custom-kube-scheduler/kubernetes-v1.15.4/pkg/securitycontext/accessors_test.go

/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package securitycontext

import (
	"reflect"
	"testing"

	"k8s.io/apimachinery/pkg/util/diff"
	api "k8s.io/kubernetes/pkg/apis/core"
)

func TestPodSecurityContextAccessor(t *testing.T) {
	fsGroup := int64(2)
	runAsUser := int64(1)
	runAsGroup := int64(1)
	runAsNonRoot := true

	testcases := []*api.PodSecurityContext{
		nil,
		{},
		{FSGroup: &fsGroup},
		{HostIPC: true},
		{HostNetwork: true},
		{HostPID: true},
		{RunAsNonRoot: &runAsNonRoot},
		{RunAsUser: &runAsUser},
		{RunAsGroup: &runAsGroup},
		{SELinuxOptions: &api.SELinuxOptions{User: "bob"}},
		{SupplementalGroups: []int64{1, 2, 3}},
	}

	for i, tc := range testcases {
		expected := tc
		if expected == nil {
			expected = &api.PodSecurityContext{}
		}

		a := NewPodSecurityContextAccessor(tc)

		if v := a.FSGroup(); !reflect.DeepEqual(expected.FSGroup, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.FSGroup, v)
		}
		if v := a.HostIPC(); !reflect.DeepEqual(expected.HostIPC, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.HostIPC, v)
		}
		if v := a.HostNetwork(); !reflect.DeepEqual(expected.HostNetwork, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.HostNetwork, v)
		}
		if v := a.HostPID(); !reflect.DeepEqual(expected.HostPID, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.HostPID, v)
		}
		if v := a.RunAsNonRoot(); !reflect.DeepEqual(expected.RunAsNonRoot, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsNonRoot, v)
		}
		if v := a.RunAsUser(); !reflect.DeepEqual(expected.RunAsUser, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsUser, v)
		}
		if v := a.RunAsGroup(); !reflect.DeepEqual(expected.RunAsGroup, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsGroup, v)
		}
		if v := a.SELinuxOptions(); !reflect.DeepEqual(expected.SELinuxOptions, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.SELinuxOptions, v)
		}
		if v := a.SupplementalGroups(); !reflect.DeepEqual(expected.SupplementalGroups, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.SupplementalGroups, v)
		}
	}
}

func TestPodSecurityContextMutator(t *testing.T) {
	testcases := map[string]struct {
		newSC func() *api.PodSecurityContext
	}{
		"nil": {
			newSC: func() *api.PodSecurityContext { return nil },
		},
		"zero": {
			newSC: func() *api.PodSecurityContext { return &api.PodSecurityContext{} },
		},
		"populated": {
			newSC: func() *api.PodSecurityContext {
				return &api.PodSecurityContext{
					HostNetwork:        true,
					HostIPC:            true,
					HostPID:            true,
					SELinuxOptions:     &api.SELinuxOptions{},
					RunAsUser:          nil,
					RunAsGroup:         nil,
					RunAsNonRoot:       nil,
					SupplementalGroups: nil,
					FSGroup:            nil,
				}
			},
		},
	}

	nonNilSC := func(sc *api.PodSecurityContext) *api.PodSecurityContext {
		if sc == nil {
			return &api.PodSecurityContext{}
		}
		return sc
	}

	for k, tc := range testcases {
		{
			sc := tc.newSC()
			originalSC := tc.newSC()
			m := NewPodSecurityContextMutator(sc)

			// no-op sets should not modify the object
			m.SetFSGroup(m.FSGroup())
			m.SetHostNetwork(m.HostNetwork())
			m.SetHostIPC(m.HostIPC())
			m.SetHostPID(m.HostPID())
			m.SetRunAsNonRoot(m.RunAsNonRoot())
			m.SetRunAsUser(m.RunAsUser())
			m.SetRunAsGroup(m.RunAsGroup())
			m.SetSELinuxOptions(m.SELinuxOptions())
			m.SetSupplementalGroups(m.SupplementalGroups())
			if !reflect.DeepEqual(sc, originalSC) {
				t.Errorf("%s: unexpected mutation: %#v, %#v", k, sc, originalSC)
			}
			if !reflect.DeepEqual(m.PodSecurityContext(), originalSC) {
				t.Errorf("%s: unexpected mutation: %#v, %#v", k, m.PodSecurityContext(), originalSC)
			}
		}

