Added unit tests for updateConfigForHostProcessContainer method
This commit adds thorough unit tests for the updateConfigForHostProcessContainer method. We test the following functionality:
- Reject privileged container in unprivileged sandbox (isolated HPC) — return error when container requests microsoft.com/hostprocess-container=true but the pod lacks it.
- Allow privileged container in privileged sandbox (isolated HPC) — ensure no unexpected mutations when no passthrough annotations are present.
- Block normal process-isolated container in process-isolated HPC pod — enforce constraint that all containers in a process HPC pod must also be job containers (error on mixing).
- Allow normal hypervisor-isolated container in hypervisor-isolated HPC pod.
- Passthrough annotations to privileged containers — propagate HostProcessInheritUser and HostProcessRootfsLocation from pod → container for: hypervisor-isolated HPC pods with privileged containers, and process-isolated HPC pods with privileged containers.
- No passthrough for normal containers — verify annotations aren’t propagated when the container is non-privileged.
- Set SYSTEM user for hypervisor-isolated privileged containers — when HostProcessInheritUser=true, set Process.User.Username to NT AUTHORITY\SYSTEM.
- Do not change user for normal containers — ensure container user remains unchanged even if the pod has HostProcessInheritUser=true.
- Force HostProcessInheritUser to "false" for normal containers — in hypervisor-isolated privileged pods, if a non-privileged container sets the inherit annotation, flip it to "false".
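
The rules this commit message lists, written out as a small Go model. This is an added example, not code from this commit or from the project. The `Container` type, the `applyHPCPolicy` function and the two `example/...` annotation keys are hypothetical stand-ins, and applying the first rule regardless of isolation mode is an assumption.

```go
package main

import "errors"

const (
	hpcKey     = "microsoft.com/hostprocess-container" // annotation quoted in the commit message
	inheritKey = "example/inherit-user"                // placeholder key for HostProcessInheritUser
	rootfsKey  = "example/rootfs-location"             // placeholder key for HostProcessRootfsLocation
	systemUser = `NT AUTHORITY\SYSTEM`
)

type Container struct { // simplified, hypothetical stand-in for the container spec
	Annotations map[string]string
	User        string
}

// applyHPCPolicy models the listed rules; hypervisor=false means a process-isolated pod.
func applyHPCPolicy(pod map[string]string, hypervisor bool, c *Container) error {
	if c.Annotations == nil {
		c.Annotations = map[string]string{}
	}
	podHPC, ctrHPC := pod[hpcKey] == "true", c.Annotations[hpcKey] == "true"
	switch {
	case ctrHPC && !podHPC:
		return errors.New("privileged container requested in unprivileged sandbox")
	case podHPC && !ctrHPC && !hypervisor:
		return errors.New("process-isolated HPC pod accepts only job containers")
	case !podHPC:
		return nil // ordinary pod, ordinary container: nothing to change
	case !ctrHPC:
		// Normal container in a hypervisor-isolated HPC pod: no passthrough, user untouched.
		if _, ok := c.Annotations[inheritKey]; ok {
			c.Annotations[inheritKey] = "false" // a normal container may not inherit the user
		}
		return nil
	}
	for _, k := range []string{inheritKey, rootfsKey} { // pod -> privileged container passthrough
		if v, ok := pod[k]; ok {
			c.Annotations[k] = v
		}
	}
	if hypervisor && c.Annotations[inheritKey] == "true" {
		c.User = systemUser
	}
	return nil
}

func main() {
	println(applyHPCPolicy(map[string]string{}, true, &Container{Annotations: map[string]string{hpcKey: "true"}}) != nil)
}
```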