mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
PodSecurity: test GA-only cases and alpha/beta fields separately
This commit is contained in:
parent
e87016cf94
commit
ba6b4c5a18
@ -109,6 +109,8 @@ type MutableFeatureGate interface {
|
||||
SetFromMap(m map[string]bool) error
|
||||
// Add adds features to the featureGate.
|
||||
Add(features map[Feature]FeatureSpec) error
|
||||
// GetAll returns a copy of the map of known feature names to feature specs.
|
||||
GetAll() map[Feature]FeatureSpec
|
||||
}
|
||||
|
||||
// featureGate implements FeatureGate as well as pflag.Value for flag parsing.
|
||||
@ -290,6 +292,15 @@ func (f *featureGate) Add(features map[Feature]FeatureSpec) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetAll returns a copy of the map of known feature names to feature specs.
|
||||
func (f *featureGate) GetAll() map[Feature]FeatureSpec {
|
||||
retval := map[Feature]FeatureSpec{}
|
||||
for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
|
||||
retval[k] = v
|
||||
}
|
||||
return retval
|
||||
}
|
||||
|
||||
// Enabled returns true if the key is enabled. If the key is not known, this call will panic.
|
||||
func (f *featureGate) Enabled(key Feature) bool {
|
||||
if v, ok := f.enabled.Load().(map[Feature]bool)[key]; ok {
|
||||
|
@ -20,6 +20,7 @@ import (
|
||||
"testing"
|
||||
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/component-base/featuregate"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
|
||||
"k8s.io/kubernetes/pkg/capabilities"
|
||||
@ -29,21 +30,17 @@ import (
|
||||
)
|
||||
|
||||
func TestPodSecurity(t *testing.T) {
|
||||
// Enable all feature gates needed to allow all fields to be exercised
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
|
||||
// Ensure the PodSecurity feature is enabled
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
|
||||
"--anonymous-auth=false",
|
||||
"--enable-admission-plugins=PodSecurity",
|
||||
"--allow-privileged=true",
|
||||
// TODO: "--admission-control-config-file=" + admissionConfigFile.Name(),
|
||||
}, framework.SharedEtcd())
|
||||
defer server.TearDownFn()
|
||||
|
||||
// ensure the global is set to allow privileged containers
|
||||
capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
|
||||
|
||||
// Start server
|
||||
server := startPodSecurityServer(t)
|
||||
opts := podsecuritytest.Options{
|
||||
ClientConfig: server.ClientConfig,
|
||||
|
||||
// Don't pass in feature-gate info, so all testcases run
|
||||
|
||||
// TODO
|
||||
ExemptClient: nil,
|
||||
ExemptNamespaces: []string{},
|
||||
@ -51,3 +48,38 @@ func TestPodSecurity(t *testing.T) {
|
||||
}
|
||||
podsecuritytest.Run(t, opts)
|
||||
}
|
||||
|
||||
// TestPodSecurityGAOnly ensures policies pass with only GA features enabled
|
||||
func TestPodSecurityGAOnly(t *testing.T) {
|
||||
// Disable all alpha and beta features
|
||||
for k, v := range utilfeature.DefaultFeatureGate.DeepCopy().GetAll() {
|
||||
if v.PreRelease == featuregate.Alpha || v.PreRelease == featuregate.Beta {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, k, false)()
|
||||
}
|
||||
}
|
||||
// Ensure PodSecurity feature is enabled
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
|
||||
// Start server
|
||||
server := startPodSecurityServer(t)
|
||||
|
||||
opts := podsecuritytest.Options{
|
||||
ClientConfig: server.ClientConfig,
|
||||
// Pass in feature gate info so negative test cases depending on alpha or beta features can be skipped
|
||||
Features: utilfeature.DefaultFeatureGate,
|
||||
}
|
||||
podsecuritytest.Run(t, opts)
|
||||
}
|
||||
|
||||
func startPodSecurityServer(t *testing.T) *kubeapiservertesting.TestServer {
|
||||
// ensure the global is set to allow privileged containers
|
||||
capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
|
||||
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
|
||||
"--anonymous-auth=false",
|
||||
"--enable-admission-plugins=PodSecurity",
|
||||
"--allow-privileged=true",
|
||||
// TODO: "--admission-control-config-file=" + admissionConfigFile.Name(),
|
||||
}, framework.SharedEtcd())
|
||||
t.Cleanup(server.TearDownFn)
|
||||
return server
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user