-
Notifications
You must be signed in to change notification settings - Fork 46
Test Plan
The test cases described in this document pretend to be standalone tests. So, it may have duplicate steps which can be optimize when writing the actual tests in the CI pipeline.
Test based on the Quick start documentation.
Kubernetes cluster up and running
- Run the commands to install Kubewarden using the Helm charts.
helm repo add kubewarden https://charts.kubewarden.io
helm install --namespace kubewarden --create-namespace kubewarden-controller kubewarden/kubewarden-controller- Wait installation to finish
- Check if the Kubewarden controller pod running
kubectl get pods- Check if the
ClusterAdmissionPolicycustom resource definition is installed
kubectl get crds- Check if there is a
defaultPolicyServer up and running
The Kubewarden stack should be installed and properly configured in the Kubernetes cluster
A Kubernetes cluster with Kubewarden installed.
- Define a
ClusterAdimissionPolicy
kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
name: privileged-pods
spec:
module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.5
rules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations:
- CREATE
- UPDATE
mutating: false
EOF- Check if the policy is listed as a
ClusterAdimissionPolicy
kubectl get clusteradmissionpolicy.policies.kubewarden.io- Check if the policy server is up and running
kubectl get podsThe policy should be installed in the cluster and active
A Kubernetes cluster with Kubewarden installed.
- Define a
ClusterAdmissionPolicy
kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
name: privileged-pods
spec:
module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.5
rules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations:
- CREATE
- UPDATE
mutating: false
EOF- Wait policy to be active
- Try to deploy a pod which violates the policy previously defined. It should fail.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
spec:
containers:
- name: nginx
image: nginx:latest
securityContext:
privileged: true
EOFThe kubectl command used to create the pod should fail.
A Kubernetes cluster with Kubewarden installed.
- Define a
ClusterAdmissionPolicy
kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
name: privileged-pods
spec:
module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.5
rules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations:
- CREATE
- UPDATE
mutating: false
EOF- Wait policy to be active
- Try to deploy a pod which violates the policy previously defined. It should not fail.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: unprivileged-pod
spec:
containers:
- name: nginx
image: nginx:latest
EOFThe kubectl command used to create the pod should not fail and the pod should be created.
A Kubernetes cluster with Kubewarden installed and a policy defined.
- Delete the policy defined in the cluster
kubectl delete -f "privileged-policy.yaml" - Check if the policy is not listed as a
ClusterAdimissionPolicy
kubectl get clusteradmissionpolicy.policies.kubewarden.io- Check if the policy server is up and running
kubectl get podsThe policy should be removed from the cluster
Test based on the Quick start documentation.
A Kubernetes cluster with Kubewarden installed.
- Delete all
ClusterAdimissionPolicyresources - Wait for the for the kubewarden-controller to remove all the Kubernetes
ValidatingWebhookConfigurationand theMutatingWebhookConfigurationresources it created. - Uninstall the Helm chart
After the deinstallation process all the Kubewarden stack should be removed.