
Multi Tenancy E2E Tests Plan and Progress

chenqianfzh edited this page Aug 18, 2020 · 33 revisions

Goal as of 8/30/2020

Cover the multi-tenancy features checked in as of 7/30/2020 with e2e tests.

System Tenant Basic Functioning Tests

  • kube-dns and virtlet are running

  • kubectl commands

    Done: create, get, describe, run, delete, cp, exec, apply, scale, patch, create job, label, autoscale, diff, cluster-info, expose

Multi-Tenancy Resource Models

  • the metadata.tenant field exists in the object definition
  • the values of metadata.tenant and metadata.namespace are set properly for objects of different scopes (namespace-scope, tenant-scope and cluster-scope)
  • multi-tenancy self-link

Tenant Initialization & Deleter Tests

  • system tenant is created automatically. System tenant cannot be deleted.
  • resources (namespaces, service accounts, clusterroles, clusterrolebindings) are created automatically at tenant initialization
  • multi-tenancy namespace deleter
  • tenant deleter deletes all the resources under the tenant
  • the tenant context no longer works once the tenant is deleted

Multi-tenancy Kubectl Commands

This test suite verifies that kubectl can operate on the multi-tenancy objects.

All the tests should be run by:

  • a regular tenant with the tenant-admin-context specified
  • a system tenant user with "--tenant" option

Tests for verbs:

  • create
  • get
  • config (together with verification of setup_client.sh)
  • describe
  • run
  • delete
  • cp
  • exec
  • apply
  • scale
  • patch
  • create job
  • label
  • autoscale
  • diff
  • cluster-info
  • expose
  • annotate
  • port-forward
  • set
  • edit
  • rollout
  • history
  • taint
  • logs
  • attach
  • replace
  • wait
  • api-resources
  • api-versions

Multi-Tenancy Controllers

  • deployment controller
  • replicaset controller
  • serviceaccount controller
  • token controller
  • endpoints controller
  • job controller
  • cronjob controller
  • daemonset controller
  • per-tenant resource quota controller
  • service controller
  • statefulset controller
  • persistentvolume controller
  • NodeLifeCycle controller

Access Control

  • regular tenants cannot access system-tenant-only resources, like nodes, tenants, etc.
  • regular tenants cannot access resources under a different tenant (including system)

Multi-Tenancy CRD

per-tenant CRD

  • CRD resource discovery
  • CRD isolation
  • CRD deleter deletes all the custom resources

system forced CRD

  • CRD visible to all the tenants
  • Regular tenants cannot overwrite/update/delete such CRDs
  • the system tenant can list the custom resources of all the tenants, while a regular tenant can only list its own
  • regular-tenant deleter

Miscellaneous (including protection against regressions of fixed bugs, if not covered in the above suites)