12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
37047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127
71278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177
717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902 |
- /*
- Copyright 2017 The Kubernetes Authors.
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
- package pod
- import (
- "fmt"
- "reflect"
- "strings"
- "testing"
- "k8s.io/apimachinery/pkg/api/resource"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/diff"
- "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apimachinery/pkg/util/validation/field"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
- featuregatetesting "k8s.io/component-base/featuregate/testing"
- api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/features"
- "k8s.io/kubernetes/pkg/security/apparmor"
- )
- func TestVisitContainers(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
- testCases := []struct {
- description string
- haveSpec *api.PodSpec
- wantNames []string
- }{
- {
- "empty podspec",
- &api.PodSpec{},
- []string{},
- },
- {
- "regular containers",
- &api.PodSpec{
- Containers: []api.Container{
- {Name: "c1"},
- {Name: "c2"},
- },
- },
- []string{"c1", "c2"},
- },
- {
- "init containers",
- &api.PodSpec{
- InitContainers: []api.Container{
- {Name: "i1"},
- {Name: "i2"},
- },
- },
- []string{"i1", "i2"},
- },
- {
- "regular and init containers",
- &api.PodSpec{
- Containers: []api.Container{
- {Name: "c1"},
- {Name: "c2"},
- },
- InitContainers: []api.Container{
- {Name: "i1"},
- {Name: "i2"},
- },
- },
- []string{"i1", "i2", "c1", "c2"},
- },
- {
- "ephemeral containers",
- &api.PodSpec{
- Containers: []api.Container{
- {Name: "c1"},
- {Name: "c2"},
- },
- EphemeralContainers: []api.EphemeralContainer{
- {EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e1"}},
- },
- },
- []string{"c1", "c2", "e1"},
- },
- {
- "all container types",
- &api.PodSpec{
- Containers: []api.Container{
- {Name: "c1"},
- {Name: "c2"},
- },
- InitContainers: []api.Container{
- {Name: "i1"},
- {Name: "i2"},
- },
- EphemeralContainers: []api.EphemeralContainer{
- {EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e1"}},
- {EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e2"}},
- },
- },
- []string{"i1", "i2", "c1", "c2", "e1", "e2"},
- },
- {
- "dropping fields",
- &api.PodSpec{
- Containers: []api.Container{
- {Name: "c1"},
- {Name: "c2", SecurityContext: &api.SecurityContext{}},
- },
- InitContainers: []api.Container{
- {Name: "i1"},
- {Name: "i2", SecurityContext: &api.SecurityContext{}},
- },
- EphemeralContainers: []api.EphemeralContainer{
- {EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e1"}},
- {EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e2", SecurityContext: &api.SecurityContext{}}},
- },
- },
- []string{"i1", "i2", "c1", "c2", "e1", "e2"},
- },
- }
- for _, tc := range testCases {
- gotNames := []string{}
- VisitContainers(tc.haveSpec, func(c *api.Container) bool {
- gotNames = append(gotNames, c.Name)
- if c.SecurityContext != nil {
- c.SecurityContext = nil
- }
- return true
- })
- if !reflect.DeepEqual(gotNames, tc.wantNames) {
- t.Errorf("VisitContainers() for test case %q visited containers %q, wanted to visit %q", tc.description, gotNames, tc.wantNames)
- }
- for _, c := range tc.haveSpec.Containers {
- if c.SecurityContext != nil {
- t.Errorf("VisitContainers() for test case %q: got SecurityContext %#v for container %v, wanted nil", tc.description, c.SecurityContext, c.Name)
- }
- }
- for _, c := range tc.haveSpec.InitContainers {
- if c.SecurityContext != nil {
- t.Errorf("VisitContainers() for test case %q: got SecurityContext %#v for init container %v, wanted nil", tc.description, c.SecurityContext, c.Name)
- }
- }
- for _, c := range tc.haveSpec.EphemeralContainers {
- if c.SecurityContext != nil {
- t.Errorf("VisitContainers() for test case %q: got SecurityContext %#v for ephemeral container %v, wanted nil", tc.description, c.SecurityContext, c.Name)
- }
- }
- }
- }
- func TestPodSecrets(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
- // Stub containing all possible secret references in a pod.
- // The names of the referenced secrets match struct paths detected by reflection.
- pod := &api.Pod{
- Spec: api.PodSpec{
- Containers: []api.Container{{
- EnvFrom: []api.EnvFromSource{{
- SecretRef: &api.SecretEnvSource{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.Containers[*].EnvFrom[*].SecretRef"}}}},
- Env: []api.EnvVar{{
- ValueFrom: &api.EnvVarSource{
- SecretKeyRef: &api.SecretKeySelector{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.Containers[*].Env[*].ValueFrom.SecretKeyRef"}}}}}}},
- ImagePullSecrets: []api.LocalObjectReference{{
- Name: "Spec.ImagePullSecrets"}},
- InitContainers: []api.Container{{
- EnvFrom: []api.EnvFromSource{{
- SecretRef: &api.SecretEnvSource{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.InitContainers[*].EnvFrom[*].SecretRef"}}}},
- Env: []api.EnvVar{{
- ValueFrom: &api.EnvVarSource{
- SecretKeyRef: &api.SecretKeySelector{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.InitContainers[*].Env[*].ValueFrom.SecretKeyRef"}}}}}}},
- Volumes: []api.Volume{{
- VolumeSource: api.VolumeSource{
- AzureFile: &api.AzureFileVolumeSource{
- SecretName: "Spec.Volumes[*].VolumeSource.AzureFile.SecretName"}}}, {
- VolumeSource: api.VolumeSource{
- CephFS: &api.CephFSVolumeSource{
- SecretRef: &api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.CephFS.SecretRef"}}}}, {
- VolumeSource: api.VolumeSource{
- Cinder: &api.CinderVolumeSource{
- SecretRef: &api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.Cinder.SecretRef"}}}}, {
- VolumeSource: api.VolumeSource{
- FlexVolume: &api.FlexVolumeSource{
- SecretRef: &api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.FlexVolume.SecretRef"}}}}, {
