KEP-3325: Promote SelfSubjectReview to Beta (#116274)

* Promote SelfSubjectReview to Beta Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> * Fix whoami API Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> * Fixes according to code review Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> --------- Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2023-03-09 00:42:33 +01:00
parent 0a5310fe9a
commit c1431af4f8
37 changed files with 2088 additions and 170 deletions
--- a/test/e2e/auth/selfsubjectreviews.go
+++ b/test/e2e/auth/selfsubjectreviews.go
@@ -21,9 +21,12 @@ import (
 	"fmt"

 	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
 	authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
+	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/kubernetes/test/e2e/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 )
@@ -33,98 +36,131 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
 	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged

 	/*
-		Release: v1.24
-		Testname: SelfSubjectReview API
-		Description:
-		The authentication.k8s.io API group MUST exist in the /apis discovery document.
-		The authentication.k8s.io/v1alpha1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
-		The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1alpha1 discovery document.
-		The selfsubjectreviews resource must support create.
+			Release: v1.27
+			Testname: SelfSubjectReview API
+			Description:
+			The authentication.k8s.io API group MUST exist in the /apis discovery document.
+			The authentication.k8s.io/v1alpha1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
+		    The authentication.k8s.io/v1beta1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
+			The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1alpha1 discovery document.
+			The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1beta1 discovery document.
+			The selfsubjectreviews resource MUST support create.
 	*/
 	ginkgo.It("should support SelfSubjectReview API operations", func(ctx context.Context) {
-		// Setup
-		ssarAPIVersion := "v1alpha1"
+		ginkgo.DescribeTable(
+			"testing SSR in different API groups",
+			func(apiVersion, gv string) {
+				// Discovery
+				ginkgo.By("getting /apis")
+				{
+					discoveryGroups, err := f.ClientSet.Discovery().ServerGroups()
+					framework.ExpectNoError(err)
+					found := false
+					for _, group := range discoveryGroups.Groups {
+						if group.Name == authenticationv1alpha1.GroupName {
+							for _, version := range group.Versions {
+								if version.Version == apiVersion {
+									found = true
+									break
+								}
+							}
+						}
+					}
+					if !found {
+						ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API group/version, got %#v", discoveryGroups.Groups))
+					}
+				}

-		// Discovery
-		ginkgo.By("getting /apis")
-		{
-			discoveryGroups, err := f.ClientSet.Discovery().ServerGroups()
-			framework.ExpectNoError(err)
-			found := false
-			for _, group := range discoveryGroups.Groups {
-				if group.Name == authenticationv1alpha1.GroupName {
+				ginkgo.By("getting /apis/authentication.k8s.io")
+				{
+					group := &metav1.APIGroup{}
+					err := f.ClientSet.Discovery().RESTClient().Get().AbsPath("/apis/authentication.k8s.io").Do(ctx).Into(group)
+					framework.ExpectNoError(err)
+					found := false
 					for _, version := range group.Versions {
-						if version.Version == ssarAPIVersion {
+						if version.Version == apiVersion {
 							found = true
 							break
 						}
 					}
+					if !found {
+						ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API version, got %#v", group.Versions))
+					}
 				}
-			}
-			if !found {
-				ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API group/version, got %#v", discoveryGroups.Groups))
-			}
-		}

