kube_cluster 0.3.8 → 0.3.9

data/lib/kube/cluster/middleware/resource_preset.rb

@@ -1,9 +1,7 @@
 # frozen_string_literal: true
 
-if __FILE__ == $0
-  require "bundler/setup"
-  require "kube/cluster"
-end
+require "bundler/setup"
+require "kube/cluster"
 
 module Kube
   module Cluster
@@ -68,185 +66,163 @@ module Kube
   end
 end
 
-if __FILE__ == $0
-  require "minitest/autorun"
-
-  class ResourcePresetMiddlewareTest < Minitest::Test
-    Middleware = Kube::Cluster::Middleware
-
-    def test_injects_small_preset_into_deployment
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        metadata.labels = { "app.kubernetes.io/size": "small" }
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
-
-      Middleware::ResourcePreset.new.call(m)
-      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
-
-      assert_equal "500m",   container.dig(:resources, :requests, :cpu)
-      assert_equal "512Mi",  container.dig(:resources, :requests, :memory)
-      assert_equal "750m",   container.dig(:resources, :limits, :cpu)
-      assert_equal "768Mi",  container.dig(:resources, :limits, :memory)
-    end
+test do
+  Middleware = Kube::Cluster::Middleware
 
-    def test_injects_nano_preset
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "tiny"
-        metadata.labels = { "app.kubernetes.io/size": "nano" }
-        spec.selector.matchLabels = { app: "tiny" }
-        spec.template.metadata.labels = { app: "tiny" }
-        spec.template.spec.containers = [
-          { name: "app", image: "app:latest" },
-        ]
-      })
-
-      Middleware::ResourcePreset.new.call(m)
-      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
-
-      assert_equal "100m",  container.dig(:resources, :requests, :cpu)
-      assert_equal "128Mi", container.dig(:resources, :requests, :memory)
-    end
+  it "injects_small_preset_into_deployment" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/size": "small" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
 
-    def test_injects_xlarge_preset
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "big"
-        metadata.labels = { "app.kubernetes.io/size": "xlarge" }
-        spec.selector.matchLabels = { app: "big" }
-        spec.template.metadata.labels = { app: "big" }
-        spec.template.spec.containers = [
-          { name: "app", image: "app:latest" },
-        ]
-      })
-
-      Middleware::ResourcePreset.new.call(m)
-      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
-
-      assert_equal "1",      container.dig(:resources, :requests, :cpu)
-      assert_equal "3072Mi", container.dig(:resources, :requests, :memory)
-      assert_equal "3",      container.dig(:resources, :limits, :cpu)
-      assert_equal "6144Mi", container.dig(:resources, :limits, :memory)
-    end
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
 
-    def test_applies_to_all_containers
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "multi"
-        metadata.labels = { "app.kubernetes.io/size": "micro" }
-        spec.selector.matchLabels = { app: "multi" }
-        spec.template.metadata.labels = { app: "multi" }
-        spec.template.spec.containers = [
-          { name: "app", image: "app:latest" },
-          { name: "sidecar", image: "sidecar:latest" },
-        ]
-      })
-
-      Middleware::ResourcePreset.new.call(m)
-      containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)
-
-      containers.each do |c|
-        assert_equal "250m",  c.dig(:resources, :requests, :cpu)
-        assert_equal "256Mi", c.dig(:resources, :requests, :memory)
-      end
-    end
+    container.dig(:resources, :requests, :cpu).should == "500m"
+  end
 
-    def test_skips_non_pod_bearing_resources
-      resource = Kube::Cluster["ConfigMap"].new {
-        metadata.name = "config"
-        metadata.labels = { "app.kubernetes.io/size": "small" }
-      }
-      m = manifest(resource)
+  it "injects_nano_preset" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "tiny"
+      metadata.labels = { "app.kubernetes.io/size": "nano" }
+      spec.selector.matchLabels = { app: "tiny" }
+      spec.template.metadata.labels = { app: "tiny" }
+      spec.template.spec.containers = [
+        { name: "app", image: "app:latest" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    container.dig(:resources, :requests, :cpu).should == "100m"
+  end
 
