test_data/req_pod_with_capabilities_in_required_drop_capabilities.json +++ b/test_data/req_pod_with_capabilities_in_required_drop_capabilities.json 
@@ -1,47 +1,53 @@ { - "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", - "kind": { - "kind": "Pod", - "version": "v1" + "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", + "kind": { + "group": "", + "kind": "Pod", + "version": "v1" + }, + "resource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "object": { + "metadata": { + "name": "hello" }, - "object": { - "metadata": { - "name": "hello" - }, - "spec": { - "containers": [ - { - "command": [ - "sh", - "-c", - "echo 'Hello!' && sleep 1h" - ], - "image": "busybox", - "imagePullPolicy": "Always", - "name": "hello", - "resources": {}, - "securityContext": { - "capabilities": { - "add": [ - "NET_ADMIN" - ] - } - } - - } - ] + "spec": { + "containers": [ + { + "command": [ + "sh", + "-c", + "echo 'Hello!' && sleep 1h" + ], + "image": "busybox", + "imagePullPolicy": "Always", + "name": "hello", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "NET_ADMIN" + ] + } + } } - }, - "operation": "CREATE", - "requestKind": { - "kind": "Pod", - "version": "v1" - }, - "userInfo": { - "groups": [ - "system:masters", - "system:authenticated" - ], - "username": "shiva" + ] } - } \ No newline at end of file + }, + "operation": "CREATE", + "requestKind": { + "group": "", + "kind": "Pod", + "version": "v1" + }, + "userInfo": { + "groups": [ + "system:masters", + "system:authenticated" + ], + "username": "shiva" + } +} diff --git a/test_data/req_pod_with_mutate_capabilities.json b/test_data/req_pod_with_mutate_capabilities.json index a71198e..fd89df1 100644 --- a/test_data/req_pod_with_mutate_capabilities.json +++ b/test_data/req_pod_with_mutate_capabilities.json 
@@ -1,47 +1,53 @@ { - "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", - "kind": { - "kind": "Pod", - "version": "v1" + "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", + "kind": { + "group": "", + "kind": "Pod", + "version": "v1" + }, + "resource": { + "group": "", + "version": "v1", + "resource": "pods" + }, + "object": { + "metadata": { + "name": "hello" }, - "object": { - "metadata": { - "name": "hello" - }, - "spec": { - "containers": [ - { - "command": [ - "sh", - "-c", - "echo 'Hello!' && sleep 1h" - ], - "image": "busybox", - "imagePullPolicy": "Always", - "name": "hello", - "resources": {}, - "securityContext": { - "capabilities": { - "add": [ - "KILL" - ] - } - } - - } - ] + "spec": { + "containers": [ + { + "command": [ + "sh", + "-c", + "echo 'Hello!' && sleep 1h" + ], + "image": "busybox", + "imagePullPolicy": "Always", + "name": "hello", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "KILL" + ] + } + } } - }, - "operation": "CREATE", - "requestKind": { - "kind": "Pod", - "version": "v1" - }, - "userInfo": { - "groups": [ - "system:masters", - "system:authenticated" - ], - "username": "shiva" + ] } - } \ No newline at end of file + }, + "operation": "CREATE", + "requestKind": { + "group": "", + "kind": "Pod", + "version": "v1" + }, + "userInfo": { + "groups": [ + "system:masters", + "system:authenticated" + ], + "username": "shiva" + } +} diff --git a/test_data/req_pod_with_mutate_capabilities_for_deployment.json b/test_data/req_pod_with_mutate_capabilities_for_deployment.json index c0af94f..0e0d2af 100644 --- a/test_data/req_pod_with_mutate_capabilities_for_deployment.json +++ b/test_data/req_pod_with_mutate_capabilities_for_deployment.json 
@@ -1,53 +1,57 @@ { - "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", - "kind": { - "group": "apps", - "version": "v1", - "kind": "Deployment" + "uid": "f0b8fba3-4f4f-465b-af8c-84d0326a2dc2", + "kind": { + "group": "apps", + "version": "v1", + "kind": "Deployment" + }, + "resource": { + "group": "apps", + "version": "v1", + "resource": "deployments" + }, + "object": { + "metadata": { + "name": "hello" }, - "object": { - "metadata": { - "name": "hello" - }, + "spec": { + "template": { "spec": { - "template": { - "spec": { - "containers": [ - { - "command": [ - "sh", - "-c", - "echo 'Hello!' && sleep 1h" - ], - "image": "busybox", - "imagePullPolicy": "Always", - "name": "hello", - "resources": {}, - "securityContext": { - "capabilities": { - "add": [ - "KILL" - ] - } - } - - } - ] + "containers": [ + { + "command": [ + "sh", + "-c", + "echo 'Hello!' && sleep 1h" + ], + "image": "busybox", + "imagePullPolicy": "Always", + "name": "hello", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "KILL" + ] } + } } + ] } - }, - "operation": "CREATE", - "requestKind": { - "group": "apps", - "version": "v1", - "kind": "Deployment" - }, - "userInfo": { - "groups": [ - "system:masters", - "system:authenticated" - ], - "username": "kemara" + } } + }, + "operation": "CREATE", + "requestKind": { + "group": "apps", + "version": "v1", + "kind": "Deployment" + }, + "userInfo": { + "groups": [ + "system:masters", + "system:authenticated" + ], + "username": "kemara" + } }