	fix golint failures of test/e2e/auth
		@@ -600,7 +600,6 @@ staging/src/k8s.io/sample-apiserver/pkg/registry/wardle/flunder
 | 
			
		||||
staging/src/k8s.io/sample-controller/pkg/apis/samplecontroller
 | 
			
		||||
staging/src/k8s.io/sample-controller/pkg/apis/samplecontroller/v1alpha1
 | 
			
		||||
test/e2e
 | 
			
		||||
test/e2e/auth
 | 
			
		||||
test/e2e/autoscaling
 | 
			
		||||
test/e2e/chaosmonkey
 | 
			
		||||
test/e2e/common
 | 
			
		||||
 
 | 
			
		||||
@@ -42,7 +42,7 @@ import (
 | 
			
		||||
	imageutils "k8s.io/kubernetes/test/utils/image"
 | 
			
		||||
 | 
			
		||||
	jsonpatch "github.com/evanphx/json-patch"
 | 
			
		||||
	. "github.com/onsi/ginkgo"
 | 
			
		||||
	"github.com/onsi/ginkgo"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
var (
 | 
			
		||||
@@ -62,12 +62,12 @@ var (
 | 
			
		||||
var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
 | 
			
		||||
	f := framework.NewDefaultFramework("audit")
 | 
			
		||||
	var namespace string
 | 
			
		||||
	BeforeEach(func() {
 | 
			
		||||
	ginkgo.BeforeEach(func() {
 | 
			
		||||
		framework.SkipUnlessProviderIs("gce")
 | 
			
		||||
		namespace = f.Namespace.Name
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should audit API calls to create, get, update, patch, delete, list, watch pods.", func() {
 | 
			
		||||
	ginkgo.It("should audit API calls to create, get, update, patch, delete, list, watch pods.", func() {
 | 
			
		||||
		pod := &apiv1.Pod{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
				Name: "audit-pod",
 | 
			
		||||
@@ -201,7 +201,7 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
 | 
			
		||||
		})
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should audit API calls to create, get, update, patch, delete, list, watch deployments.", func() {
 | 
			
		||||
	ginkgo.It("should audit API calls to create, get, update, patch, delete, list, watch deployments.", func() {
 | 
			
		||||
		podLabels := map[string]string{"name": "audit-deployment-pod"}
 | 
			
		||||
		d := e2edeploy.NewDeployment("audit-deployment", int32(1), podLabels, "redis", imageutils.GetE2EImage(imageutils.Redis), apps.RecreateDeploymentStrategyType)
 | 
			
		||||
 | 
			
		||||
@@ -328,7 +328,7 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
 | 
			
		||||
		})
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should audit API calls to create, get, update, patch, delete, list, watch configmaps.", func() {
 | 
			
		||||
	ginkgo.It("should audit API calls to create, get, update, patch, delete, list, watch configmaps.", func() {
 | 
			
		||||
		configMap := &apiv1.ConfigMap{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
				Name: "audit-configmap",
 | 
			
		||||
@@ -461,7 +461,7 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
 | 
			
		||||
		})
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should audit API calls to create, get, update, patch, delete, list, watch secrets.", func() {
 | 
			
		||||
	ginkgo.It("should audit API calls to create, get, update, patch, delete, list, watch secrets.", func() {
 | 
			
		||||
		secret := &apiv1.Secret{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
				Name: "audit-secret",
 | 
			
		||||
@@ -593,7 +593,7 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
 | 
			
		||||
		})
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should audit API calls to create and delete custom resource definition.", func() {
 | 
			
		||||
	ginkgo.It("should audit API calls to create and delete custom resource definition.", func() {
 | 
			
		||||
		config, err := framework.LoadConfig()
 | 
			
		||||
		framework.ExpectNoError(err, "failed to load config")
 | 
			
		||||
		apiExtensionClient, err := apiextensionclientset.NewForConfig(config)
 | 
			
		||||
@@ -654,12 +654,12 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	// test authorizer annotations, RBAC is required.
 | 
			
		||||
	It("should audit API calls to get a pod with unauthorized user.", func() {
 | 
			
		||||
	ginkgo.It("should audit API calls to get a pod with unauthorized user.", func() {
 | 
			
		||||
		if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 | 
			
		||||
			framework.Skipf("RBAC not enabled.")
 | 
			
		||||
		}
 | 
			
		||||
 | 
			
		||||
		By("Creating a kubernetes client that impersonates an unauthorized anonymous user")
 | 
			
		||||
		ginkgo.By("Creating a kubernetes client that impersonates an unauthorized anonymous user")
 | 
			
		||||
		config, err := framework.LoadConfig()
 | 
			
		||||
		framework.ExpectNoError(err)
 | 
			
		||||
		config.Impersonate = restclient.ImpersonationConfig{
 | 
			
		||||
@@ -691,8 +691,8 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
 | 
			
		||||
		})
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should list pods as impersonated user.", func() {
 | 
			
		||||
		By("Creating a kubernetes client that impersonates an authorized user")
 | 
			
		||||
	ginkgo.It("should list pods as impersonated user.", func() {
 | 
			
		||||
		ginkgo.By("Creating a kubernetes client that impersonates an authorized user")
 | 
			
		||||
		config, err := framework.LoadConfig()
 | 
			
		||||
		framework.ExpectNoError(err)
 | 
			
		||||
		config.Impersonate = restclient.ImpersonationConfig{
 | 
			
		||||
 
 | 
			
		||||
@@ -21,7 +21,7 @@ import (
 | 
			
		||||
	"strings"
 | 
			
		||||
	"time"
 | 
			
		||||
 | 
			
		||||
	. "github.com/onsi/ginkgo"
 | 
			
		||||
	"github.com/onsi/ginkgo"
 | 
			
		||||
 | 
			
		||||
	auditregv1alpha1 "k8s.io/api/auditregistration/v1alpha1"
 | 
			
		||||
	apiv1 "k8s.io/api/core/v1"
 | 
			
		||||
@@ -44,10 +44,10 @@ import (
 | 
			
		||||
var _ = SIGDescribe("[Feature:DynamicAudit]", func() {
 | 
			
		||||
	f := framework.NewDefaultFramework("audit")
 | 
			
		||||
 | 
			
		||||
	It("should dynamically audit API calls", func() {
 | 
			
		||||
	ginkgo.It("should dynamically audit API calls", func() {
 | 
			
		||||
		namespace := f.Namespace.Name
 | 
			
		||||
 | 
			
		||||
		By("Creating a kubernetes client that impersonates an unauthorized anonymous user")
 | 
			
		||||
		ginkgo.By("Creating a kubernetes client that impersonates an unauthorized anonymous user")
 | 
			
		||||
		config, err := framework.LoadConfig()
 | 
			
		||||
		framework.ExpectNoError(err, "failed to fetch config")
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
@@ -31,13 +31,13 @@ import (
 | 
			
		||||
	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
 | 
			
		||||
	"k8s.io/kubernetes/test/utils"
 | 
			
		||||
 | 
			
		||||
	. "github.com/onsi/ginkgo"
 | 
			
		||||
	"github.com/onsi/ginkgo"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
var _ = SIGDescribe("Certificates API", func() {
 | 
			
		||||
	f := framework.NewDefaultFramework("certificates")
 | 
			
		||||
 | 
			
		||||
	It("should support building a client with a CSR", func() {
 | 
			
		||||
	ginkgo.It("should support building a client with a CSR", func() {
 | 
			
		||||
		const commonName = "tester-csr"
 | 
			
		||||
 | 
			
		||||
		pk, err := utils.NewPrivateKey()
 | 
			
		||||
 
 | 
			
		||||
@@ -18,6 +18,7 @@ package auth
 | 
			
		||||
 | 
			
		||||
import "github.com/onsi/ginkgo"
 | 
			
		||||
 | 
			
		||||
// SIGDescribe annotates the test with the SIG label.
 | 
			
		||||
func SIGDescribe(text string, body func()) bool {
 | 
			
		||||
	return ginkgo.Describe("[sig-auth] "+text, body)
 | 
			
		||||
}
 | 
			
		||||
 
 | 
			
		||||
@@ -23,16 +23,16 @@ import (
 | 
			
		||||
	"k8s.io/kubernetes/test/e2e/framework"
 | 
			
		||||
	jobutil "k8s.io/kubernetes/test/e2e/framework/job"
 | 
			
		||||
 | 
			
		||||
	. "github.com/onsi/ginkgo"
 | 
			
		||||
	"github.com/onsi/ginkgo"
 | 
			
		||||
	imageutil "k8s.io/kubernetes/test/utils/image"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
var _ = SIGDescribe("Metadata Concealment", func() {
 | 
			
		||||
	f := framework.NewDefaultFramework("metadata-concealment")
 | 
			
		||||
 | 
			
		||||
	It("should run a check-metadata-concealment job to completion", func() {
 | 
			
		||||
	ginkgo.It("should run a check-metadata-concealment job to completion", func() {
 | 
			
		||||
		framework.SkipUnlessProviderIs("gce")
 | 
			
		||||
		By("Creating a job")
 | 
			
		||||
		ginkgo.By("Creating a job")
 | 
			
		||||
		job := &batch.Job{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
				Name: "check-metadata-concealment",
 | 
			
		||||
@@ -57,7 +57,7 @@ var _ = SIGDescribe("Metadata Concealment", func() {
 | 
			
		||||
		job, err := jobutil.CreateJob(f.ClientSet, f.Namespace.Name, job)
 | 
			
		||||
		framework.ExpectNoError(err, "failed to create job (%s:%s)", f.Namespace.Name, job.Name)
 | 
			
		||||
 | 
			
		||||
		By("Ensuring job reaches completions")
 | 
			
		||||
		ginkgo.By("Ensuring job reaches completions")
 | 
			
		||||
		err = jobutil.WaitForJobComplete(f.ClientSet, f.Namespace.Name, job.Name, int32(1))
 | 
			
		||||
		framework.ExpectNoError(err, "failed to ensure job completion (%s:%s)", f.Namespace.Name, job.Name)
 | 
			
		||||
	})
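Review bot: `job, err := jobutil.CreateJob(f.ClientSet, f.Namespace.Name, job)` overwrites `job` with the call's result, and the following `framework.ExpectNoError(err, "failed to create job (%s:%s)", f.Namespace.Name, job.Name)` then reads `job.Name` from that result. On failure the name is at best empty and, if `CreateJob` can return a nil job together with the error (not visible here), evaluating the argument panics before the real error is reported. Capture the name from the spec first, e.g. `jobName := job.Name` before the call, and use `jobName` in the failure message.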
 | 
			
		||||
 
 | 
			
		||||
@@ -25,8 +25,8 @@ import (
 | 
			
		||||
	"k8s.io/kubernetes/test/e2e/framework"
 | 
			
		||||
	imageutils "k8s.io/kubernetes/test/utils/image"
 | 
			
		||||
 | 
			
		||||
	. "github.com/onsi/ginkgo"
 | 
			
		||||
	. "github.com/onsi/gomega"
 | 
			
		||||
	"github.com/onsi/ginkgo"
 | 
			
		||||
	"github.com/onsi/gomega"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
var _ = SIGDescribe("[Feature:NodeAuthenticator]", func() {
 | 
			
		||||
@@ -34,12 +34,12 @@ var _ = SIGDescribe("[Feature:NodeAuthenticator]", func() {
 | 
			
		||||
	f := framework.NewDefaultFramework("node-authn")
 | 
			
		||||
	var ns string
 | 
			
		||||
	var nodeIPs []string
 | 
			
		||||
	BeforeEach(func() {
 | 
			
		||||
	ginkgo.BeforeEach(func() {
 | 
			
		||||
		ns = f.Namespace.Name
 | 
			
		||||
 | 
			
		||||
		nodeList, err := f.ClientSet.CoreV1().Nodes().List(metav1.ListOptions{})
 | 
			
		||||
		framework.ExpectNoError(err, "failed to list nodes in namespace: %s", ns)
 | 
			
		||||
		Expect(len(nodeList.Items)).NotTo(BeZero())
 | 
			
		||||
		gomega.Expect(len(nodeList.Items)).NotTo(gomega.BeZero())
 | 
			
		||||
 | 
			
		||||
		pickedNode := nodeList.Items[0]
 | 
			
		||||
		nodeIPs = framework.GetNodeAddresses(&pickedNode, v1.NodeExternalIP)
 | 
			
		||||
@@ -50,20 +50,20 @@ var _ = SIGDescribe("[Feature:NodeAuthenticator]", func() {
 | 
			
		||||
		saName := "default"
 | 
			
		||||
		sa, err := f.ClientSet.CoreV1().ServiceAccounts(ns).Get(saName, metav1.GetOptions{})
 | 
			
		||||
		framework.ExpectNoError(err, "failed to retrieve service account (%s:%s)", ns, saName)
 | 
			
		||||
		Expect(len(sa.Secrets)).NotTo(BeZero())
 | 
			
		||||
		gomega.Expect(len(sa.Secrets)).NotTo(gomega.BeZero())
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("The kubelet's main port 10250 should reject requests with no credentials", func() {
 | 
			
		||||
	ginkgo.It("The kubelet's main port 10250 should reject requests with no credentials", func() {
 | 
			
		||||
		pod := createNodeAuthTestPod(f)
 | 
			
		||||
		for _, nodeIP := range nodeIPs {
 | 
			
		||||
			// Anonymous authentication is disabled by default
 | 
			
		||||
			result := framework.RunHostCmdOrDie(ns, pod.Name, fmt.Sprintf("curl -sIk -o /dev/null -w '%s' https://%s:%v/metrics", "%{http_code}", nodeIP, ports.KubeletPort))
 | 
			
		||||
			Expect(result).To(Or(Equal("401"), Equal("403")), "the kubelet's main port 10250 should reject requests with no credentials")
 | 
			
		||||
			gomega.Expect(result).To(gomega.Or(gomega.Equal("401"), gomega.Equal("403")), "the kubelet's main port 10250 should reject requests with no credentials")
 | 
			
		||||
		}
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("The kubelet can delegate ServiceAccount tokens to the API server", func() {
 | 
			
		||||
		By("create a new ServiceAccount for authentication")
 | 
			
		||||
	ginkgo.It("The kubelet can delegate ServiceAccount tokens to the API server", func() {
 | 
			
		||||
		ginkgo.By("create a new ServiceAccount for authentication")
 | 
			
		||||
		trueValue := true
 | 
			
		||||
		newSA := &v1.ServiceAccount{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
@@ -84,7 +84,7 @@ var _ = SIGDescribe("[Feature:NodeAuthenticator]", func() {
 | 
			
		||||
					"%{http_code}",
 | 
			
		||||
					"cat /var/run/secrets/kubernetes.io/serviceaccount/token",
 | 
			
		||||
					nodeIP, ports.KubeletPort))
 | 
			
		||||
			Expect(result).To(Or(Equal("401"), Equal("403")), "the kubelet can delegate ServiceAccount tokens to the API server")
 | 
			
		||||
			gomega.Expect(result).To(gomega.Or(gomega.Equal("401"), gomega.Equal("403")), "the kubelet can delegate ServiceAccount tokens to the API server")
 | 
			
		||||
		}
 | 
			
		||||
	})
 | 
			
		||||
})
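Review bot: Both kubelet checks iterate `for _, nodeIP := range nodeIPs`, and nothing in the visible `BeforeEach` lines asserts that `nodeIPs` is non-empty, so with an empty list the two `ginkgo.It` bodies would pass without sending a single request to port 10250. The lines between the two `BeforeEach` hunks are not shown, so this may already be handled there; if it is not, add `gomega.Expect(nodeIPs).NotTo(gomega.BeEmpty(), "no node addresses to probe")` at the end of `BeforeEach`. Separately, the message `"failed to list nodes in namespace: %s"` is misleading, because the `Nodes().List` call takes no namespace.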
 | 
			
		||||
 
 | 
			
		||||
@@ -30,13 +30,13 @@ import (
 | 
			
		||||
	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
 | 
			
		||||
	imageutils "k8s.io/kubernetes/test/utils/image"
 | 
			
		||||
 | 
			
		||||
	. "github.com/onsi/ginkgo"
 | 
			
		||||
	. "github.com/onsi/gomega"
 | 
			
		||||
	"github.com/onsi/ginkgo"
 | 
			
		||||
	"github.com/onsi/gomega"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
const (
 | 
			
		||||
	NodesGroup     = "system:nodes"
 | 
			
		||||
	NodeNamePrefix = "system:node:"
 | 
			
		||||
	nodesGroup     = "system:nodes"
 | 
			
		||||
	nodeNamePrefix = "system:node:"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
 | 
			
		||||
@@ -48,47 +48,47 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
 | 
			
		||||
	var asUser string
 | 
			
		||||
	var defaultSaSecret string
 | 
			
		||||
	var nodeName string
 | 
			
		||||
	BeforeEach(func() {
 | 
			
		||||
	ginkgo.BeforeEach(func() {
 | 
			
		||||
		ns = f.Namespace.Name
 | 
			
		||||
 | 
			
		||||
		nodeList, err := f.ClientSet.CoreV1().Nodes().List(metav1.ListOptions{})
 | 
			
		||||
		framework.ExpectNoError(err, "failed to list nodes in namespace: %s", ns)
 | 
			
		||||
		Expect(len(nodeList.Items)).NotTo(Equal(0))
 | 
			
		||||
		gomega.Expect(len(nodeList.Items)).NotTo(gomega.Equal(0))
 | 
			
		||||
		nodeName = nodeList.Items[0].Name
 | 
			
		||||
		asUser = NodeNamePrefix + nodeName
 | 
			
		||||
		asUser = nodeNamePrefix + nodeName
 | 
			
		||||
		saName := "default"
 | 
			
		||||
		sa, err := f.ClientSet.CoreV1().ServiceAccounts(ns).Get(saName, metav1.GetOptions{})
 | 
			
		||||
		Expect(len(sa.Secrets)).NotTo(Equal(0))
 | 
			
		||||
		gomega.Expect(len(sa.Secrets)).NotTo(gomega.Equal(0))
 | 
			
		||||
		framework.ExpectNoError(err, "failed to retrieve service account (%s:%s)", ns, saName)
 | 
			
		||||
		defaultSaSecret = sa.Secrets[0].Name
 | 
			
		||||
		By("Creating a kubernetes client that impersonates a node")
 | 
			
		||||
		ginkgo.By("Creating a kubernetes client that impersonates a node")
 | 
			
		||||
		config, err := framework.LoadConfig()
 | 
			
		||||
		framework.ExpectNoError(err, "failed to load kubernetes client config")
 | 
			
		||||
		config.Impersonate = restclient.ImpersonationConfig{
 | 
			
		||||
			UserName: asUser,
 | 
			
		||||
			Groups:   []string{NodesGroup},
 | 
			
		||||
			Groups:   []string{nodesGroup},
 | 
			
		||||
		}
 | 
			
		||||
		c, err = clientset.NewForConfig(config)
 | 
			
		||||
		framework.ExpectNoError(err, "failed to create Clientset for the given config: %+v", *config)
 | 
			
		||||
 | 
			
		||||
	})
 | 
			
		||||
	It("Getting a non-existent secret should exit with the Forbidden error, not a NotFound error", func() {
 | 
			
		||||
	ginkgo.It("Getting a non-existent secret should exit with the Forbidden error, not a NotFound error", func() {
 | 
			
		||||
		_, err := c.CoreV1().Secrets(ns).Get("foo", metav1.GetOptions{})
 | 
			
		||||
		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
 | 
			
		||||
		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("Getting an existing secret should exit with the Forbidden error", func() {
 | 
			
		||||
	ginkgo.It("Getting an existing secret should exit with the Forbidden error", func() {
 | 
			
		||||
		_, err := c.CoreV1().Secrets(ns).Get(defaultSaSecret, metav1.GetOptions{})
 | 
			
		||||
		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
 | 
			
		||||
		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("Getting a non-existent configmap should exit with the Forbidden error, not a NotFound error", func() {
 | 
			
		||||
	ginkgo.It("Getting a non-existent configmap should exit with the Forbidden error, not a NotFound error", func() {
 | 
			
		||||
		_, err := c.CoreV1().ConfigMaps(ns).Get("foo", metav1.GetOptions{})
 | 
			
		||||
		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
 | 
			
		||||
		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("Getting an existing configmap should exit with the Forbidden error", func() {
 | 
			
		||||
		By("Create a configmap for testing")
 | 
			
		||||
	ginkgo.It("Getting an existing configmap should exit with the Forbidden error", func() {
 | 
			
		||||
		ginkgo.By("Create a configmap for testing")
 | 
			
		||||
		configmap := &v1.ConfigMap{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
				Namespace: ns,
 | 
			
		||||
@@ -101,11 +101,11 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
 | 
			
		||||
		_, err := f.ClientSet.CoreV1().ConfigMaps(ns).Create(configmap)
 | 
			
		||||
		framework.ExpectNoError(err, "failed to create configmap (%s:%s) %+v", ns, configmap.Name, *configmap)
 | 
			
		||||
		_, err = c.CoreV1().ConfigMaps(ns).Get(configmap.Name, metav1.GetOptions{})
 | 
			
		||||
		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
 | 
			
		||||
		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("Getting a secret for a workload the node has access to should succeed", func() {
 | 
			
		||||
		By("Create a secret for testing")
 | 
			
		||||
	ginkgo.It("Getting a secret for a workload the node has access to should succeed", func() {
 | 
			
		||||
		ginkgo.By("Create a secret for testing")
 | 
			
		||||
		secret := &v1.Secret{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
				Namespace: ns,
 | 
			
		||||
@@ -118,11 +118,11 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
 | 
			
		||||
		_, err := f.ClientSet.CoreV1().Secrets(ns).Create(secret)
 | 
			
		||||
		framework.ExpectNoError(err, "failed to create secret (%s:%s)", ns, secret.Name)
 | 
			
		||||
 | 
			
		||||
		By("Node should not get the secret")
 | 
			
		||||
		ginkgo.By("Node should not get the secret")
 | 
			
		||||
		_, err = c.CoreV1().Secrets(ns).Get(secret.Name, metav1.GetOptions{})
 | 
			
		||||
		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
 | 
			
		||||
		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
 | 
			
		||||
 | 
			
		||||
		By("Create a pod that use the secret")
 | 
			
		||||
		ginkgo.By("Create a pod that use the secret")
 | 
			
		||||
		pod := &v1.Pod{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
				Name: "pause",
 | 
			
		||||
@@ -151,7 +151,7 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
 | 
			
		||||
		_, err = f.ClientSet.CoreV1().Pods(ns).Create(pod)
 | 
			
		||||
		framework.ExpectNoError(err, "failed to create pod (%s:%s)", ns, pod.Name)
 | 
			
		||||
 | 
			
		||||
		By("The node should able to access the secret")
 | 
			
		||||
		ginkgo.By("The node should able to access the secret")
 | 
			
		||||
		itv := framework.Poll
 | 
			
		||||
		dur := 1 * time.Minute
 | 
			
		||||
		err = wait.Poll(itv, dur, func() (bool, error) {
 | 
			
		||||
@@ -165,7 +165,7 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
 | 
			
		||||
		framework.ExpectNoError(err, "failed to get secret after trying every %v for %v (%s:%s)", itv, dur, ns, secret.Name)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("A node shouldn't be able to create another node", func() {
 | 
			
		||||
	ginkgo.It("A node shouldn't be able to create another node", func() {
 | 
			
		||||
		node := &v1.Node{
 | 
			
		||||
			ObjectMeta: metav1.ObjectMeta{Name: "foo"},
 | 
			
		||||
			TypeMeta: metav1.TypeMeta{
 | 
			
		||||
@@ -173,14 +173,14 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
 | 
			
		||||
				APIVersion: "v1",
 | 
			
		||||
			},
 | 
			
		||||
		}
 | 
			
		||||
		By(fmt.Sprintf("Create node foo by user: %v", asUser))
 | 
			
		||||
		ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
 | 
			
		||||
		_, err := c.CoreV1().Nodes().Create(node)
 | 
			
		||||
		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
 | 
			
		||||
		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("A node shouldn't be able to delete another node", func() {
 | 
			
		||||
		By(fmt.Sprintf("Create node foo by user: %v", asUser))
 | 
			
		||||
	ginkgo.It("A node shouldn't be able to delete another node", func() {
 | 
			
		||||
		ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
 | 
			
		||||
		err := c.CoreV1().Nodes().Delete("foo", &metav1.DeleteOptions{})
 | 
			
		||||
		Expect(apierrors.IsForbidden(err)).Should(Equal(true))
 | 
			
		||||
		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
 | 
			
		||||
	})
 | 
			
		||||
})
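Review bot: In `BeforeEach`, `gomega.Expect(len(sa.Secrets)).NotTo(gomega.Equal(0))` runs before `framework.ExpectNoError(err, "failed to retrieve service account (%s:%s)", ns, saName)`, so a failed `Get` is reported as an empty secret list (or dereferences a nil `sa`, depending on what the client returns) instead of the real error; swap the two lines. In the same block, `framework.ExpectNoError(err, "failed to create Clientset for the given config: %+v", *config)` formats the whole client config into the failure message. That struct can carry credential fields such as a bearer token or client key data, and as written they would likely end up in CI logs on failure. Drop the `%+v` argument or report only `config.Host`.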
 | 
			
		||||
 
 | 
			
		||||
@@ -37,8 +37,8 @@ import (
 | 
			
		||||
	imageutils "k8s.io/kubernetes/test/utils/image"
 | 
			
		||||
	utilpointer "k8s.io/utils/pointer"
 | 
			
		||||
 | 
			
		||||
	. "github.com/onsi/ginkgo"
 | 
			
		||||
	. "github.com/onsi/gomega"
 | 
			
		||||
	"github.com/onsi/ginkgo"
 | 
			
		||||
	"github.com/onsi/gomega"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
const nobodyUser = int64(65534)
 | 
			
		||||
@@ -51,7 +51,7 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 | 
			
		||||
	// with reduced privileges.
 | 
			
		||||
	var c clientset.Interface
 | 
			
		||||
	var ns string // Test namespace, for convenience
 | 
			
		||||
	BeforeEach(func() {
 | 
			
		||||
	ginkgo.BeforeEach(func() {
 | 
			
		||||
		if !framework.IsPodSecurityPolicyEnabled(f) {
 | 
			
		||||
			framework.Skipf("PodSecurityPolicy not enabled")
 | 
			
		||||
		}
 | 
			
		||||
@@ -60,7 +60,7 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 | 
			
		||||
		}
 | 
			
		||||
		ns = f.Namespace.Name
 | 
			
		||||
 | 
			
		||||
		By("Creating a kubernetes client that impersonates the default service account")
 | 
			
		||||
		ginkgo.By("Creating a kubernetes client that impersonates the default service account")
 | 
			
		||||
		config, err := framework.LoadConfig()
 | 
			
		||||
		framework.ExpectNoError(err)
 | 
			
		||||
		config.Impersonate = restclient.ImpersonationConfig{
 | 
			
		||||
@@ -70,24 +70,24 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 | 
			
		||||
		c, err = clientset.NewForConfig(config)
 | 
			
		||||
		framework.ExpectNoError(err)
 | 
			
		||||
 | 
			
		||||
		By("Binding the edit role to the default SA")
 | 
			
		||||
		ginkgo.By("Binding the edit role to the default SA")
 | 
			
		||||
		err = auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns,
 | 
			
		||||
			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"})
 | 
			
		||||
		framework.ExpectNoError(err)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should forbid pod creation when no PSP is available", func() {
 | 
			
		||||
		By("Running a restricted pod")
 | 
			
		||||
	ginkgo.It("should forbid pod creation when no PSP is available", func() {
 | 
			
		||||
		ginkgo.By("Running a restricted pod")
 | 
			
		||||
		_, err := c.CoreV1().Pods(ns).Create(restrictedPod("restricted"))
 | 
			
		||||
		expectForbidden(err)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should enforce the restricted policy.PodSecurityPolicy", func() {
 | 
			
		||||
		By("Creating & Binding a restricted policy for the test service account")
 | 
			
		||||
	ginkgo.It("should enforce the restricted policy.PodSecurityPolicy", func() {
 | 
			
		||||
		ginkgo.By("Creating & Binding a restricted policy for the test service account")
 | 
			
		||||
		_, cleanup := createAndBindPSP(f, restrictedPSP("restrictive"))
 | 
			
		||||
		defer cleanup()
 | 
			
		||||
 | 
			
		||||
		By("Running a restricted pod")
 | 
			
		||||
		ginkgo.By("Running a restricted pod")
 | 
			
		||||
		pod, err := c.CoreV1().Pods(ns).Create(restrictedPod("allowed"))
 | 
			
		||||
		framework.ExpectNoError(err)
 | 
			
		||||
		framework.ExpectNoError(framework.WaitForPodNameRunningInNamespace(c, pod.Name, pod.Namespace))
 | 
			
		||||
@@ -98,8 +98,8 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 | 
			
		||||
		})
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	It("should allow pods under the privileged policy.PodSecurityPolicy", func() {
 | 
			
		||||
		By("Creating & Binding a privileged policy for the test service account")
 | 
			
		||||
	ginkgo.It("should allow pods under the privileged policy.PodSecurityPolicy", func() {
 | 
			
		||||
		ginkgo.By("Creating & Binding a privileged policy for the test service account")
 | 
			
		||||
		// Ensure that the permissive policy is used even in the presence of the restricted policy.
 | 
			
		||||
		_, cleanup := createAndBindPSP(f, restrictedPSP("restrictive"))
 | 
			
		||||
		defer cleanup()
 | 
			
		||||
@@ -115,26 +115,26 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 | 
			
		||||
			p, err = c.CoreV1().Pods(ns).Get(p.Name, metav1.GetOptions{})
 | 
			
		||||
			framework.ExpectNoError(err)
 | 
			
		||||
			validated, found := p.Annotations[psputil.ValidatedPSPAnnotation]
 | 
			
		||||
			Expect(found).To(BeTrue(), "PSP annotation not found")
 | 
			
		||||
			Expect(validated).To(Equal(expectedPSP.Name), "Unexpected validated PSP")
 | 
			
		||||
			gomega.Expect(found).To(gomega.BeTrue(), "PSP annotation not found")
 | 
			
		||||
			gomega.Expect(validated).To(gomega.Equal(expectedPSP.Name), "Unexpected validated PSP")
 | 
			
		||||
		})
 | 
			
		||||
	})
 | 
			
		||||
})
 | 
			
		||||
 | 
			
		||||
func expectForbidden(err error) {
 | 
			
		||||
	Expect(err).To(HaveOccurred(), "should be forbidden")
 | 
			
		||||
	Expect(apierrs.IsForbidden(err)).To(BeTrue(), "should be forbidden error")
 | 
			
		||||
	gomega.Expect(err).To(gomega.HaveOccurred(), "should be forbidden")
 | 
			
		||||
	gomega.Expect(apierrs.IsForbidden(err)).To(gomega.BeTrue(), "should be forbidden error")
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
func testPrivilegedPods(tester func(pod *v1.Pod)) {
 | 
			
		||||
	By("Running a privileged pod", func() {
 | 
			
		||||
	ginkgo.By("Running a privileged pod", func() {
 | 
			
		||||
		privileged := restrictedPod("privileged")
 | 
			
		||||
		privileged.Spec.Containers[0].SecurityContext.Privileged = boolPtr(true)
 | 
			
		||||
		privileged.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
 | 
			
		||||
		tester(privileged)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	By("Running a HostPath pod", func() {
 | 
			
		||||
	ginkgo.By("Running a HostPath pod", func() {
 | 
			
		||||
		hostpath := restrictedPod("hostpath")
 | 
			
		||||
		hostpath.Spec.Containers[0].VolumeMounts = []v1.VolumeMount{{
 | 
			
		||||
			Name:      "hp",
 | 
			
		||||
@@ -149,26 +149,26 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
 | 
			
		||||
		tester(hostpath)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	By("Running a HostNetwork pod", func() {
 | 
			
		||||
	ginkgo.By("Running a HostNetwork pod", func() {
 | 
			
		||||
		hostnet := restrictedPod("hostnet")
 | 
			
		||||
		hostnet.Spec.HostNetwork = true
 | 
			
		||||
		tester(hostnet)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	By("Running a HostPID pod", func() {
 | 
			
		||||
	ginkgo.By("Running a HostPID pod", func() {
 | 
			
		||||
		hostpid := restrictedPod("hostpid")
 | 
			
		||||
		hostpid.Spec.HostPID = true
 | 
			
		||||
		tester(hostpid)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	By("Running a HostIPC pod", func() {
 | 
			
		||||
	ginkgo.By("Running a HostIPC pod", func() {
 | 
			
		||||
		hostipc := restrictedPod("hostipc")
 | 
			
		||||
		hostipc.Spec.HostIPC = true
 | 
			
		||||
		tester(hostipc)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	if common.IsAppArmorSupported() {
 | 
			
		||||
		By("Running a custom AppArmor profile pod", func() {
 | 
			
		||||
		ginkgo.By("Running a custom AppArmor profile pod", func() {
 | 
			
		||||
			aa := restrictedPod("apparmor")
 | 
			
		||||
			// Every node is expected to have the docker-default profile.
 | 
			
		||||
			aa.Annotations[apparmor.ContainerAnnotationKeyPrefix+"pause"] = "localhost/docker-default"
 | 
			
		||||
@@ -176,13 +176,13 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
 | 
			
		||||
		})
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	By("Running an unconfined Seccomp pod", func() {
 | 
			
		||||
	ginkgo.By("Running an unconfined Seccomp pod", func() {
 | 
			
		||||
		unconfined := restrictedPod("seccomp")
 | 
			
		||||
		unconfined.Annotations[v1.SeccompPodAnnotationKey] = "unconfined"
 | 
			
		||||
		tester(unconfined)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	By("Running a SYS_ADMIN pod", func() {
 | 
			
		||||
	ginkgo.By("Running a SYS_ADMIN pod", func() {
 | 
			
		||||
		sysadmin := restrictedPod("sysadmin")
 | 
			
		||||
		sysadmin.Spec.Containers[0].SecurityContext.Capabilities = &v1.Capabilities{
 | 
			
		||||
			Add: []v1.Capability{"SYS_ADMIN"},
 | 
			
		||||
@@ -191,14 +191,14 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
 | 
			
		||||
		tester(sysadmin)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	By("Running a RunAsGroup pod", func() {
 | 
			
		||||
	ginkgo.By("Running a RunAsGroup pod", func() {
 | 
			
		||||
		sysadmin := restrictedPod("runasgroup")
 | 
			
		||||
		gid := int64(0)
 | 
			
		||||
		sysadmin.Spec.Containers[0].SecurityContext.RunAsGroup = &gid
 | 
			
		||||
		tester(sysadmin)
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	By("Running a RunAsUser pod", func() {
 | 
			
		||||
	ginkgo.By("Running a RunAsUser pod", func() {
 | 
			
		||||
		sysadmin := restrictedPod("runasuser")
 | 
			
		||||
		uid := int64(0)
 | 
			
		||||
		sysadmin.Spec.Containers[0].SecurityContext.RunAsUser = &uid
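Review bot: In `testPrivilegedPods`, the "RunAsGroup" and "RunAsUser" closures still name their pod `sysadmin` (`sysadmin := restrictedPod("runasgroup")`, `sysadmin := restrictedPod("runasuser")`), apparently copied from the SYS_ADMIN case above. The other cases name the variable after what they test (`hostnet`, `hostpid`, `hostipc`). Rename them, e.g. `runAsGroup := restrictedPod("runasgroup")` and `runAsUser := restrictedPod("runasuser")`, so a reader of these privilege-escalation cases is not misled about which setting is under test. The function body continues past the end of this hunk.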
 | 
			
		||||
 
 | 
			
		||||
@@ -33,8 +33,8 @@ import (
 | 
			
		||||
	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
 | 
			
		||||
	imageutils "k8s.io/kubernetes/test/utils/image"
 | 
			
		||||
 | 
			
		||||
	. "github.com/onsi/ginkgo"
 | 
			
		||||
	. "github.com/onsi/gomega"
 | 
			
		||||
	"github.com/onsi/ginkgo"
 | 
			
		||||
	"github.com/onsi/gomega"
 | 
			
		||||
)
 | 
			
		||||
 | 
			
		||||
var mountImage = imageutils.GetE2EImage(imageutils.Mounttest)
 | 
			
		||||
@@ -42,11 +42,11 @@ var mountImage = imageutils.GetE2EImage(imageutils.Mounttest)
 | 
			
		||||
var _ = SIGDescribe("ServiceAccounts", func() {
 | 
			
		||||
	f := framework.NewDefaultFramework("svcaccounts")
 | 
			
		||||
 | 
			
		||||
	It("should ensure a single API token exists", func() {
 | 
			
		||||
	ginkgo.It("should ensure a single API token exists", func() {
 | 
			
		||||
		// wait for the service account to reference a single secret
 | 
			
		||||
		var secrets []v1.ObjectReference
 | 
			
		||||
		framework.ExpectNoError(wait.Poll(time.Millisecond*500, time.Second*10, func() (bool, error) {
 | 
			
		||||
			By("waiting for a single token reference")
 | 
			
		||||
			ginkgo.By("waiting for a single token reference")
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
 | 
			
		||||
			if apierrors.IsNotFound(err) {
 | 
			
		||||
				e2elog.Logf("default service account was not found")
 | 
			
		||||
@@ -71,20 +71,20 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 | 
			
		||||
 | 
			
		||||
		// make sure the reference doesn't flutter
 | 
			
		||||
		{
 | 
			
		||||
			By("ensuring the single token reference persists")
 | 
			
		||||
			ginkgo.By("ensuring the single token reference persists")
 | 
			
		||||
			time.Sleep(2 * time.Second)
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
 | 
			
		||||
			framework.ExpectNoError(err)
 | 
			
		||||
			Expect(sa.Secrets).To(Equal(secrets))
 | 
			
		||||
			gomega.Expect(sa.Secrets).To(gomega.Equal(secrets))
 | 
			
		||||
		}
 | 
			
		||||
 | 
			
		||||
		// delete the referenced secret
 | 
			
		||||
		By("deleting the service account token")
 | 
			
		||||
		ginkgo.By("deleting the service account token")
 | 
			
		||||
		framework.ExpectNoError(f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(secrets[0].Name, nil))
 | 
			
		||||
 | 
			
		||||
		// wait for the referenced secret to be removed, and another one autocreated
 | 
			
		||||
		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
 | 
			
		||||
			By("waiting for a new token reference")
 | 
			
		||||
			ginkgo.By("waiting for a new token reference")
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
 | 
			
		||||
			if err != nil {
 | 
			
		||||
				e2elog.Logf("error getting default service account: %v", err)
 | 
			
		||||
@@ -109,15 +109,15 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 | 
			
		||||
 | 
			
		||||
		// make sure the reference doesn't flutter
 | 
			
		||||
		{
 | 
			
		||||
			By("ensuring the single token reference persists")
 | 
			
		||||
			ginkgo.By("ensuring the single token reference persists")
 | 
			
		||||
			time.Sleep(2 * time.Second)
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
 | 
			
		||||
			framework.ExpectNoError(err)
 | 
			
		||||
			Expect(sa.Secrets).To(Equal(secrets))
 | 
			
		||||
			gomega.Expect(sa.Secrets).To(gomega.Equal(secrets))
 | 
			
		||||
		}
 | 
			
		||||
 | 
			
		||||
		// delete the reference from the service account
 | 
			
		||||
		By("deleting the reference to the service account token")
 | 
			
		||||
		ginkgo.By("deleting the reference to the service account token")
 | 
			
		||||
		{
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
 | 
			
		||||
			framework.ExpectNoError(err)
 | 
			
		||||
@@ -128,7 +128,7 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 | 
			
		||||
 | 
			
		||||
		// wait for another one to be autocreated
 | 
			
		||||
		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
 | 
			
		||||
			By("waiting for a new token to be created and added")
 | 
			
		||||
			ginkgo.By("waiting for a new token to be created and added")
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
 | 
			
		||||
			if err != nil {
 | 
			
		||||
				e2elog.Logf("error getting default service account: %v", err)
 | 
			
		||||
@@ -149,11 +149,11 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 | 
			
		||||
 | 
			
		||||
		// make sure the reference doesn't flutter
 | 
			
		||||
		{
 | 
			
		||||
			By("ensuring the single token reference persists")
 | 
			
		||||
			ginkgo.By("ensuring the single token reference persists")
 | 
			
		||||
			time.Sleep(2 * time.Second)
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get("default", metav1.GetOptions{})
 | 
			
		||||
			framework.ExpectNoError(err)
 | 
			
		||||
			Expect(sa.Secrets).To(Equal(secrets))
 | 
			
		||||
			gomega.Expect(sa.Secrets).To(gomega.Equal(secrets))
 | 
			
		||||
		}
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
@@ -174,7 +174,7 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 | 
			
		||||
 | 
			
		||||
		// Standard get, update retry loop
 | 
			
		||||
		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
 | 
			
		||||
			By("getting the auto-created API token")
 | 
			
		||||
			ginkgo.By("getting the auto-created API token")
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get("mount-test", metav1.GetOptions{})
 | 
			
		||||
			if apierrors.IsNotFound(err) {
 | 
			
		||||
				e2elog.Logf("mount-test service account was not found")
 | 
			
		||||
@@ -231,19 +231,19 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 | 
			
		||||
		framework.ExpectNoError(err)
 | 
			
		||||
 | 
			
		||||
		// CA and namespace should be identical
 | 
			
		||||
		Expect(mountedCA).To(Equal(rootCAContent))
 | 
			
		||||
		Expect(mountedNamespace).To(Equal(f.Namespace.Name))
 | 
			
		||||
		gomega.Expect(mountedCA).To(gomega.Equal(rootCAContent))
 | 
			
		||||
		gomega.Expect(mountedNamespace).To(gomega.Equal(f.Namespace.Name))
 | 
			
		||||
		// Token should be a valid credential that identifies the pod's service account
 | 
			
		||||
		tokenReview := &authenticationv1.TokenReview{Spec: authenticationv1.TokenReviewSpec{Token: mountedToken}}
 | 
			
		||||
		tokenReview, err = f.ClientSet.AuthenticationV1().TokenReviews().Create(tokenReview)
 | 
			
		||||
		framework.ExpectNoError(err)
 | 
			
		||||
		Expect(tokenReview.Status.Authenticated).To(Equal(true))
 | 
			
		||||
		Expect(tokenReview.Status.Error).To(Equal(""))
 | 
			
		||||
		Expect(tokenReview.Status.User.Username).To(Equal("system:serviceaccount:" + f.Namespace.Name + ":" + sa.Name))
 | 
			
		||||
		gomega.Expect(tokenReview.Status.Authenticated).To(gomega.Equal(true))
 | 
			
		||||
		gomega.Expect(tokenReview.Status.Error).To(gomega.Equal(""))
 | 
			
		||||
		gomega.Expect(tokenReview.Status.User.Username).To(gomega.Equal("system:serviceaccount:" + f.Namespace.Name + ":" + sa.Name))
 | 
			
		||||
		groups := sets.NewString(tokenReview.Status.User.Groups...)
 | 
			
		||||
		Expect(groups.Has("system:authenticated")).To(Equal(true), fmt.Sprintf("expected system:authenticated group, had %v", groups.List()))
 | 
			
		||||
		Expect(groups.Has("system:serviceaccounts")).To(Equal(true), fmt.Sprintf("expected system:serviceaccounts group, had %v", groups.List()))
 | 
			
		||||
		Expect(groups.Has("system:serviceaccounts:"+f.Namespace.Name)).To(Equal(true), fmt.Sprintf("expected system:serviceaccounts:"+f.Namespace.Name+" group, had %v", groups.List()))
 | 
			
		||||
		gomega.Expect(groups.Has("system:authenticated")).To(gomega.Equal(true), fmt.Sprintf("expected system:authenticated group, had %v", groups.List()))
 | 
			
		||||
		gomega.Expect(groups.Has("system:serviceaccounts")).To(gomega.Equal(true), fmt.Sprintf("expected system:serviceaccounts group, had %v", groups.List()))
 | 
			
		||||
		gomega.Expect(groups.Has("system:serviceaccounts:"+f.Namespace.Name)).To(gomega.Equal(true), fmt.Sprintf("expected system:serviceaccounts:"+f.Namespace.Name+" group, had %v", groups.List()))
 | 
			
		||||
	})
 | 
			
		||||
 | 
			
		||||
	/*
 | 
			
		||||
@@ -285,7 +285,7 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 | 
			
		||||
 | 
			
		||||
		// Standard get, update retry loop
 | 
			
		||||
		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
 | 
			
		||||
			By("getting the auto-created API token")
 | 
			
		||||
			ginkgo.By("getting the auto-created API token")
 | 
			
		||||
			sa, err := f.ClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Get(mountSA.Name, metav1.GetOptions{})
 | 
			
		||||
			if apierrors.IsNotFound(err) {
 | 
			
		||||
				e2elog.Logf("mount service account was not found")
 | 
			
		||||
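Review bot: In the hunk at `-231,19 +231,19`, the three group-membership assertions build their failure text with `fmt.Sprintf`, and the last one concatenates `f.Namespace.Name` into the format string. That makes the format non-constant, and the message is rendered even when the check passes. gomega's `To` accepts an optional format string and arguments after the matcher, so the last line can read `gomega.Expect(groups.Has("system:serviceaccounts:"+f.Namespace.Name)).To(gomega.BeTrue(), "expected system:serviceaccounts:%s group, had %v", f.Namespace.Name, groups.List())`. The same form fits the two assertions above it, and `gomega.BeTrue()` states the intent of `gomega.Expect(tokenReview.Status.Authenticated).To(gomega.Equal(true))` more directly. The enclosing test body starts and ends outside this hunk, so this covers only the assertions visible here.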
 
 | 
			
		||||