Merge pull request #76337 from johnSchnake/frameworkAuthUtilRefactor
[e2e] Refactor of e2e/framework/authorizer_util.go
This commit is contained in:
Kubernetes Prow Robot
@@ -64,6 +64,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/component-base/logs:go_default_library",
|
"//staging/src/k8s.io/component-base/logs:go_default_library",
|
||||||
"//test/e2e/common:go_default_library",
|
"//test/e2e/common:go_default_library",
|
||||||
"//test/e2e/framework:go_default_library",
|
"//test/e2e/framework:go_default_library",
|
||||||
|
"//test/e2e/framework/auth:go_default_library",
|
||||||
"//test/e2e/framework/ginkgowrapper:go_default_library",
|
"//test/e2e/framework/ginkgowrapper:go_default_library",
|
||||||
"//test/e2e/framework/metrics:go_default_library",
|
"//test/e2e/framework/metrics:go_default_library",
|
||||||
"//test/e2e/framework/providers/aws:go_default_library",
|
"//test/e2e/framework/providers/aws:go_default_library",
|
||||||
|
|||||||
@@ -53,6 +53,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
|
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
|
||||||
"//test/e2e/common:go_default_library",
|
"//test/e2e/common:go_default_library",
|
||||||
"//test/e2e/framework:go_default_library",
|
"//test/e2e/framework:go_default_library",
|
||||||
|
"//test/e2e/framework/auth:go_default_library",
|
||||||
"//test/e2e/framework/job:go_default_library",
|
"//test/e2e/framework/job:go_default_library",
|
||||||
"//test/utils:go_default_library",
|
"//test/utils:go_default_library",
|
||||||
"//test/utils/image:go_default_library",
|
"//test/utils/image:go_default_library",
|
||||||
|
|||||||
@@ -31,14 +31,15 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
auditinternal "k8s.io/apiserver/pkg/apis/audit"
|
||||||
"k8s.io/apiserver/pkg/apis/audit/v1"
|
auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
restclient "k8s.io/client-go/rest"
|
restclient "k8s.io/client-go/rest"
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
"k8s.io/kubernetes/test/utils"
|
"k8s.io/kubernetes/test/utils"
|
||||||
imageutils "k8s.io/kubernetes/test/utils/image"
|
imageutils "k8s.io/kubernetes/test/utils/image"
|
||||||
|
|
||||||
"github.com/evanphx/json-patch"
|
jsonpatch "github.com/evanphx/json-patch"
|
||||||
. "github.com/onsi/ginkgo"
|
. "github.com/onsi/ginkgo"
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -652,7 +653,7 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
|
|||||||
|
|
||||||
// test authorizer annotations, RBAC is required.
|
// test authorizer annotations, RBAC is required.
|
||||||
It("should audit API calls to get a pod with unauthorized user.", func() {
|
It("should audit API calls to get a pod with unauthorized user.", func() {
|
||||||
if !framework.IsRBACEnabled(f) {
|
if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
|
||||||
framework.Skipf("RBAC not enabled.")
|
framework.Skipf("RBAC not enabled.")
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -735,7 +736,7 @@ func expectEvents(f *framework.Framework, expectedEvents []utils.AuditEvent) {
|
|||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
defer stream.Close()
|
defer stream.Close()
|
||||||
missingReport, err := utils.CheckAuditLines(stream, expectedEvents, v1.SchemeGroupVersion)
|
missingReport, err := utils.CheckAuditLines(stream, expectedEvents, auditv1.SchemeGroupVersion)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
framework.Logf("Failed to observe audit events: %v", err)
|
framework.Logf("Failed to observe audit events: %v", err)
|
||||||
} else if len(missingReport.MissingEvents) > 0 {
|
} else if len(missingReport.MissingEvents) > 0 {
|
||||||
|
|||||||
@@ -35,6 +35,7 @@ import (
|
|||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
restclient "k8s.io/client-go/rest"
|
restclient "k8s.io/client-go/rest"
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
"k8s.io/kubernetes/test/utils"
|
"k8s.io/kubernetes/test/utils"
|
||||||
imageutils "k8s.io/kubernetes/test/utils/image"
|
imageutils "k8s.io/kubernetes/test/utils/image"
|
||||||
)
|
)
|
||||||
@@ -346,7 +347,7 @@ var _ = SIGDescribe("[Feature:DynamicAudit]", func() {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
if framework.IsRBACEnabled(f) {
|
if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
|
||||||
testCases = append(testCases, annotationTestCases...)
|
testCases = append(testCases, annotationTestCases...)
