s

Author: haircommander

security/v1/tests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml

@@ -0,0 +1,107 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "SecurityContextConstraints"
+crdName: securitycontextconstraints.security.openshift.io
+featureGates:
+- UserNamespacesPodSecurityStandards
+tests:
+  onCreate:
+    - name: Should be able to create a minimal SecurityContextConstraints with featuregate enabled
+      initial: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        volumes: []
+      expected: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        userNamespaceLevel: "AllowHostLevel"
+        volumes: []
+
+    - name: Should be able to set userNamespaceLevel to AllowHostLevel
+      initial: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        userNamespaceLevel: "AllowHostLevel"
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        volumes: []
+      expected: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        userNamespaceLevel: "AllowHostLevel"
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        volumes: []
+
+    - name: Should be able to set userNamespaceLevel to RequirePodLevel
+      initial: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        userNamespaceLevel: "RequirePodLevel"
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        volumes: []
+      expected: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        userNamespaceLevel: "RequirePodLevel"
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        volumes: []