- VolumeSource: api.VolumeSource{
- Projected: &api.ProjectedVolumeSource{
- Sources: []api.VolumeProjection{{
- Secret: &api.SecretProjection{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.Projected.Sources[*].Secret"}}}}}}}, {
- VolumeSource: api.VolumeSource{
- RBD: &api.RBDVolumeSource{
- SecretRef: &api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.RBD.SecretRef"}}}}, {
- VolumeSource: api.VolumeSource{
- Secret: &api.SecretVolumeSource{
- SecretName: "Spec.Volumes[*].VolumeSource.Secret.SecretName"}}}, {
- VolumeSource: api.VolumeSource{
- Secret: &api.SecretVolumeSource{
- SecretName: "Spec.Volumes[*].VolumeSource.Secret"}}}, {
- VolumeSource: api.VolumeSource{
- ScaleIO: &api.ScaleIOVolumeSource{
- SecretRef: &api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.ScaleIO.SecretRef"}}}}, {
- VolumeSource: api.VolumeSource{
- ISCSI: &api.ISCSIVolumeSource{
- SecretRef: &api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.ISCSI.SecretRef"}}}}, {
- VolumeSource: api.VolumeSource{
- StorageOS: &api.StorageOSVolumeSource{
- SecretRef: &api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.StorageOS.SecretRef"}}}}, {
- VolumeSource: api.VolumeSource{
- CSI: &api.CSIVolumeSource{
- NodePublishSecretRef: &api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.CSI.NodePublishSecretRef"}}}}},
- EphemeralContainers: []api.EphemeralContainer{{
- EphemeralContainerCommon: api.EphemeralContainerCommon{
- EnvFrom: []api.EnvFromSource{{
- SecretRef: &api.SecretEnvSource{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.EphemeralContainers[*].EphemeralContainerCommon.EnvFrom[*].SecretRef"}}}},
- Env: []api.EnvVar{{
- ValueFrom: &api.EnvVarSource{
- SecretKeyRef: &api.SecretKeySelector{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.EphemeralContainers[*].EphemeralContainerCommon.Env[*].ValueFrom.SecretKeyRef"}}}}}}}},
- },
- }
- extractedNames := sets.NewString()
- VisitPodSecretNames(pod, func(name string) bool {
- extractedNames.Insert(name)
- return true
- })
- // excludedSecretPaths holds struct paths to fields with "secret" in the name that are not actually references to secret API objects
- excludedSecretPaths := sets.NewString(
- "Spec.Volumes[*].VolumeSource.CephFS.SecretFile",
- )
- // expectedSecretPaths holds struct paths to fields with "secret" in the name that are references to secret API objects.
- // every path here should be represented as an example in the Pod stub above, with the secret name set to the path.
- expectedSecretPaths := sets.NewString(
- "Spec.Containers[*].EnvFrom[*].SecretRef",
- "Spec.Containers[*].Env[*].ValueFrom.SecretKeyRef",
- "Spec.EphemeralContainers[*].EphemeralContainerCommon.EnvFrom[*].SecretRef",
- "Spec.EphemeralContainers[*].EphemeralContainerCommon.Env[*].ValueFrom.SecretKeyRef",
- "Spec.ImagePullSecrets",
- "Spec.InitContainers[*].EnvFrom[*].SecretRef",
- "Spec.InitContainers[*].Env[*].ValueFrom.SecretKeyRef",
- "Spec.Volumes[*].VolumeSource.AzureFile.SecretName",
- "Spec.Volumes[*].VolumeSource.CephFS.SecretRef",
- "Spec.Volumes[*].VolumeSource.Cinder.SecretRef",
- "Spec.Volumes[*].VolumeSource.FlexVolume.SecretRef",
- "Spec.Volumes[*].VolumeSource.Projected.Sources[*].Secret",
- "Spec.Volumes[*].VolumeSource.RBD.SecretRef",
- "Spec.Volumes[*].VolumeSource.Secret",
- "Spec.Volumes[*].VolumeSource.Secret.SecretName",
- "Spec.Volumes[*].VolumeSource.ScaleIO.SecretRef",
- "Spec.Volumes[*].VolumeSource.ISCSI.SecretRef",
- "Spec.Volumes[*].VolumeSource.StorageOS.SecretRef",
- "Spec.Volumes[*].VolumeSource.CSI.NodePublishSecretRef",
- )
- secretPaths := collectResourcePaths(t, "secret", nil, "", reflect.TypeOf(&api.Pod{}))
- secretPaths = secretPaths.Difference(excludedSecretPaths)
- if missingPaths := expectedSecretPaths.Difference(secretPaths); len(missingPaths) > 0 {
- t.Logf("Missing expected secret paths:\n%s", strings.Join(missingPaths.List(), "\n"))
- t.Error("Missing expected secret paths. Verify VisitPodSecretNames() is correctly finding the missing paths, then correct expectedSecretPaths")
- }
- if extraPaths := secretPaths.Difference(expectedSecretPaths); len(extraPaths) > 0 {
- t.Logf("Extra secret paths:\n%s", strings.Join(extraPaths.List(), "\n"))
- t.Error("Extra fields with 'secret' in the name found. Verify VisitPodSecretNames() is including these fields if appropriate, then correct expectedSecretPaths")
- }
- if missingNames := expectedSecretPaths.Difference(extractedNames); len(missingNames) > 0 {
- t.Logf("Missing expected secret names:\n%s", strings.Join(missingNames.List(), "\n"))
- t.Error("Missing expected secret names. Verify the pod stub above includes these references, then verify VisitPodSecretNames() is correctly finding the missing names")
- }
- if extraNames := extractedNames.Difference(expectedSecretPaths); len(extraNames) > 0 {
- t.Logf("Extra secret names:\n%s", strings.Join(extraNames.List(), "\n"))
- t.Error("Extra secret names extracted. Verify VisitPodSecretNames() is correctly extracting secret names")
- }
- }
- // collectResourcePaths traverses the object, computing all the struct paths that lead to fields with resourcename in the name.
- func collectResourcePaths(t *testing.T, resourcename string, path *field.Path, name string, tp reflect.Type) sets.String {
- resourcename = strings.ToLower(resourcename)
- resourcePaths := sets.NewString()
- if tp.Kind() == reflect.Ptr {
- resourcePaths.Insert(collectResourcePaths(t, resourcename, path, name, tp.Elem()).List()...)
- return resourcePaths
- }
- if strings.Contains(strings.ToLower(name), resourcename) {
- resourcePaths.Insert(path.String())
- }
- switch tp.Kind() {
- case reflect.Ptr:
- resourcePaths.Insert(collectResourcePaths(t, resourcename, path, name, tp.Elem()).List()...)
