Merge pull request #103365 from liggitt/podsecurity-feature-test

PodSecurity: make failure integration tests feature-aware
2025-07-23 11:50:44 +00:00 · 2021-07-01 00:05:54 -07:00 · 2021-07-01 00:05:54 -07:00 · dbfea1e2aa
commit dbfea1e2aa
parent c14017b270 ba6b4c5a18
6 changed files with 88 additions and 11 deletions
--- a/staging/publishing/import-restrictions.yaml
+++ b/staging/publishing/import-restrictions.yaml
@ -271,4 +271,5 @@
  - k8s.io/client-go
  - k8s.io/klog
  - k8s.io/pod-security-admission
+  - k8s.io/component-base/featuregate
  - k8s.io/utils
--- a/staging/src/k8s.io/component-base/featuregate/feature_gate.go
+++ b/staging/src/k8s.io/component-base/featuregate/feature_gate.go
@ -109,6 +109,8 @@ type MutableFeatureGate interface {
 	SetFromMap(m map[string]bool) error
 	// Add adds features to the featureGate.
 	Add(features map[Feature]FeatureSpec) error
+	// GetAll returns a copy of the map of known feature names to feature specs.
+	GetAll() map[Feature]FeatureSpec
 }

 // featureGate implements FeatureGate as well as pflag.Value for flag parsing.
@ -290,6 +292,15 @@ func (f *featureGate) Add(features map[Feature]FeatureSpec) error {
 	return nil
 }

+// GetAll returns a copy of the map of known feature names to feature specs.
+func (f *featureGate) GetAll() map[Feature]FeatureSpec {
+	retval := map[Feature]FeatureSpec{}
+	for k, v := range f.known.Load().(map[Feature]FeatureSpec) {
+		retval[k] = v
+	}
+	return retval
+}
+
 // Enabled returns true if the key is enabled.  If the key is not known, this call will panic.
 func (f *featureGate) Enabled(key Feature) bool {
 	if v, ok := f.enabled.Load().(map[Feature]bool)[key]; ok {
--- a/staging/src/k8s.io/pod-security-admission/go.mod
+++ b/staging/src/k8s.io/pod-security-admission/go.mod
@ -11,6 +11,7 @@ require (
 	k8s.io/apimachinery v0.0.0
 	k8s.io/apiserver v0.0.0
 	k8s.io/client-go v0.0.0
+	k8s.io/component-base v0.0.0
 	k8s.io/klog/v2 v2.9.0
 	k8s.io/utils v0.0.0-20210521133846-da695404a2bc
 	sigs.k8s.io/yaml v1.2.0
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures.go
@ -20,6 +20,7 @@ import (
 	"fmt"

 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/component-base/featuregate"
 	"k8s.io/pod-security-admission/api"
 	"k8s.io/pod-security-admission/policy"
 	"k8s.io/utils/pointer"
@ -90,6 +91,13 @@ type fixtureGenerator struct {
 	// expectErrorSubstring is a substring to expect in the error message for failed pods.
 	// if empty, the check ID is used.
 	expectErrorSubstring string
+
+	// failRequiresFeatures lists feature gates that must all be enabled for failure cases to fail properly.
+	// This allows failure cases depending on rejecting data populated in alpha or beta fields to be skipped when those features are not enabled.
+	// If empty, failure test cases are always run.
+	// Pass cases are not allowed to be feature-gated (pass cases must only depend on data existing in GA fields).
+	failRequiresFeatures []featuregate.Feature
+
 	// generatePass transforms a minimum valid pod into one or more valid pods.
 	// pods do not need to populate metadata.name.
 	generatePass func(*corev1.Pod) []*corev1.Pod
@ -102,6 +110,12 @@ type fixtureGenerator struct {
 type fixtureData struct {
 	expectErrorSubstring string

+	// failRequiresFeatures lists feature gates that must all be enabled for failure cases to fail properly.
+	// This allows failure cases depending on rejecting data populated in alpha or beta fields to be skipped when those features are not enabled.
+	// If empty, failure test cases are always run.
+	// Pass cases are not allowed to be feature-gated (pass cases must only depend on data existing in GA fields).
+	failRequiresFeatures []featuregate.Feature
+
 	pass []*corev1.Pod
 	fail []*corev1.Pod
 }
@ -148,6 +162,7 @@ func getFixtures(key fixtureKey) (fixtureData, error) {
 		if generator, exists := fixtureGenerators[key]; exists {
 			data := fixtureData{
 				expectErrorSubstring: generator.expectErrorSubstring,
+				failRequiresFeatures: generator.failRequiresFeatures,

 				pass: generator.generatePass(validPodForLevel.DeepCopy()),
 				fail: generator.generateFail(validPodForLevel.DeepCopy()),
--- a/staging/src/k8s.io/pod-security-admission/test/run.go
+++ b/staging/src/k8s.io/pod-security-admission/test/run.go
@ -30,6 +30,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+	"k8s.io/component-base/featuregate"
 	"k8s.io/pod-security-admission/api"
 	"k8s.io/pod-security-admission/policy"
 )
@ -41,6 +42,11 @@ type Options struct {
 	// Required.
 	ClientConfig *rest.Config

