Merge pull request #6542 from s-urbaniak/pod-security-admission

k8s-ci-robot · web-flow · commit dbb243f825cf · 2022-03-25T08:21:59.000-07:00
e2e-tests: describe pod security admission
diff --git a/contributors/devel/sig-testing/e2e-tests.md b/contributors/devel/sig-testing/e2e-tests.md
@@ -604,6 +604,32 @@ Note that advanced testing parameters, and hierarchichally defined parameters, a
 
 In time, it is our intent to add or autogenerate a sample viper configuration that includes all e2e parameters, to ship with Kubernetes.
 
+### Pod Security Admission
+
+With introducing Pod Security admission in Kubernetes by default, it is desired to execute e2e tests within bounded pod security policy levels. The default pod security policy in e2e tests is [restricted](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels). This is set in https://github.com/kubernetes/kubernetes/blob/master/test/e2e/framework/framework.go. This ensures that e2e tests follow best practices for hardening pods by default.
+
+Two helper functions are available for returning a minimal [restricted pod security context](https://github.com/kubernetes/kubernetes/blob/d7e6eab87d0fd005b238e3ec9b088e37d41a15d3/test/e2e/framework/pod/utils.go#L119) and a [restricted container security context](https://github.com/kubernetes/kubernetes/blob/d7e6eab87d0fd005b238e3ec9b088e37d41a15d3/test/e2e/framework/pod/utils.go#L127). These can be used to initialize pod or container specs to ensure adherence for the most restricted pod security policy.
+
+If pods need to elevate privileges to either `baseline` or `privileged` a new field - `NamespacePodSecurityEnforceLevel` - was introduced to the e2e framework to specify the necessary namespace enforcement level. Note that namespaces get created in the `BeforeEach()` phase of ginkgo tests.
+
+```
+import (
+...
+  admissionapi "k8s.io/pod-security-admission/api"
+...
+)
+
+
+var _ = SIGDescribe("Test", func() {
+  ...
+  f := framework.NewDefaultFramework("test")
+  f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+  ...
+}
+```
+
+This ensures that the namespace returned by `f.Namespace.Name` includes the configured pod security policy level. Note that creating custom namespace names is not encouraged and will not include the configured settings.
+
 ### Conformance tests
 
 For more information on Conformance tests please see the [Conformance Testing](../sig-architecture/conformance-tests.md)