- case reflect.Struct:
- // ObjectMeta is generic and therefore should never have a field with a specific resource's name;
- // it contains cycles so it's easiest to just skip it.
- if name == "ObjectMeta" {
- break
- }
- for i := 0; i < tp.NumField(); i++ {
- field := tp.Field(i)
- resourcePaths.Insert(collectResourcePaths(t, resourcename, path.Child(field.Name), field.Name, field.Type).List()...)
- }
- case reflect.Interface:
- t.Errorf("cannot find %s fields in interface{} field %s", resourcename, path.String())
- case reflect.Map:
- resourcePaths.Insert(collectResourcePaths(t, resourcename, path.Key("*"), "", tp.Elem()).List()...)
- case reflect.Slice:
- resourcePaths.Insert(collectResourcePaths(t, resourcename, path.Key("*"), "", tp.Elem()).List()...)
- default:
- // all primitive types
- }
- return resourcePaths
- }
- func TestPodConfigmaps(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
- // Stub containing all possible ConfigMap references in a pod.
- // The names of the referenced ConfigMaps match struct paths detected by reflection.
- pod := &api.Pod{
- Spec: api.PodSpec{
- Containers: []api.Container{{
- EnvFrom: []api.EnvFromSource{{
- ConfigMapRef: &api.ConfigMapEnvSource{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.Containers[*].EnvFrom[*].ConfigMapRef"}}}},
- Env: []api.EnvVar{{
- ValueFrom: &api.EnvVarSource{
- ConfigMapKeyRef: &api.ConfigMapKeySelector{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.Containers[*].Env[*].ValueFrom.ConfigMapKeyRef"}}}}}}},
- EphemeralContainers: []api.EphemeralContainer{{
- EphemeralContainerCommon: api.EphemeralContainerCommon{
- EnvFrom: []api.EnvFromSource{{
- ConfigMapRef: &api.ConfigMapEnvSource{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.EphemeralContainers[*].EphemeralContainerCommon.EnvFrom[*].ConfigMapRef"}}}},
- Env: []api.EnvVar{{
- ValueFrom: &api.EnvVarSource{
- ConfigMapKeyRef: &api.ConfigMapKeySelector{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.EphemeralContainers[*].EphemeralContainerCommon.Env[*].ValueFrom.ConfigMapKeyRef"}}}}}}}},
- InitContainers: []api.Container{{
- EnvFrom: []api.EnvFromSource{{
- ConfigMapRef: &api.ConfigMapEnvSource{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.InitContainers[*].EnvFrom[*].ConfigMapRef"}}}},
- Env: []api.EnvVar{{
- ValueFrom: &api.EnvVarSource{
- ConfigMapKeyRef: &api.ConfigMapKeySelector{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.InitContainers[*].Env[*].ValueFrom.ConfigMapKeyRef"}}}}}}},
- Volumes: []api.Volume{{
- VolumeSource: api.VolumeSource{
- Projected: &api.ProjectedVolumeSource{
- Sources: []api.VolumeProjection{{
- ConfigMap: &api.ConfigMapProjection{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.Projected.Sources[*].ConfigMap"}}}}}}}, {
- VolumeSource: api.VolumeSource{
- ConfigMap: &api.ConfigMapVolumeSource{
- LocalObjectReference: api.LocalObjectReference{
- Name: "Spec.Volumes[*].VolumeSource.ConfigMap"}}}}},
- },
- }
- extractedNames := sets.NewString()
- VisitPodConfigmapNames(pod, func(name string) bool {
- extractedNames.Insert(name)
- return true
- })
- // expectedPaths holds struct paths to fields with "ConfigMap" in the name that are references to ConfigMap API objects.
- // every path here should be represented as an example in the Pod stub above, with the ConfigMap name set to the path.
- expectedPaths := sets.NewString(
- "Spec.Containers[*].EnvFrom[*].ConfigMapRef",
- "Spec.Containers[*].Env[*].ValueFrom.ConfigMapKeyRef",
- "Spec.EphemeralContainers[*].EphemeralContainerCommon.EnvFrom[*].ConfigMapRef",
- "Spec.EphemeralContainers[*].EphemeralContainerCommon.Env[*].ValueFrom.ConfigMapKeyRef",
- "Spec.InitContainers[*].EnvFrom[*].ConfigMapRef",
- "Spec.InitContainers[*].Env[*].ValueFrom.ConfigMapKeyRef",
- "Spec.Volumes[*].VolumeSource.Projected.Sources[*].ConfigMap",
- "Spec.Volumes[*].VolumeSource.ConfigMap",
- )
- collectPaths := collectResourcePaths(t, "ConfigMap", nil, "", reflect.TypeOf(&api.Pod{}))
- if missingPaths := expectedPaths.Difference(collectPaths); len(missingPaths) > 0 {
- t.Logf("Missing expected paths:\n%s", strings.Join(missingPaths.List(), "\n"))
- t.Error("Missing expected paths. Verify VisitPodConfigmapNames() is correctly finding the missing paths, then correct expectedPaths")
- }
- if extraPaths := collectPaths.Difference(expectedPaths); len(extraPaths) > 0 {
- t.Logf("Extra paths:\n%s", strings.Join(extraPaths.List(), "\n"))
- t.Error("Extra fields with resource in the name found. Verify VisitPodConfigmapNames() is including these fields if appropriate, then correct expectedPaths")
- }
- if missingNames := expectedPaths.Difference(extractedNames); len(missingNames) > 0 {
- t.Logf("Missing expected names:\n%s", strings.Join(missingNames.List(), "\n"))
- t.Error("Missing expected names. Verify the pod stub above includes these references, then verify VisitPodConfigmapNames() is correctly finding the missing names")
- }
- if extraNames := extractedNames.Difference(expectedPaths); len(extraNames) > 0 {
- t.Logf("Extra names:\n%s", strings.Join(extraNames.List(), "\n"))
- t.Error("Extra names extracted. Verify VisitPodConfigmapNames() is correctly extracting resource names")
- }
- }
- func TestDropAlphaVolumeDevices(t *testing.T) {
- podWithVolumeDevices := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{
- {
- Name: "container1",
- Image: "testimage",
- VolumeDevices: []api.VolumeDevice{
- {
- Name: "myvolume",
- DevicePath: "/usr/test",
- },
- },
- },
- },
- InitContainers: []api.Container{
- {
- Name: "container1",
- Image: "testimage",
- VolumeDevices: []api.VolumeDevice{
- {
- Name: "myvolume",
- DevicePath: "/usr/test",
- },
- },
- },
- },
- Volumes: []api.Volume{
- {
- Name: "myvolume",
- VolumeSource: api.VolumeSource{
- HostPath: &api.HostPathVolumeSource{
- Path: "/dev/xvdc",
- },
- },
- },
- },
- },
- }
- }
- podWithoutVolumeDevices := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{
- {
- Name: "container1",
- Image: "testimage",
- },
- },
- InitContainers: []api.Container{
- {
- Name: "container1",
- Image: "testimage",
- },
- },
- Volumes: []api.Volume{
- {
- Name: "myvolume",
- VolumeSource: api.VolumeSource{
- HostPath: &api.HostPathVolumeSource{
- Path: "/dev/xvdc",
- },
- },
- },
- },
- },
- }
- }
