Diffstat (limited to 'test/security/k8s/src/check/validators/master/api_test.go')
-rw-r--r--test/security/k8s/src/check/validators/master/api_test.go15
1 files changed, 15 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index bee199519..f7c6daa52 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -18,6 +18,10 @@ var _ = Describe("Api", func() {
"--profiling=false",
"--repair-malformed-updates=false",
"--service-account-lookup=true",
+ "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
+ "TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass," +
+ "PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
+ "ResourceQuota",
}
// kubeApiServerCasablanca was obtained from virtual environment for testing
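Review bot: The plugin list added to kubeApiServerCISCompliant omits plugins that the CIS Kubernetes benchmark, as far as I understand it, also asks for, such as NodeRestriction and AlwaysPullImages, so the fixture name promises more than the data holds. That is harmless for the AlwaysAdmit check, but a later validator for those plugins would fail on the supposedly compliant fixture. Either extend the list now or add a comment above the entry, e.g. `// admission plugins: AlwaysAdmit-free baseline only; extend as further CIS plugin checks are added`. The slice literal starts outside the hunk.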
@@ -212,5 +216,16 @@ var _ = Describe("Api", func() {
Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true),
)
+
+ DescribeTable("AlwaysAdmit admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsAlwaysAdmitAdmissionControlPluginExcluded(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
+ Entry("Is not absent on insecure deprecated cluster", []string{"--admission-control=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
+ )
})
})
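Review bot: Both negative entries in the new AlwaysAdmit table place the plugin in the middle of the list, so the positions where comma-separated parsing usually goes wrong (first, last, sole value) are not exercised. I would add `Entry("Is not absent when listed last", []string{"--enable-admission-plugins=Foo,AlwaysAdmit"}, false),` and `Entry("Is not absent when it is the only plugin", []string{"--enable-admission-plugins=AlwaysAdmit"}, false),`. An entry with `--disable-admission-plugins=AlwaysAdmit` expecting true would also pin that the validator reads only the enabling flags. The implementation of IsAlwaysAdmitAdmissionControlPluginExcluded is not part of this diff, so that behaviour should be confirmed. The enclosing Describe block starts outside the hunk.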