		// FSGroup
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			i := int64(1123)
			modifiedSC.FSGroup = &i
			m.SetFSGroup(&i)
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}

		// HostNetwork
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			modifiedSC.HostNetwork = !modifiedSC.HostNetwork
			m.SetHostNetwork(!m.HostNetwork())
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}

		// HostIPC
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			modifiedSC.HostIPC = !modifiedSC.HostIPC
			m.SetHostIPC(!m.HostIPC())
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}

		// HostPID
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			modifiedSC.HostPID = !modifiedSC.HostPID
			m.SetHostPID(!m.HostPID())
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}

		// RunAsNonRoot
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			b := true
			modifiedSC.RunAsNonRoot = &b
			m.SetRunAsNonRoot(&b)
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}

		// RunAsUser
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			i := int64(1123)
			modifiedSC.RunAsUser = &i
			m.SetRunAsUser(&i)
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}

		// RunAsGroup
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			i := int64(1123)
			modifiedSC.RunAsGroup = &i
			m.SetRunAsGroup(&i)
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}

		// SELinuxOptions
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			modifiedSC.SELinuxOptions = &api.SELinuxOptions{User: "bob"}
			m.SetSELinuxOptions(&api.SELinuxOptions{User: "bob"})
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}

		// SupplementalGroups
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			modifiedSC.SupplementalGroups = []int64{1, 1, 2, 3}
			m.SetSupplementalGroups([]int64{1, 1, 2, 3})
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
				continue
			}
		}
	}
}

func TestContainerSecurityContextAccessor(t *testing.T) {
	privileged := true
	runAsUser := int64(1)
	runAsNonRoot := true
	readOnlyRootFilesystem := true
	allowPrivilegeEscalation := true

	testcases := []*api.SecurityContext{
		nil,
		{},
		{Capabilities: &api.Capabilities{Drop: []api.Capability{"test"}}},
		{Privileged: &privileged},
		{SELinuxOptions: &api.SELinuxOptions{User: "bob"}},
		{RunAsUser: &runAsUser},
		{RunAsNonRoot: &runAsNonRoot},
		{ReadOnlyRootFilesystem: &readOnlyRootFilesystem},
		{AllowPrivilegeEscalation: &allowPrivilegeEscalation},
	}

	for i, tc := range testcases {
		expected := tc
		if expected == nil {
			expected = &api.SecurityContext{}
		}

		a := NewContainerSecurityContextAccessor(tc)

		if v := a.Capabilities(); !reflect.DeepEqual(expected.Capabilities, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.Capabilities, v)
		}
		if v := a.Privileged(); !reflect.DeepEqual(expected.Privileged, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.Privileged, v)
		}
		if v := a.RunAsNonRoot(); !reflect.DeepEqual(expected.RunAsNonRoot, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsNonRoot, v)
		}
		if v := a.RunAsUser(); !reflect.DeepEqual(expected.RunAsUser, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsUser, v)
		}
		if v := a.SELinuxOptions(); !reflect.DeepEqual(expected.SELinuxOptions, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.SELinuxOptions, v)
		}
		if v := a.ReadOnlyRootFilesystem(); !reflect.DeepEqual(expected.ReadOnlyRootFilesystem, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.ReadOnlyRootFilesystem, v)
		}
		if v := a.AllowPrivilegeEscalation(); !reflect.DeepEqual(expected.AllowPrivilegeEscalation, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.AllowPrivilegeEscalation, v)
		}
	}
}

func TestContainerSecurityContextMutator(t *testing.T) {
	testcases := map[string]struct {
		newSC func() *api.SecurityContext
	}{
		"nil": {
			newSC: func() *api.SecurityContext { return nil },
		},
		"zero": {
			newSC: func() *api.SecurityContext { return &api.SecurityContext{} },
		},
		"populated": {
			newSC: func() *api.SecurityContext {
				return &api.SecurityContext{
					Capabilities:   &api.Capabilities{Drop: []api.Capability{"test"}},
					SELinuxOptions: &api.SELinuxOptions{},
				}
			},
		},
	}

	nonNilSC := func(sc *api.SecurityContext) *api.SecurityContext {
		if sc == nil {
			return &api.SecurityContext{}
		}
		return sc
	}

	for k, tc := range testcases {
		{
			sc := tc.newSC()
			originalSC := tc.newSC()
			m := NewContainerSecurityContextMutator(sc)