- podInfo := []struct {
- description string
- hasVolumeDevices bool
- pod func() *api.Pod
- }{
- {
- description: "has VolumeDevices",
- hasVolumeDevices: true,
- pod: podWithVolumeDevices,
- },
- {
- description: "does not have VolumeDevices",
- hasVolumeDevices: false,
- pod: podWithoutVolumeDevices,
- },
- {
- description: "is nil",
- hasVolumeDevices: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasVolumeDevices, oldPod := oldPodInfo.hasVolumeDevices, oldPodInfo.pod()
- newPodHasVolumeDevices, newPod := newPodInfo.hasVolumeDevices, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.BlockVolume, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasVolumeDevices:
- // new pod should not be changed if the feature is enabled, or if the old pod had VolumeDevices
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasVolumeDevices:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have VolumeDevices
- if !reflect.DeepEqual(newPod, podWithoutVolumeDevices()) {
- t.Errorf("new pod had VolumeDevices: %v", diff.ObjectReflectDiff(newPod, podWithoutVolumeDevices()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropSubPath(t *testing.T) {
- podWithSubpaths := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{{Name: "container1", Image: "testimage", VolumeMounts: []api.VolumeMount{{Name: "a", SubPath: "foo"}, {Name: "a", SubPath: "foo2"}, {Name: "a", SubPath: "foo3"}}}},
- InitContainers: []api.Container{{Name: "container1", Image: "testimage", VolumeMounts: []api.VolumeMount{{Name: "a", SubPath: "foo"}, {Name: "a", SubPath: "foo2"}}}},
- Volumes: []api.Volume{{Name: "a", VolumeSource: api.VolumeSource{HostPath: &api.HostPathVolumeSource{Path: "/dev/xvdc"}}}},
- },
- }
- }
- podWithoutSubpaths := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{{Name: "container1", Image: "testimage", VolumeMounts: []api.VolumeMount{{Name: "a", SubPath: ""}, {Name: "a", SubPath: ""}, {Name: "a", SubPath: ""}}}},
- InitContainers: []api.Container{{Name: "container1", Image: "testimage", VolumeMounts: []api.VolumeMount{{Name: "a", SubPath: ""}, {Name: "a", SubPath: ""}}}},
- Volumes: []api.Volume{{Name: "a", VolumeSource: api.VolumeSource{HostPath: &api.HostPathVolumeSource{Path: "/dev/xvdc"}}}},
- },
- }
- }
- podInfo := []struct {
- description string
- hasSubpaths bool
- pod func() *api.Pod
- }{
- {
- description: "has subpaths",
- hasSubpaths: true,
- pod: podWithSubpaths,
- },
- {
- description: "does not have subpaths",
- hasSubpaths: false,
- pod: podWithoutSubpaths,
- },
- {
- description: "is nil",
- hasSubpaths: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasSubpaths, oldPod := oldPodInfo.hasSubpaths, oldPodInfo.pod()
- newPodHasSubpaths, newPod := newPodInfo.hasSubpaths, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.VolumeSubpath, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasSubpaths:
- // new pod should not be changed if the feature is enabled, or if the old pod had subpaths
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasSubpaths:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have subpaths
- if !reflect.DeepEqual(newPod, podWithoutSubpaths()) {
- t.Errorf("new pod had subpaths: %v", diff.ObjectReflectDiff(newPod, podWithoutSubpaths()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropRuntimeClass(t *testing.T) {
- runtimeClassName := "some_container_engine"
- podWithoutRuntimeClass := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RuntimeClassName: nil,
- },
- }
- }
- podWithRuntimeClass := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RuntimeClassName: &runtimeClassName,
- },
- }
- }
- podInfo := []struct {
- description string
- hasPodRuntimeClassName bool
- pod func() *api.Pod
- }{
- {
- description: "pod Without RuntimeClassName",
- hasPodRuntimeClassName: false,
- pod: podWithoutRuntimeClass,
- },
- {
- description: "pod With RuntimeClassName",
- hasPodRuntimeClassName: true,
- pod: podWithRuntimeClass,
- },
- {
- description: "is nil",
- hasPodRuntimeClassName: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasRuntimeClassName, oldPod := oldPodInfo.hasPodRuntimeClassName, oldPodInfo.pod()
- newPodHasRuntimeClassName, newPod := newPodInfo.hasPodRuntimeClassName, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RuntimeClass, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasRuntimeClassName:
- // new pod should not be changed if the feature is enabled, or if the old pod had RuntimeClass
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasRuntimeClassName:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have RuntimeClass
- if !reflect.DeepEqual(newPod, podWithoutRuntimeClass()) {
- t.Errorf("new pod had PodRuntimeClassName: %v", diff.ObjectReflectDiff(newPod, podWithoutRuntimeClass()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropProcMount(t *testing.T) {
- procMount := api.UnmaskedProcMount
- defaultProcMount := api.DefaultProcMount
- podWithProcMount := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &procMount}}},
- InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &procMount}}},
- },
- }
- }
- podWithDefaultProcMount := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &defaultProcMount}}},
- InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: &defaultProcMount}}},
- },
- }
- }
- podWithoutProcMount := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
- InitContainers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: &api.SecurityContext{ProcMount: nil}}},
- },
- }
- }
- podInfo := []struct {
- description string
- hasProcMount bool
- pod func() *api.Pod
- }{
- {
- description: "has ProcMount",
- hasProcMount: true,
- pod: podWithProcMount,
- },
- {
- description: "has default ProcMount",
- hasProcMount: false,
- pod: podWithDefaultProcMount,
- },
- {
- description: "does not have ProcMount",
- hasProcMount: false,
- pod: podWithoutProcMount,
- },
- {
- description: "is nil",
- hasProcMount: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasProcMount, oldPod := oldPodInfo.hasProcMount, oldPodInfo.pod()
- newPodHasProcMount, newPod := newPodInfo.hasProcMount, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasProcMount:
- // new pod should not be changed if the feature is enabled, or if the old pod had ProcMount