|
||||||
}
|
}
|
||||||
expectedEvents := []utils.AuditEvent{}
|
expectedEvents := []utils.AuditEvent{}
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ package auth
|
|||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
policy "k8s.io/api/policy/v1beta1"
|
policy "k8s.io/api/policy/v1beta1"
|
||||||
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
||||||
apierrs "k8s.io/apimachinery/pkg/api/errors"
|
apierrs "k8s.io/apimachinery/pkg/api/errors"
|
||||||
@@ -33,6 +33,7 @@ import (
|
|||||||
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
|
||||||
"k8s.io/kubernetes/test/e2e/common"
|
"k8s.io/kubernetes/test/e2e/common"
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
imageutils "k8s.io/kubernetes/test/utils/image"
|
imageutils "k8s.io/kubernetes/test/utils/image"
|
||||||
utilpointer "k8s.io/utils/pointer"
|
utilpointer "k8s.io/utils/pointer"
|
||||||
|
|
||||||
@@ -54,7 +55,7 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
|
|||||||
if !framework.IsPodSecurityPolicyEnabled(f) {
|
if !framework.IsPodSecurityPolicyEnabled(f) {
|
||||||
framework.Skipf("PodSecurityPolicy not enabled")
|
framework.Skipf("PodSecurityPolicy not enabled")
|
||||||
}
|
}
|
||||||
if !framework.IsRBACEnabled(f) {
|
if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
|
||||||
framework.Skipf("RBAC not enabled")
|
framework.Skipf("RBAC not enabled")
|
||||||
}
|
}
|
||||||
ns = f.Namespace.Name
|
ns = f.Namespace.Name
|
||||||
@@ -70,8 +71,9 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
|
|||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
By("Binding the edit role to the default SA")
|
By("Binding the edit role to the default SA")
|
||||||
framework.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns,
|
err = auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns,
|
||||||
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"})
|
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"})
|
||||||
|
framework.ExpectNoError(err)
|
||||||
})
|
})
|
||||||
|
|
||||||
It("should forbid pod creation when no PSP is available", func() {
|
It("should forbid pod creation when no PSP is available", func() {
|
||||||
@@ -202,7 +204,6 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
|
|||||||
sysadmin.Spec.Containers[0].SecurityContext.RunAsUser = &uid
|
sysadmin.Spec.Containers[0].SecurityContext.RunAsUser = &uid
|
||||||
tester(sysadmin)
|
tester(sysadmin)
|
||||||
})
|
})
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// createAndBindPSP creates a PSP in the policy API group.
|
// createAndBindPSP creates a PSP in the policy API group.
|
||||||
@@ -231,12 +232,14 @@ func createAndBindPSP(f *framework.Framework, pspTemplate *policy.PodSecurityPol
|
|||||||
framework.ExpectNoError(err, "Failed to create PSP role")
|
framework.ExpectNoError(err, "Failed to create PSP role")
|
||||||
|
|
||||||
// Bind the role to the namespace.
|
// Bind the role to the namespace.
|
||||||
framework.BindRoleInNamespace(f.ClientSet.RbacV1beta1(), name, ns, rbacv1beta1.Subject{
|
err = auth.BindRoleInNamespace(f.ClientSet.RbacV1beta1(), name, ns, rbacv1beta1.Subject{
|
||||||
Kind: rbacv1beta1.ServiceAccountKind,
|
Kind: rbacv1beta1.ServiceAccountKind,
|
||||||
Namespace: ns,
|
Namespace: ns,
|
||||||
Name: "default",
|
Name: "default",
|
||||||
})
|
})
|
||||||
framework.ExpectNoError(framework.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
|
framework.ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
|
||||||
serviceaccount.MakeUsername(ns, "default"), ns, "use", name,
|
serviceaccount.MakeUsername(ns, "default"), ns, "use", name,
|
||||||
schema.GroupResource{Group: "policy", Resource: "podsecuritypolicies"}, true))
|
schema.GroupResource{Group: "policy", Resource: "podsecuritypolicies"}, true))
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ import (
|
|||||||
podutil "k8s.io/kubernetes/pkg/api/v1/pod"
|
podutil "k8s.io/kubernetes/pkg/api/v1/pod"
|
||||||
commonutils "k8s.io/kubernetes/test/e2e/common"
|
commonutils "k8s.io/kubernetes/test/e2e/common"
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
"k8s.io/kubernetes/test/e2e/framework/testfiles"
|
"k8s.io/kubernetes/test/e2e/framework/testfiles"
|
||||||
|
|
||||||
. "github.com/onsi/ginkgo"
|
. "github.com/onsi/ginkgo"
|
||||||
@@ -51,10 +52,11 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() {
|
|||||||
|
|
||||||
// this test wants powerful permissions. Since the namespace names are unique, we can leave this
|
// this test wants powerful permissions. Since the namespace names are unique, we can leave this
|
||||||
// lying around so we don't have to race any caches
|
// lying around so we don't have to race any caches
|
||||||
framework.BindClusterRoleInNamespace(c.RbacV1beta1(), "edit", f.Namespace.Name,
|
err := auth.BindClusterRoleInNamespace(c.RbacV1beta1(), "edit", f.Namespace.Name,
|
