Merge pull request #108694 from mikedanese/metadata-conceal
remove metadata-concealment related testing
		| @@ -211,20 +211,6 @@ dependencies: | |||||||
|     - path: build/common.sh |     - path: build/common.sh | ||||||
|       match: __default_setcap_version= |       match: __default_setcap_version= | ||||||
|  |  | ||||||
|   # metadata-concealment: bump this one first |  | ||||||
|   - name: "metadata-concealment" |  | ||||||
|     version: "1.6" |  | ||||||
|     refPaths: |  | ||||||
|     - path: test/images/metadata-concealment/VERSION |  | ||||||
|       match: \d.\d |  | ||||||
|  |  | ||||||
|   # then after merge and successful postsubmit image push / promotion, bump this |  | ||||||
|   - name: "metadata-concealment: dependents" |  | ||||||
|     version: "1.6" |  | ||||||
|     refPaths: |  | ||||||
|     - path: test/utils/image/manifest.go |  | ||||||
|       match: configs\[CheckMetadataConcealment\] = Config{list\.PromoterE2eRegistry, "metadata-concealment", "\d+\.\d+"} |  | ||||||
|  |  | ||||||
|   # cadvisor |   # cadvisor | ||||||
|   - name: "gcr.io/cadvisor/cadvisor: dependents" |   - name: "gcr.io/cadvisor/cadvisor: dependents" | ||||||
|     version: "v0.43.0" |     version: "v0.43.0" | ||||||
| @@ -1,65 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2017 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package auth |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	batchv1 "k8s.io/api/batch/v1" |  | ||||||
| 	"k8s.io/api/core/v1" |  | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |  | ||||||
| 	"k8s.io/kubernetes/test/e2e/framework" |  | ||||||
| 	e2ejob "k8s.io/kubernetes/test/e2e/framework/job" |  | ||||||
| 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" |  | ||||||
|  |  | ||||||
| 	"github.com/onsi/ginkgo" |  | ||||||
| 	imageutil "k8s.io/kubernetes/test/utils/image" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| var _ = SIGDescribe("Metadata Concealment", func() { |  | ||||||
| 	f := framework.NewDefaultFramework("metadata-concealment") |  | ||||||
|  |  | ||||||
| 	ginkgo.It("should run a check-metadata-concealment job to completion", func() { |  | ||||||
| 		e2eskipper.SkipUnlessProviderIs("gce") |  | ||||||
| 		ginkgo.By("Creating a job") |  | ||||||
| 		job := &batchv1.Job{ |  | ||||||
| 			ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 				Name: "check-metadata-concealment", |  | ||||||
| 			}, |  | ||||||
| 			Spec: batchv1.JobSpec{ |  | ||||||
| 				Template: v1.PodTemplateSpec{ |  | ||||||
| 					ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 						Name: "check-metadata-concealment", |  | ||||||
| 					}, |  | ||||||
| 					Spec: v1.PodSpec{ |  | ||||||
| 						Containers: []v1.Container{ |  | ||||||
| 							{ |  | ||||||
| 								Name:  "check-metadata-concealment", |  | ||||||
| 								Image: imageutil.GetE2EImage(imageutil.CheckMetadataConcealment), |  | ||||||
| 							}, |  | ||||||
| 						}, |  | ||||||
| 						RestartPolicy: v1.RestartPolicyOnFailure, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			}, |  | ||||||
| 		} |  | ||||||
| 		job, err := e2ejob.CreateJob(f.ClientSet, f.Namespace.Name, job) |  | ||||||
| 		framework.ExpectNoError(err, "failed to create job (%s:%s)", f.Namespace.Name, job.Name) |  | ||||||
|  |  | ||||||
| 		ginkgo.By("Ensuring job reaches completions") |  | ||||||
| 		err = e2ejob.WaitForJobComplete(f.ClientSet, f.Namespace.Name, job.Name, int32(1)) |  | ||||||
| 		framework.ExpectNoError(err, "failed to ensure job completion (%s:%s)", f.Namespace.Name, job.Name) |  | ||||||
| 	}) |  | ||||||
| }) |  | ||||||
| @@ -1,19 +0,0 @@ | |||||||
| # Copyright 2021 The Kubernetes Authors. |  | ||||||
| # |  | ||||||
| # Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| # you may not use this file except in compliance with the License. |  | ||||||
| # You may obtain a copy of the License at |  | ||||||
| # |  | ||||||
| #     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
| # |  | ||||||
| # Unless required by applicable law or agreed to in writing, software |  | ||||||
| # distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| # See the License for the specific language governing permissions and |  | ||||||
| # limitations under the License. |  | ||||||
|  |  | ||||||
| FROM scratch |  | ||||||
|  |  | ||||||
| COPY check_metadata_concealment / |  | ||||||
|  |  | ||||||
| ENTRYPOINT ["/check_metadata_concealment"] |  | ||||||
| @@ -1,27 +0,0 @@ | |||||||
| # Copyright 2016 The Kubernetes Authors. |  | ||||||
| # |  | ||||||
| # Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| # you may not use this file except in compliance with the License. |  | ||||||
| # You may obtain a copy of the License at |  | ||||||
| # |  | ||||||
| #     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
