Skip to content

Commit

Permalink
Add test coverage sections
Browse files Browse the repository at this point in the history
  • Loading branch information
tallclair committed May 12, 2022
1 parent da76cd0 commit 32dc2c4
Showing 1 changed file with 41 additions and 35 deletions.
76 changes: 41 additions & 35 deletions keps/sig-auth/2579-psp-replacement/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@
- [Windows Support](#windows-support)
- [Flexible Extension Support](#flexible-extension-support)
- [Test Plan](#test-plan)
- [Prerequisite testing updates](#prerequisite-testing-updates)
- [Unit tests](#unit-tests)
- [Integration tests](#integration-tests)
- [e2e tests](#e2e-tests)
- [Monitoring](#monitoring)
- [Audit Annotations](#audit-annotations)
- [PodSecurityPolicy Migration](#podsecuritypolicy-migration)
Expand Down Expand Up @@ -553,41 +557,43 @@ publish the following tools:

### Test Plan

The admission controller can safely be enabled as a no-op with the default-defaults, i.e. everything
is privileged. This will let us run the admission controller in our standard E2E test jobs, by
relabeling specific test namespaces.

**E2E Tests:** The following tests should be added:

1. Enforce mode tests:
- Test all profile levels
- Test profile version support
2. Warning mode tests:
- Profile levels & version support
3. Namespace policy relabeling
- Ensure labeling completes even when there are warnings
- Test warning on violating pods
- Test dry-run mode

Additionally, we should add tests to the upgrade test suite to ensure that version skew is properly
handled:

- A minimally specified pod (just a container image) should always be allowed by the baseline
policy.
- A privileged pod should never be allowed by baseline or restricted
- A Fully specified pod within the bounds of baseline should be allowed by baseline, and rejected by
restricted.
- A minimally specified restricted pod should be allowed at a pinned version.

**Integration Tests:** Audit mode tests should be added to integration testing, where we have
existing audit logging tests.

**Manual Testing Resources:** Pod resources will be provided covering all dimensions of the baseline
& restricted profiles, for validation of 3rd party policy implementations. These have been drafted
by @JimBugwadia: https://github.com/JimBugwadia/pod-security-tests

**Unit Tests:** Both the library and admission controller implementations will have thorough
coverage of unit tests.
##### Prerequisite testing updates

None.

##### Unit tests

- `k8s.io/pod-security-admission/admission`: `2020-05-12` - `80.7% of statements`
- `k8s.io/pod-security-admission/admission/api`: `2020-05-12` - `1.4% of statements` (mostly boilerplate & generated code)
- `k8s.io/pod-security-admission/admission/api/load`: `2020-05-12` - `88.5% of statements`
- `k8s.io/pod-security-admission/admission/api/scheme`: `2020-05-12` - `100.0% of statements`
- `k8s.io/pod-security-admission/admission/api/v1alpha1`: `2020-05-12` - `1.7% of statements` (generated API)
- `k8s.io/pod-security-admission/admission/api/v1beta1`: `2020-05-12` - `1.7% of statements` (generated API)
- `k8s.io/pod-security-admission/admission/api/validation`: `2020-05-12` - `100.0% of statements`
- `k8s.io/pod-security-admission/api`: `2020-05-12` - `9.3% of statements` **room for improvement**
- `k8s.io/pod-security-admission/cmd/webhook`: `2020-05-12` - `no unit tests` (mostly server setup, covered by integration)
- `k8s.io/pod-security-admission/cmd/webhook/server`: `2020-05-12` - `no unit tests` (mostly server setup, covered by integration)
- `k8s.io/pod-security-admission/cmd/webhook/server/options`: `2020-05-12` - `no unit tests` (mostly server setup, covered by integration)
- `k8s.io/pod-security-admission/metrics`: `2020-05-12` - `93.8% of statements`
- `k8s.io/pod-security-admission/policy`: `2020-05-12` - `88.3% of statements`
- `k8s.io/pod-security-admission/test`: `2020-05-12` - `73.7% of statements`

##### Integration tests

`k8s.io/kubernetes/test/integration/auth/podsecurity_test.go`
https://storage.googleapis.com/k8s-triage/index.html?test=TestPodSecurity

Pod Security admission has very thorough integration test coverage, including:
- Generated test fixtures for failing & passing pods across every type of check, version and level.
- Tests with only GA feature gates enabled, and the default set.
- Tests running as a built-in admission controller & webhook.
- Tests pods run directly & via a controller

##### e2e tests

There are no Pod Security specific E2E tests (we rely on integration test coverage instead), but the
Pod Security admission controller is enabled in E2E clusters, and all E2E test namespaces are
labeled with the enforcement label for Pod Security.

### Monitoring

Expand Down

0 comments on commit 32dc2c4

Please sign in to comment.