Commit 7359ae0

Improve testing
1 parent f268788 commit 7359ae0

1 file changed

+6
-3
lines changed
  • keps/sig-auth/4872-harden-kubelet-cert-validation

keps/sig-auth/4872-harden-kubelet-cert-validation/README.md

@@ -191,19 +191,21 @@ Existing test coverage for the packages we anticipate modifying:
191191
- `k8s.io/kubernetes/pkg/kubelet/client`: `2024-10-07` - `28.2`
192192
- `k8s.io/client-go/transport`: `2024-10-07` - `59.4`
193193

194+
On top of testing the validation itself, we will test that:
195+
* An error is returned if `--enable-kubelet-cert-cn-validation` is set but `KubeletCertCNValidation` feature flag is not enabled.
196+
* An error is returned if the feature `KubeletCertCNValidation` is enabled, `--enable-kubelet-cert-cn-validation` is set to true but `--kubelet-certificate-authority` is not set.
197+
194198
##### Integration tests
195199

196200
Integration tests will be added to ensure the following:
197-
* An error is returned if `--enable-kubelet-cert-cn-validation` is set but `KubeletCertCNValidation` feature flag is not enabled.
198-
* An error is returned if the feature `KubeletCertCNValidation` is enabled, `--enable-kubelet-cert-cn-validation` is set to true but `--kubelet-certificate-authority` is not set.
199201
* Validation for custom certificates works if feature flag is not enabled.
200202
* Validation for custom certificates works if feature flag enabled and `--enable-kubelet-cert-cn-validation` is not set or set to false.
201203
* Validation for custom certificates fails if feature flag enabled, `--kubelet-certificate-authority` is set and `--enable-kubelet-cert-cn-validation` is set to true.
202204
* Validation for kubernetes issued certificates works if feature flag enabled, `--kubelet-certificate-authority` is set and `--enable-kubelet-cert-cn-validation` is set to true.
203205

204206
##### e2e tests
205207

206-
We believe is likely end-to-end tests won't be needed as unit and integration tests will cover all the scenarios. If it's not possible to cover all the scenarios, we will add e2e tests. It's also quite likely that existing e2e tests will cover the new behavior once the feature gate is enabled, so new tests might only be needed for the transition period.
208+
We will update the alpha kind e2e tests job to exercise this flow to start with, and once the functionality is beta, we will update all kind e2e test jobs to run with this verification.
207209

208210
### Graduation Criteria
209211

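Review bot: The first moved bullet (new line 195) says the error fires when `--enable-kubelet-cert-cn-validation` "is set", while the bullet after it and the integration list distinguish "set to true" from "not set or set to false". Use "set to true" here as well, or state explicitly that an explicit `false` with the gate disabled is also rejected, so the unit test has one defined expectation. The new e2e sentence (new line 208) only commits to running kind jobs with the check turned on, which exercises the accepting path; consider saying that the rejection case stays covered by the integration bullet on custom certificates, or add a rejection case to the job. Minor: the added text says "feature flag" where the removed paragraph said "feature gate"; pick one term.
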
@@ -216,6 +218,7 @@ We believe is likely end-to-end tests won't be needed as unit and integration te
216218
#### Beta
217219
* Address user reviews and iterate if needed
218220
* Feature flag on by default
221+
* Validation enabled for all kind e2e test jobs
219222

220223
#### GA
221224
* Remove feature flag
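
Review bot: "Validation enabled" at new line 221 should name the setting, because the Beta item above it only turns the gate on by default and, per the integration list in this file, validation stays off unless `--enable-kubelet-cert-cn-validation` is set to true and `--kubelet-certificate-authority` is set. Suggested wording: "* All kind e2e test jobs run with `--enable-kubelet-cert-cn-validation=true`". The e2e section also promises an update to the alpha kind job "to start with"; if the Alpha list does not already carry that item, add it there so both stages have a matching criterion.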
