Merge pull request #117713 from flant/ssr-ga

KEP-3325: Promote SelfSubjectReview to GA

test/cmd/auth_whoami.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+run_kubectl_auth_whoami_tests() {
+    set -o nounset
+    set -o errexit
+
+    kube::log::status "Testing kubectl auth whoami"
+
+    # Command
+    output_message=$(kubectl auth whoami -o json 2>&1)
+
+    # Post-condition: should return user attributes.
+    kube::test::if_has_string "${output_message}" '"kind": "SelfSubjectReview"'
+
+    set +o nounset
+    set +o errexit
+}

test/cmd/legacy-script.sh

@@ -29,6 +29,7 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
 # source "${KUBE_ROOT}/hack/lib/test.sh"
 source "${KUBE_ROOT}/test/cmd/apply.sh"
 source "${KUBE_ROOT}/test/cmd/apps.sh"
+source "${KUBE_ROOT}/test/cmd/auth_whoami.sh"
 source "${KUBE_ROOT}/test/cmd/authentication.sh"
 source "${KUBE_ROOT}/test/cmd/authorization.sh"
 source "${KUBE_ROOT}/test/cmd/batch.sh"
@@ -98,6 +99,7 @@ replicasets="replicasets"
 replicationcontrollers="replicationcontrollers"
 roles="roles"
 secrets="secrets"
+selfsubjectreviews="selfsubjectreviews"
 serviceaccounts="serviceaccounts"
 services="services"
 statefulsets="statefulsets"
@@ -816,6 +818,10 @@ runTests() {
   record_command run_exec_credentials_tests
   record_command run_exec_credentials_interactive_tests
 
+  if kube::test::if_supports_resource "${selfsubjectreviews}" ; then
+    record_command run_kubectl_auth_whoami_tests
+  fi
+
   ########################
   # authorization.k8s.io #
   ########################
@@ -895,6 +901,8 @@ runTests() {
     kubectl delete "${kube_flags[@]}" rolebindings,role,clusterroles,clusterrolebindings -n some-other-random -l test-cmd=auth
   fi
 
+
+
   #####################
   # Retrieve multiple #
   #####################

test/conformance/testdata/ineligible_endpoints.yaml

@@ -246,13 +246,13 @@
   link: https://github.com/kubernetes/kubernetes/issues/109379
 - endpoint: deleteCoreV1CollectionNode
   reason: Kubernetes distribution would reasonably not allow this action via the API
-  link: https://github.com/kubernetes/kubernetes/issues/109379 
+  link: https://github.com/kubernetes/kubernetes/issues/109379
 - endpoint: createCoreV1NamespacedBinding
   reason: Endpoint was deprecated in 1.7
-  link: https://github.com/kubernetes/kubernetes/pull/47041  
+  link: https://github.com/kubernetes/kubernetes/pull/47041
 - endpoint: createAuthorizationV1SelfSubjectRulesReview
   reason: Endpoint likely to be deprecated
-  link: https://github.com/kubernetes/kubernetes/issues/112657#issuecomment-1265441626  
+  link: https://github.com/kubernetes/kubernetes/issues/112657#issuecomment-1265441626
 - endpoint: connectCoreV1GetNamespacedPodPortforward
   reason: Explicitly designed to be a debug feature
   link: https://github.com/kubernetes/kubernetes/issues/112778#issuecomment-1427995711
@@ -262,3 +262,6 @@
 - endpoint: connectCoreV1PostNamespacedPodAttach
   reason: Explicitly designed to be a debug feature
   link: https://github.com/kubernetes/kubernetes/issues/112778#issuecomment-1427995711
+- endpoint: createAuthenticationV1SelfSubjectReview
+  reason: Cluster providers are allowed to choose to not serve this API, and the whoami command handles unavailability gracefully.
+  link: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/3325-self-subject-attributes-review-api/README.md#ga

test/e2e/auth/selfsubjectreviews.go

@@ -22,8 +22,10 @@ import (
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -31,19 +33,21 @@ import (
 	admissionapi "k8s.io/pod-security-admission/api"
 )
 
-var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
+var _ = SIGDescribe("SelfSubjectReview", func() {
 	f := framework.NewDefaultFramework("selfsubjectreviews")
 	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 
 	/*
-			Release: v1.27
+			Release: v1.28
 			Testname: SelfSubjectReview API
 			Description:
 			The authentication.k8s.io API group MUST exist in the /apis discovery document.
 			The authentication.k8s.io/v1alpha1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
 		    The authentication.k8s.io/v1beta1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
+			The authentication.k8s.io/v1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
 			The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1alpha1 discovery document.
 			The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1beta1 discovery document.
+			The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1 discovery document.
 			The selfsubjectreviews resource MUST support create.
 	*/
 	ginkgo.DescribeTable(
@@ -105,6 +109,7 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
 		},
 		ginkgo.Entry("authentication/v1alpha1", "v1alpha1", authenticationv1alpha1.SchemeGroupVersion.String()),
 		ginkgo.Entry("authentication/v1beta1", "v1beta1", authenticationv1beta1.SchemeGroupVersion.String()),
+		ginkgo.Entry("authentication/v1", "v1", authenticationv1.SchemeGroupVersion.String()),
 	)
 
 	ginkgo.It("should support SelfSubjectReview API operations", func(ctx context.Context) {
@@ -116,8 +121,11 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
 
