
Commit ef26eb5

committed
test(translator): tighten skills security context assertions
Reduce multi-line comments to single lines. Replace the weak if-not-nil guard with a direct assert.Nil so the test actually fails when the security context is unexpectedly set.
1 parent 40cfdba commit ef26eb5

1 file changed

Lines changed: 3 additions & 13 deletions


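--- a/go/core/internal/controller/translator/agent/security_context_test.go
+++ b/go/core/internal/controller/translator/agent/security_context_test.go
@@ -275,9 +275,7 @@ func TestSecurityContext_OnlyContainerSecurityContext(t *testing.T) {
 assert.Equal(t, int64(3000), *containerSecurityContext.RunAsGroup)
 }
 
-// TestSecurityContext_SkillsNoPrivileged verifies that skills alone do NOT set Privileged=true.
-// Skills are loaded by the init container; the main container does not need elevated privileges
-// for skill loading. Only the BashTool sandbox (cfg.GetExecuteCode()) needs Privileged=true.
+// TestSecurityContext_SkillsNoPrivileged verifies that skills alone do not produce any security context.
 func TestSecurityContext_SkillsNoPrivileged(t *testing.T) {
 ctx := context.Background()
 
@@ -337,18 +335,10 @@ func TestSecurityContext_SkillsNoPrivileged(t *testing.T) {
 require.NotNil(t, deployment)
 podTemplate := &deployment.Spec.Template
 
-containerSecurityContext := podTemplate.Spec.Containers[0].SecurityContext
-if containerSecurityContext != nil {
-assert.True(t, containerSecurityContext.Privileged == nil || !*containerSecurityContext.Privileged,
-"skills alone must not set Privileged=true")
-}
+assert.Nil(t, podTemplate.Spec.Containers[0].SecurityContext, "skills must not set a security context")
 }
 
-// TestSecurityContext_SkillsPSSRestricted verifies that when a user explicitly sets
-// AllowPrivilegeEscalation=false (PSS Restricted profile), adding skills does NOT
-// force Privileged=true — which Kubernetes rejects as an invalid combination.
-// srt (Anthropic Sandbox Runtime) falls back to unprivileged user-namespace sandboxing
-// on modern kernels (EKS, GKE) that have unprivileged_userns_clone enabled.
+// TestSecurityContext_SkillsPSSRestricted verifies that AllowPrivilegeEscalation=false is preserved and skills do not override it.
 func TestSecurityContext_SkillsPSSRestricted(t *testing.T) {
 ctx := context.Background()
 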
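Review bot: The new doc comment on TestSecurityContext_SkillsNoPrivileged says skills produce no security context at all, but the assertion at new line 338 only covers `Containers[0].SecurityContext`; the pod-level `podTemplate.Spec.SecurityContext` and any init containers are left unchecked. The removed comment stated that skills are loaded by an init container, so if that container is rendered into this pod spec it is the more likely place for a privileged setting to appear, and this test would not notice. I would either narrow the comment to "the main container" or extend the assertions as sketched below, and index `Containers[0]` only after a `require.NotEmpty` so an empty spec fails cleanly instead of panicking. The test's setup sits between the two hunks and is not visible here, so whether the pod-level context is expected to stay unset and whether an init container is actually present both need confirming.

```go
require.NotEmpty(t, podTemplate.Spec.Containers)
assert.Nil(t, podTemplate.Spec.Containers[0].SecurityContext, "skills must not set a security context")
assert.Nil(t, podTemplate.Spec.SecurityContext, "skills must not set a pod security context")
for _, c := range podTemplate.Spec.InitContainers {
	if sc := c.SecurityContext; sc != nil && sc.Privileged != nil {
		assert.False(t, *sc.Privileged, "init container %q must not be privileged", c.Name)
	}
}
```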