Merge pull request #8 from kubesphere/dev-ll

add pod testCode
2020-12-23 11:35:59 +08:00 · 2020-12-23 11:35:59 +08:00 · 668d831d04
parent 3c7d3f1e81 96e1a88d84
commit 668d831d04
6 changed files with 105 additions and 5 deletions
--- a/go.mod
+++ b/go.mod
@ -10,7 +10,6 @@ require (
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.5.1
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
 	k8s.io/api v0.18.6
 	k8s.io/apimachinery v0.18.6
 	k8s.io/client-go v0.18.6
--- a/go.sum
+++ b/go.sum
@ -496,8 +496,6 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/pkg/validator/container.go
+++ b/pkg/validator/container.go
@ -51,6 +51,7 @@ func ValidateAllContainers(ctx context.Context, conf *config.Configuration, cont
 			return nil, err
 		}

+		// delete success results
 		for key, deleteTrue := range result.Results {
 			if true == deleteTrue.Success {
 				delete(result.Results, key)
--- a/pkg/validator/output.go
+++ b/pkg/validator/output.go
@ -70,6 +70,7 @@ type PodResult struct {
 	Message          []string          `yaml:"message" json:"message,omitempty"`
 	ContainerResults []ContainerResult `yaml:"containerResults" json:"containerResults,omitempty"`
 	Severity         config.Severity   `yaml:"severity" json:"severity,omitempty"`
+	Results          ResultSet
 }

 type ContainerResult struct {
--- a/pkg/validator/pod.go
+++ b/pkg/validator/pod.go
@ -38,9 +38,15 @@ func ValidatePods(ctx context.Context, conf *config.Configuration, kubeResource
 		if len(result.ContainerResults[0].Results) == 0 || result.ContainerResults == nil {
 			continue
 		}
+
 		for key, _ := range result.ContainerResults[0].Results {
 			messages = append(messages, key)
 		}
+		for key1, value1 := range result.Results {
+			if value1.Success == false {
+				messages = append(messages, key1)
+			}
+		}
 		result.Message = messages
 		result.Severity = "Warning"
 		results = append(results, result)
@ -49,12 +55,13 @@ func ValidatePods(ctx context.Context, conf *config.Configuration, kubeResource
 }

 func ValidatePod(ctx context.Context, c *config.Configuration, pod kube.GenericWorkload) (PodResult, error) {
-	_, err := applyPodSchemaChecks(c, pod)
+	podResults, err := applyPodSchemaChecks(c, pod)
 	if err != nil {
 		return PodResult{}, err
 	}
+
 	pRes := PodResult{
-		//Results:          podResults,
+		Results:          podResults,
 		ContainerResults: []ContainerResult{},
 	}

@ -69,6 +76,7 @@ func ValidatePod(ctx context.Context, c *config.Configuration, pod kube.GenericW
 		Name:             pod.ObjectMeta.GetName(),
 		Namespace:        pod.ObjectMeta.GetNamespace(),
 		ContainerResults: pRes.ContainerResults,
+		Results:          podResults,
 		Severity:         "Warning",
 	}
 	return result, nil
--- a/pkg/validator/pod_test.go
+++ b/pkg/validator/pod_test.go
@ -1 +1,94 @@
 package validator
+
+import (
+	"context"
+	"github.com/stretchr/testify/assert"
+	conf "kubeye/pkg/config"
+	"kubeye/pkg/kube"
+	"kubeye/test"
+	"testing"
+)
+
+func TestInvalidIPCPod(t *testing.T) {
+	c := conf.Configuration{
+		Checks: map[string]conf.Severity{
+			"hostIPCSet": conf.SeverityWarning,
+		},
+	}
+
+	k8s, _ := test.SetupTestAPI()
+	k8s = test.SetupAddControllers(context.Background(), k8s, "test")
+	p := test.MockPod()
+	p.Spec.HostIPC = true
+	workload, err := kube.NewGenericWorkloadFromPod(p, nil)
+	assert.NoError(t, err)
+
+	expectedResults := ResultSet{
+		"hostIPCSet": {ID: "hostIPCSet", Message: "Host IPC should not be configured", Success: false, Severity: "warning", Category: "Security"},
+	}
+
+	actualPodResult, err := ValidatePod(context.Background(), &c, workload)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal(t, 1, len(actualPodResult.ContainerResults), "should be equal")
+	assert.EqualValues(t, 1, len(actualPodResult.Results.GetWarnings()))
+	assert.EqualValues(t, expectedResults, actualPodResult.Results)
+}
+
+func TestInvalidNeworkPod(t *testing.T) {
+	c := conf.Configuration{
+		Checks: map[string]conf.Severity{
+			"hostNetworkSet": conf.SeverityWarning,
+		},
+	}
+
+	k8s, _ := test.SetupTestAPI()
+	k8s = test.SetupAddControllers(context.Background(), k8s, "test")
+	p := test.MockPod()
+	p.Spec.HostNetwork = true
+	workload, err := kube.NewGenericWorkloadFromPod(p, nil)
+	assert.NoError(t, err)
+
+	expectedResults := ResultSet{
+		"hostNetworkSet": {ID: "hostNetworkSet", Message: "Host network should not be configured", Success: false, Severity: "warning", Category: "Networking"},
+	}
+
+	actualPodResult, err := ValidatePod(context.Background(), &c, workload)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal(t, 1, len(actualPodResult.ContainerResults), "should be equal")
+	assert.EqualValues(t, 1, len(actualPodResult.Results.GetWarnings()))
+	assert.EqualValues(t, expectedResults, actualPodResult.Results)
+}
+
+func TestInvalidPIDPod(t *testing.T) {
+	c := conf.Configuration{
+		Checks: map[string]conf.Severity{
+			"hostPIDSet": conf.SeverityWarning,
+		},
+	}
+
+	k8s, _ := test.SetupTestAPI()
+	k8s = test.SetupAddControllers(context.Background(), k8s, "test")
+	p := test.MockPod()
+	p.Spec.HostPID = true
+	workload, err := kube.NewGenericWorkloadFromPod(p, nil)
+	assert.NoError(t, err)
+
+	expectedResults := ResultSet{
+		"hostPIDSet": {ID: "hostPIDSet", Message: "Host PID should not be configured", Success: false, Severity: "warning", Category: "Security"},
+	}
+
+	actualPodResult, err := ValidatePod(context.Background(), &c, workload)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal(t, 1, len(actualPodResult.ContainerResults), "should be equal")
+	assert.EqualValues(t, 1, len(actualPodResult.Results.GetWarnings()))
+	assert.EqualValues(t, expectedResults, actualPodResult.Results)
+}