
package test

import "k8s.io/pod-security-admission/test"

Package test contains tests for PodSecurity admission

Index

Functions

func DefaultCreateNamespace

func DefaultCreateNamespace(client kubernetes.Interface, name string, labels map[string]string) (*corev1.Namespace, error)

func GetMinimalValidLinuxPod

func GetMinimalValidLinuxPod(level api.Level, version api.Version) (*corev1.Pod, error)

GetMinimalValidLinuxPod returns a minimal valid Linux pod for the specified level and version.

func GetMinimalValidPod

func GetMinimalValidPod(level api.Level, version api.Version) (*corev1.Pod, error)

GetMinimalValidPod returns a minimal valid OS-neutral pod for the specified level and version.

func GetMinimalValidWindowsPod

func GetMinimalValidWindowsPod(level api.Level, version api.Version) (*corev1.Pod, error)

GetMinimalValidWindowsPod returns a minimal valid Windows pod for the specified level and version.

func Run

func Run(t *testing.T, opts Options)

and ensures pod fixtures expected to pass and fail against that level/version work as expected.

Types

type Options

type Options struct {
	// ClientConfig is a client configuration with sufficient permission to create, update, and delete
	// namespaces, pods, and pod-template-containing objects.
	// Required.
	ClientConfig *rest.Config

	// Features optionally provides information about which feature gates are enabled.
	// This is used to skip failure cases for negative tests of data in alpha/beta fields.
	// If unset, all testcases are run.
	Features featuregate.FeatureGate

	// CreateNamespace is an optional stub for creating a namespace with the given name and labels.
	// Returning an error fails the test.
	// If nil, DefaultCreateNamespace is used.
	CreateNamespace func(client kubernetes.Interface, name string, labels map[string]string) (*corev1.Namespace, error)

	// These are the check ids/starting versions to exercise.
	// If unset, policy.DefaultChecks() are used.
	Checks []policy.Check

	// ExemptClient is an optional client interface to exercise behavior of an exempt client.
	ExemptClient kubernetes.Interface
	// ExemptNamespaces are optional namespaces not expected to have PodSecurity controls enforced.
	ExemptNamespaces []string
	// ExemptRuntimeClasses are optional runtimeclasses not expected to have PodSecurity controls enforced.
	ExemptRuntimeClasses []string
}

Options holds configuration for running integration tests against an existing server.

Source Files

doc.go fixtures.go fixtures_allowPrivilegeEscalation.go fixtures_appArmorProfile.go fixtures_capabilities_baseline.go fixtures_capabilities_restricted.go fixtures_hostNamespaces.go fixtures_hostPathVolumes.go fixtures_hostPorts.go fixtures_privileged.go fixtures_procMount.go fixtures_restrictedVolumes.go fixtures_runAsNonRoot.go fixtures_runAsUser.go fixtures_seLinuxOptions.go fixtures_seccompProfile_baseline.go fixtures_seccompProfile_restricted.go fixtures_sysctls.go fixtures_windowsHostProcess.go helpers.go helpers_seccomp.go run.go

Version: v0.32.2 (latest)
Published: Feb 13, 2025
Platform: linux/amd64
Imports: 17 packages