Class: SecurityContextMiddlewareTest

Inherits:

Minitest::Test

Object
Minitest::Test
SecurityContextMiddlewareTest

show all

Defined in:: lib/kube/cluster/middleware/security_context.rb

Constant Summary collapse

Middleware =

Kube::Cluster::Middleware

Instance Method Summary collapse

#test_applies_baseline_profile_via_constructor_default ⇒ Object
#test_applies_baseline_profile_via_label ⇒ Object
#test_applies_restricted_profile_by_default ⇒ Object
#test_applies_to_all_containers ⇒ Object
#test_label_overrides_constructor_default ⇒ Object
#test_preserves_existing_pod_security_context ⇒ Object
#test_raises_on_unknown_profile ⇒ Object
#test_skips_non_pod_bearing_resources ⇒ Object

Instance Method Details

#test_applies_baseline_profile_via_constructor_default ⇒ `Object`

# File 'lib/kube/cluster/middleware/security_context.rb', line 145

def test_applies_baseline_profile_via_constructor_default
  m = manifest(Kube::Cluster["Deployment"].new {
    metadata.name = "web"
    spec.selector.matchLabels = { app: "web" }
    spec.template.metadata.labels = { app: "web" }
    spec.template.spec.containers = [
      { name: "web", image: "nginx:latest" },
    ]
  })

  Middleware::SecurityContext.new(default: :baseline).call(m)
  h = m.resources.first.to_h
  pod_sc = h.dig(:spec, :template, :spec, :securityContext)

  assert_nil pod_sc[:seccompProfile]
end

#test_applies_baseline_profile_via_label ⇒ `Object`

# File 'lib/kube/cluster/middleware/security_context.rb', line 122

def test_applies_baseline_profile_via_label
  m = manifest(Kube::Cluster["Deployment"].new {
    metadata.name = "web"
    metadata.labels = { "app.kubernetes.io/security": "baseline" }
    spec.selector.matchLabels = { app: "web" }
    spec.template.metadata.labels = { app: "web" }
    spec.template.spec.containers = [
      { name: "web", image: "nginx:latest" },
    ]
  })

  Middleware::SecurityContext.new.call(m)
  h = m.resources.first.to_h
  pod_sc = h.dig(:spec, :template, :spec, :securityContext)
  container_sc = h.dig(:spec, :template, :spec, :containers, 0, :securityContext)

  assert_equal true, pod_sc[:runAsNonRoot]
  assert_nil pod_sc[:seccompProfile]

  assert_equal false, container_sc[:allowPrivilegeEscalation]
  assert_nil container_sc[:readOnlyRootFilesystem]
end

#test_applies_restricted_profile_by_default ⇒ `Object`

# File 'lib/kube/cluster/middleware/security_context.rb', line 97

def test_applies_restricted_profile_by_default
  m = manifest(Kube::Cluster["Deployment"].new {
    metadata.name = "web"
    spec.selector.matchLabels = { app: "web" }
    spec.template.metadata.labels = { app: "web" }
    spec.template.spec.containers = [
      { name: "web", image: "nginx:latest" },
    ]
  })

  Middleware::SecurityContext.new.call(m)
  h = m.resources.first.to_h
  pod_sc = h.dig(:spec, :template, :spec, :securityContext)
  container_sc = h.dig(:spec, :template, :spec, :containers, 0, :securityContext)

  assert_equal true, pod_sc[:runAsNonRoot]
  assert_equal 1000, pod_sc[:runAsUser]
  assert_equal 1000, pod_sc[:fsGroup]
  assert_equal({ type: "RuntimeDefault" }, pod_sc[:seccompProfile])

  assert_equal false, container_sc[:allowPrivilegeEscalation]
  assert_equal true, container_sc[:readOnlyRootFilesystem]
  assert_equal({ drop: ["ALL"] }, container_sc[:capabilities])
end

#test_applies_to_all_containers ⇒ `Object`

# File 'lib/kube/cluster/middleware/security_context.rb', line 180

def test_applies_to_all_containers
  m = manifest(Kube::Cluster["Deployment"].new {
    metadata.name = "web"
    spec.selector.matchLabels = { app: "web" }
    spec.template.metadata.labels = { app: "web" }
    spec.template.spec.containers = [
      { name: "app", image: "app:latest" },
      { name: "sidecar", image: "sidecar:latest" },
    ]
  })