			// no-op sets should not modify the object
			m.SetAllowPrivilegeEscalation(m.AllowPrivilegeEscalation())
			m.SetCapabilities(m.Capabilities())
			m.SetPrivileged(m.Privileged())
			m.SetReadOnlyRootFilesystem(m.ReadOnlyRootFilesystem())
			m.SetRunAsNonRoot(m.RunAsNonRoot())
			m.SetRunAsUser(m.RunAsUser())
			m.SetSELinuxOptions(m.SELinuxOptions())
			if !reflect.DeepEqual(sc, originalSC) {
				t.Errorf("%s: unexpected mutation: %#v, %#v", k, sc, originalSC)
			}
			if !reflect.DeepEqual(m.ContainerSecurityContext(), originalSC) {
				t.Errorf("%s: unexpected mutation: %#v, %#v", k, m.ContainerSecurityContext(), originalSC)
			}
		}

		// AllowPrivilegeEscalation
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewContainerSecurityContextMutator(tc.newSC())
			b := true
			modifiedSC.AllowPrivilegeEscalation = &b
			m.SetAllowPrivilegeEscalation(&b)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// Capabilities
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewContainerSecurityContextMutator(tc.newSC())
			modifiedSC.Capabilities = &api.Capabilities{Drop: []api.Capability{"test2"}}
			m.SetCapabilities(&api.Capabilities{Drop: []api.Capability{"test2"}})
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// Privileged
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewContainerSecurityContextMutator(tc.newSC())
			b := true
			modifiedSC.Privileged = &b
			m.SetPrivileged(&b)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// ReadOnlyRootFilesystem
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewContainerSecurityContextMutator(tc.newSC())
			b := true
			modifiedSC.ReadOnlyRootFilesystem = &b
			m.SetReadOnlyRootFilesystem(&b)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// RunAsNonRoot
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewContainerSecurityContextMutator(tc.newSC())
			b := true
			modifiedSC.RunAsNonRoot = &b
			m.SetRunAsNonRoot(&b)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// RunAsUser
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewContainerSecurityContextMutator(tc.newSC())
			i := int64(1123)
			modifiedSC.RunAsUser = &i
			m.SetRunAsUser(&i)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// SELinuxOptions
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewContainerSecurityContextMutator(tc.newSC())
			modifiedSC.SELinuxOptions = &api.SELinuxOptions{User: "bob"}
			m.SetSELinuxOptions(&api.SELinuxOptions{User: "bob"})
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}
	}
}

func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
	privileged := true
	runAsUser := int64(1)
	runAsUserPod := int64(12)
	runAsGroup := int64(1)
	runAsGroupPod := int64(12)
	runAsNonRoot := true
	runAsNonRootPod := false
	readOnlyRootFilesystem := true
	allowPrivilegeEscalation := true

