generated from kubewarden/go-policy-template
-
Notifications
You must be signed in to change notification settings - Fork 3
/
e2e.bats
49 lines (37 loc) · 1.69 KB
/
e2e.bats
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/usr/bin/env bats
@test "accept because pod doesn't list any sysctls" {
run kwctl run annotated-policy.wasm -r test_data/request-pod-no-sysctl.json --settings-json \
'{ "allowedUnsafeSysctls": [], "forbiddenSysctls": [ "kernel.shm_rmid_forced", "net.*" ] }'
# this prints the output when one the checks below fails
echo "output = ${output}"
# request accepted
[ "$status" -eq 0 ]
[ $(expr "$output" : '.*allowed.*true') -ne 0 ]
}
@test "accept because sysctls are all on safe list" {
run kwctl run annotated-policy.wasm -r test_data/request-pod-safe-sysctls.json --settings-json '{}'
# this prints the output when one the checks below fails
echo "output = ${output}"
# request accepted
[ "$status" -eq 0 ]
[ $(expr "$output" : '.*allowed.*true') -ne 0 ]
}
@test "accept because net.core.somaxconn is allowed" {
run kwctl run annotated-policy.wasm -r test_data/request-pod-somaxconn.json --settings-json \
'{ "allowedUnsafeSysctls": ["net.core.somaxconn"], "forbiddenSysctls": ["net.*"] }'
# this prints the output when one the checks below fails
echo "output = ${output}"
# request accepted
[ "$status" -eq 0 ]
[ $(expr "$output" : '.*allowed.*true') -ne 0 ]
}
@test "reject because net.* is forbidden" {
run kwctl run annotated-policy.wasm -r test_data/request-pod-somaxconn.json --settings-json \
'{ "allowedUnsafeSysctls": [], "forbiddenSysctls": [ "kernel.shm_rmid_forced", "net.*" ] }'
# this prints the output when one the checks below fails
echo "output = ${output}"
# request rejected
[ "$status" -eq 0 ]
[ $(expr "$output" : '.*allowed.*false') -ne 0 ]
[ $(expr "$output" : ".*sysctl net.core.somaxconn is on the forbidden list.*") -ne 0 ]
}