  Middleware::SecurityContext.new.call(m)
  containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)

  containers.each do |c|
    assert_equal false, c.dig(:securityContext, :allowPrivilegeEscalation)
  end
end

#test_label_overrides_constructor_default ⇒ `Object`

# File 'lib/kube/cluster/middleware/security_context.rb', line 162

def test_label_overrides_constructor_default
  m = manifest(Kube::Cluster["Deployment"].new {
    metadata.name = "web"
    metadata.labels = { "app.kubernetes.io/security": "restricted" }
    spec.selector.matchLabels = { app: "web" }
    spec.template.metadata.labels = { app: "web" }
    spec.template.spec.containers = [
      { name: "web", image: "nginx:latest" },
    ]
  })

  Middleware::SecurityContext.new(default: :baseline).call(m)
  h = m.resources.first.to_h
  pod_sc = h.dig(:spec, :template, :spec, :securityContext)

  assert_equal({ type: "RuntimeDefault" }, pod_sc[:seccompProfile])
end

#test_preserves_existing_pod_security_context ⇒ `Object`

# File 'lib/kube/cluster/middleware/security_context.rb', line 226

def test_preserves_existing_pod_security_context
  m = manifest(Kube::Cluster["Deployment"].new {
    metadata.name = "web"
    spec.selector.matchLabels = { app: "web" }
    spec.template.metadata.labels = { app: "web" }
    spec.template.spec.securityContext = { runAsUser: 9999 }
    spec.template.spec.containers = [
      { name: "web", image: "nginx:latest" },
    ]
  })

  Middleware::SecurityContext.new.call(m)
  pod_sc = m.resources.first.to_h.dig(:spec, :template, :spec, :securityContext)

  # Existing value wins
  assert_equal 9999, pod_sc[:runAsUser]
  # Middleware fills in missing values
  assert_equal true, pod_sc[:runAsNonRoot]
end

#test_raises_on_unknown_profile ⇒ `Object`

# File 'lib/kube/cluster/middleware/security_context.rb', line 208

def test_raises_on_unknown_profile
  m = manifest(Kube::Cluster["Deployment"].new {
    metadata.name = "web"
    metadata.labels = { "app.kubernetes.io/security": "yolo" }
    spec.selector.matchLabels = { app: "web" }
    spec.template.metadata.labels = { app: "web" }
    spec.template.spec.containers = [
      { name: "web", image: "nginx:latest" },
    ]
  })

  error = assert_raises(ArgumentError) do
    Middleware::SecurityContext.new.call(m)
  end

  assert_includes error.message, "yolo"
end

#test_skips_non_pod_bearing_resources ⇒ `Object`

# File 'lib/kube/cluster/middleware/security_context.rb', line 199

def test_skips_non_pod_bearing_resources
  resource = Kube::Cluster["ConfigMap"].new { metadata.name = "config" }
  m = manifest(resource)

  Middleware::SecurityContext.new.call(m)

  assert_equal resource.to_h, m.resources.first.to_h
end

Class: SecurityContextMiddlewareTest

Constant Summary collapse

Instance Method Summary collapse

Instance Method Details

#test_applies_baseline_profile_via_constructor_default ⇒ Object

#test_applies_baseline_profile_via_label ⇒ Object

#test_applies_restricted_profile_by_default ⇒ Object

#test_applies_to_all_containers ⇒ Object

#test_label_overrides_constructor_default ⇒ Object

#test_preserves_existing_pod_security_context ⇒ Object

#test_raises_on_unknown_profile ⇒ Object

#test_skips_non_pod_bearing_resources ⇒ Object

#test_applies_baseline_profile_via_constructor_default ⇒ `Object`

#test_applies_baseline_profile_via_label ⇒ `Object`

#test_applies_restricted_profile_by_default ⇒ `Object`

#test_applies_to_all_containers ⇒ `Object`

#test_label_overrides_constructor_default ⇒ `Object`

#test_preserves_existing_pod_security_context ⇒ `Object`

#test_raises_on_unknown_profile ⇒ `Object`

#test_skips_non_pod_bearing_resources ⇒ `Object`