KEP-3325: Promote SelfSubjectReview to Beta (#116274)

* Promote SelfSubjectReview to Beta Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> * Fix whoami API Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> * Fixes according to code review Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> --------- Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2023-03-09 00:42:33 +01:00
parent 0a5310fe9a
commit c1431af4f8
37 changed files with 2088 additions and 170 deletions
--- a/test/e2e/auth/selfsubjectreviews.go
+++ b/test/e2e/auth/selfsubjectreviews.go
@@ -21,9 +21,12 @@ import (
 	"fmt"

 	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
 	authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
+	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/kubernetes/test/e2e/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 )
@@ -33,98 +36,131 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
 	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged

 	/*
-		Release: v1.24
-		Testname: SelfSubjectReview API
-		Description:
-		The authentication.k8s.io API group MUST exist in the /apis discovery document.
-		The authentication.k8s.io/v1alpha1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
-		The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1alpha1 discovery document.
-		The selfsubjectreviews resource must support create.
+			Release: v1.27
+			Testname: SelfSubjectReview API
+			Description:
+			The authentication.k8s.io API group MUST exist in the /apis discovery document.
+			The authentication.k8s.io/v1alpha1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
+		    The authentication.k8s.io/v1beta1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
+			The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1alpha1 discovery document.
+			The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1beta1 discovery document.
+			The selfsubjectreviews resource MUST support create.
 	*/
 	ginkgo.It("should support SelfSubjectReview API operations", func(ctx context.Context) {
-		// Setup
-		ssarAPIVersion := "v1alpha1"
+		ginkgo.DescribeTable(
+			"testing SSR in different API groups",
+			func(apiVersion, gv string) {
+				// Discovery
+				ginkgo.By("getting /apis")
+				{
+					discoveryGroups, err := f.ClientSet.Discovery().ServerGroups()
+					framework.ExpectNoError(err)
+					found := false
+					for _, group := range discoveryGroups.Groups {
+						if group.Name == authenticationv1alpha1.GroupName {
+							for _, version := range group.Versions {
+								if version.Version == apiVersion {
+									found = true
+									break
+								}
+							}
+						}
+					}
+					if !found {
+						ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API group/version, got %#v", discoveryGroups.Groups))
+					}
+				}

-		// Discovery
-		ginkgo.By("getting /apis")
-		{
-			discoveryGroups, err := f.ClientSet.Discovery().ServerGroups()
-			framework.ExpectNoError(err)
-			found := false
-			for _, group := range discoveryGroups.Groups {
-				if group.Name == authenticationv1alpha1.GroupName {
+				ginkgo.By("getting /apis/authentication.k8s.io")
+				{
+					group := &metav1.APIGroup{}
+					err := f.ClientSet.Discovery().RESTClient().Get().AbsPath("/apis/authentication.k8s.io").Do(ctx).Into(group)
+					framework.ExpectNoError(err)
+					found := false
 					for _, version := range group.Versions {
-						if version.Version == ssarAPIVersion {
+						if version.Version == apiVersion {
 							found = true
 							break
 						}
 					}
+					if !found {
+						ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API version, got %#v", group.Versions))
+					}
 				}
-			}
-			if !found {
-				ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API group/version, got %#v", discoveryGroups.Groups))
-			}
-		}

-		ginkgo.By("getting /apis/authentication.k8s.io")
-		{
-			group := &metav1.APIGroup{}
-			err := f.ClientSet.Discovery().RESTClient().Get().AbsPath("/apis/authentication.k8s.io").Do(ctx).Into(group)
-			framework.ExpectNoError(err)
-			found := false
-			for _, version := range group.Versions {
-				if version.Version == ssarAPIVersion {
-					found = true
-					break
+				ginkgo.By("getting /apis/authentication.k8s.io/" + apiVersion)
+				{
+					resources, err := f.ClientSet.Discovery().ServerResourcesForGroupVersion(gv)
+					framework.ExpectNoError(err)
+					found := false
+					for _, resource := range resources.APIResources {
+						switch resource.Name {
+						case "selfsubjectreviews":
+							found = true
+						}
+					}
+					if !found {
+						ginkgo.Skip(fmt.Sprintf("expected selfsubjectreviews, got %#v", resources.APIResources))
+					}
 				}
-			}
-			if !found {
-				ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API version, got %#v", group.Versions))
-			}
-		}
-
-		ginkgo.By("getting /apis/authentication.k8s.io/" + ssarAPIVersion)
-		{
-			resources, err := f.ClientSet.Discovery().ServerResourcesForGroupVersion(authenticationv1alpha1.SchemeGroupVersion.String())
-			framework.ExpectNoError(err)
-			found := false
-			for _, resource := range resources.APIResources {
-				switch resource.Name {
-				case "selfsubjectreviews":
-					found = true
-				}
-			}
-			if !found {
-				ginkgo.Skip(fmt.Sprintf("expected selfsubjectreviews, got %#v", resources.APIResources))
-			}
-		}
+			},
+			ginkgo.Entry("authentication/v1alpha1", "v1alpha1", authenticationv1alpha1.SchemeGroupVersion.String()),
+			ginkgo.Entry("authentication/v1beta1", "v1beta1", authenticationv1beta1.SchemeGroupVersion.String()),
+		)

 		// Check creating
-		ginkgo.By("creating")
+		ginkgo.By("creating SSR authentication/v1alpha1")
 		{
 			// Use impersonate to make user attributes predictable
-			config := f.ClientConfig()
-			config.Impersonate.UserName = "jane-doe"
-			config.Impersonate.UID = "uniq-id"
-			config.Impersonate.Groups = []string{"system:authenticated", "developers"}
-			config.Impersonate.Extra = map[string][]string{
-				"known-languages": {"python", "javascript"},
-			}
+			config := restConfig(f)

 			ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1alpha1().SelfSubjectReviews()
 			res, err := ssrClient.Create(ctx, &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
 			framework.ExpectNoError(err)

-			framework.ExpectEqual(config.Impersonate.UserName, res.Status.UserInfo.Username)
-			framework.ExpectEqual(config.Impersonate.UID, res.Status.UserInfo.UID)
-			framework.ExpectEqual(config.Impersonate.Groups, res.Status.UserInfo.Groups)
+			gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
+			gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
+			gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))

 			extra := make(map[string][]string, len(res.Status.UserInfo.Extra))
 			for k, v := range res.Status.UserInfo.Extra {
 				extra[k] = v
 			}

-			framework.ExpectEqual(config.Impersonate.Extra, extra)
+			gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra))
+		}
+
+		ginkgo.By("creating SSR authentication/v1beta1")
+		{
+			config := restConfig(f)
+
+			ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1beta1().SelfSubjectReviews()
+			res, err := ssrClient.Create(ctx, &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
+			framework.ExpectNoError(err)
+
+			gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
+			gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
+			gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))
+
+			extra := make(map[string][]string, len(res.Status.UserInfo.Extra))
+			for k, v := range res.Status.UserInfo.Extra {
+				extra[k] = v
+			}
+
+			gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra))
 		}
 	})
 })
+
+func restConfig(f *framework.Framework) *rest.Config {
+	// Use impersonate to make user attributes predictable
+	config := f.ClientConfig()
+	config.Impersonate.UserName = "jane-doe"
+	config.Impersonate.UID = "uniq-id"
+	config.Impersonate.Groups = []string{"system:authenticated", "developers"}
+	config.Impersonate.Extra = map[string][]string{
+		"known-languages": {"python", "javascript"},
+	}
+
+	return config
+}