Merge pull request #6542 from s-urbaniak/pod-security-admission

e2e-tests: describe pod security admission
Kubernetes Prow Robot 2022-03-25 08:21:59 -07:00 committed by GitHub
commit dbb243f825
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 0 deletions


@ -604,6 +604,32 @@ Note that advanced testing parameters, and hierarchichally defined parameters, a
In time, it is our intent to add or autogenerate a sample viper configuration that includes all e2e parameters, to ship with Kubernetes.
### Pod Security Admission
With introducing Pod Security admission in Kubernetes by default, it is desired to execute e2e tests within bounded pod security policy levels. The default pod security policy in e2e tests is [restricted](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels). This is set in https://github.com/kubernetes/kubernetes/blob/master/test/e2e/framework/framework.go. This ensures that e2e tests follow best practices for hardening pods by default.
Two helper functions are available for returning a minimal [restricted pod security context](https://github.com/kubernetes/kubernetes/blob/d7e6eab87d0fd005b238e3ec9b088e37d41a15d3/test/e2e/framework/pod/utils.go#L119) and a [restricted container security context](https://github.com/kubernetes/kubernetes/blob/d7e6eab87d0fd005b238e3ec9b088e37d41a15d3/test/e2e/framework/pod/utils.go#L127). These can be used to initialize pod or container specs to ensure adherence for the most restricted pod security policy.
If pods need to elevate privileges to either `baseline` or `privileged` a new field - `NamespacePodSecurityEnforceLevel` - was introduced to the e2e framework to specify the necessary namespace enforcement level. Note that namespaces get created in the `BeforeEach()` phase of ginkgo tests.
```
import (
...
admissionapi "k8s.io/pod-security-admission/api"
...
)
var _ = SIGDescribe("Test", func() {
...
f := framework.NewDefaultFramework("test")
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
...
}
```
This ensures that the namespace returned by `f.Namespace.Name` includes the configured pod security policy level. Note that creating custom namespace names is not encouraged and will not include the configured settings.
### Conformance tests
For more information on Conformance tests please see the [Conformance Testing](../sig-architecture/conformance-tests.md)
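Review bot: The Go snippet after the `NamespacePodSecurityEnforceLevel` paragraph does not compile as written: `var _ = SIGDescribe("Test", func() {` is closed with a bare `}` instead of `})`, so the `SIGDescribe` call is never closed; suggest ending the block with `})` and tagging the opening fence as ```go so the example renders with Go highlighting. Two wording points in the new section: it repeatedly says "pod security policy" ("The default pod security policy in e2e tests is restricted", "the most restricted pod security policy", "the configured pod security policy level"), which invites confusion with the deprecated PodSecurityPolicy admission controller; Pod Security Admission enforces Pod Security Standards levels, so "pod security level" or "Pod Security Standards level" is the accurate term throughout. The opening sentence "With introducing Pod Security admission in Kubernetes by default, it is desired to execute e2e tests within bounded pod security policy levels" would read better as "With Pod Security admission enabled in Kubernetes by default, e2e tests should run within a bounded pod security level". It is also worth stating what the `BeforeEach()` remark implies for test authors: because the framework creates the namespace in its own `BeforeEach()`, `NamespacePodSecurityEnforceLevel` must be assigned directly in the container body right after `framework.NewDefaultFramework("test")`, as the snippet does, and not inside an `It()` or a later `BeforeEach()`, otherwise the namespace is already created at the default restricted level by the time the field is set. Finally, the pre-existing "hierarchichally" in the unchanged context line above the new heading could be corrected to "hierarchically" while this file is being touched.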