mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 08:43:58 +00:00
Update Kubernetes Access test plan (#20274)
* Update Kubernetes Access test plan
* update
* add gke auto-discovery
This commit is contained in:
parent 26c4d6a180
commit b2c2886341
.github/ISSUE_TEMPLATE/testplan.md (vendored): 17 lines changed
@ -297,6 +297,7 @@ Minikube is the only caveat - it's not reachable publicly so don't run a proxy t
* [ ] Azure AD
* [ ] Azure RBAC
* [ ] Verify that AWS EKS clusters are discovered and enrolled
* [ ] Verify that GCP GKE clusters are discovered and enrolled
* [ ] Verify dynamic registration.
* [ ] Can register a new Kubernetes cluster using `tctl create`.
* [ ] Can update registered Kubernetes cluster using `tctl create -f`.
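Review bot: the new GKE item ("Verify that GCP GKE clusters are discovered and enrolled") only checks the positive path, the same gap the EKS line above it has. Suggest a sub-item asserting that GKE clusters outside the configured discovery matcher are not enrolled, so the test covers the scope of auto-discovery and not just that enrollment happens at all; the EKS line would benefit from the same negative check.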
@ -310,6 +311,22 @@ Minikube is the only caveat - it's not reachable publicly so don't run a proxy t
* [ ] Restart the agent after token TTL expires to see if it reuses the same identity.
* [ ] Force cluster CA rotation
### Kubernetes Pod RBAC
* [ ] Verify the following scenarios for `kubernetes_resources`:
* [ ] `{"kind":"pod","name":"*","namespace":"*"}` - must allow access to every pod.
* [ ] `{"kind":"pod","name":"<somename>","namespace":"*"}` - must allow access to pod `<somename>` in every namespace.
* [ ] `{"kind":"pod","name":"*","namespace":"<somenamespace>"}` - must allow access to any pod in `<somenamespace>` namespace.
* [ ] Verify support for `*` wildcards - `<some-name>-*` and regex for `name` and `namespace` fields.
* [ ] Verify support for delete pods collection - must use `go-client`.
* [ ] Verify scenarios with multiple roles defining `kubernetes_resources`:
* [ ] Validate that the returned list of pods is the union of every role.
* [ ] Validate that access to other pods is denied by RBAC.
* [ ] Validate that the Kubernetes Groups/Users are correctly selected depending on the role that applies to the pod.
* [ ] Test with a `kubernetes_groups` that denies exec into a pod
* [ ] Verify the following scenarios for Resource Access Requests to Pods:
* [ ] Create a valid resource access request and validate if access to other pods is denied.
* [ ] Validate if creating a resource access request with Kubernetes resources denied by `search_as_roles` is not allowed.
### Teleport with FIPS mode
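Review bot: the `kubernetes_resources` scenarios in the new "Kubernetes Pod RBAC" section exercise only allow-side matching (the three `{"kind":"pod",...}` entries, the wildcard/regex item, and the union across roles) plus the implicit denial of unmatched pods; nothing exercises an explicit deny rule, and the Resource Access Request items stop at approval without checking that access is withdrawn when the request expires. Suggest adding, under "Verify scenarios with multiple roles defining `kubernetes_resources`", a case where a deny rule on a namespace overrides an allow wildcard (if deny rules are supported for this field), and under the access-request items a check that the pod access granted by the request disappears after expiry. Two wording points: "Verify support for `*` wildcards - `<some-name>-*` and regex for `name` and `namespace` fields" bundles two features into one checkbox and should be split so a regex failure is not masked by a passing wildcard test; and "Verify support for delete pods collection - must use `go-client`" gives no reason for the `go-client` requirement, so a short note on why `kubectl` cannot be used for this check would make the step reproducible by a tester unfamiliar with the distinction.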