Added the test cases for the security context

Signed-off-by: Anish Bista <[email protected]>
kanisterio · Sep 26, 2024 · 0620f25 · 0620f25
1 parent 698d580
commit 0620f25
Showing 1 changed file with 95 additions and 0 deletions.
diff --git a/pkg/testing/helm/helm_test.go b/pkg/testing/helm/helm_test.go
@@ -199,6 +199,101 @@ func (h *HelmTestSuite) TestSelectedDeploymentAttrFromKanisterHelmDryRunInstall(
 	}
 }
 
+// Test for Pod and Container-level securityContext in the Helm chart
+func (h *HelmTestSuite) TestSecurityContextInHelmChart(c *check.C) {
+	podSecurity := corev1.PodSecurityContext{
+		RunAsUser:    intPtr(1000),
+		FSGroup:      intPtr(2000),
+		RunAsNonRoot: boolPtr(true),
+	}
+
+	containerSecurity := corev1.SecurityContext{
+		RunAsNonRoot:             boolPtr(true),
+		ReadOnlyRootFilesystem:   boolPtr(true),
+		AllowPrivilegeEscalation: boolPtr(false),
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
+	var testCases = []struct {
+		testName                  string
+		helmValues                map[string]string
+		expectedPodSecurity       *corev1.PodSecurityContext
+		expectedContainerSecurity *corev1.SecurityContext
+	}{
+		{
+			testName: "Pod and Container security context are set",
+			helmValues: map[string]string{
+				"controller.podSecurityContext.runAsUser":                      "1000",
+				"controller.podSecurityContext.fsGroup":                        "2000",
+				"controller.podSecurityContext.runAsNonRoot":                   "true",
+				"controller.containerSecurityContext.capabilities.drop[0]":     "ALL",
+				"controller.containerSecurityContext.runAsNonRoot":             "true",
+				"controller.containerSecurityContext.readOnlyRootFilesystem":   "true",
+				"controller.containerSecurityContext.allowPrivilegeEscalation": "false",
+			},
+			expectedPodSecurity:       &podSecurity,
+			expectedContainerSecurity: &containerSecurity,
+		},
+		{
+			testName: "Only Container security context is set",
+			helmValues: map[string]string{
+				"controller.containerSecurityContext.capabilities.drop[0]":     "ALL",
+				"controller.containerSecurityContext.runAsNonRoot":             "true",
+				"controller.containerSecurityContext.readOnlyRootFilesystem":   "true",
+				"controller.containerSecurityContext.allowPrivilegeEscalation": "false",
+			},
+			expectedPodSecurity:       nil,
+			expectedContainerSecurity: &containerSecurity,
+		},
+		{
+			testName: "Only Pod security context is set",
+			helmValues: map[string]string{
+				"controller.podSecurityContext.runAsUser":    "1000",
+				"controller.podSecurityContext.fsGroup":      "2000",
+				"controller.podSecurityContext.runAsNonRoot": "true",
+			},
+			expectedPodSecurity:       &podSecurity,
+			expectedContainerSecurity: nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		c.Logf("Test name: %s", tc.testName)
+		defer func() {
+			h.helmApp.dryRun = false
+		}()
+
+		testApp, err := NewHelmApp(tc.helmValues, kanisterName, "../../../helm/kanister-operator", kanisterName, "", true)
+		c.Assert(err, check.IsNil)
+
+		out, err := testApp.Install()
+		c.Assert(err, check.IsNil)
+
+		resources := helm.ResourcesFromRenderedManifest(out, func(kind helm.K8sObjectType) bool {
+			return kind == helm.K8sObjectTypeDeployment
+		})
+		c.Assert(len(resources), check.Equals, 1)
+
+		deployments, err := helm.K8sObjectsFromRenderedResources[*appsv1.Deployment](resources)
+		c.Assert(err, check.IsNil)
+
+		var obj = deployments[h.deploymentName]
+		c.Assert(obj, check.NotNil)
+
+		c.Assert(obj.Spec.Template.Spec.SecurityContext, check.DeepEquals, tc.expectedPodSecurity)
+		c.Assert(obj.Spec.Template.Spec.Containers[0].SecurityContext, check.DeepEquals, tc.expectedContainerSecurity)
+	}
+}
+
+func boolPtr(b bool) *bool {
+	return &b
+}
+
+func intPtr(i int64) *int64 {
+	return &i
+}
+
 func (h *HelmTestSuite) TearDownSuite(c *check.C) {
 	c.Log("Uninstalling chart")
 	err := h.helmApp.Uninstall()