Update Kubernetes Access test plan (#20274)

* Update Kubernetes Access test plan

* update

* add gke auto-discovery
Tiago Silva 2023-02-02 18:01:19 +00:00 committed by GitHub
parent 26c4d6a180
commit b2c2886341
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -297,6 +297,7 @@ Minikube is the only caveat - it's not reachable publicly so don't run a proxy t
* [ ] Azure AD
* [ ] Azure RBAC
* [ ] Verify that AWS EKS clusters are discovered and enrolled
* [ ] Verify that GCP GKE clusters are discovered and enrolled
* [ ] Verify dynamic registration.
* [ ] Can register a new Kubernetes cluster using `tctl create`.
* [ ] Can update registered Kubernetes cluster using `tctl create -f`.
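Review bot: the new GKE item, like the EKS item above it, only says "discovered and enrolled" and gives the tester no negative case, so a discovery agent that enrolls every cluster the credentials can see would still pass. Suggest pairing it with a check that GKE clusters outside the configured discovery filters are not enrolled, and that a cluster removed from GCP is unregistered again, so the test plan also covers over-enrollment rather than just the happy path.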
@ -310,6 +311,22 @@ Minikube is the only caveat - it's not reachable publicly so don't run a proxy t
* [ ] Restart the agent after token TTL expires to see if it reuses the same identity.
* [ ] Force cluster CA rotation
### Kubernetes Pod RBAC
* [ ] Verify the following scenarios for `kubernetes_resources`:
* [ ] `{"kind":"pod","name":"*","namespace":"*"}` - must allow access to every pod.
* [ ] `{"kind":"pod","name":"<somename>","namespace":"*"}` - must allow access to pod `<somename>` in every namespace.
* [ ] `{"kind":"pod","name":"*","namespace":"<somenamespace>"}` - must allow access to any pod in `<somenamespace>` namespace.
* [ ] Verify support for `*` wildcards - `<some-name>-*` and regex for `name` and `namespace` fields.
* [ ] Verify support for delete pods collection - must use `go-client`.
* [ ] Verify scenarios with multiple roles defining `kubernetes_resources`:
* [ ] Validate that the returned list of pods is the union of every role.
* [ ] Validate that access to other pods is denied by RBAC.
* [ ] Validate that the Kubernetes Groups/Users are correctly selected depending on the role that applies to the pod.
* [ ] Test with a `kubernetes_groups` that denies exec into a pod
* [ ] Verify the following scenarios for Resource Access Requests to Pods:
* [ ] Create a valid resource access request and validate if access to other pods is denied.
* [ ] Validate if creating a resource access request with Kubernetes resources denied by `search_as_roles` is not allowed.
### Teleport with FIPS mode
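Review bot: the "Verify support for delete pods collection - must use `go-client`" item does not state the expected outcome, and a collection delete is the most destructive request this RBAC layer gates. Suggest spelling it out, e.g. "only pods matched by the role's `kubernetes_resources` are deleted, every other pod in the namespace is untouched, and the response does not list the pods that were skipped", so a tester cannot mark it done merely because the request succeeded. The same applies to the `*` wildcard item: "`<some-name>-*` and regex" mixes two matching syntaxes in one checkbox, so it should either name the expected syntax or be split into one item per syntax, and "delete pods collection" reads better as "deleting a pod collection".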