||||||
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
|
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
|
||||||
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
err := framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
|
err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
|
||||||
serviceaccount.MakeUsername(f.Namespace.Name, "default"),
|
serviceaccount.MakeUsername(f.Namespace.Name, "default"),
|
||||||
f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true)
|
f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true)
|
||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
|
|||||||
@@ -5,7 +5,6 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")
|
|||||||
go_library(
|
go_library(
|
||||||
name = "go_default_library",
|
name = "go_default_library",
|
||||||
srcs = [
|
srcs = [
|
||||||
"authorizer_util.go",
|
|
||||||
"cleanup.go",
|
"cleanup.go",
|
||||||
"create.go",
|
"create.go",
|
||||||
"deployment_util.go",
|
"deployment_util.go",
|
||||||
@@ -68,7 +67,6 @@ go_library(
|
|||||||
"//pkg/volume/util:go_default_library",
|
"//pkg/volume/util:go_default_library",
|
||||||
"//staging/src/k8s.io/api/apps/v1:go_default_library",
|
"//staging/src/k8s.io/api/apps/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/api/apps/v1beta2:go_default_library",
|
"//staging/src/k8s.io/api/apps/v1beta2:go_default_library",
|
||||||
"//staging/src/k8s.io/api/authorization/v1beta1:go_default_library",
|
|
||||||
"//staging/src/k8s.io/api/batch/v1:go_default_library",
|
"//staging/src/k8s.io/api/batch/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/api/extensions/v1beta1:go_default_library",
|
"//staging/src/k8s.io/api/extensions/v1beta1:go_default_library",
|
||||||
@@ -103,9 +101,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/client-go/dynamic:go_default_library",
|
"//staging/src/k8s.io/client-go/dynamic:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/kubernetes/scheme:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes/scheme:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library",
|
|
||||||
"//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1beta1:go_default_library",
|
|
||||||
"//staging/src/k8s.io/client-go/rest:go_default_library",
|
"//staging/src/k8s.io/client-go/rest:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/restmapper:go_default_library",
|
"//staging/src/k8s.io/client-go/restmapper:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/scale:go_default_library",
|
"//staging/src/k8s.io/client-go/scale:go_default_library",
|
||||||
@@ -116,6 +112,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/client-go/tools/watch:go_default_library",
|
"//staging/src/k8s.io/client-go/tools/watch:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/util/retry:go_default_library",
|
"//staging/src/k8s.io/client-go/util/retry:go_default_library",
|
||||||
"//staging/src/k8s.io/component-base/cli/flag:go_default_library",
|
"//staging/src/k8s.io/component-base/cli/flag:go_default_library",
|
||||||
|
"//test/e2e/framework/auth:go_default_library",
|
||||||
"//test/e2e/framework/ginkgowrapper:go_default_library",
|
"//test/e2e/framework/ginkgowrapper:go_default_library",
|
||||||
"//test/e2e/framework/metrics:go_default_library",
|
"//test/e2e/framework/metrics:go_default_library",
|
||||||
"//test/e2e/framework/testfiles:go_default_library",
|
"//test/e2e/framework/testfiles:go_default_library",
|
||||||
@@ -148,6 +145,7 @@ filegroup(
|
|||||||
name = "all-srcs",
|
name = "all-srcs",
|
||||||
srcs = [
|
srcs = [
|
||||||
":package-srcs",
|
":package-srcs",
|
||||||
|
"//test/e2e/framework/auth:all-srcs",
|
||||||
"//test/e2e/framework/config:all-srcs",
|
"//test/e2e/framework/config:all-srcs",
|
||||||
"//test/e2e/framework/ginkgowrapper:all-srcs",
|
"//test/e2e/framework/ginkgowrapper:all-srcs",
|
||||||
"//test/e2e/framework/gpu:all-srcs",
|
"//test/e2e/framework/gpu:all-srcs",
|
||||||
|
|||||||
34
test/e2e/framework/auth/BUILD
Normal file
34
test/e2e/framework/auth/BUILD
Normal file
@@ -0,0 +1,34 @@
|
|||||||
|
load("@io_bazel_rules_go//go:def.bzl", "go_library")
|
||||||
|
|
||||||
|
go_library(
|
||||||
|
name = "go_default_library",
|
||||||
|
srcs = ["helpers.go"],
|
||||||
|
importpath = "k8s.io/kubernetes/test/e2e/framework/auth",
|
||||||
|
visibility = ["//visibility:public"],
|
||||||
|
deps = [
|
||||||
|
"//staging/src/k8s.io/api/authorization/v1beta1:go_default_library",
|
||||||
|
"//staging/src/k8s.io/api/rbac/v1beta1:go_default_library",
|
||||||
|
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||||
|
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
|
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||||
|
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
|
||||||
|
"//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library",
|
||||||
|