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasProcMount:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have ProcMount
- if procMountInUse(&newPod.Spec) {
- t.Errorf("new pod had ProcMount: %#v", &newPod.Spec)
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropEmptyDirSizeLimit(t *testing.T) {
- sizeLimit := resource.MustParse("1Gi")
- podWithEmptyDirSizeLimit := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Volumes: []api.Volume{
- {
- Name: "a",
- VolumeSource: api.VolumeSource{
- EmptyDir: &api.EmptyDirVolumeSource{
- Medium: "memory",
- SizeLimit: &sizeLimit,
- },
- },
- },
- },
- },
- }
- }
- podWithoutEmptyDirSizeLimit := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Volumes: []api.Volume{
- {
- Name: "a",
- VolumeSource: api.VolumeSource{
- EmptyDir: &api.EmptyDirVolumeSource{
- Medium: "memory",
- },
- },
- },
- },
- },
- }
- }
- podInfo := []struct {
- description string
- hasEmptyDirSizeLimit bool
- pod func() *api.Pod
- }{
- {
- description: "has EmptyDir Size Limit",
- hasEmptyDirSizeLimit: true,
- pod: podWithEmptyDirSizeLimit,
- },
- {
- description: "does not have EmptyDir Size Limit",
- hasEmptyDirSizeLimit: false,
- pod: podWithoutEmptyDirSizeLimit,
- },
- {
- description: "is nil",
- hasEmptyDirSizeLimit: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasEmptyDirSizeLimit, oldPod := oldPodInfo.hasEmptyDirSizeLimit, oldPodInfo.pod()
- newPodHasEmptyDirSizeLimit, newPod := newPodInfo.hasEmptyDirSizeLimit, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LocalStorageCapacityIsolation, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasEmptyDirSizeLimit:
- // new pod should not be changed if the feature is enabled, or if the old pod had EmptyDir SizeLimit
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasEmptyDirSizeLimit:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have EmptyDir SizeLimit
- if !reflect.DeepEqual(newPod, podWithoutEmptyDirSizeLimit()) {
- t.Errorf("new pod had EmptyDir SizeLimit: %v", diff.ObjectReflectDiff(newPod, podWithoutEmptyDirSizeLimit()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropAppArmor(t *testing.T) {
- podWithAppArmor := func() *api.Pod {
- return &api.Pod{
- ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", apparmor.ContainerAnnotationKeyPrefix + "foo": "default"}},
- Spec: api.PodSpec{},
- }
- }
- podWithoutAppArmor := func() *api.Pod {
- return &api.Pod{
- ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1"}},
- Spec: api.PodSpec{},
- }
- }
- podInfo := []struct {
- description string
- hasAppArmor bool
- pod func() *api.Pod
- }{
- {
- description: "has AppArmor",
- hasAppArmor: true,
- pod: podWithAppArmor,
- },
- {
- description: "does not have AppArmor",
- hasAppArmor: false,
- pod: podWithoutAppArmor,
- },
- {
- description: "is nil",
- hasAppArmor: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasAppArmor, oldPod := oldPodInfo.hasAppArmor, oldPodInfo.pod()
- newPodHasAppArmor, newPod := newPodInfo.hasAppArmor, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, enabled)()
- DropDisabledPodFields(newPod, oldPod)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasAppArmor:
- // new pod should not be changed if the feature is enabled, or if the old pod had AppArmor
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasAppArmor:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have AppArmor
- if !reflect.DeepEqual(newPod, podWithoutAppArmor()) {
- t.Errorf("new pod had EmptyDir SizeLimit: %v", diff.ObjectReflectDiff(newPod, podWithoutAppArmor()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropTokenRequestProjection(t *testing.T) {
- podWithoutTRProjection := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- Volumes: []api.Volume{{
- VolumeSource: api.VolumeSource{
- Projected: &api.ProjectedVolumeSource{
- Sources: []api.VolumeProjection{{
- ServiceAccountToken: nil,
- }},
- }}},
- },
- },
- }
- }
- podWithoutProjectedVolumeSource := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- Volumes: []api.Volume{
- {VolumeSource: api.VolumeSource{
- ConfigMap: &api.ConfigMapVolumeSource{},
- }},
- },
- },
- }
- }
- podWithTRProjection := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- Volumes: []api.Volume{{
- VolumeSource: api.VolumeSource{
- Projected: &api.ProjectedVolumeSource{
- Sources: []api.VolumeProjection{{
- ServiceAccountToken: &api.ServiceAccountTokenProjection{
- Audience: "api",
- ExpirationSeconds: 3600,
- Path: "token",
- }},
- }},
- },
- },
- },
- }}
- }
- podInfo := []struct {
- description string
- hasTRProjection bool
- pod func() *api.Pod
- }{
- {
- description: "has TokenRequestProjection",
- hasTRProjection: true,
- pod: podWithTRProjection,
- },
- {
- description: "does not have TokenRequestProjection",
- hasTRProjection: false,
- pod: podWithoutTRProjection,
- },
- {
- description: "does not have ProjectedVolumeSource",
- hasTRProjection: false,
- pod: podWithoutProjectedVolumeSource,
- },
- {
- description: "is nil",
- hasTRProjection: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodhasTRProjection, oldPod := oldPodInfo.hasTRProjection, oldPodInfo.pod()
- newPodhasTRProjection, newPod := newPodInfo.hasTRProjection, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TokenRequestProjection, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodhasTRProjection:
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodhasTRProjection:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("%v", oldPod)
- t.Errorf("%v", newPod)
- t.Errorf("new pod was not changed")
- }
- if !reflect.DeepEqual(newPod, podWithoutTRProjection()) {
- t.Errorf("new pod had Tokenrequestprojection: %v", diff.ObjectReflectDiff(newPod, podWithoutTRProjection()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropRunAsGroup(t *testing.T) {
- group := func() *int64 {
- testGroup := int64(1000)
- return &testGroup
- }
- defaultProcMount := api.DefaultProcMount
- defaultSecurityContext := func() *api.SecurityContext {
- return &api.SecurityContext{ProcMount: &defaultProcMount}
- }
- securityContextWithRunAsGroup := func() *api.SecurityContext {
- return &api.SecurityContext{ProcMount: &defaultProcMount, RunAsGroup: group()}
- }
- podWithoutRunAsGroup := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- SecurityContext: &api.PodSecurityContext{},
- Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
- InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
- },
- }
- }
- podWithRunAsGroupInPod := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- SecurityContext: &api.PodSecurityContext{RunAsGroup: group()},
- Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
- InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
- },
- }
- }
- podWithRunAsGroupInContainers := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- SecurityContext: &api.PodSecurityContext{},
- Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: securityContextWithRunAsGroup()}},
- InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
- },
- }
- }
- podWithRunAsGroupInInitContainers := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- SecurityContext: &api.PodSecurityContext{},
- Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: defaultSecurityContext()}},
- InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: securityContextWithRunAsGroup()}},
- },
- }
- }
- podInfo := []struct {
- description string
- hasRunAsGroup bool
- pod func() *api.Pod
- }{
- {
- description: "have RunAsGroup in Pod",
- hasRunAsGroup: true,
- pod: podWithRunAsGroupInPod,
- },
- {
- description: "have RunAsGroup in Container",
- hasRunAsGroup: true,
- pod: podWithRunAsGroupInContainers,
- },
- {
- description: "have RunAsGroup in InitContainer",
- hasRunAsGroup: true,
- pod: podWithRunAsGroupInInitContainers,
- },
- {
- description: "does not have RunAsGroup",
- hasRunAsGroup: false,
- pod: podWithoutRunAsGroup,
- },
- {
- description: "is nil",
- hasRunAsGroup: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasRunAsGroup, oldPod := oldPodInfo.hasRunAsGroup, oldPodInfo.pod()
- newPodHasRunAsGroup, newPod := newPodInfo.hasRunAsGroup, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RunAsGroup, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasRunAsGroup:
- // new pod should not be changed if the feature is enabled, or if the old pod had RunAsGroup
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasRunAsGroup:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("%v", oldPod)
- t.Errorf("%v", newPod)
- t.Errorf("new pod was not changed")
- }
- // new pod should not have RunAsGroup
- if !reflect.DeepEqual(newPod, podWithoutRunAsGroup()) {
- t.Errorf("new pod had RunAsGroup: %v", diff.ObjectReflectDiff(newPod, podWithoutRunAsGroup()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropGMSAFields(t *testing.T) {
- defaultContainerSecurityContextFactory := func() *api.SecurityContext {
- defaultProcMount := api.DefaultProcMount
- return &api.SecurityContext{ProcMount: &defaultProcMount}
- }
- podWithoutWindowsOptionsFactory := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- SecurityContext: &api.PodSecurityContext{},
- Containers: []api.Container{{Name: "container1", Image: "testimage", SecurityContext: defaultContainerSecurityContextFactory()}},
- InitContainers: []api.Container{{Name: "initContainer1", Image: "testimage", SecurityContext: defaultContainerSecurityContextFactory()}},
- },
- }
- }
- type podFactoryInfo struct {
- description string
- hasGMSAField bool
- // this factory should generate the input pod whose spec will be fed to dropDisabledFields
- podFactory func() *api.Pod
- // this factory should generate the expected pod after the GMSA fields have been dropped
- // we can't just use podWithoutWindowsOptionsFactory as is for this, since in some cases
- // we'll be left with a WindowsSecurityContextOptions struct with no GMSA field set, as opposed
- // to a nil pointer in the pod generated by podWithoutWindowsOptionsFactory
- // if this field is not set, it will default to the podFactory
- strippedPodFactory func() *api.Pod
- }
- podFactoryInfos := []podFactoryInfo{
- {
- description: "does not have any GMSA field set",
- hasGMSAField: false,
- podFactory: podWithoutWindowsOptionsFactory,
- },
- {
- description: "has a pod-level WindowsSecurityContextOptions struct with no GMSA field set",
- hasGMSAField: false,
- podFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.SecurityContext.WindowsOptions = &api.WindowsSecurityContextOptions{}
- return pod
- },
- },
- {
- description: "has a WindowsSecurityContextOptions struct with no GMSA field set on a container",
- hasGMSAField: false,
- podFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.Containers[0].SecurityContext.WindowsOptions = &api.WindowsSecurityContextOptions{}
- return pod
- },
- },
- {
- description: "has a WindowsSecurityContextOptions struct with no GMSA field set on an init container",
- hasGMSAField: false,
- podFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.InitContainers[0].SecurityContext.WindowsOptions = &api.WindowsSecurityContextOptions{}
- return pod
- },
- },
- {
- description: "is nil",
- hasGMSAField: false,
- podFactory: func() *api.Pod { return nil },
- },
- }
- toPtr := func(s string) *string {
- return &s
- }
- addGMSACredentialSpecName := func(windowsOptions *api.WindowsSecurityContextOptions) {
- windowsOptions.GMSACredentialSpecName = toPtr("dummy-gmsa-cred-spec-name")
- }
- addGMSACredentialSpec := func(windowsOptions *api.WindowsSecurityContextOptions) {
- windowsOptions.GMSACredentialSpec = toPtr("dummy-gmsa-cred-spec-contents")
- }
- addBothGMSAFields := func(windowsOptions *api.WindowsSecurityContextOptions) {
- addGMSACredentialSpecName(windowsOptions)
- addGMSACredentialSpec(windowsOptions)
- }
- for fieldName, windowsOptionsTransformingFunc := range map[string]func(*api.WindowsSecurityContextOptions){
- "GMSACredentialSpecName field": addGMSACredentialSpecName,
- "GMSACredentialSpec field": addGMSACredentialSpec,
- "both GMSA fields": addBothGMSAFields,
- } {
- // yes, these variables are indeed needed for the closure to work
- // properly, please do NOT remove them
- name := fieldName
- transformingFunc := windowsOptionsTransformingFunc
- windowsOptionsWithGMSAFieldFactory := func() *api.WindowsSecurityContextOptions {
- windowsOptions := &api.WindowsSecurityContextOptions{}
- transformingFunc(windowsOptions)
- return windowsOptions
- }
- podFactoryInfos = append(podFactoryInfos,
- podFactoryInfo{
- description: fmt.Sprintf("has %s in Pod", name),