	testcases := []struct {
		PodSC     *api.PodSecurityContext
		SC        *api.SecurityContext
		Effective *api.SecurityContext
	}{
		{
			PodSC:     nil,
			SC:        nil,
			Effective: nil,
		},
		{
			PodSC:     &api.PodSecurityContext{},
			SC:        &api.SecurityContext{},
			Effective: &api.SecurityContext{},
		},
		{
			PodSC: &api.PodSecurityContext{
				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
				RunAsUser:      &runAsUser,
				RunAsNonRoot:   &runAsNonRoot,
			},
			SC: nil,
			Effective: &api.SecurityContext{
				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
				RunAsUser:      &runAsUser,
				RunAsNonRoot:   &runAsNonRoot,
			},
		},
		{
			PodSC: &api.PodSecurityContext{
				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
				RunAsUser:      &runAsUserPod,
				RunAsNonRoot:   &runAsNonRootPod,
			},
			SC: &api.SecurityContext{},
			Effective: &api.SecurityContext{
				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
				RunAsUser:      &runAsUserPod,
				RunAsNonRoot:   &runAsNonRootPod,
			},
		},
		{
			PodSC: &api.PodSecurityContext{
				SELinuxOptions: &api.SELinuxOptions{User: "bob"},
				RunAsUser:      &runAsUserPod,
				RunAsNonRoot:   &runAsNonRootPod,
			},
			SC: &api.SecurityContext{
				AllowPrivilegeEscalation: &allowPrivilegeEscalation,
				Capabilities:             &api.Capabilities{Drop: []api.Capability{"test"}},
				Privileged:               &privileged,
				ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
				RunAsUser:                &runAsUser,
				RunAsNonRoot:             &runAsNonRoot,
				SELinuxOptions:           &api.SELinuxOptions{User: "bob"},
			},
			Effective: &api.SecurityContext{
				AllowPrivilegeEscalation: &allowPrivilegeEscalation,
				Capabilities:             &api.Capabilities{Drop: []api.Capability{"test"}},
				Privileged:               &privileged,
				ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
				RunAsUser:                &runAsUser,
				RunAsNonRoot:             &runAsNonRoot,
				SELinuxOptions:           &api.SELinuxOptions{User: "bob"},
			},
		},
		{
			PodSC: &api.PodSecurityContext{
				RunAsGroup: &runAsGroup,
			},
			SC: nil,
			Effective: &api.SecurityContext{
				RunAsGroup: &runAsGroup,
			},
		},
		{
			PodSC: &api.PodSecurityContext{
				RunAsGroup: &runAsGroupPod,
			},
			SC: &api.SecurityContext{
				RunAsGroup: &runAsGroup,
			},
			Effective: &api.SecurityContext{
				RunAsGroup: &runAsGroup,
			},
		},
	}

	for i, tc := range testcases {
		expected := tc.Effective
		if expected == nil {
			expected = &api.SecurityContext{}
		}

		a := NewEffectiveContainerSecurityContextAccessor(
			NewPodSecurityContextAccessor(tc.PodSC),
			NewContainerSecurityContextMutator(tc.SC),
		)

		if v := a.Capabilities(); !reflect.DeepEqual(expected.Capabilities, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.Capabilities, v)
		}
		if v := a.Privileged(); !reflect.DeepEqual(expected.Privileged, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.Privileged, v)
		}
		if v := a.RunAsNonRoot(); !reflect.DeepEqual(expected.RunAsNonRoot, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsNonRoot, v)
		}
		if v := a.RunAsUser(); !reflect.DeepEqual(expected.RunAsUser, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsUser, v)
		}
		if v := a.SELinuxOptions(); !reflect.DeepEqual(expected.SELinuxOptions, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.SELinuxOptions, v)
		}
		if v := a.ReadOnlyRootFilesystem(); !reflect.DeepEqual(expected.ReadOnlyRootFilesystem, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.ReadOnlyRootFilesystem, v)
		}
		if v := a.AllowPrivilegeEscalation(); !reflect.DeepEqual(expected.AllowPrivilegeEscalation, v) {
			t.Errorf("%d: expected %#v, got %#v", i, expected.AllowPrivilegeEscalation, v)
		}
	}
}

func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
	runAsNonRootPod := false
	runAsUserPod := int64(12)

	testcases := map[string]struct {
		newPodSC func() *api.PodSecurityContext
		newSC    func() *api.SecurityContext
	}{
		"nil": {
			newPodSC: func() *api.PodSecurityContext { return nil },
			newSC:    func() *api.SecurityContext { return nil },
		},
		"zero": {
			newPodSC: func() *api.PodSecurityContext { return &api.PodSecurityContext{} },
			newSC:    func() *api.SecurityContext { return &api.SecurityContext{} },
		},
		"populated pod sc": {
			newPodSC: func() *api.PodSecurityContext {
				return &api.PodSecurityContext{
					SELinuxOptions: &api.SELinuxOptions{User: "poduser"},
					RunAsNonRoot:   &runAsNonRootPod,
					RunAsUser:      &runAsUserPod,
				}
			},
			newSC: func() *api.SecurityContext {
				return &api.SecurityContext{}
			},
		},
		"populated sc": {
			newPodSC: func() *api.PodSecurityContext { return nil },
			newSC: func() *api.SecurityContext {
				return &api.SecurityContext{
					Capabilities:   &api.Capabilities{Drop: []api.Capability{"test"}},
					SELinuxOptions: &api.SELinuxOptions{},
				}
			},
		},
	}

	nonNilSC := func(sc *api.SecurityContext) *api.SecurityContext {
		if sc == nil {
			return &api.SecurityContext{}
		}
		return sc
	}

	for k, tc := range testcases {
		{
			podSC := tc.newPodSC()
			sc := tc.newSC()
			originalPodSC := tc.newPodSC()
			originalSC := tc.newSC()
			m := NewEffectiveContainerSecurityContextMutator(
				NewPodSecurityContextAccessor(podSC),
				NewContainerSecurityContextMutator(sc),
			)