"//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1beta1:go_default_library",
|
||||||
|
"//vendor/github.com/onsi/ginkgo:go_default_library",
|
||||||
|
"//vendor/github.com/pkg/errors:go_default_library",
|
||||||
|
],
|
||||||
|
)
|
||||||
|
|
||||||
|
filegroup(
|
||||||
|
name = "package-srcs",
|
||||||
|
srcs = glob(["**"]),
|
||||||
|
tags = ["automanaged"],
|
||||||
|
visibility = ["//visibility:private"],
|
||||||
|
)
|
||||||
|
|
||||||
|
filegroup(
|
||||||
|
name = "all-srcs",
|
||||||
|
srcs = [":package-srcs"],
|
||||||
|
tags = ["automanaged"],
|
||||||
|
visibility = ["//visibility:public"],
|
||||||
|
)
|
||||||
@@ -14,13 +14,15 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package framework
|
package auth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"k8s.io/klog"
|
"fmt"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/onsi/ginkgo"
|
||||||
|
"github.com/pkg/errors"
|
||||||
authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
|
authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
|
||||||
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
||||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||||
@@ -36,6 +38,12 @@ const (
|
|||||||
policyCachePollTimeout = 5 * time.Second
|
policyCachePollTimeout = 5 * time.Second
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type bindingsGetter interface {
|
||||||
|
v1beta1rbac.RoleBindingsGetter
|
||||||
|
v1beta1rbac.ClusterRoleBindingsGetter
|
||||||
|
v1beta1rbac.ClusterRolesGetter
|
||||||
|
}
|
||||||
|
|
||||||
// WaitForAuthorizationUpdate checks if the given user can perform the named verb and action.
|
// WaitForAuthorizationUpdate checks if the given user can perform the named verb and action.
|
||||||
// If policyCachePollTimeout is reached without the expected condition matching, an error is returned
|
// If policyCachePollTimeout is reached without the expected condition matching, an error is returned
|
||||||
func WaitForAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviewsGetter, user, namespace, verb string, resource schema.GroupResource, allowed bool) error {
|
func WaitForAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviewsGetter, user, namespace, verb string, resource schema.GroupResource, allowed bool) error {
|
||||||
@@ -57,12 +65,15 @@ func WaitForNamedAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviews
|
|||||||
User: user,
|
User: user,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
err := wait.Poll(policyCachePollInterval, policyCachePollTimeout, func() (bool, error) {
|
err := wait.Poll(policyCachePollInterval, policyCachePollTimeout, func() (bool, error) {
|
||||||
response, err := c.SubjectAccessReviews().Create(review)
|
response, err := c.SubjectAccessReviews().Create(review)
|
||||||
// GKE doesn't enable the SAR endpoint. Without this endpoint, we cannot determine if the policy engine
|
// GKE doesn't enable the SAR endpoint. Without this endpoint, we cannot determine if the policy engine
|
||||||
// has adjusted as expected. In this case, simply wait one second and hope it's up to date
|
// has adjusted as expected. In this case, simply wait one second and hope it's up to date
|
||||||
|
// TODO: Should have a check for the provider here but that introduces too tight of
|
||||||
|
// coupling with the `framework` package. See: https://github.com/kubernetes/kubernetes/issues/76726
|
||||||
if apierrors.IsNotFound(err) {
|
if apierrors.IsNotFound(err) {
|
||||||
klog.Info("SubjectAccessReview endpoint is missing")
|
logf("SubjectAccessReview endpoint is missing")
|
||||||
time.Sleep(1 * time.Second)
|
time.Sleep(1 * time.Second)
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
@@ -77,8 +88,13 @@ func WaitForNamedAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviews
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// BindClusterRole binds the cluster role at the cluster scope
|
// BindClusterRole binds the cluster role at the cluster scope. If RBAC is not enabled, nil
|
||||||
func BindClusterRole(c v1beta1rbac.ClusterRoleBindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) {
|
// is returned with no action.
|
||||||
|
func BindClusterRole(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) error {
|
||||||
|
if !IsRBACEnabled(c) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
|
// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
|
||||||
_, err := c.ClusterRoleBindings().Create(&rbacv1beta1.ClusterRoleBinding{
|
_, err := c.ClusterRoleBindings().Create(&rbacv1beta1.ClusterRoleBinding{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
@@ -92,23 +108,30 @@ func BindClusterRole(c v1beta1rbac.ClusterRoleBindingsGetter, clusterRole, ns st
|
|||||||
Subjects: subjects,
|
Subjects: subjects,
|
||||||
})
|
})
|
||||||
|
|
||||||
// if we failed, don't fail the entire test because it may still work. RBAC may simply be disabled.
