chart/library/common-test/tests/pod/securityContext.yaml
Stavros Kois 5b1abdd839 NAS-118930 / 23.10 / Improve/Refactor Common Library (#917)
* fix

* fix

* some more

* some fixes

* whoops

* initial structure

* finish up configmap

* secret class

* runtest secret

* move files around

* ignore

* make clear on call template that need root context

* imagePullSecret (minus targetSelector)

* move out of the way

* clean up comment

* deployment basic spec

* daemonset basic spec

* statefulset spec

* split file

* docs

* update values

* job spec

* job docs

* cronJob basic spec

* job in cron test

* add common version

* podspec

* whoopsis

* selectorlabels and pod metadata

* job and cron pod metadata

* update docs

* consistent order

* get ready for pod

* first targetSelector

* remove todo

* update docs

* add hostnet and enableservicelinks

* update selector logic

* update docs

* add tests for restartpolicy

* schedulerName

* priorityclassname

* hostname

* termperiodsec

* nodeselector

* add fail case

* host aliases

* dns policy

* dns config

* tolerations

* serviceaccount class, spawner, saname selector

* add pod todo

* update some tests

* add runtimeclassname

* controllers -> workload and plural to singular

* require at least 1 primary on enabled SAs

* fix script

* remove wrong comment

* update naming scheme

* update rbac values ref

* rbac docs

* rbac's

* append short name, for future use

* update comments

* initial service wireframe

* shorten line

* simplify labels and update tests

* service selectors

* simplify error messages

* finish clusterIP type

* loadbalancer

* nodeport

* externalname

* external ip

* update service

* fix highlighting

* session affinity

* add comment

* update comments

* service ports

* fix indentation

* externalname can have no ports

* fixup externalIP

* add pvc class and spawner and tests

* add nfs and emptyDir vols

* example

* extend docs a bit

* not create pvc if existing claim is set

* helm... you are dumb really. how this fixes an unrelated test

* add configmap

* add secret vol

* add pvc vol

* add hostpath

* finish volumes

* initial podsec

* podsec context with some todo's to check

* automatic sysctls

* remove todo

* update doc struct

* split docs

* split service docs

* initial container plumbing

* fix tests

* fix test

* rename to class

* command and args

* termination

* add lifecycle

* int value from tpl

* another case

* fix service protocol tpl

* update readme

* ports

* update todo

* cleanup values a bit

* only add sysctl when port is below 1024

* whoops, that's a different range

* update value

* move some old docs to the "to be deleted" dir

* externalinterface validation

* update an error message and apply externalinterface annotations to workloads

* external interfaces

* TZ - TIMEZONE

* update rdoc

* reduce code duplication

* device vol type

* initial certificate plumbing

* update comments

* finish secret creation of certificate

* cert docs

* volumeMounts

* scale certs

* doc

* add tests for volMounts

* values updates

* update todo

* add test case

* remove some todo

* update todos

* vct

* remove todo

* restore default

* rename function

* make selectorlabels a bit better

* trim

* some cleanup

* update some ci values

* update ci

* rollingup defaults

* rename dir

* fix nil pointers

* check the same strategy var

* whoops

* fix tests

* typo

* not a good day for copy paste

* move check

* move another check

* fix some tests for upcoming probes

* one more

* split docs

* add default probes for `main` and docs

* add probes and some ci testruns

* whoops

* fix an edge case

* add an error for edge case

* runtests

* runtest updates

* update

* check if podvalues exist first

* force types

* force only one of the 2

* quote labels and annotations values

* job/cron have auto gen selectors

* remove false test

* fix maxsurge

* fix end

* different fix

* fix some tests

* fix rollUp

* try to fix 3.9.4 helm

* move file to helpers

* use capital types in probes and lifecycle

* Revert "use capital types in probes and lifecycle"

This reverts commit 380ebd5f1f.

* typo

* use lowercase for protocol everywhere

* rbac runtest

* prune old

* add resources

* add resources

* fix rbac

* fix sa naming in pod

* fix test

* 44 suppl group on gpu

* remove todo

* extract function in another file

* whoops

* add securityContext implementation

* add fail cases

* add rest of the tests

* remove todo

* envFrom

* minify

* env list

* add env

* add envdupe check tests

* add fixed envs

* replace containers with callers

* add callers

* add initContainer

* add init run test

* reset default test val

* add name tests

* add some more tests

* rename

* validate workload type only if enabled

* lint fix for 3.9.4

* add tpl on init enabled

* whoops

* fix init

* echo

* echo

* args...

* list

* comment out disabled persistences

* fix some typos and improve resources `requests` requirement

* improve docs a bit

* require name,description,version,type

* add some wording regarding what Helm Template column means

* add title as requirement

* remove scheduler

* remove priority class name

* remove nfs + externalIP

* remove LB

* remove STS & VCT

* fix a test

* remove nodeselector

* remove DS

* remove pvc

* remove todo

* conditionally print the type, as we might want to use the template to select all objects in the chart

* add some docs

* docs for notes

* add `tls.` in the certificate secret, according to k8s docs

* add some basic docs around the rest of the options

* clean values.yaml

* catch an edge case

* remove externalName

* set automountSA on SA to false

* add note about the automountSA
2023-02-20 15:23:33 +02:00


```yaml
suite: pod securityContext test
templates:
  - common.yaml
tests:
  - it: should pass with securityContext from "global"
    set:
      securityContext:
        pod:
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
          supplementalGroups:
            - 1000
            - 1001
          sysctls:
            - name: some_name
              value: "some_value"
            - name: some_other_name
              value: "some_other_value"
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 1000
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups:
              - 1000
              - 1001
            sysctls:
              - name: some_name
                value: "some_value"
              - name: some_other_name
                value: "some_other_value"

  - it: should pass with securityContext from "global" and partial override with "pod"
    set:
      securityContext:
        pod:
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
          supplementalGroups:
            - 1000
            - 1001
          sysctls:
            - name: some_name
              value: "some_value"
            - name: some_other_name
              value: "some_other_value"
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            securityContext:
              fsGroup: 1001
    asserts:
      - documentIndex: *deploymentDoc
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 1001
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups:
              - 1000
              - 1001
            sysctls:
              - name: some_name
                value: "some_value"
              - name: some_other_name
                value: "some_other_value"

  - it: should pass with securityContext from "global" and full override with "pod"
    set:
      some_sysctl_name: some_name
      some_sysctl_value: 2
      securityContext:
        pod:
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
          supplementalGroups:
            - 1000
            - 1001
          sysctls:
            - name: some_name
              value: "some_value"
            - name: some_other_name
              value: "some_other_value"
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            securityContext:
              fsGroup: 1001
              fsGroupChangePolicy: Always
              supplementalGroups:
                - 1002
                - 1003
              sysctls:
                - name: "{{ .Values.some_sysctl_name }}"
                  value: "{{ .Values.some_sysctl_value }}"
                - name: some_other_name
                  value: "some_different_value"
    asserts:
      - documentIndex: *deploymentDoc
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 1001
            fsGroupChangePolicy: Always
            supplementalGroups:
              - 1002
              - 1003
            sysctls:
              - name: some_name
                value: "2"
              - name: some_other_name
                value: "some_different_value"

  - it: should pass with sysctls automatically appended based on services
    set:
      some_sysctl_name: some_name
      some_sysctl_value: 2
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            securityContext:
              fsGroup: 1001
              fsGroupChangePolicy: Always
              supplementalGroups:
                - 1002
                - 1003
              sysctls:
                - name: "{{ .Values.some_sysctl_name }}"
                  value: "{{ .Values.some_sysctl_value }}"
                - name: some_other_name
                  value: "some_different_value"
        workload-name2:
          enabled: true
          type: Deployment
          podSpec: {}
      service:
        service-name1:
          enabled: true
          primary: true
          type: ClusterIP
          ports:
            port-name:
              enabled: true
              primary: true
              port: 80
        service-name2:
          enabled: true
          type: ClusterIP
          ports:
            port-name:
              enabled: true
              primary: true
              port: 53
        service-name3:
          enabled: true
          type: ClusterIP
          targetSelector: workload-name2
          ports:
            port-name:
              enabled: true
              primary: true
              port: 443
    asserts:
      - documentIndex: *deploymentDoc
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 1001
            fsGroupChangePolicy: Always
            supplementalGroups:
              - 1002
              - 1003
            sysctls:
              - name: some_name
                value: "2"
              - name: some_other_name
                value: "some_different_value"
              - name: net.ipv4.ip_unprivileged_port_start
                value: "53"
      - documentIndex: &otherdeploymentDoc 1
        isKind:
          of: Deployment
      - documentIndex: *otherdeploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups: []
            sysctls:
              - name: net.ipv4.ip_unprivileged_port_start
                value: "443"

  - it: should pass with no sysctls port_start automatically appended based on services when port is higher than 1024
    set:
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
      service:
        service-name1:
          enabled: true
          primary: true
          type: ClusterIP
          ports:
            port-name:
              enabled: true
              primary: true
              port: 25000
              targetPort: 3000
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups: []
            sysctls: []

  - it: should pass with gpu assigned to primary pod
    set:
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            securityContext:
              supplementalGroups:
                - 1000
        workload-name2:
          enabled: true
          primary: false
          type: Deployment
          podSpec: {}
      scaleGPU:
        - gpu:
            nvidia: "1"
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups:
              - 1000
              - 44
            sysctls: []
      - documentIndex: &otherDeploymentDoc 1
        isKind:
          of: Deployment
      - documentIndex: *otherDeploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups: []
            sysctls: []

  - it: should pass with gpu assigned to specific pod
    set:
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            securityContext:
              supplementalGroups:
                - 1000
        workload-name2:
          enabled: true
          primary: false
          type: Deployment
          podSpec: {}
      scaleGPU:
        - gpu:
            nvidia: "1"
          targetSelector:
            workload-name1:
              - container-name1
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups:
              - 1000
              - 44
            sysctls: []
      - documentIndex: &otherDeploymentDoc 1
        isKind:
          of: Deployment
      - documentIndex: *otherDeploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups: []
            sysctls: []

  - it: should pass with gpu assigned to multiple pods
    set:
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            securityContext:
              supplementalGroups:
                - 1000
        workload-name2:
          enabled: true
          primary: false
          type: Deployment
          podSpec: {}
      scaleGPU:
        - gpu:
            nvidia: "1"
          targetSelector:
            workload-name1:
              - container-name1
            workload-name2:
              - container-name1
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups:
              - 1000
              - 44
            sysctls: []
      - documentIndex: &otherDeploymentDoc 1
        isKind:
          of: Deployment
      - documentIndex: *otherDeploymentDoc
        equal:
          path: spec.template.spec.securityContext
          value:
            fsGroup: 568
            fsGroupChangePolicy: OnRootMismatch
            supplementalGroups:
              - 44
            sysctls: []

  # Failures
  - it: should fail with empty securityContext from "global"
    set:
      securityContext:
        pod: null
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
    asserts:
      - failedTemplate:
          errorMessage: Pod - Expected non-empty <.Values.securityContext.pod>

  - it: should fail with empty fsGroup
    set:
      securityContext:
        pod:
          fsGroup: ""
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
    asserts:
      - failedTemplate:
          errorMessage: Pod - Expected non-empty <fsGroup>

  - it: should fail with empty fsGroupChangePolicy
    set:
      securityContext:
        pod:
          fsGroup: 568
          fsGroupChangePolicy: ""
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
    asserts:
      - failedTemplate:
          errorMessage: Pod - Expected non-empty <fsGroupChangePolicy>

  - it: should fail with invalid fsGroupChangePolicy
    set:
      securityContext:
        pod:
          fsGroup: 568
          fsGroupChangePolicy: invalid
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
    asserts:
      - failedTemplate:
          errorMessage: Pod - Expected <fsGroupChangePolicy> to be one of [Always, OnRootMismatch], but got [invalid]

  - it: should fail with empty name in sysctls
    set:
      securityContext:
        pod:
          fsGroup: 568
          fsGroupChangePolicy: OnRootMismatch
          sysctls:
            - name: ""
              value: "some_value"
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
    asserts:
      - failedTemplate:
          errorMessage: Pod - Expected non-empty <name> in <sysctls>

  - it: should fail with empty value in sysctls
    set:
      securityContext:
        pod:
          fsGroup: 568
          fsGroupChangePolicy: OnRootMismatch
          sysctls:
            - name: some_name
              value: ""
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
    asserts:
      - failedTemplate:
          errorMessage: Pod - Expected non-empty <value> in <sysctls>
```
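The test cases above encode three rules for the rendered pod `securityContext`: pod-level values override the global ones (with `fsGroup: 568` / `OnRootMismatch` as the fallback), a GPU assignment appends supplemental group 44, and the lowest service port below 1024 aimed at a workload becomes a `net.ipv4.ip_unprivileged_port_start` sysctl so the container can bind that port without root or `CAP_NET_BIND_SERVICE`. The following is an added Python model of those rules, not the common library's own Go templates; it assumes `targetPort` (falling back to `port`) is the port that matters, which the page's tests do not distinguish.

```python
"""Model of the pod securityContext rules asserted by the test suite above.
Added example; it is not the chart library's template code."""

# Defaults the suite expects when nothing is set (taken from the asserts above).
GLOBAL_DEFAULT = {"fsGroup": 568, "fsGroupChangePolicy": "OnRootMismatch",
                  "supplementalGroups": [], "sysctls": []}
GPU_VIDEO_GID = 44          # "44 suppl group on gpu" in the commit log
PRIVILEGED_PORT_LIMIT = 1024  # sysctl only added for ports below this


def service_target(svc, primary_workload):
    # A service without targetSelector follows the primary workload.
    return svc.get("targetSelector", primary_workload)


def pod_security_context(name, workloads, services, scale_gpu=(), global_ctx=None):
    """Return the securityContext the chart would render for workload `name`."""
    primary = next(n for n, w in workloads.items() if w.get("primary"))
    ctx = dict(GLOBAL_DEFAULT, **(global_ctx or {}))
    # Pod-level keys win over global ones, key by key (partial override).
    ctx.update(workloads[name].get("podSpec", {}).get("securityContext", {}))
    ctx["supplementalGroups"] = list(ctx["supplementalGroups"])
    # Kubernetes requires sysctl values to be strings ("2", not 2).
    ctx["sysctls"] = [dict(s, value=str(s["value"])) for s in ctx["sysctls"]]

    # GPU: group 44 on the primary pod, or on every workload named in targetSelector.
    for gpu in scale_gpu:
        targets = gpu.get("targetSelector", {primary: []})
        if name in targets and GPU_VIDEO_GID not in ctx["supplementalGroups"]:
            ctx["supplementalGroups"].append(GPU_VIDEO_GID)

    # Privileged ports: lower the unprivileged range to the smallest port < 1024
    # among the services that target this workload (assumption: targetPort,
    # defaulting to port, is the port the container binds).
    bound_ports = []
    for svc in services.values():
        if not svc.get("enabled", True) or service_target(svc, primary) != name:
            continue
        for p in svc.get("ports", {}).values():
            if p.get("enabled", True):
                bound_ports.append(p.get("targetPort", p["port"]))
    low = [p for p in bound_ports if p < PRIVILEGED_PORT_LIMIT]
    if low:
        ctx["sysctls"].append({"name": "net.ipv4.ip_unprivileged_port_start",
                               "value": str(min(low))})
    return ctx
```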