- hasGMSAField: true,
- podFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.SecurityContext.WindowsOptions = windowsOptionsWithGMSAFieldFactory()
- return pod
- },
- strippedPodFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.SecurityContext.WindowsOptions = &api.WindowsSecurityContextOptions{}
- return pod
- },
- },
- podFactoryInfo{
- description: fmt.Sprintf("has %s in Container", name),
- hasGMSAField: true,
- podFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.Containers[0].SecurityContext.WindowsOptions = windowsOptionsWithGMSAFieldFactory()
- return pod
- },
- strippedPodFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.Containers[0].SecurityContext.WindowsOptions = &api.WindowsSecurityContextOptions{}
- return pod
- },
- },
- podFactoryInfo{
- description: fmt.Sprintf("has %s in InitContainer", name),
- hasGMSAField: true,
- podFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.InitContainers[0].SecurityContext.WindowsOptions = windowsOptionsWithGMSAFieldFactory()
- return pod
- },
- strippedPodFactory: func() *api.Pod {
- pod := podWithoutWindowsOptionsFactory()
- pod.Spec.InitContainers[0].SecurityContext.WindowsOptions = &api.WindowsSecurityContextOptions{}
- return pod
- },
- })
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodFactoryInfo := range podFactoryInfos {
- for _, newPodFactoryInfo := range podFactoryInfos {
- newPodHasGMSAField, newPod := newPodFactoryInfo.hasGMSAField, newPodFactoryInfo.podFactory()
- if newPod == nil {
- continue
- }
- oldPodHasGMSAField, oldPod := oldPodFactoryInfo.hasGMSAField, oldPodFactoryInfo.podFactory()
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %s, new pod %s", enabled, oldPodFactoryInfo.description, newPodFactoryInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsGMSA, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodFactoryInfo.podFactory()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodFactoryInfo.podFactory()))
- }
- switch {
- case enabled || oldPodHasGMSAField:
- // new pod should not be changed if the feature is enabled, or if the old pod had any GMSA field set
- if !reflect.DeepEqual(newPod, newPodFactoryInfo.podFactory()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodFactoryInfo.podFactory()))
- }
- case newPodHasGMSAField:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodFactoryInfo.podFactory()) {
- t.Errorf("%v", oldPod)
- t.Errorf("%v", newPod)
- t.Errorf("new pod was not changed")
- }
- // new pod should not have any GMSA field set
- var expectedStrippedPod *api.Pod
- if newPodFactoryInfo.strippedPodFactory == nil {
- expectedStrippedPod = newPodFactoryInfo.podFactory()
- } else {
- expectedStrippedPod = newPodFactoryInfo.strippedPodFactory()
- }
- if !reflect.DeepEqual(newPod, expectedStrippedPod) {
- t.Errorf("new pod had some GMSA field set: %v", diff.ObjectReflectDiff(newPod, expectedStrippedPod))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodFactoryInfo.podFactory()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodFactoryInfo.podFactory()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropPodSysctls(t *testing.T) {
- podWithSysctls := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- SecurityContext: &api.PodSecurityContext{
- Sysctls: []api.Sysctl{{Name: "test", Value: "value"}},
- },
- },
- }
- }
- podWithoutSysctls := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- SecurityContext: &api.PodSecurityContext{},
- },
- }
- }
- podWithoutSecurityContext := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{},
- }
- }
- podInfo := []struct {
- description string
- hasSysctls bool
- pod func() *api.Pod
- }{
- {
- description: "has Sysctls",
- hasSysctls: true,
- pod: podWithSysctls,
- },
- {
- description: "does not have Sysctls",
- hasSysctls: false,
- pod: podWithoutSysctls,
- },
- {
- description: "does not have SecurityContext",
- hasSysctls: false,
- pod: podWithoutSecurityContext,
- },
- {
- description: "is nil",
- hasSysctls: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasSysctls, oldPod := oldPodInfo.hasSysctls, oldPodInfo.pod()
- newPodHasSysctls, newPod := newPodInfo.hasSysctls, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.Sysctls, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasSysctls:
- // new pod should not be changed if the feature is enabled, or if the old pod had Sysctls set
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasSysctls:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have Sysctls
- if !reflect.DeepEqual(newPod, podWithoutSysctls()) {
- t.Errorf("new pod had Sysctls: %v", diff.ObjectReflectDiff(newPod, podWithoutSysctls()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }
- func TestDropSubPathExpr(t *testing.T) {
- podWithSubpaths := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{{Name: "container1", Image: "testimage", VolumeMounts: []api.VolumeMount{{Name: "a", SubPathExpr: "foo"}, {Name: "a", SubPathExpr: "foo2"}, {Name: "a", SubPathExpr: "foo3"}}}},
- InitContainers: []api.Container{{Name: "container1", Image: "testimage", VolumeMounts: []api.VolumeMount{{Name: "a", SubPathExpr: "foo"}, {Name: "a", SubPathExpr: "foo2"}}}},
- Volumes: []api.Volume{{Name: "a", VolumeSource: api.VolumeSource{HostPath: &api.HostPathVolumeSource{Path: "/dev/xvdc"}}}},
- },
- }
- }
- podWithoutSubpaths := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- Containers: []api.Container{{Name: "container1", Image: "testimage", VolumeMounts: []api.VolumeMount{{Name: "a", SubPathExpr: ""}, {Name: "a", SubPathExpr: ""}, {Name: "a", SubPathExpr: ""}}}},
- InitContainers: []api.Container{{Name: "container1", Image: "testimage", VolumeMounts: []api.VolumeMount{{Name: "a", SubPathExpr: ""}, {Name: "a", SubPathExpr: ""}}}},
- Volumes: []api.Volume{{Name: "a", VolumeSource: api.VolumeSource{HostPath: &api.HostPathVolumeSource{Path: "/dev/xvdc"}}}},
- },
- }
- }
- podInfo := []struct {
- description string
- hasSubpaths bool
- pod func() *api.Pod
- }{
- {
- description: "has subpaths",
- hasSubpaths: true,
- pod: podWithSubpaths,
- },
- {
- description: "does not have subpaths",
- hasSubpaths: false,
- pod: podWithoutSubpaths,
- },
- {
- description: "is nil",
- hasSubpaths: false,
- pod: func() *api.Pod { return nil },
- },
- }
- enabled := true
