github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00
Code Issues Projects Releases Wiki Activity

PodSecurity: test GA-only cases and alpha/beta fields separately

Browse Source
This commit is contained in:
Jordan Liggitt 2021-06-30 11:25:13 -04:00
parent e87016cf94
commit ba6b4c5a18
2 changed files with 54 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
staging/src/k8s.io/component-base/featuregate/feature_gate.go
View File

@ -109,6 +109,8 @@ type MutableFeatureGate interface {
SetFromMap(m map[string]bool) error SetFromMap(m map[string]bool) error
// Add adds features to the featureGate. // Add adds features to the featureGate.
Add(features map[Feature]FeatureSpec) error Add(features map[Feature]FeatureSpec) error
// GetAll returns a copy of the map of known feature names to feature specs.
GetAll() map[Feature]FeatureSpec
} }
// featureGate implements FeatureGate as well as pflag.Value for flag parsing. // featureGate implements FeatureGate as well as pflag.Value for flag parsing.
@ -290,6 +292,15 @@ func (f *featureGate) Add(features map[Feature]FeatureSpec) error {
return nil return nil
} }
// GetAll returns a copy of the map of known feature names to feature specs.
func (f *featureGate) GetAll() map[Feature]FeatureSpec {
retval := map[Feature]FeatureSpec{}
for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
retval[k] = v
}
return retval
}
// Enabled returns true if the key is enabled. If the key is not known, this call will panic. // Enabled returns true if the key is enabled. If the key is not known, this call will panic.
func (f *featureGate) Enabled(key Feature) bool { func (f *featureGate) Enabled(key Feature) bool {
if v, ok := f.enabled.Load().(map[Feature]bool)[key]; ok { if v, ok := f.enabled.Load().(map[Feature]bool)[key]; ok {

54
test/integration/auth/podsecurity_test.go
View File

@ -20,6 +20,7 @@ import (
"testing" "testing"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/component-base/featuregate"
featuregatetesting "k8s.io/component-base/featuregate/testing" featuregatetesting "k8s.io/component-base/featuregate/testing"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/pkg/capabilities" "k8s.io/kubernetes/pkg/capabilities"
@ -29,21 +30,17 @@ import (
) )
func TestPodSecurity(t *testing.T) { func TestPodSecurity(t *testing.T) {
// Enable all feature gates needed to allow all fields to be exercised
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
// Ensure the PodSecurity feature is enabled
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{ // Start server
"--anonymous-auth=false", server := startPodSecurityServer(t)
"--enable-admission-plugins=PodSecurity",
"--allow-privileged=true",
// TODO: "--admission-control-config-file=" + admissionConfigFile.Name(),
}, framework.SharedEtcd())
defer server.TearDownFn()
// ensure the global is set to allow privileged containers
capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
opts := podsecuritytest.Options{ opts := podsecuritytest.Options{
ClientConfig: server.ClientConfig, ClientConfig: server.ClientConfig,
// Don't pass in feature-gate info, so all testcases run
// TODO // TODO
ExemptClient: nil, ExemptClient: nil,
ExemptNamespaces: []string{}, ExemptNamespaces: []string{},
@ -51,3 +48,38 @@ func TestPodSecurity(t *testing.T) {
} }
podsecuritytest.Run(t, opts) podsecuritytest.Run(t, opts)
} }
// TestPodSecurityGAOnly ensures policies pass with only GA features enabled
func TestPodSecurityGAOnly(t *testing.T) {
// Disable all alpha and beta features
for k, v := range utilfeature.DefaultFeatureGate.DeepCopy().GetAll() {
if v.PreRelease == featuregate.Alpha || v.PreRelease == featuregate.Beta {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, k, false)()
}
}
// Ensure PodSecurity feature is enabled
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
// Start server
server := startPodSecurityServer(t)
opts := podsecuritytest.Options{
ClientConfig: server.ClientConfig,
// Pass in feature gate info so negative test cases depending on alpha or beta features can be skipped
Features: utilfeature.DefaultFeatureGate,
}
podsecuritytest.Run(t, opts)
}
func startPodSecurityServer(t *testing.T) *kubeapiservertesting.TestServer {
// ensure the global is set to allow privileged containers
capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
"--anonymous-auth=false",
"--enable-admission-plugins=PodSecurity",
"--allow-privileged=true",
// TODO: "--admission-control-config-file=" + admissionConfigFile.Name(),
}, framework.SharedEtcd())
t.Cleanup(server.TearDownFn)
return server
}