|
24 | 24 | - [Windows Support](#windows-support) |
25 | 25 | - [Flexible Extension Support](#flexible-extension-support) |
26 | 26 | - [Test Plan](#test-plan) |
| 27 | + - [Prerequisite testing updates](#prerequisite-testing-updates) |
| 28 | + - [Unit tests](#unit-tests) |
| 29 | + - [Integration tests](#integration-tests) |
| 30 | + - [e2e tests](#e2e-tests) |
27 | 31 | - [Monitoring](#monitoring) |
28 | 32 | - [Audit Annotations](#audit-annotations) |
29 | 33 | - [PodSecurityPolicy Migration](#podsecuritypolicy-migration) |
@@ -553,41 +557,43 @@ publish the following tools: |
553 | 557 |
|
554 | 558 | ### Test Plan |
555 | 559 |
|
556 | | -The admission controller can safely be enabled as a no-op with the default-defaults, i.e. everything |
557 | | -is privileged. This will let us run the admission controller in our standard E2E test jobs, by |
558 | | -relabeling specific test namespaces. |
559 | | - |
560 | | -**E2E Tests:** The following tests should be added: |
561 | | - |
562 | | -1. Enforce mode tests: |
563 | | - - Test all profile levels |
564 | | - - Test profile version support |
565 | | -2. Warning mode tests: |
566 | | - - Profile levels & version support |
567 | | -3. Namespace policy relabeling |
568 | | - - Ensure labeling completes even when there are warnings |
569 | | - - Test warning on violating pods |
570 | | - - Test dry-run mode |
571 | | - |
572 | | -Additionally, we should add tests to the upgrade test suite to ensure that version skew is properly |
573 | | -handled: |
574 | | - |
575 | | -- A minimally specified pod (just a container image) should always be allowed by the baseline |
576 | | - policy. |
577 | | -- A privileged pod should never be allowed by baseline or restricted |
578 | | -- A Fully specified pod within the bounds of baseline should be allowed by baseline, and rejected by |
579 | | - restricted. |
580 | | -- A minimally specified restricted pod should be allowed at a pinned version. |
581 | | - |
582 | | -**Integration Tests:** Audit mode tests should be added to integration testing, where we have |
583 | | -existing audit logging tests. |
584 | | - |
585 | | -**Manual Testing Resources:** Pod resources will be provided covering all dimensions of the baseline |
586 | | -& restricted profiles, for validation of 3rd party policy implementations. These have been drafted |
587 | | -by @JimBugwadia: https://github.com/JimBugwadia/pod-security-tests |
588 | | - |
589 | | -**Unit Tests:** Both the library and admission controller implementations will have thorough |
590 | | -coverage of unit tests. |
| 560 | +##### Prerequisite testing updates |
| 561 | + |
| 562 | +None. |
| 563 | + |
| 564 | +##### Unit tests |
| 565 | + |
| 566 | +- `k8s.io/pod-security-admission/admission`: `2020-05-12` - `80.7% of statements` |
| 567 | +- `k8s.io/pod-security-admission/admission/api`: `2020-05-12` - `1.4% of statements` (mostly boilerplate & generated code) |
| 568 | +- `k8s.io/pod-security-admission/admission/api/load`: `2020-05-12` - `88.5% of statements` |
| 569 | +- `k8s.io/pod-security-admission/admission/api/scheme`: `2020-05-12` - `100.0% of statements` |
| 570 | +- `k8s.io/pod-security-admission/admission/api/v1alpha1`: `2020-05-12` - `1.7% of statements` (generated API) |
| 571 | +- `k8s.io/pod-security-admission/admission/api/v1beta1`: `2020-05-12` - `1.7% of statements` (generated API) |
| 572 | +- `k8s.io/pod-security-admission/admission/api/validation`: `2020-05-12` - `100.0% of statements` |
| 573 | +- `k8s.io/pod-security-admission/api`: `2020-05-12` - `9.3% of statements` **room for improvement** |
| 574 | +- `k8s.io/pod-security-admission/cmd/webhook`: `2020-05-12` - `no unit tests` (mostly server setup, covered by integration) |
| 575 | +- `k8s.io/pod-security-admission/cmd/webhook/server`: `2020-05-12` - `no unit tests` (mostly server setup, covered by integration) |
| 576 | +- `k8s.io/pod-security-admission/cmd/webhook/server/options`: `2020-05-12` - `no unit tests` (mostly server setup, covered by integration) |
| 577 | +- `k8s.io/pod-security-admission/metrics`: `2020-05-12` - `93.8% of statements` |
| 578 | +- `k8s.io/pod-security-admission/policy`: `2020-05-12` - `88.3% of statements` |
| 579 | +- `k8s.io/pod-security-admission/test`: `2020-05-12` - `73.7% of statements` |
| 580 | + |
| 581 | +##### Integration tests |
| 582 | + |
| 583 | +`k8s.io/kubernetes/test/integration/auth/podsecurity_test.go` |
| 584 | +https://storage.googleapis.com/k8s-triage/index.html?test=TestPodSecurity |
| 585 | + |
| 586 | +Pod Security admission has very thorough integration test coverage, including: |
| 587 | +- Generated test fixtures for failing & passing pods across every type of check, version and level. |
| 588 | +- Tests with only GA feature gates enabled, and the default set. |
| 589 | +- Tests running as a built-in admission controller & webhook. |
| 590 | +- Tests pods run directly & via a controller |
| 591 | + |
| 592 | +##### e2e tests |
| 593 | + |
| 594 | +There are no Pod Security specific E2E tests (we rely on integration test coverage instead), but the |
| 595 | +Pod Security admission controller is enabled in E2E clusters, and all E2E test namespaces are |
| 596 | +labeled with the enforcement label for Pod Security. |
591 | 597 |
|
592 | 598 | ### Monitoring |
593 | 599 |
|
|
0 commit comments