-      Middleware::ResourcePreset.new.call(m)
+  it "injects_xlarge_preset" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "big"
+      metadata.labels = { "app.kubernetes.io/size": "xlarge" }
+      spec.selector.matchLabels = { app: "big" }
+      spec.template.metadata.labels = { app: "big" }
+      spec.template.spec.containers = [
+        { name: "app", image: "app:latest" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    container.dig(:resources, :limits, :cpu).should == "3"
+  end
 
-      assert_equal resource.to_h, m.resources.first.to_h
-    end
+  it "applies_to_all_containers" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "multi"
+      metadata.labels = { "app.kubernetes.io/size": "micro" }
+      spec.selector.matchLabels = { app: "multi" }
+      spec.template.metadata.labels = { app: "multi" }
+      spec.template.spec.containers = [
+        { name: "app", image: "app:latest" },
+        { name: "sidecar", image: "sidecar:latest" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)
+
+    containers.last.dig(:resources, :requests, :cpu).should == "250m"
+  end
 
-    def test_skips_resources_without_size_label
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
+  it "skips_non_pod_bearing_resources" do
+    resource = Kube::Cluster["ConfigMap"].new {
+      metadata.name = "config"
+      metadata.labels = { "app.kubernetes.io/size": "small" }
+    }
+    m = manifest(resource)
 
-      Middleware::ResourcePreset.new.call(m)
-      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+    Middleware::ResourcePreset.new.call(m)
 
-      assert_nil container[:resources]
-    end
+    m.resources.first.to_h.should == resource.to_h
+  end
 
-    def test_raises_on_unknown_size
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        metadata.labels = { "app.kubernetes.io/size": "potato" }
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
-
-      error = assert_raises(ArgumentError) do
-        Middleware::ResourcePreset.new.call(m)
-      end
+  it "skips_resources_without_size_label" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
 
-      assert_includes error.message, "potato"
-      assert_includes error.message, "Valid sizes"
-    end
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
 
-    def test_applies_to_statefulset
-      m = manifest(Kube::Cluster["StatefulSet"].new {
-        metadata.name = "db"
-        metadata.labels = { "app.kubernetes.io/size": "medium" }
-        spec.selector.matchLabels = { app: "db" }
-        spec.template.metadata.labels = { app: "db" }
-        spec.template.spec.containers = [
-          { name: "postgres", image: "postgres:16" },
-        ]
-      })
-
-      Middleware::ResourcePreset.new.call(m)
-      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
-
-      assert_equal "500m",   container.dig(:resources, :requests, :cpu)
-      assert_equal "1024Mi", container.dig(:resources, :requests, :memory)
-    end
+    container[:resources].should.be.nil
+  end
 
-    def test_preserves_existing_container_resources_via_deep_merge
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        metadata.labels = { "app.kubernetes.io/size": "small" }
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          {
-            name: "web", image: "nginx:latest",
-            resources: { requests: { cpu: "999m" } },
-          },
-        ]
-      })
-
-      Middleware::ResourcePreset.new.call(m)
-      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
-
-      # The container's explicit value wins over the preset
-      assert_equal "999m", container.dig(:resources, :requests, :cpu)
-      # The preset fills in missing values
-      assert_equal "512Mi", container.dig(:resources, :requests, :memory)
-    end
+  it "raises_on_unknown_size" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/size": "potato" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    lambda { Middleware::ResourcePreset.new.call(m) }.should.raise ArgumentError
+  end
 
-    private
+  it "applies_to_statefulset" do
+    m = manifest(Kube::Cluster["StatefulSet"].new {
+      metadata.name = "db"
+      metadata.labels = { "app.kubernetes.io/size": "medium" }
+      spec.selector.matchLabels = { app: "db" }
+      spec.template.metadata.labels = { app: "db" }
+      spec.template.spec.containers = [
+        { name: "postgres", image: "postgres:16" },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    container.dig(:resources, :requests, :cpu).should == "500m"
+  end
 