 			ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1alpha1().SelfSubjectReviews()
 			res, err := ssrClient.Create(ctx, &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
-			framework.ExpectNoError(err)
+			if apierrors.IsNotFound(err) {
+				return // Alpha API is disabled
+			}
 
+			framework.ExpectNoError(err)
 			gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
 			gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
 			gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))
@@ -136,6 +144,29 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
 
 			ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1beta1().SelfSubjectReviews()
 			res, err := ssrClient.Create(ctx, &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
+			if apierrors.IsNotFound(err) {
+				return // Beta API is disabled
+			}
+
+			framework.ExpectNoError(err)
+			gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
+			gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
+			gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))
+
+			extra := make(map[string][]string, len(res.Status.UserInfo.Extra))
+			for k, v := range res.Status.UserInfo.Extra {
+				extra[k] = v
+			}
+
+			gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra))
+		}
+
+		ginkgo.By("creating SSR authentication/v1")
+		{
+			config := restConfig(f)
+
+			ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1().SelfSubjectReviews()
+			res, err := ssrClient.Create(ctx, &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
 			framework.ExpectNoError(err)
 
 			gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))

test/integration/apiserver/admissionwebhook/admission_test.go

@@ -158,6 +158,7 @@ var (
 		gvr("authentication.k8s.io", "v1beta1", "tokenreviews"):             `{"metadata": {"name": "tokenreview"}, "spec": {"token": "token", "audience": ["audience1","audience2"]}}`,
 		gvr("authentication.k8s.io", "v1alpha1", "selfsubjectreviews"):      `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
 		gvr("authentication.k8s.io", "v1beta1", "selfsubjectreviews"):       `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
+		gvr("authentication.k8s.io", "v1", "selfsubjectreviews"):            `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
 		gvr("authorization.k8s.io", "v1", "localsubjectaccessreviews"):      `{"metadata": {"name": "", "namespace":"` + testNamespace + `"}, "spec": {"uid": "token", "user": "user1","groups": ["group1","group2"],"resourceAttributes": {"name":"name1","namespace":"` + testNamespace + `"}}}`,
 		gvr("authorization.k8s.io", "v1", "subjectaccessreviews"):           `{"metadata": {"name": "", "namespace":""}, "spec": {"user":"user1","resourceAttributes": {"name":"name1", "namespace":"` + testNamespace + `"}}}`,
 		gvr("authorization.k8s.io", "v1", "selfsubjectaccessreviews"):       `{"metadata": {"name": "", "namespace":""}, "spec": {"resourceAttributes": {"name":"name1", "namespace":""}}}`,

test/integration/auth/selfsubjectreview_test.go

@@ -99,6 +99,7 @@ func TestGetsSelfAttributes(t *testing.T) {
 		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
+			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true")
 			opts.Authorization.Modes = []string{"AlwaysAllow"}
 		},
 		ModifyServerConfig: func(config *controlplane.Config) {
@@ -172,6 +173,33 @@ func TestGetsSelfAttributes(t *testing.T) {
 			if !reflect.DeepEqual(res2.Status.UserInfo.Extra, tc.expectedExtra) {
 				t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
 			}
+
+			res3, err := kubeClient.AuthenticationV1().
+				SelfSubjectReviews().
+				Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			if res3 == nil {
+				t.Fatalf("empty response")
+			}
+
+			if res3.Status.UserInfo.Username != tc.expectedName {
+				t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username)
+			}
+
+			if res3.Status.UserInfo.UID != tc.expectedUID {
+				t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID)
+			}
+
+			if !reflect.DeepEqual(res3.Status.UserInfo.Groups, tc.expectedGroups) {
+				t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups)
+			}
+
+			if !reflect.DeepEqual(res3.Status.UserInfo.Extra, tc.expectedExtra) {
+				t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
+			}
 		})
 	}
 
@@ -187,6 +215,7 @@ func TestGetsSelfAttributesError(t *testing.T) {
 		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
+			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true")
 			opts.Authorization.Modes = []string{"AlwaysAllow"}
 		},
 		ModifyServerConfig: func(config *controlplane.Config) {
@@ -240,4 +269,20 @@ func TestGetsSelfAttributesError(t *testing.T) {
 			t.Fatalf("expected error: %v, got %v", expected, err)
 		}
 	}
+
+	{ // v1
+		toggle.Store(!toggle.Load().(bool))
+
+		_, err := kubeClient.AuthenticationV1().
+			SelfSubjectReviews().
+			Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
+		if err == nil {
+			t.Fatalf("expected error: %v, got nil", err)
+		}
+
+		toggle.Store(!toggle.Load().(bool))
+		if expected.Error() != err.Error() {
+			t.Fatalf("expected error: %v, got %v", expected, err)
+		}
+	}
 }