-		ginkgo.By("getting /apis/authentication.k8s.io")
-		{
-			group := &metav1.APIGroup{}
-			err := f.ClientSet.Discovery().RESTClient().Get().AbsPath("/apis/authentication.k8s.io").Do(ctx).Into(group)
-			framework.ExpectNoError(err)
-			found := false
-			for _, version := range group.Versions {
-				if version.Version == ssarAPIVersion {
-					found = true
-					break
+				ginkgo.By("getting /apis/authentication.k8s.io/" + apiVersion)
+				{
+					resources, err := f.ClientSet.Discovery().ServerResourcesForGroupVersion(gv)
+					framework.ExpectNoError(err)
+					found := false
+					for _, resource := range resources.APIResources {
+						switch resource.Name {
+						case "selfsubjectreviews":
+							found = true
+						}
+					}
+					if !found {
+						ginkgo.Skip(fmt.Sprintf("expected selfsubjectreviews, got %#v", resources.APIResources))
+					}
 				}
-			}
-			if !found {
-				ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API version, got %#v", group.Versions))
-			}
-		}
-
-		ginkgo.By("getting /apis/authentication.k8s.io/" + ssarAPIVersion)
-		{
-			resources, err := f.ClientSet.Discovery().ServerResourcesForGroupVersion(authenticationv1alpha1.SchemeGroupVersion.String())
-			framework.ExpectNoError(err)
-			found := false
-			for _, resource := range resources.APIResources {
-				switch resource.Name {
-				case "selfsubjectreviews":
-					found = true
-				}
-			}
-			if !found {
-				ginkgo.Skip(fmt.Sprintf("expected selfsubjectreviews, got %#v", resources.APIResources))
-			}
-		}
+			},
+			ginkgo.Entry("authentication/v1alpha1", "v1alpha1", authenticationv1alpha1.SchemeGroupVersion.String()),
+			ginkgo.Entry("authentication/v1beta1", "v1beta1", authenticationv1beta1.SchemeGroupVersion.String()),
+		)

 		// Check creating
-		ginkgo.By("creating")
+		ginkgo.By("creating SSR authentication/v1alpha1")
 		{
 			// Use impersonate to make user attributes predictable
-			config := f.ClientConfig()
-			config.Impersonate.UserName = "jane-doe"
-			config.Impersonate.UID = "uniq-id"
-			config.Impersonate.Groups = []string{"system:authenticated", "developers"}
-			config.Impersonate.Extra = map[string][]string{
-				"known-languages": {"python", "javascript"},
-			}
+			config := restConfig(f)

 			ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1alpha1().SelfSubjectReviews()
 			res, err := ssrClient.Create(ctx, &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
 			framework.ExpectNoError(err)

-			framework.ExpectEqual(config.Impersonate.UserName, res.Status.UserInfo.Username)
-			framework.ExpectEqual(config.Impersonate.UID, res.Status.UserInfo.UID)
-			framework.ExpectEqual(config.Impersonate.Groups, res.Status.UserInfo.Groups)
+			gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
+			gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
+			gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))

 			extra := make(map[string][]string, len(res.Status.UserInfo.Extra))
 			for k, v := range res.Status.UserInfo.Extra {
 				extra[k] = v
 			}

-			framework.ExpectEqual(config.Impersonate.Extra, extra)
+			gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra))
+		}
+
+		ginkgo.By("creating SSR authentication/v1beta1")
+		{
+			config := restConfig(f)
+
+			ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1beta1().SelfSubjectReviews()
+			res, err := ssrClient.Create(ctx, &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
+			framework.ExpectNoError(err)
+
+			gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
+			gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
+			gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))
+
+			extra := make(map[string][]string, len(res.Status.UserInfo.Extra))
+			for k, v := range res.Status.UserInfo.Extra {
+				extra[k] = v
+			}
+
+			gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra))
 		}
 	})
 })
+
+func restConfig(f *framework.Framework) *rest.Config {
+	// Use impersonate to make user attributes predictable
+	config := f.ClientConfig()
+	config.Impersonate.UserName = "jane-doe"
+	config.Impersonate.UID = "uniq-id"
+	config.Impersonate.Groups = []string{"system:authenticated", "developers"}
+	config.Impersonate.Extra = map[string][]string{
+		"known-languages": {"python", "javascript"},
+	}
+
+	return config
+}
--- a/test/integration/apiserver/admissionwebhook/admission_test.go
+++ b/test/integration/apiserver/admissionwebhook/admission_test.go
@@ -156,6 +156,7 @@ var (
 		gvr("authentication.k8s.io", "v1", "tokenreviews"):                  `{"metadata": {"name": "tokenreview"}, "spec": {"token": "token", "audience": ["audience1","audience2"]}}`,
 		gvr("authentication.k8s.io", "v1beta1", "tokenreviews"):             `{"metadata": {"name": "tokenreview"}, "spec": {"token": "token", "audience": ["audience1","audience2"]}}`,
 		gvr("authentication.k8s.io", "v1alpha1", "selfsubjectreviews"):      `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
+		gvr("authentication.k8s.io", "v1beta1", "selfsubjectreviews"):       `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
 		gvr("authorization.k8s.io", "v1", "localsubjectaccessreviews"):      `{"metadata": {"name": "", "namespace":"` + testNamespace + `"}, "spec": {"uid": "token", "user": "user1","groups": ["group1","group2"],"resourceAttributes": {"name":"name1","namespace":"` + testNamespace + `"}}}`,
 		gvr("authorization.k8s.io", "v1", "subjectaccessreviews"):           `{"metadata": {"name": "", "namespace":""}, "spec": {"user":"user1","resourceAttributes": {"name":"name1", "namespace":"` + testNamespace + `"}}}`,
 		gvr("authorization.k8s.io", "v1", "selfsubjectaccessreviews"):       `{"metadata": {"name": "", "namespace":""}, "spec": {"resourceAttributes": {"name":"name1", "namespace":""}}}`,
--- a/test/integration/auth/selfsubjectreview_test.go
+++ b/test/integration/auth/selfsubjectreview_test.go
@@ -27,6 +27,7 @@ import (

