Fix reviews

jenkinsci · Jun 6, 2024 · 1dcf358 · 1dcf358
1 parent 4018ef2
commit 1dcf358
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 0 deletions.
diff --git a/src/test/java/org/csanchez/jenkins/plugins/kubernetes/RestrictedPssSecurityInjectorTest.java b/src/test/java/org/csanchez/jenkins/plugins/kubernetes/RestrictedPssSecurityInjectorTest.java
@@ -25,4 +25,9 @@ public void simple() throws IOException {
     public void multiContainer() throws IOException {
         test("multiContainer");
     }
+
+    @Test
+    public void existingSecurityContext() throws IOException {
+        test("existingSecurityContext");
+    }
 }
diff --git a/...s/plugins/kubernetes/RestrictedPssSecurityInjectorTest/existingSecurityContext-after.yaml b/...s/plugins/kubernetes/RestrictedPssSecurityInjectorTest/existingSecurityContext-after.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: "v1"
+kind: "Pod"
+metadata:
+  name: "simple"
+  namespace: "jenkins"
+spec:
+  containers:
+  - env:
+    - name: "JENKINS_SECRET"
+      value: "my-little-secret"
+    - name: "JENKINS_AGENT_NAME"
+      value: "my-lovely-agent"
+    - name: "REMOTING_OPTS"
+      value: "-noReconnectAfter 1d"
+    - name: "JENKINS_NAME"
+      value: "my-lovely-agent"
+    - name: "JENKINS_AGENT_WORKDIR"
+      value: "/home/jenkins/agent"
+    - name: "JENKINS_URL"
+      value: "http://localhost/"
+    image: "jenkins/inbound-agent"
+    name: "jnlp"
+    resources:
+      limits:
+        cpu: "1"
+        memory: "768Mi"
+      requests:
+        cpu: "1"
+        memory: "768Mi"
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        drop:
+        - "ALL"
+      runAsNonRoot: true
+      seccompProfile:
+        type: "Localhost"
+    volumeMounts:
+    - mountPath: "/home/jenkins/agent"
+      name: "workspace-volume"
+      readOnly: false
+  volumes:
+  - emptyDir:
+      medium: ""
+    name: "workspace-volume"
diff --git a/.../plugins/kubernetes/RestrictedPssSecurityInjectorTest/existingSecurityContext-before.yaml b/.../plugins/kubernetes/RestrictedPssSecurityInjectorTest/existingSecurityContext-before.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: "v1"
+kind: "Pod"
+metadata:
+  name: "simple"
+  namespace: "jenkins"
+spec:
+  containers:
+  - env:
+    - name: "JENKINS_SECRET"
+      value: "my-little-secret"
+    - name: "JENKINS_AGENT_NAME"
+      value: "my-lovely-agent"
+    - name: "REMOTING_OPTS"
+      value: "-noReconnectAfter 1d"
+    - name: "JENKINS_NAME"
+      value: "my-lovely-agent"
+    - name: "JENKINS_AGENT_WORKDIR"
+      value: "/home/jenkins/agent"
+    - name: "JENKINS_URL"
+      value: "http://localhost/"
+    image: "jenkins/inbound-agent"
+    name: "jnlp"
+    resources:
+      limits:
+        cpu: "1"
+        memory: "768Mi"
+      requests:
+        cpu: "1"
+        memory: "768Mi"
+    securityContext:
+      allowPrivilegeEscalation: true
+      seccompProfile:
+        type: "Localhost"
+    volumeMounts:
+    - mountPath: "/home/jenkins/agent"
+      name: "workspace-volume"
+      readOnly: false
+  volumes:
+  - emptyDir:
+      medium: ""
+    name: "workspace-volume"
diff --git a/...ez/jenkins/plugins/kubernetes/RestrictedPssSecurityInjectorTest/multiContainer-after.yaml b/...ez/jenkins/plugins/kubernetes/RestrictedPssSecurityInjectorTest/multiContainer-after.yaml
@@ -52,6 +52,7 @@ spec:
         drop:
         - "ALL"
       runAsNonRoot: true
+      runAsUser: 1000
       seccompProfile:
         type: "RuntimeDefault"
     volumeMounts:

diff --git a/...z/jenkins/plugins/kubernetes/RestrictedPssSecurityInjectorTest/multiContainer-before.yaml b/...z/jenkins/plugins/kubernetes/RestrictedPssSecurityInjectorTest/multiContainer-before.yaml
@@ -38,6 +38,8 @@ spec:
     - "sleep"
     image: "maven"
     name: "maven"
+    securityContext:
+      runAsUser: 1000
     volumeMounts:
     - mountPath: "/home/jenkins/agent"
       name: "workspace-volume"