KEP-3619: sort SupplementalGroups field to make the assertion stable
everpeace committed Jul 23, 2024
1 parent c45cf82 commit c9678f4
Showing 8 changed files with 20 additions and 723 deletions.
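--- a/pkg/validate/security_context_linux.go
+++ b/pkg/validate/security_context_linux.go
@@ -32,7 +32,6 @@ import (
 
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
-. "github.com/onsi/gomega/gstruct"
 "golang.org/x/sys/unix"
 internalapi "k8s.io/cri-api/pkg/apis"
 runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
@@ -640,14 +639,16 @@ var _ = framework.KubeDescribe("Security Context", func() {
 // - 1000: self
 // - 1234: SupplementalGroups
 // - 50000: groups defined in the container image (/etc/group)
-g.Expect(containerStatus.User).To(PointTo(MatchFields(IgnoreExtras, Fields{
-"Linux": PointTo(MatchFields(IgnoreExtras, Fields{
-"Uid": Equal(imagePredefinedGroupUID),
-"Gid": Equal(imagePredefinedGroupUID),
-// we can not assume the order of gids
-"SupplementalGroups": And(ContainElements(imagePredefinedGroupUID, supplementalGroup, imagePredefinedGroupGID), HaveLen(3)),
-})),
-})))
+if containerStatus.User != nil && containerStatus.User.Linux != nil {
+slices.Sort(containerStatus.User.Linux.SupplementalGroups)
+}
+g.Expect(containerStatus.User).To(BeEquivalentTo(&runtimeapi.ContainerUser{
+Linux: &runtimeapi.LinuxContainerUser{
+Uid: imagePredefinedGroupUID,
+Gid: imagePredefinedGroupUID,
+SupplementalGroups: []int64{imagePredefinedGroupUID, supplementalGroup, imagePredefinedGroupGID},
+},
+}))
 g.Expect(parseLogLine(podConfig, logPath)).NotTo(BeEmpty())
 }, time.Minute, time.Second*4).Should(Succeed())
 
@@ -706,14 +707,16 @@ var _ = framework.KubeDescribe("Security Context", func() {
 // - supplementary groups
 // - 1000: self
 // - 1234: SupplementalGroups
-g.Expect(containerStatus.User).To(PointTo(MatchFields(IgnoreExtras, Fields{
-"Linux": PointTo(MatchFields(IgnoreExtras, Fields{
-"Uid": Equal(imagePredefinedGroupUID),
-"Gid": Equal(imagePredefinedGroupUID),
-// we can not assume the order of gids
-"SupplementalGroups": And(ContainElements(imagePredefinedGroupUID, supplementalGroup), HaveLen(2)),
-})),
-})))
+if containerStatus.User != nil && containerStatus.User.Linux != nil {
+slices.Sort(containerStatus.User.Linux.SupplementalGroups)
+}
+g.Expect(containerStatus.User).To(BeEquivalentTo(&runtimeapi.ContainerUser{
+Linux: &runtimeapi.LinuxContainerUser{
+Uid: imagePredefinedGroupUID,
+Gid: imagePredefinedGroupUID,
+SupplementalGroups: []int64{imagePredefinedGroupUID, supplementalGroup},
+},
+}))
 g.Expect(parseLogLine(podConfig, logPath)).NotTo(BeEmpty())
 }, time.Minute, time.Second*4).Should(Succeed())
 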
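Review bot: The expected `SupplementalGroups` literal equals the sorted status only while `imagePredefinedGroupUID`, `supplementalGroup` and `imagePredefinedGroupGID` are in ascending numeric order. Nothing in either hunk records that now that `// we can not assume the order of gids` has been removed. The constants are declared outside the visible hunks; the surrounding comments suggest 1000, 1234 and 50000, so this holds today, but a later change to any of them would make this group-membership check fail for a reason unrelated to the runtime. I would add a comment above each `slices.Sort` call, e.g. `// runtimes may report gids in any order; sort so the ascending literal below compares equal`, or sort the expected slice as well. The switch from `MatchFields(IgnoreExtras, ...)` to `BeEquivalentTo` on the whole `ContainerUser` also makes the test strict about every field of the message, which looks intentional but deserves a word in the same comment. The enclosing test closures start outside both hunks.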
231 changes: 0 additions & 231 deletions vendor/github.com/onsi/gomega/gstruct/elements.go

This file was deleted.

This file was deleted.