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasSubpaths, oldPod := oldPodInfo.hasSubpaths, oldPodInfo.pod()
- newPodHasSubpaths, newPod := newPodInfo.hasSubpaths, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.VolumeSubpathEnvExpansion, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasSubpaths:
- // new pod should not be changed if the feature is enabled, or if the old pod had subpaths
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasSubpaths:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have subpaths
- if !reflect.DeepEqual(newPod, podWithoutSubpaths()) {
- t.Errorf("new pod had subpaths: %v", diff.ObjectReflectDiff(newPod, podWithoutSubpaths()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- // helper creates a podStatus with list of PodIPs
- func makePodStatus(podIPs []api.PodIP) *api.PodStatus {
- return &api.PodStatus{
- PodIPs: podIPs,
- }
- }
- func TestDropStatusPodIPs(t *testing.T) {
- testCases := []struct {
- name string
- podStatus *api.PodStatus
- oldPodStatus *api.PodStatus
- comparePodStatus *api.PodStatus
- enableDualStack bool
- }{
- {
- name: "nil pod ips",
- enableDualStack: false,
- podStatus: makePodStatus(nil),
- oldPodStatus: nil,
- comparePodStatus: makePodStatus(nil),
- },
- {
- name: "empty pod ips",
- enableDualStack: false,
- podStatus: makePodStatus([]api.PodIP{}),
- oldPodStatus: nil,
- comparePodStatus: makePodStatus([]api.PodIP{}),
- },
- {
- name: "single family ipv6",
- enableDualStack: false,
- podStatus: makePodStatus([]api.PodIP{{IP: "::1"}}),
- comparePodStatus: makePodStatus([]api.PodIP{{IP: "::1"}}),
- },
- {
- name: "single family ipv4",
- enableDualStack: false,
- podStatus: makePodStatus([]api.PodIP{{IP: "1.1.1.1"}}),
- comparePodStatus: makePodStatus([]api.PodIP{{IP: "1.1.1.1"}}),
- },
- {
- name: "dualstack 4-6",
- enableDualStack: true,
- podStatus: makePodStatus([]api.PodIP{{IP: "1.1.1.1"}, {IP: "::1"}}),
- comparePodStatus: makePodStatus([]api.PodIP{{IP: "1.1.1.1"}, {IP: "::1"}}),
- },
- {
- name: "dualstack 6-4",
- enableDualStack: true,
- podStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- comparePodStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- },
- {
- name: "not dualstack 6-4=>4only",
- enableDualStack: false,
- podStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- oldPodStatus: nil,
- comparePodStatus: makePodStatus([]api.PodIP{{IP: "::1"}}),
- },
- {
- name: "not dualstack 6-4=>as is (used in old)",
- enableDualStack: false,
- podStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- oldPodStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- comparePodStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- },
- {
- name: "not dualstack 6-4=>6only",
- enableDualStack: false,
- podStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- oldPodStatus: nil,
- comparePodStatus: makePodStatus([]api.PodIP{{IP: "::1"}}),
- },
- {
- name: "not dualstack 6-4=>as is (used in old)",
- enableDualStack: false,
- podStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- oldPodStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- comparePodStatus: makePodStatus([]api.PodIP{{IP: "::1"}, {IP: "1.1.1.1"}}),
- },
- }
- for _, tc := range testCases {
- func() {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.IPv6DualStack, tc.enableDualStack)()
- dropPodStatusDisabledFields(tc.podStatus, tc.oldPodStatus)
- old := tc.oldPodStatus.DeepCopy()
- // old pod status should never be changed
- if !reflect.DeepEqual(tc.oldPodStatus, old) {
- t.Errorf("%v: old pod status changed: %v", tc.name, diff.ObjectReflectDiff(tc.oldPodStatus, old))
- }
- if !reflect.DeepEqual(tc.podStatus, tc.comparePodStatus) {
- t.Errorf("%v: unexpected pod status: %v", tc.name, diff.ObjectReflectDiff(tc.podStatus, tc.comparePodStatus))
- }
- }()
- }
- }
- func TestDropEphemeralContainers(t *testing.T) {
- podWithEphemeralContainers := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- EphemeralContainers: []api.EphemeralContainer{{EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "container1", Image: "testimage"}}},
- },
- }
- }
- podWithoutEphemeralContainers := func() *api.Pod {
- return &api.Pod{
- Spec: api.PodSpec{
- RestartPolicy: api.RestartPolicyNever,
- },
- }
- }
- podInfo := []struct {
- description string
- hasEphemeralContainers bool
- pod func() *api.Pod
- }{
- {
- description: "has subpaths",
- hasEphemeralContainers: true,
- pod: podWithEphemeralContainers,
- },
- {
- description: "does not have subpaths",
- hasEphemeralContainers: false,
- pod: podWithoutEphemeralContainers,
- },
- {
- description: "is nil",
- hasEphemeralContainers: false,
- pod: func() *api.Pod { return nil },
- },
- }
- for _, enabled := range []bool{true, false} {
- for _, oldPodInfo := range podInfo {
- for _, newPodInfo := range podInfo {
- oldPodHasEphemeralContainers, oldPod := oldPodInfo.hasEphemeralContainers, oldPodInfo.pod()
- newPodHasEphemeralContainers, newPod := newPodInfo.hasEphemeralContainers, newPodInfo.pod()
- if newPod == nil {
- continue
- }
- t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
- defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, enabled)()
- var oldPodSpec *api.PodSpec
- if oldPod != nil {
- oldPodSpec = &oldPod.Spec
- }
- dropDisabledFields(&newPod.Spec, nil, oldPodSpec, nil)
- // old pod should never be changed
- if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
- t.Errorf("old pod changed: %v", diff.ObjectReflectDiff(oldPod, oldPodInfo.pod()))
- }
- switch {
- case enabled || oldPodHasEphemeralContainers:
- // new pod should not be changed if the feature is enabled, or if the old pod had subpaths
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- case newPodHasEphemeralContainers:
- // new pod should be changed
- if reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod was not changed")
- }
- // new pod should not have subpaths
- if !reflect.DeepEqual(newPod, podWithoutEphemeralContainers()) {
- t.Errorf("new pod had subpaths: %v", diff.ObjectReflectDiff(newPod, podWithoutEphemeralContainers()))
- }
- default:
- // new pod should not need to be changed
- if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
- t.Errorf("new pod changed: %v", diff.ObjectReflectDiff(newPod, newPodInfo.pod()))
- }
- }
- })
- }
- }
- }
- }