PodSecurity: benchmark large numbers of owned pods

2025-07-21 10:51:29 +00:00 · 2021-11-01 17:47:03 -04:00 · 2021-11-01 17:47:03 -04:00 · 1bff65e6f8
commit 1bff65e6f8
parent 2a821d787b
1 changed files with 29 additions and 2 deletions
--- a/plugin/pkg/admission/security/podsecurity/admission_test.go
+++ b/plugin/pkg/admission/security/podsecurity/admission_test.go
@ -41,6 +41,7 @@ import (
 	v1 "k8s.io/kubernetes/pkg/apis/core/v1"
 	"k8s.io/kubernetes/pkg/features"
 	podsecurityadmission "k8s.io/pod-security-admission/admission"
+	"k8s.io/utils/pointer"
 	"sigs.k8s.io/yaml"
 )

@ -219,6 +220,24 @@ func BenchmarkVerifyNamespace(b *testing.B) {
 	}

 	// https://github.com/kubernetes/community/blob/master/sig-scalability/configs-and-limits/thresholds.md#kubernetes-thresholds
+	ownerA := metav1.OwnerReference{
+		APIVersion: "apps/v1",
+		Kind:       "ReplicaSet",
+		Name:       "myapp-123123",
+		UID:        types.UID("7610a7f4-8f80-4f88-95b5-6cefdd8e9dbd"),
+		Controller: pointer.Bool(true),
+	}
+	ownerB := metav1.OwnerReference{
+		APIVersion: "apps/v1",
+		Kind:       "ReplicaSet",
+		Name:       "myapp-234234",
+		UID:        types.UID("7610a7f4-8f80-4f88-95b5-as765as76f55"),
+		Controller: pointer.Bool(true),
+	}
+
+	// number of warnings printed for the entire namespace
+	namespaceWarningCount := 1
+
 	podCount := 3000
 	objects := make([]runtime.Object, 0, podCount+1)
 	objects = append(objects, enforceNamespaceBaselineV1)
@ -227,6 +246,14 @@ func BenchmarkVerifyNamespace(b *testing.B) {
 		v1PodCopy.Name = fmt.Sprintf("pod%d", i)
 		v1PodCopy.UID = types.UID(fmt.Sprintf("pod%d", i))
 		v1PodCopy.Namespace = namespace
+		switch i % 3 {
+		case 0:
+			v1PodCopy.OwnerReferences = []metav1.OwnerReference{ownerA}
+		case 1:
+			v1PodCopy.OwnerReferences = []metav1.OwnerReference{ownerB}
+		default:
+			// no owner references
+		}
 		objects = append(objects, v1PodCopy)
 	}

@ -264,8 +291,8 @@ func BenchmarkVerifyNamespace(b *testing.B) {
 			b.Fatal(err)
 		}
 		// should either be a single aggregated warning, or a unique warning per pod
-		if dc.count != 1 && dc.count != podCount {
-			b.Fatalf("expected either 1 or %d warnings, got %d", podCount, dc.count)
+		if dc.count != (1+namespaceWarningCount) && dc.count != (podCount+namespaceWarningCount) {
+			b.Fatalf("expected either %d or %d warnings, got %d", 1+namespaceWarningCount, podCount+namespaceWarningCount, dc.count)
 		}
 		// warning should contain the runAsNonRoot issue
 		if e, a := "runAsNonRoot", dc.text; !strings.Contains(a, e) {