PodSecurity: test GA-only cases and alpha/beta fields separately
@@ -20,6 +20,7 @@ import (
|
||||
"testing"
|
||||
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/component-base/featuregate"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
|
||||
"k8s.io/kubernetes/pkg/capabilities"
|
||||
@@ -29,21 +30,17 @@ import (
|
||||
)
|
||||
|
||||
func TestPodSecurity(t *testing.T) {
|
||||
// Enable all feature gates needed to allow all fields to be exercised
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
|
||||
// Ensure the PodSecurity feature is enabled
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
|
||||
"--anonymous-auth=false",
|
||||
"--enable-admission-plugins=PodSecurity",
|
||||
"--allow-privileged=true",
|
||||
// TODO: "--admission-control-config-file=" + admissionConfigFile.Name(),
|
||||
}, framework.SharedEtcd())
|
||||
defer server.TearDownFn()
|
||||
|
||||
// ensure the global is set to allow privileged containers
|
||||
capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
|
||||
|
||||
// Start server
|
||||
server := startPodSecurityServer(t)
|
||||
opts := podsecuritytest.Options{
|
||||
ClientConfig: server.ClientConfig,
|
||||
|
||||
// Don't pass in feature-gate info, so all testcases run
|
||||
|
||||
// TODO
|
||||
ExemptClient: nil,
|
||||
ExemptNamespaces: []string{},
|
||||
@@ -51,3 +48,38 @@ func TestPodSecurity(t *testing.T) {
|
||||
}
|
||||
podsecuritytest.Run(t, opts)
|
||||
}
|
||||
|
||||
// TestPodSecurityGAOnly ensures policies pass with only GA features enabled
|
||||
func TestPodSecurityGAOnly(t *testing.T) {
|
||||
// Disable all alpha and beta features
|
||||
for k, v := range utilfeature.DefaultFeatureGate.DeepCopy().GetAll() {
|
||||
if v.PreRelease == featuregate.Alpha || v.PreRelease == featuregate.Beta {
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, k, false)()
|
||||
}
|
||||
}
|
||||
// Ensure PodSecurity feature is enabled
|
||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
|
||||
// Start server
|
||||
server := startPodSecurityServer(t)
|
||||
|
||||
opts := podsecuritytest.Options{
|
||||
ClientConfig: server.ClientConfig,
|
||||
// Pass in feature gate info so negative test cases depending on alpha or beta features can be skipped
|
||||
Features: utilfeature.DefaultFeatureGate,
|
||||
}
|
||||
podsecuritytest.Run(t, opts)
|
||||
}
|
||||
|
||||
func startPodSecurityServer(t *testing.T) *kubeapiservertesting.TestServer {
|
||||
// ensure the global is set to allow privileged containers
|
||||
capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
|
||||
|
||||
server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
|
||||
"--anonymous-auth=false",
|
||||
"--enable-admission-plugins=PodSecurity",
|
||||
"--allow-privileged=true",
|
||||
// TODO: "--admission-control-config-file=" + admissionConfigFile.Name(),
|
||||
}, framework.SharedEtcd())
|
||||
t.Cleanup(server.TearDownFn)
|
||||
return server
|
||||
}
|
||||
|
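Review bot: startPodSecurityServer sets the process-wide capabilities global to `AllowPrivileged: true` and never restores it, even though the same helper registers `t.Cleanup` for the server teardown. The privileged setting therefore outlives both TestPodSecurity and TestPodSecurityGAOnly, and would be seen by any later test in the same binary that reads it. Capture the previous value before the SetForTests call and restore it in a cleanup registered ahead of the server's, e.g. `prev := capabilities.Get()` followed by `t.Cleanup(func() { capabilities.SetForTests(prev) })`; registered there, it runs after `server.TearDownFn`. In TestPodSecurityGAOnly the comment `// Ensure PodSecurity feature is enabled` could also say why this comes after the loop: presumably the loop switches PodSecurity off while that gate is still alpha or beta, so the order of the two steps matters.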