 	authenticationv1 "k8s.io/api/authentication/v1"
 	authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
+	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -97,6 +98,7 @@ func TestGetsSelfAttributes(t *testing.T) {
 	kubeClient, _, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
 		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
+			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
 			opts.Authorization.Modes = []string{"AlwaysAllow"}
 		},
 		ModifyServerConfig: func(config *controlplane.Config) {
@@ -143,6 +145,33 @@ func TestGetsSelfAttributes(t *testing.T) {
 			if !reflect.DeepEqual(res.Status.UserInfo.Extra, tc.expectedExtra) {
 				t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
 			}
+
+			res2, err := kubeClient.AuthenticationV1beta1().
+				SelfSubjectReviews().
+				Create(context.TODO(), &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			if res2 == nil {
+				t.Fatalf("empty response")
+			}
+
+			if res2.Status.UserInfo.Username != tc.expectedName {
+				t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username)
+			}
+
+			if res2.Status.UserInfo.UID != tc.expectedUID {
+				t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID)
+			}
+
+			if !reflect.DeepEqual(res2.Status.UserInfo.Groups, tc.expectedGroups) {
+				t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups)
+			}
+
+			if !reflect.DeepEqual(res2.Status.UserInfo.Extra, tc.expectedExtra) {
+				t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
+			}
 		})
 	}

@@ -157,6 +186,7 @@ func TestGetsSelfAttributesError(t *testing.T) {
 	kubeClient, _, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
 		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
+			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
 			opts.Authorization.Modes = []string{"AlwaysAllow"}
 		},
 		ModifyServerConfig: func(config *controlplane.Config) {
@@ -178,17 +208,36 @@ func TestGetsSelfAttributesError(t *testing.T) {
 	defer tearDownFn()

 	expected := fmt.Errorf("Unauthorized")
-	toggle.Store(!toggle.Load().(bool))

-	_, err := kubeClient.AuthenticationV1alpha1().
-		SelfSubjectReviews().
-		Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
-	if err == nil {
-		t.Fatalf("expected error: %v, got nil", err)
+	{ // v1alpha1
+		toggle.Store(!toggle.Load().(bool))
+
+		_, err := kubeClient.AuthenticationV1alpha1().
+			SelfSubjectReviews().
+			Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
+		if err == nil {
+			t.Fatalf("expected error: %v, got nil", err)
+		}
+
+		toggle.Store(!toggle.Load().(bool))
+		if expected.Error() != err.Error() {
+			t.Fatalf("expected error: %v, got %v", expected, err)
+		}
 	}

-	toggle.Store(!toggle.Load().(bool))
-	if expected.Error() != err.Error() {
-		t.Fatalf("expected error: %v, got %v", expected, err)
+	{ // v1beta1
+		toggle.Store(!toggle.Load().(bool))
+
+		_, err := kubeClient.AuthenticationV1beta1().
+			SelfSubjectReviews().
+			Create(context.TODO(), &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
+		if err == nil {
+			t.Fatalf("expected error: %v, got nil", err)
+		}
+
+		toggle.Store(!toggle.Load().(bool))
+		if expected.Error() != err.Error() {
+			t.Fatalf("expected error: %v, got %v", expected, err)
+		}
 	}
 }