diff --git a/pkg/server/options/encryptionconfig/testdata/valid-configs/aes/README.md b/pkg/server/options/encryptionconfig/testdata/valid-configs/aes/README.md
new file mode 100644
index 000000000..47ed17175
--- /dev/null
+++ b/pkg/server/options/encryptionconfig/testdata/valid-configs/aes/README.md
@@ -0,0 +1 @@
+Keys and secrets in this directory are generated for testing purposes only.
diff --git a/pkg/server/options/testdata/README.md b/pkg/server/options/testdata/README.md
new file mode 100644
index 000000000..a78ddfbd0
--- /dev/null
+++ b/pkg/server/options/testdata/README.md
@@ -0,0 +1 @@
+Keys in this directory are generated for testing purposes only.
diff --git a/plugin/pkg/authenticator/token/oidc/oidc_test.go b/plugin/pkg/authenticator/token/oidc/oidc_test.go
index 3f5db497e..14826000f 100644
--- a/plugin/pkg/authenticator/token/oidc/oidc_test.go
+++ b/plugin/pkg/authenticator/token/oidc/oidc_test.go
@@ -1546,7 +1546,7 @@ func TestToken(t *testing.T) {
 
 func TestUnmarshalClaimError(t *testing.T) {
 	// Ensure error strings returned by unmarshaling claims don't include the claim.
-	const token = "96bb299a-02e9-11e8-8673-54ee7553240e"
+	const token = "96bb299a-02e9-11e8-8673-54ee7553240e" // Fake token for testing.
 	payload := fmt.Sprintf(`{
 		"token": "%s"
 	}`, token)
diff --git a/plugin/pkg/authenticator/token/webhook/webhook_v1_test.go b/plugin/pkg/authenticator/token/webhook/webhook_v1_test.go
index 518cf7063..884317242 100644
--- a/plugin/pkg/authenticator/token/webhook/webhook_v1_test.go
+++ b/plugin/pkg/authenticator/token/webhook/webhook_v1_test.go
@@ -479,7 +479,7 @@ func TestV1WebhookTokenAuthenticator(t *testing.T) {
 			expectedAuthenticated: false,
 		},
 	}
-	token := "my-s3cr3t-t0ken"
+	token := "my-s3cr3t-t0ken" // Fake token for testing.
 	for _, tt := range tests {
 		t.Run(tt.description, func(t *testing.T) {
 			wh, err := newV1TokenAuthenticator(s.URL, clientCert, clientKey, caCert, 0, tt.implicitAuds)
diff --git a/plugin/pkg/authenticator/token/webhook/webhook_v1beta1_test.go b/plugin/pkg/authenticator/token/webhook/webhook_v1beta1_test.go
index 5c228b690..514fd9df3 100644
--- a/plugin/pkg/authenticator/token/webhook/webhook_v1beta1_test.go
+++ b/plugin/pkg/authenticator/token/webhook/webhook_v1beta1_test.go
@@ -481,7 +481,7 @@ func TestV1beta1WebhookTokenAuthenticator(t *testing.T) {
 			expectedAuthenticated: false,
 		},
 	}
-	token := "my-s3cr3t-t0ken"
+	token := "my-s3cr3t-t0ken" // Fake token for testing.
 	for _, tt := range tests {
 		t.Run(tt.description, func(t *testing.T) {
 			wh, err := newV1beta1TokenAuthenticator(s.URL, clientCert, clientKey, caCert, 0, tt.implicitAuds)