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("Error binding clusterrole/%s for %q for %v\n", clusterRole, ns, subjects)
|
return errors.Wrapf(err, "binding clusterrole/%s for %q for %v", clusterRole, ns, subjects)
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// BindClusterRoleInNamespace binds the cluster role at the namespace scope
|
return nil
|
||||||
func BindClusterRoleInNamespace(c v1beta1rbac.RoleBindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) {
|
|
||||||
bindInNamespace(c, "ClusterRole", clusterRole, ns, subjects...)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// BindRoleInNamespace binds the role at the namespace scope
|
// BindClusterRoleInNamespace binds the cluster role at the namespace scope. If RBAC is not enabled, nil
|
||||||
func BindRoleInNamespace(c v1beta1rbac.RoleBindingsGetter, role, ns string, subjects ...rbacv1beta1.Subject) {
|
// is returned with no action.
|
||||||
bindInNamespace(c, "Role", role, ns, subjects...)
|
func BindClusterRoleInNamespace(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) error {
|
||||||
|
return bindInNamespace(c, "ClusterRole", clusterRole, ns, subjects...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// BindRoleInNamespace binds the role at the namespace scope. If RBAC is not enabled, nil
|
||||||
|
// is returned with no action.
|
||||||
|
func BindRoleInNamespace(c bindingsGetter, role, ns string, subjects ...rbacv1beta1.Subject) error {
|
||||||
|
return bindInNamespace(c, "Role", role, ns, subjects...)
|
||||||
|
}
|
||||||
|
|
||||||
|
func bindInNamespace(c bindingsGetter, roleType, role, ns string, subjects ...rbacv1beta1.Subject) error {
|
||||||
|
if !IsRBACEnabled(c) {
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func bindInNamespace(c v1beta1rbac.RoleBindingsGetter, roleType, role, ns string, subjects ...rbacv1beta1.Subject) {
|
|
||||||
// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
|
// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
|
||||||
_, err := c.RoleBindings(ns).Create(&rbacv1beta1.RoleBinding{
|
_, err := c.RoleBindings(ns).Create(&rbacv1beta1.RoleBinding{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
@@ -122,10 +145,11 @@ func bindInNamespace(c v1beta1rbac.RoleBindingsGetter, roleType, role, ns string
|
|||||||
Subjects: subjects,
|
Subjects: subjects,
|
||||||
})
|
})
|
||||||
|
|
||||||
// if we failed, don't fail the entire test because it may still work. RBAC may simply be disabled.
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("Error binding %s/%s into %q for %v\n", roleType, role, ns, subjects)
|
return errors.Wrapf(err, "binding %s/%s into %q for %v", roleType, role, ns, subjects)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@@ -134,19 +158,41 @@ var (
|
|||||||
)
|
)
|
||||||
|
|
||||||
// IsRBACEnabled returns true if RBAC is enabled. Otherwise false.
|
// IsRBACEnabled returns true if RBAC is enabled. Otherwise false.
|
||||||
func IsRBACEnabled(f *Framework) bool {
|
func IsRBACEnabled(crGetter v1beta1rbac.ClusterRolesGetter) bool {
|
||||||
isRBACEnabledOnce.Do(func() {
|
isRBACEnabledOnce.Do(func() {
|
||||||
crs, err := f.ClientSet.RbacV1().ClusterRoles().List(metav1.ListOptions{})
|
crs, err := crGetter.ClusterRoles().List(metav1.ListOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
Logf("Error listing ClusterRoles; assuming RBAC is disabled: %v", err)
|
logf("Error listing ClusterRoles; assuming RBAC is disabled: %v", err)
|
||||||
isRBACEnabled = false
|
isRBACEnabled = false
|
||||||
} else if crs == nil || len(crs.Items) == 0 {
|
} else if crs == nil || len(crs.Items) == 0 {
|
||||||
Logf("No ClusterRoles found; assuming RBAC is disabled.")
|
logf("No ClusterRoles found; assuming RBAC is disabled.")
|
||||||
isRBACEnabled = false
|
isRBACEnabled = false
|
||||||
} else {
|
} else {
|
||||||
Logf("Found ClusterRoles; assuming RBAC is enabled.")
|
logf("Found ClusterRoles; assuming RBAC is enabled.")
|
||||||
isRBACEnabled = true
|
isRBACEnabled = true
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
return isRBACEnabled
|
return isRBACEnabled
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// logf logs INFO lines to the GinkgoWriter.
|
||||||
|
// TODO: Log functions like these should be put into their own package,
|
||||||
|
// see: https://github.com/kubernetes/kubernetes/issues/76728
|
||||||
|
func logf(format string, args ...interface{}) {
|
||||||
|
log("INFO", format, args...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// log prints formatted log messages to the global GinkgoWriter.
