API Machinery, Kubectl and tests

2019-01-16 21:14:42 -08:00
parent 5869ce6dfe
commit 0e1d50e70f
89 changed files with 2908 additions and 278 deletions
--- a/test/integration/auth/BUILD
+++ b/test/integration/auth/BUILD
@@ -72,6 +72,7 @@ go_test(
        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/features:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/registry/generic:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature/testing:go_default_library",
--- a/test/integration/auth/rbac_test.go
+++ b/test/integration/auth/rbac_test.go
@@ -27,8 +27,6 @@ import (
 	"testing"
 	"time"

-	"k8s.io/klog"
-
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -37,12 +35,16 @@ import (
 	"k8s.io/apiserver/pkg/authentication/token/tokenfile"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	genericfeatures "k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/registry/generic"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	utilfeaturetesting "k8s.io/apiserver/pkg/util/feature/testing"
 	externalclientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	watchtools "k8s.io/client-go/tools/watch"
 	"k8s.io/client-go/transport"
 	csiclientset "k8s.io/csi-api/pkg/client/clientset/versioned"
+	"k8s.io/klog"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/api/testapi"
 	api "k8s.io/kubernetes/pkg/apis/core"
@@ -292,6 +294,8 @@ var (
 )

 func TestRBAC(t *testing.T) {
+	defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.ServerSideApply, true)()
+
 	superUser := "admin/system:masters"

 	tests := []struct {
@@ -478,6 +482,40 @@ func TestRBAC(t *testing.T) {
 				{"limitrange-updater", "PUT", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusOK},
 			},
 		},
+		// {
+		// 	bootstrapRoles: bootstrapRoles{
+		// 		clusterRoles: []rbacapi.ClusterRole{
+		// 			{
+		// 				ObjectMeta: metav1.ObjectMeta{Name: "allow-all"},
+		// 				Rules:      []rbacapi.PolicyRule{ruleAllowAll},
+		// 			},
+		// 			{
+		// 				ObjectMeta: metav1.ObjectMeta{Name: "patch-limitranges"},
+		// 				Rules: []rbacapi.PolicyRule{
+		// 					rbacapi.NewRule("patch").Groups("").Resources("limitranges").RuleOrDie(),
+		// 				},
+		// 			},
+		// 		},
+		// 		clusterRoleBindings: []rbacapi.ClusterRoleBinding{
+		// 			{
+		// 				ObjectMeta: metav1.ObjectMeta{Name: "patch-limitranges"},
+		// 				Subjects: []rbacapi.Subject{
+		// 					{Kind: "User", Name: "limitrange-patcher"},
+		// 				},
+		// 				RoleRef: rbacapi.RoleRef{Kind: "ClusterRole", Name: "patch-limitranges"},
+		// 			},
+		// 		},
+		// 	},
+		// 	requests: []request{
+		// 		// Create the namespace used later in the test
+		// 		{superUser, "POST", "", "namespaces", "", "", limitRangeNamespace, http.StatusCreated},
+
+		// 		{"limitrange-patcher", "PATCH", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusForbidden},
+		// 		{superUser, "PATCH", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusCreated},
+		// 		{superUser, "PATCH", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusOK},
+		// 		{"limitrange-patcher", "PATCH", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusOK},
+		// 	},
+		// },
 	}

 	for i, tc := range tests {
@@ -494,6 +532,7 @@ func TestRBAC(t *testing.T) {
 			"nonescalating-rolebinding-writer": {Name: "nonescalating-rolebinding-writer"},
 			"pod-reader":                       {Name: "pod-reader"},
 			"limitrange-updater":               {Name: "limitrange-updater"},
+			"limitrange-patcher":               {Name: "limitrange-patcher"},
 			"user-with-no-permissions":         {Name: "user-with-no-permissions"},
 		}))
 		_, s, closeFn := framework.RunAMaster(masterConfig)
@@ -530,6 +569,12 @@ func TestRBAC(t *testing.T) {
 			}

 			req, err := http.NewRequest(r.verb, s.URL+path, body)
+			// TODO: Un-comment this when Apply works again
+			// if r.verb == "PATCH" {
+			// 	// For patch operations, use the apply content type
+			// 	req.Header.Add("Content-Type", string(types.ApplyPatchType))
+			// }
+
 			if err != nil {
 				t.Fatalf("failed to create request: %v", err)
 			}