+	// Features optionally provides information about which feature gates are enabled.
+	// This is used to skip failure cases for negative tests of data in alpha/beta fields.
+	// If unset, all testcases are run.
+	Features featuregate.FeatureGate
+
 	// CreateNamespace is an optional stub for creating a namespace with the given name and labels.
 	// Returning an error fails the test.
 	// If nil, DefaultCreateNamespace is used.
@ -278,7 +284,18 @@ func Run(t *testing.T, opts Options) {
 						createController(t, i, pod, true, "")
 					}
 				})
+
+				// see if any features required for failure cases are disabled
+				var disabledRequiredFeatures []featuregate.Feature
+				for _, f := range checkData.failRequiresFeatures {
+					if opts.Features != nil && !opts.Features.Enabled(f) {
+						disabledRequiredFeatures = append(disabledRequiredFeatures, f)
+					}
+				}
 				t.Run(ns+"_fail_"+checkID, func(t *testing.T) {
+					if len(disabledRequiredFeatures) > 0 {
+						t.Skipf("features required for failure cases are disabled: %v", disabledRequiredFeatures)
+					}
 					for i, pod := range checkData.fail {
 						createPod(t, i, pod, false, checkData.expectErrorSubstring)
 						createController(t, i, pod, false, checkData.expectErrorSubstring)
--- a/test/integration/auth/podsecurity_test.go
+++ b/test/integration/auth/podsecurity_test.go
@ -20,6 +20,7 @@ import (
 	"testing"

 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/capabilities"
@ -29,21 +30,17 @@ import (
 )

 func TestPodSecurity(t *testing.T) {
+	// Enable all feature gates needed to allow all fields to be exercised
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)()
+	// Ensure the PodSecurity feature is enabled
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
-	server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
-		"--anonymous-auth=false",
-		"--enable-admission-plugins=PodSecurity",
-		"--allow-privileged=true",
-		// TODO: "--admission-control-config-file=" + admissionConfigFile.Name(),
-	}, framework.SharedEtcd())
-	defer server.TearDownFn()
-
-	// ensure the global is set to allow privileged containers
-	capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
-
+	// Start server
+	server := startPodSecurityServer(t)
 	opts := podsecuritytest.Options{
 		ClientConfig: server.ClientConfig,

+		// Don't pass in feature-gate info, so all testcases run
+
 		// TODO
 		ExemptClient:         nil,
 		ExemptNamespaces:     []string{},
@ -51,3 +48,38 @@ func TestPodSecurity(t *testing.T) {
 	}
 	podsecuritytest.Run(t, opts)
 }
+
+// TestPodSecurityGAOnly ensures policies pass with only GA features enabled
+func TestPodSecurityGAOnly(t *testing.T) {
+	// Disable all alpha and beta features
+	for k, v := range utilfeature.DefaultFeatureGate.DeepCopy().GetAll() {
+		if v.PreRelease == featuregate.Alpha || v.PreRelease == featuregate.Beta {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, k, false)()
+		}
+	}
+	// Ensure PodSecurity feature is enabled
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodSecurity, true)()
+	// Start server
+	server := startPodSecurityServer(t)
+
+	opts := podsecuritytest.Options{
+		ClientConfig: server.ClientConfig,
+		// Pass in feature gate info so negative test cases depending on alpha or beta features can be skipped
+		Features: utilfeature.DefaultFeatureGate,
+	}
+	podsecuritytest.Run(t, opts)
+}
+
+func startPodSecurityServer(t *testing.T) *kubeapiservertesting.TestServer {
+	// ensure the global is set to allow privileged containers
+	capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})
+
+	server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{
+		"--anonymous-auth=false",
+		"--enable-admission-plugins=PodSecurity",
+		"--allow-privileged=true",
+		// TODO: "--admission-control-config-file=" + admissionConfigFile.Name(),
+	}, framework.SharedEtcd())
+	t.Cleanup(server.TearDownFn)
+	return server
+}