			// no-op sets should not modify the object
			m.SetAllowPrivilegeEscalation(m.AllowPrivilegeEscalation())
			m.SetCapabilities(m.Capabilities())
			m.SetPrivileged(m.Privileged())
			m.SetReadOnlyRootFilesystem(m.ReadOnlyRootFilesystem())
			m.SetRunAsNonRoot(m.RunAsNonRoot())
			m.SetRunAsUser(m.RunAsUser())
			m.SetSELinuxOptions(m.SELinuxOptions())
			if !reflect.DeepEqual(podSC, originalPodSC) {
				t.Errorf("%s: unexpected mutation: %#v, %#v", k, podSC, originalPodSC)
			}
			if !reflect.DeepEqual(sc, originalSC) {
				t.Errorf("%s: unexpected mutation: %#v, %#v", k, sc, originalSC)
			}
			if !reflect.DeepEqual(m.ContainerSecurityContext(), originalSC) {
				t.Errorf("%s: unexpected mutation: %#v, %#v", k, m.ContainerSecurityContext(), originalSC)
			}
		}

		// AllowPrivilegeEscalation
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewEffectiveContainerSecurityContextMutator(
				NewPodSecurityContextAccessor(tc.newPodSC()),
				NewContainerSecurityContextMutator(tc.newSC()),
			)
			b := true
			modifiedSC.AllowPrivilegeEscalation = &b
			m.SetAllowPrivilegeEscalation(&b)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// Capabilities
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewEffectiveContainerSecurityContextMutator(
				NewPodSecurityContextAccessor(tc.newPodSC()),
				NewContainerSecurityContextMutator(tc.newSC()),
			)
			modifiedSC.Capabilities = &api.Capabilities{Drop: []api.Capability{"test2"}}
			m.SetCapabilities(&api.Capabilities{Drop: []api.Capability{"test2"}})
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// Privileged
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewEffectiveContainerSecurityContextMutator(
				NewPodSecurityContextAccessor(tc.newPodSC()),
				NewContainerSecurityContextMutator(tc.newSC()),
			)
			b := true
			modifiedSC.Privileged = &b
			m.SetPrivileged(&b)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// ReadOnlyRootFilesystem
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewEffectiveContainerSecurityContextMutator(
				NewPodSecurityContextAccessor(tc.newPodSC()),
				NewContainerSecurityContextMutator(tc.newSC()),
			)
			b := true
			modifiedSC.ReadOnlyRootFilesystem = &b
			m.SetReadOnlyRootFilesystem(&b)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// RunAsNonRoot
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewEffectiveContainerSecurityContextMutator(
				NewPodSecurityContextAccessor(tc.newPodSC()),
				NewContainerSecurityContextMutator(tc.newSC()),
			)
			b := true
			modifiedSC.RunAsNonRoot = &b
			m.SetRunAsNonRoot(&b)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// RunAsUser
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewEffectiveContainerSecurityContextMutator(
				NewPodSecurityContextAccessor(tc.newPodSC()),
				NewContainerSecurityContextMutator(tc.newSC()),
			)
			i := int64(1123)
			modifiedSC.RunAsUser = &i
			m.SetRunAsUser(&i)
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}

		// SELinuxOptions
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewEffectiveContainerSecurityContextMutator(
				NewPodSecurityContextAccessor(tc.newPodSC()),
				NewContainerSecurityContextMutator(tc.newSC()),
			)
			modifiedSC.SELinuxOptions = &api.SELinuxOptions{User: "bob"}
			m.SetSELinuxOptions(&api.SELinuxOptions{User: "bob"})
			if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
				t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
				continue
			}
		}
	}
}