| # |  | ||||||
| # Unless required by applicable law or agreed to in writing, software |  | ||||||
| # distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| # See the License for the specific language governing permissions and |  | ||||||
| # limitations under the License. |  | ||||||
|  |  | ||||||
| SRCS=check_metadata_concealment |  | ||||||
| OS ?= linux |  | ||||||
| ARCH ?= amd64 |  | ||||||
| TARGET ?= $(CURDIR) |  | ||||||
| GOARM ?= 7 |  | ||||||
| GOLANG_VERSION ?= latest |  | ||||||
| SRC_DIR = $(notdir $(shell pwd)) |  | ||||||
| export |  | ||||||
|  |  | ||||||
| bin: |  | ||||||
| 	../image-util.sh bin $(SRCS) |  | ||||||
|  |  | ||||||
| .PHONY: bin |  | ||||||
| @@ -1,2 +0,0 @@ | |||||||
| approvers: |  | ||||||
|   - dims |  | ||||||
| @@ -1,5 +0,0 @@ | |||||||
| # metadata-concealment |  | ||||||
|  |  | ||||||
| Runs various checks against the GCE metadata API. If the checks pass, the job is run to completion. It fails and stops at the first error encountered. |  | ||||||
|  |  | ||||||
| Only valid if using the GCE provider. |  | ||||||
| @@ -1 +0,0 @@ | |||||||
| 1.6 |  | ||||||
| @@ -1,154 +0,0 @@ | |||||||
| /* |  | ||||||
| Copyright 2017 The Kubernetes Authors. |  | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); |  | ||||||
| you may not use this file except in compliance with the License. |  | ||||||
| You may obtain a copy of the License at |  | ||||||
|  |  | ||||||
|     http://www.apache.org/licenses/LICENSE-2.0 |  | ||||||
|  |  | ||||||
| Unless required by applicable law or agreed to in writing, software |  | ||||||
| distributed under the License is distributed on an "AS IS" BASIS, |  | ||||||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |  | ||||||
| See the License for the specific language governing permissions and |  | ||||||
| limitations under the License. |  | ||||||
| */ |  | ||||||
|  |  | ||||||
| package main |  | ||||||
|  |  | ||||||
| import ( |  | ||||||
| 	"fmt" |  | ||||||
| 	"io/ioutil" |  | ||||||
| 	"log" |  | ||||||
| 	"net/http" |  | ||||||
| 	"os" |  | ||||||
| 	"regexp" |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| var ( |  | ||||||
| 	successEndpoints = []string{ |  | ||||||
| 		// Discovery |  | ||||||
| 		"http://169.254.169.254", |  | ||||||
| 		"http://metadata.google.internal", |  | ||||||
| 		"http://169.254.169.254/", |  | ||||||
| 		"http://metadata.google.internal/", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1", |  | ||||||
| 		// Allowed API versions. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/", |  | ||||||
| 		// Service account token endpoints. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token", |  | ||||||
| 		// Permitted recursive query to SA endpoint. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true", |  | ||||||
| 		// Known query params. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/tags?alt=text", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=false", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&timeout_sec=0", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&last_etag=d34db33f", |  | ||||||
| 	} |  | ||||||
| 	noKubeEnvEndpoints = []string{ |  | ||||||
| 		// Check that these don't get a recursive result. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/?recursive%3Dtrue",   // urlencoded |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/?re%08ecursive=true", // backspaced |  | ||||||
| 	} |  | ||||||
| 	failureEndpoints = []string{ |  | ||||||
| 		// Other API versions. |  | ||||||
| 		"http://metadata.google.internal/0.2/", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v2/", |  | ||||||
| 		// kube-env. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env", |  | ||||||
| 		// VM identity. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity", |  | ||||||
| 		// Forbidden recursive queries. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/?%72%65%63%75%72%73%69%76%65=true", // url-encoded |  | ||||||
| 		// Unknown query param key. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/?something=else", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/?unknown", |  | ||||||
| 		// Other. |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/attributes//kube-env", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/attributes/../attributes/kube-env", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts//default/identity", |  | ||||||
| 		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/../service-accounts/default/identity", |  | ||||||
| 	} |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func main() { |  | ||||||
| 	success := 0 |  | ||||||
| 	h := map[string][]string{ |  | ||||||
| 		"Metadata-Flavor": {"Google"}, |  | ||||||
| 	} |  | ||||||
| 	for _, e := range successEndpoints { |  | ||||||