-      def manifest(*resources)
-        m = Kube::Cluster::Manifest.new
-        resources.each { |r| m << r }
-        m
-      end
+  it "preserves_existing_container_resources_via_deep_merge" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/size": "small" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        {
+          name: "web", image: "nginx:latest",
+          resources: { requests: { cpu: "999m" } },
+        },
+      ]
+    })
+
+    Middleware::ResourcePreset.new.call(m)
+    container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+    # The container's explicit value wins over the preset
+    container.dig(:resources, :requests, :cpu).should == "999m"
   end
+
+  private
+
+    def manifest(*resources)
+      m = Kube::Cluster::Manifest.new
+      resources.each { |r| m << r }
+      m
+    end
 end

data/lib/kube/cluster/middleware/security_context.rb

@@ -1,9 +1,7 @@
 # frozen_string_literal: true
 
-if __FILE__ == $0
-  require "bundler/setup"
-  require "kube/cluster"
-end
+require "bundler/setup"
+require "kube/cluster"
 
 module Kube
   module Cluster
@@ -88,167 +86,142 @@ module Kube
   end
 end
 
-if __FILE__ == $0
-  require "minitest/autorun"
-
-  class SecurityContextMiddlewareTest < Minitest::Test
-    Middleware = Kube::Cluster::Middleware
-
-    def test_applies_restricted_profile_by_default
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
-
-      Middleware::SecurityContext.new.call(m)
-      h = m.resources.first.to_h
-      pod_sc = h.dig(:spec, :template, :spec, :securityContext)
-      container_sc = h.dig(:spec, :template, :spec, :containers, 0, :securityContext)
-
-      assert_equal true, pod_sc[:runAsNonRoot]
-      assert_equal 1000, pod_sc[:runAsUser]
-      assert_equal 1000, pod_sc[:fsGroup]
-      assert_equal({ type: "RuntimeDefault" }, pod_sc[:seccompProfile])
-
-      assert_equal false, container_sc[:allowPrivilegeEscalation]
-      assert_equal true, container_sc[:readOnlyRootFilesystem]
-      assert_equal({ drop: ["ALL"] }, container_sc[:capabilities])
-    end
+test do
+  Middleware = Kube::Cluster::Middleware
 
-    def test_applies_baseline_profile_via_label
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        metadata.labels = { "app.kubernetes.io/security": "baseline" }
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
-
-      Middleware::SecurityContext.new.call(m)
-      h = m.resources.first.to_h
-      pod_sc = h.dig(:spec, :template, :spec, :securityContext)
-      container_sc = h.dig(:spec, :template, :spec, :containers, 0, :securityContext)
-
-      assert_equal true, pod_sc[:runAsNonRoot]
-      assert_nil pod_sc[:seccompProfile]
-
-      assert_equal false, container_sc[:allowPrivilegeEscalation]
-      assert_nil container_sc[:readOnlyRootFilesystem]
-    end
+  it "applies_restricted_profile_by_default" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
 
-    def test_applies_baseline_profile_via_constructor_default
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
-
-      Middleware::SecurityContext.new(default: :baseline).call(m)
-      h = m.resources.first.to_h
-      pod_sc = h.dig(:spec, :template, :spec, :securityContext)
-
-      assert_nil pod_sc[:seccompProfile]
-    end
+    Middleware::SecurityContext.new.call(m)
+    h = m.resources.first.to_h
+    pod_sc = h.dig(:spec, :template, :spec, :securityContext)
 
-    def test_label_overrides_constructor_default
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        metadata.labels = { "app.kubernetes.io/security": "restricted" }
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
-
-      Middleware::SecurityContext.new(default: :baseline).call(m)
-      h = m.resources.first.to_h
-      pod_sc = h.dig(:spec, :template, :spec, :securityContext)
-
-      assert_equal({ type: "RuntimeDefault" }, pod_sc[:seccompProfile])
-    end
+    pod_sc[:runAsNonRoot].should == true
+  end
 