|
||||||
|
// TODO: Log functions like these should be put into their own package,
|
||||||
|
// see: https://github.com/kubernetes/kubernetes/issues/76728
|
||||||
|
func log(level string, format string, args ...interface{}) {
|
||||||
|
fmt.Fprintf(ginkgo.GinkgoWriter, nowStamp()+": "+level+": "+format+"\n", args...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// nowStamp returns the current time formatted for placement in the logs (time.StampMilli).
|
||||||
|
// TODO: If only used for logging, this should be put into a logging package,
|
||||||
|
// see: https://github.com/kubernetes/kubernetes/issues/76728
|
||||||
|
func nowStamp() string {
|
||||||
|
return time.Now().Format(time.StampMilli)
|
||||||
|
}
|
||||||
@@ -28,6 +28,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||||
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
|
|
||||||
"github.com/onsi/ginkgo"
|
"github.com/onsi/ginkgo"
|
||||||
)
|
)
|
||||||
@@ -118,7 +119,7 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
|
|||||||
ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)
|
ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)
|
||||||
}
|
}
|
||||||
|
|
||||||
if IsRBACEnabled(f) {
|
if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
|
||||||
// Create the Role to bind it to the namespace.
|
// Create the Role to bind it to the namespace.
|
||||||
_, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
|
_, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
|
ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
|
||||||
@@ -135,10 +136,10 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
|
|||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
if IsRBACEnabled(f) {
|
if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
|
||||||
ginkgo.By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
|
ginkgo.By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
|
||||||
podSecurityPolicyPrivileged, namespace))
|
podSecurityPolicyPrivileged, namespace))
|
||||||
BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
|
err := auth.BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
|
||||||
podSecurityPolicyPrivileged,
|
podSecurityPolicyPrivileged,
|
||||||
namespace,
|
namespace,
|
||||||
rbacv1beta1.Subject{
|
rbacv1beta1.Subject{
|
||||||
@@ -146,7 +147,8 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
|
|||||||
Namespace: namespace,
|
Namespace: namespace,
|
||||||
Name: "default",
|
Name: "default",
|
||||||
})
|
})
|
||||||
ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
|
ExpectNoError(err)
|
||||||
|
ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
|
||||||
serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
|
serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
|
||||||
schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
|
schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||||
"//test/e2e/common:go_default_library",
|
"//test/e2e/common:go_default_library",
|
||||||
"//test/e2e/framework:go_default_library",
|
"//test/e2e/framework:go_default_library",
|
||||||
|
"//test/e2e/framework/auth:go_default_library",
|
||||||
"//test/e2e/framework/job:go_default_library",
|
"//test/e2e/framework/job:go_default_library",
|
||||||
"//test/e2e/framework/testfiles:go_default_library",
|
"//test/e2e/framework/testfiles:go_default_library",
|
||||||
"//test/e2e/scheduling:go_default_library",
|
"//test/e2e/scheduling:go_default_library",
|
||||||
|
|||||||
@@ -42,7 +42,7 @@ import (
|
|||||||
"github.com/elazarl/goproxy"
|
"github.com/elazarl/goproxy"
|
||||||
"sigs.k8s.io/yaml"
|
"sigs.k8s.io/yaml"
|
||||||
|
|
||||||
"k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
||||||
apierrs "k8s.io/apimachinery/pkg/api/errors"
|
apierrs "k8s.io/apimachinery/pkg/api/errors"
|
||||||
"k8s.io/apimachinery/pkg/api/resource"
|
"k8s.io/apimachinery/pkg/api/resource"
|
||||||
@@ -58,6 +58,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/controller"
|
"k8s.io/kubernetes/pkg/controller"
|
||||||
commonutils "k8s.io/kubernetes/test/e2e/common"
|
commonutils "k8s.io/kubernetes/test/e2e/common"
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
jobutil "k8s.io/kubernetes/test/e2e/framework/job"
|
jobutil "k8s.io/kubernetes/test/e2e/framework/job"
|
||||||
"k8s.io/kubernetes/test/e2e/framework/testfiles"
|
"k8s.io/kubernetes/test/e2e/framework/testfiles"
|
||||||
"k8s.io/kubernetes/test/e2e/scheduling"
|
"k8s.io/kubernetes/test/e2e/scheduling"
|
||||||
@@ -606,10 +607,11 @@ var _ = SIGDescribe("Kubectl client", func() {
|
|||||||
ginkgo.It("should handle in-cluster config", func() {
|
ginkgo.It("should handle in-cluster config", func() {
|
||||||
ginkgo.By("adding rbac permissions")
|
ginkgo.By("adding rbac permissions")
|
||||||
// grant the view permission widely to allow inspection of the `invalid` namespace and the default namespace
|
// grant the view permission widely to allow inspection of the `invalid` namespace and the default namespace
|
||||||
framework.BindClusterRole(f.ClientSet.RbacV1beta1(), "view", f.Namespace.Name,
|
err := auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "view", f.Namespace.Name,
|
||||||
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
|
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
|