| 		if err := checkURL(e, h, 200, "", ""); err != nil { |  | ||||||
| 			log.Printf("Wrong response for %v: %v", e, err) |  | ||||||
| 			success = 1 |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	for _, e := range noKubeEnvEndpoints { |  | ||||||
| 		if err := checkURL(e, h, 403, "", "kube-env"); err != nil { |  | ||||||
| 			log.Printf("Wrong response for %v: %v", e, err) |  | ||||||
| 			success = 1 |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	for _, e := range failureEndpoints { |  | ||||||
| 		if err := checkURL(e, h, 403, "", ""); err != nil { |  | ||||||
| 			log.Printf("Wrong response for %v: %v", e, err) |  | ||||||
| 			success = 1 |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	xForwardedForHeader := map[string][]string{ |  | ||||||
| 		"X-Forwarded-For": {"Somebody-somewhere"}, |  | ||||||
| 	} |  | ||||||
| 	// Check that success endpoints fail if X-Forwarded-For is present. |  | ||||||
| 	for _, e := range successEndpoints { |  | ||||||
| 		if err := checkURL(e, xForwardedForHeader, 403, "", ""); err != nil { |  | ||||||
| 			log.Printf("Wrong response for %v with X-Forwarded-For: %v", e, err) |  | ||||||
| 			success = 1 |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	os.Exit(success) |  | ||||||
| } |  | ||||||
|  |  | ||||||
| // Checks that a URL with the given headers returns the right code. |  | ||||||
| // If expectedToContain is non-empty, checks that the body contains expectedToContain. |  | ||||||
| // Similarly, if expectedToNotContain is non-empty, checks that the body doesn't contain expectedToNotContain. |  | ||||||
| func checkURL(url string, header http.Header, expectedStatus int, expectedToContain, expectedToNotContain string) error { |  | ||||||
| 	client := &http.Client{} |  | ||||||
| 	req, err := http.NewRequest("GET", url, nil) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	req.Header = header |  | ||||||
| 	resp, err := client.Do(req) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	defer resp.Body.Close() |  | ||||||
| 	if resp.StatusCode != expectedStatus { |  | ||||||
| 		return fmt.Errorf("unexpected response: got %d, want %d", resp.StatusCode, expectedStatus) |  | ||||||
| 	} |  | ||||||
| 	body, err := ioutil.ReadAll(resp.Body) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	if expectedToContain != "" { |  | ||||||
| 		matched, err := regexp.Match(expectedToContain, body) |  | ||||||
| 		if err != nil { |  | ||||||
| 			return err |  | ||||||
| 		} |  | ||||||
| 		if !matched { |  | ||||||
| 			return fmt.Errorf("body didn't contain %q: got %v", expectedToContain, string(body)) |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	if expectedToNotContain != "" { |  | ||||||
| 		matched, err := regexp.Match(expectedToNotContain, body) |  | ||||||
| 		if err != nil { |  | ||||||
| 			return err |  | ||||||
| 		} |  | ||||||
| 		if matched { |  | ||||||
| 			return fmt.Errorf("body incorrectly contained %q: got %v", expectedToNotContain, string(body)) |  | ||||||
| 		} |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
| @@ -158,8 +158,6 @@ const ( | |||||||
| 	AuthenticatedWindowsNanoServer | 	AuthenticatedWindowsNanoServer | ||||||
| 	// BusyBox image | 	// BusyBox image | ||||||
| 	BusyBox | 	BusyBox | ||||||
| 	// CheckMetadataConcealment image |  | ||||||
| 	CheckMetadataConcealment |  | ||||||
| 	// CudaVectorAdd image | 	// CudaVectorAdd image | ||||||
| 	CudaVectorAdd | 	CudaVectorAdd | ||||||
| 	// CudaVectorAdd2 image | 	// CudaVectorAdd2 image | ||||||
| @@ -240,7 +238,6 @@ func initImageConfigs(list RegistryList) (map[int]Config, map[int]Config) { | |||||||
| 	configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.17.5"} | 	configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.17.5"} | ||||||
| 	configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"} | 	configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"} | ||||||
| 	configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.29-2"} | 	configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.29-2"} | ||||||
| 	configs[CheckMetadataConcealment] = Config{list.PromoterE2eRegistry, "metadata-concealment", "1.6"} |  | ||||||
| 	configs[CudaVectorAdd] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "1.0"} | 	configs[CudaVectorAdd] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "1.0"} | ||||||
| 	configs[CudaVectorAdd2] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "2.2"} | 	configs[CudaVectorAdd2] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "2.2"} | ||||||
| 	configs[DebianIptables] = Config{list.BuildImageRegistry, "debian-iptables", "bullseye-v1.1.0"} | 	configs[DebianIptables] = Config{list.BuildImageRegistry, "debian-iptables", "bullseye-v1.1.0"} | ||||||
	 Kubernetes Prow Robot
					Kubernetes Prow Robot