-    def test_applies_to_all_containers
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "app", image: "app:latest" },
-          { name: "sidecar", image: "sidecar:latest" },
-        ]
-      })
-
-      Middleware::SecurityContext.new.call(m)
-      containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)
-
-      containers.each do |c|
-        assert_equal false, c.dig(:securityContext, :allowPrivilegeEscalation)
-      end
-    end
+  it "applies_baseline_profile_via_label" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/security": "baseline" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new.call(m)
+    h = m.resources.first.to_h
+    pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+    pod_sc[:runAsNonRoot].should == true
+  end
 
-    def test_skips_non_pod_bearing_resources
-      resource = Kube::Cluster["ConfigMap"].new { metadata.name = "config" }
-      m = manifest(resource)
+  it "applies_baseline_profile_via_constructor_default" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new(default: :baseline).call(m)
+    h = m.resources.first.to_h
+    pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+    pod_sc[:seccompProfile].should.be.nil
+  end
 
-      Middleware::SecurityContext.new.call(m)
+  it "label_overrides_constructor_default" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/security": "restricted" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new(default: :baseline).call(m)
+    h = m.resources.first.to_h
+    pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+    pod_sc[:seccompProfile].should == { type: "RuntimeDefault" }
+  end
 
-      assert_equal resource.to_h, m.resources.first.to_h
-    end
+  it "applies_to_all_containers" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "app", image: "app:latest" },
+        { name: "sidecar", image: "sidecar:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new.call(m)
+    containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)
+
+    containers.last.dig(:securityContext, :allowPrivilegeEscalation).should == false
+  end
 
-    def test_raises_on_unknown_profile
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        metadata.labels = { "app.kubernetes.io/security": "yolo" }
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
-
-      error = assert_raises(ArgumentError) do
-        Middleware::SecurityContext.new.call(m)
-      end
+  it "skips_non_pod_bearing_resources" do
+    resource = Kube::Cluster["ConfigMap"].new { metadata.name = "config" }
+    m = manifest(resource)
 
-      assert_includes error.message, "yolo"
-    end
+    Middleware::SecurityContext.new.call(m)
 
-    def test_preserves_existing_pod_security_context
-      m = manifest(Kube::Cluster["Deployment"].new {
-        metadata.name = "web"
-        spec.selector.matchLabels = { app: "web" }
-        spec.template.metadata.labels = { app: "web" }
-        spec.template.spec.securityContext = { runAsUser: 9999 }
-        spec.template.spec.containers = [
-          { name: "web", image: "nginx:latest" },
-        ]
-      })
-
-      Middleware::SecurityContext.new.call(m)
-      pod_sc = m.resources.first.to_h.dig(:spec, :template, :spec, :securityContext)
-
-      # Existing value wins
-      assert_equal 9999, pod_sc[:runAsUser]
-      # Middleware fills in missing values
-      assert_equal true, pod_sc[:runAsNonRoot]
-    end
+    m.resources.first.to_h.should == resource.to_h
+  end
 
-    private
+  it "raises_on_unknown_profile" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      metadata.labels = { "app.kubernetes.io/security": "yolo" }
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    lambda { Middleware::SecurityContext.new.call(m) }.should.raise ArgumentError
+  end
 
-      def manifest(*resources)
-        m = Kube::Cluster::Manifest.new
-        resources.each { |r| m << r }
-        m
-      end
+  it "preserves_existing_pod_security_context" do
+    m = manifest(Kube::Cluster["Deployment"].new {
+      metadata.name = "web"
+      spec.selector.matchLabels = { app: "web" }
+      spec.template.metadata.labels = { app: "web" }
+      spec.template.spec.securityContext = { runAsUser: 9999 }
+      spec.template.spec.containers = [
+        { name: "web", image: "nginx:latest" },
+      ]
+    })
+
+    Middleware::SecurityContext.new.call(m)
+    pod_sc = m.resources.first.to_h.dig(:spec, :template, :spec, :securityContext)
+
+    # Existing value wins
+    pod_sc[:runAsUser].should == 9999
   end
+
+  private
+
+    def manifest(*resources)
+      m = Kube::Cluster::Manifest.new
+      resources.each { |r| m << r }
+      m
+    end
 end