||||||
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
|
err = auth.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
|
||||||
serviceaccount.MakeUsername(f.Namespace.Name, "default"),
|
serviceaccount.MakeUsername(f.Namespace.Name, "default"),
|
||||||
f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true)
|
f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true)
|
||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
|
|||||||
@@ -58,6 +58,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/client-go/util/workqueue:go_default_library",
|
"//staging/src/k8s.io/client-go/util/workqueue:go_default_library",
|
||||||
"//staging/src/k8s.io/cloud-provider:go_default_library",
|
"//staging/src/k8s.io/cloud-provider:go_default_library",
|
||||||
"//test/e2e/framework:go_default_library",
|
"//test/e2e/framework:go_default_library",
|
||||||
|
"//test/e2e/framework/auth:go_default_library",
|
||||||
"//test/e2e/framework/ingress:go_default_library",
|
"//test/e2e/framework/ingress:go_default_library",
|
||||||
"//test/e2e/framework/providers/gce:go_default_library",
|
"//test/e2e/framework/providers/gce:go_default_library",
|
||||||
"//test/e2e/network/scale:go_default_library",
|
"//test/e2e/network/scale:go_default_library",
|
||||||
|
|||||||
@@ -26,7 +26,7 @@ import (
|
|||||||
|
|
||||||
compute "google.golang.org/api/compute/v1"
|
compute "google.golang.org/api/compute/v1"
|
||||||
|
|
||||||
"k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
rbacv1beta1 "k8s.io/api/rbac/v1beta1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
@@ -35,6 +35,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
"k8s.io/kubernetes/test/e2e/framework/ingress"
|
"k8s.io/kubernetes/test/e2e/framework/ingress"
|
||||||
"k8s.io/kubernetes/test/e2e/framework/providers/gce"
|
"k8s.io/kubernetes/test/e2e/framework/providers/gce"
|
||||||
|
|
||||||
@@ -62,10 +63,11 @@ var _ = SIGDescribe("Loadbalancing: L7", func() {
|
|||||||
|
|
||||||
// this test wants powerful permissions. Since the namespace names are unique, we can leave this
|
// this test wants powerful permissions. Since the namespace names are unique, we can leave this
|
||||||
// lying around so we don't have to race any caches
|
// lying around so we don't have to race any caches
|
||||||
framework.BindClusterRole(jig.Client.RbacV1beta1(), "cluster-admin", f.Namespace.Name,
|
err := auth.BindClusterRole(jig.Client.RbacV1beta1(), "cluster-admin", f.Namespace.Name,
|
||||||
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
|
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
|
||||||
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
err := framework.WaitForAuthorizationUpdate(jig.Client.AuthorizationV1beta1(),
|
err = auth.WaitForAuthorizationUpdate(jig.Client.AuthorizationV1beta1(),
|
||||||
serviceaccount.MakeUsername(f.Namespace.Name, "default"),
|
serviceaccount.MakeUsername(f.Namespace.Name, "default"),
|
||||||
"", "create", schema.GroupResource{Resource: "pods"}, true)
|
"", "create", schema.GroupResource{Resource: "pods"}, true)
|
||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
|
|||||||
@@ -66,6 +66,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/cloud-provider/volume/helpers:go_default_library",
|
"//staging/src/k8s.io/cloud-provider/volume/helpers:go_default_library",
|
||||||
"//test/e2e/framework:go_default_library",
|
"//test/e2e/framework:go_default_library",
|
||||||
|
"//test/e2e/framework/auth:go_default_library",
|
||||||
"//test/e2e/framework/metrics:go_default_library",
|
"//test/e2e/framework/metrics:go_default_library",
|
||||||
"//test/e2e/framework/providers/gce:go_default_library",
|
"//test/e2e/framework/providers/gce:go_default_library",
|
||||||
"//test/e2e/framework/testfiles:go_default_library",
|
"//test/e2e/framework/testfiles:go_default_library",
|
||||||
|
|||||||
@@ -22,6 +22,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
|
"//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||||
"//test/e2e/framework:go_default_library",
|
"//test/e2e/framework:go_default_library",
|
||||||
|
"//test/e2e/framework/auth:go_default_library",
|
||||||
"//test/e2e/framework/volume:go_default_library",
|
"//test/e2e/framework/volume:go_default_library",
|
||||||
"//test/e2e/storage/testpatterns:go_default_library",
|
"//test/e2e/storage/testpatterns:go_default_library",
|
||||||
"//test/e2e/storage/testsuites:go_default_library",
|
"//test/e2e/storage/testsuites:go_default_library",
|
||||||
|
|||||||
@@ -54,6 +54,7 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
"k8s.io/kubernetes/test/e2e/framework/volume"
|
"k8s.io/kubernetes/test/e2e/framework/volume"
|
||||||
"k8s.io/kubernetes/test/e2e/storage/testpatterns"
|
"k8s.io/kubernetes/test/e2e/storage/testpatterns"
|
||||||
"k8s.io/kubernetes/test/e2e/storage/testsuites"
|
"k8s.io/kubernetes/test/e2e/storage/testsuites"
|
||||||
@@ -153,10 +154,11 @@ func (n *nfsDriver) PrepareTest(f *framework.Framework) (*testsuites.PerTestConf
|
|||||||
|
|
||||||
// TODO(mkimuram): cluster-admin gives too much right but system:persistent-volume-provisioner
|
// TODO(mkimuram): cluster-admin gives too much right but system:persistent-volume-provisioner
|
||||||
// is not enough. We should create new clusterrole for testing.
|
// is not enough. We should create new clusterrole for testing.
|
||||||
framework.BindClusterRole(cs.RbacV1beta1(), "cluster-admin", ns.Name,
|
err := auth.BindClusterRole(cs.RbacV1beta1(), "cluster-admin", ns.Name,
|
||||||
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns.Name, Name: "default"})
|
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns.Name, Name: "default"})
|
||||||
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
err := framework.WaitForAuthorizationUpdate(cs.AuthorizationV1beta1(),
|
err = auth.WaitForAuthorizationUpdate(cs.AuthorizationV1beta1(),
|
||||||
serviceaccount.MakeUsername(ns.Name, "default"),
|
serviceaccount.MakeUsername(ns.Name, "default"),
|
||||||
"", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
|
"", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
|
||||||
framework.ExpectNoError(err, "Failed to update authorization: %v", err)
|
framework.ExpectNoError(err, "Failed to update authorization: %v", err)
|
||||||
|
|||||||
@@ -46,6 +46,7 @@ import (
|
|||||||
volumehelpers "k8s.io/cloud-provider/volume/helpers"
|
volumehelpers "k8s.io/cloud-provider/volume/helpers"
|
||||||
storageutil "k8s.io/kubernetes/pkg/apis/storage/v1/util"
|
storageutil "k8s.io/kubernetes/pkg/apis/storage/v1/util"
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
|
"k8s.io/kubernetes/test/e2e/framework/auth"
|
||||||
"k8s.io/kubernetes/test/e2e/framework/providers/gce"
|
"k8s.io/kubernetes/test/e2e/framework/providers/gce"
|
||||||
"k8s.io/kubernetes/test/e2e/storage/testsuites"
|
"k8s.io/kubernetes/test/e2e/storage/testsuites"
|
||||||
"k8s.io/kubernetes/test/e2e/storage/utils"
|
"k8s.io/kubernetes/test/e2e/storage/utils"
|
||||||
@@ -710,10 +711,11 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
|
|||||||
Name: serviceAccountName,
|
Name: serviceAccountName,
|
||||||
}
|
}
|
||||||
|
|
||||||
framework.BindClusterRole(c.RbacV1beta1(), "system:persistent-volume-provisioner", ns, subject)
|
err := auth.BindClusterRole(c.RbacV1beta1(), "system:persistent-volume-provisioner", ns, subject)
|
||||||
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
roleName := "leader-locking-nfs-provisioner"
|
roleName := "leader-locking-nfs-provisioner"
|
||||||
_, err := f.ClientSet.RbacV1beta1().Roles(ns).Create(&rbacv1beta1.Role{
|
_, err = f.ClientSet.RbacV1beta1().Roles(ns).Create(&rbacv1beta1.Role{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: roleName,
|
Name: roleName,
|
||||||
},
|
},
|
||||||
@@ -725,9 +727,10 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
|
|||||||
})
|
})
|
||||||
framework.ExpectNoError(err, "Failed to create leader-locking role")
|
framework.ExpectNoError(err, "Failed to create leader-locking role")
|
||||||
|
|
||||||
framework.BindRoleInNamespace(c.RbacV1beta1(), roleName, ns, subject)
|
err = auth.BindRoleInNamespace(c.RbacV1beta1(), roleName, ns, subject)
|
||||||
|
framework.ExpectNoError(err)
|
||||||
|
|
||||||
err = framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
|
err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
|
||||||
serviceaccount.MakeUsername(ns, serviceAccountName),
|
serviceaccount.MakeUsername(ns, serviceAccountName),
|
||||||
"", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
|
"", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
|
||||||
framework.ExpectNoError(err, "Failed to update authorization")
|
framework.ExpectNoError(err, "Failed to update authorization")
|
||||||
|
|||||||
Reference in New Issue
Block a user