Refactor of e2e/framework/authorizer_util.go

- moves these helper functions into e2e/framework/auth - removes logging from helper functions - in some cases explicitly returns errors that were implicitly ignored/logged. In the situations where they should be ignored, we explicitly check that the condition is met before ignoring it. - fixes references of these methods to use the right package and return values
2025-07-22 11:21:47 +00:00 · 2019-04-09 11:52:36 -05:00 · 2019-04-09 11:52:36 -05:00 · 028df0451d
commit 028df0451d
parent 18b4e1b84c
18 changed files with 156 additions and 54 deletions
--- a/test/e2e/BUILD
+++ b/test/e2e/BUILD
@ -64,6 +64,7 @@ go_library(
        "//staging/src/k8s.io/component-base/logs:go_default_library",
        "//test/e2e/common:go_default_library",
        "//test/e2e/framework:go_default_library",
+        "//test/e2e/framework/auth:go_default_library",
        "//test/e2e/framework/ginkgowrapper:go_default_library",
        "//test/e2e/framework/metrics:go_default_library",
        "//test/e2e/framework/providers/aws:go_default_library",
--- a/test/e2e/auth/BUILD
+++ b/test/e2e/auth/BUILD
@ -53,6 +53,7 @@ go_library(
        "//staging/src/k8s.io/client-go/util/cert:go_default_library",
        "//test/e2e/common:go_default_library",
        "//test/e2e/framework:go_default_library",
+        "//test/e2e/framework/auth:go_default_library",
        "//test/e2e/framework/job:go_default_library",
        "//test/utils:go_default_library",
        "//test/utils/image:go_default_library",
--- a/test/e2e/auth/audit.go
+++ b/test/e2e/auth/audit.go
@ -31,14 +31,15 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
-	"k8s.io/apiserver/pkg/apis/audit/v1"
+	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/framework/auth"
 	"k8s.io/kubernetes/test/utils"
 	imageutils "k8s.io/kubernetes/test/utils/image"

-	"github.com/evanphx/json-patch"
+	jsonpatch "github.com/evanphx/json-patch"
 	. "github.com/onsi/ginkgo"
 )

@ -652,7 +653,7 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {

 	// test authorizer annotations, RBAC is required.
 	It("should audit API calls to get a pod with unauthorized user.", func() {
-		if !framework.IsRBACEnabled(f) {
+		if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 			framework.Skipf("RBAC not enabled.")
 		}

@ -735,7 +736,7 @@ func expectEvents(f *framework.Framework, expectedEvents []utils.AuditEvent) {
 			return false, err
 		}
 		defer stream.Close()
-		missingReport, err := utils.CheckAuditLines(stream, expectedEvents, v1.SchemeGroupVersion)
+		missingReport, err := utils.CheckAuditLines(stream, expectedEvents, auditv1.SchemeGroupVersion)
 		if err != nil {
 			framework.Logf("Failed to observe audit events: %v", err)
 		} else if len(missingReport.MissingEvents) > 0 {
--- a/test/e2e/auth/audit_dynamic.go
+++ b/test/e2e/auth/audit_dynamic.go
@ -35,6 +35,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/framework/auth"
 	"k8s.io/kubernetes/test/utils"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 )
@ -346,7 +347,7 @@ var _ = SIGDescribe("[Feature:DynamicAudit]", func() {
 			},
 		}

-		if framework.IsRBACEnabled(f) {
+		if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 			testCases = append(testCases, annotationTestCases...)
 		}
 		expectedEvents := []utils.AuditEvent{}
--- a/test/e2e/auth/pod_security_policy.go
+++ b/test/e2e/auth/pod_security_policy.go
@ -19,7 +19,7 @@ package auth
 import (
 	"fmt"

-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	policy "k8s.io/api/policy/v1beta1"
 	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
@ -33,6 +33,7 @@ import (
 	psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 	"k8s.io/kubernetes/test/e2e/common"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/framework/auth"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 	utilpointer "k8s.io/utils/pointer"

@ -54,7 +55,7 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 		if !framework.IsPodSecurityPolicyEnabled(f) {
 			framework.Skipf("PodSecurityPolicy not enabled")
 		}
-		if !framework.IsRBACEnabled(f) {
+		if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 			framework.Skipf("RBAC not enabled")
 		}
 		ns = f.Namespace.Name
@ -70,8 +71,9 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 		framework.ExpectNoError(err)

 		By("Binding the edit role to the default SA")
-		framework.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns,
+		err = auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns,
 			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"})
+		framework.ExpectNoError(err)
 	})

 	It("should forbid pod creation when no PSP is available", func() {
@ -202,7 +204,6 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
 		sysadmin.Spec.Containers[0].SecurityContext.RunAsUser = &uid
 		tester(sysadmin)
 	})
-
 }

 // createAndBindPSP creates a PSP in the policy API group.
@ -231,12 +232,14 @@ func createAndBindPSP(f *framework.Framework, pspTemplate *policy.PodSecurityPol
 	framework.ExpectNoError(err, "Failed to create PSP role")

 	// Bind the role to the namespace.
-	framework.BindRoleInNamespace(f.ClientSet.RbacV1beta1(), name, ns, rbacv1beta1.Subject{
+	err = auth.BindRoleInNamespace(f.ClientSet.RbacV1beta1(), name, ns, rbacv1beta1.Subject{
 		Kind:      rbacv1beta1.ServiceAccountKind,
 		Namespace: ns,
 		Name:      "default",
 	})
-	framework.ExpectNoError(framework.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
+	framework.ExpectNoError(err)
+
+	framework.ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 		serviceaccount.MakeUsername(ns, "default"), ns, "use", name,
 		schema.GroupResource{Group: "policy", Resource: "podsecuritypolicies"}, true))

--- a/test/e2e/examples.go
+++ b/test/e2e/examples.go
@ -30,6 +30,7 @@ import (
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	commonutils "k8s.io/kubernetes/test/e2e/common"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/framework/auth"
 	"k8s.io/kubernetes/test/e2e/framework/testfiles"

 	. "github.com/onsi/ginkgo"
@ -51,10 +52,11 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() {

 		// this test wants powerful permissions.  Since the namespace names are unique, we can leave this
 		// lying around so we don't have to race any caches
-		framework.BindClusterRoleInNamespace(c.RbacV1beta1(), "edit", f.Namespace.Name,
+		err := auth.BindClusterRoleInNamespace(c.RbacV1beta1(), "edit", f.Namespace.Name,
 			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
+		framework.ExpectNoError(err)

-		err := framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
+		err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
 			serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 			f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true)
 		framework.ExpectNoError(err)
--- a/test/e2e/framework/BUILD
+++ b/test/e2e/framework/BUILD
@ -5,7 +5,6 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")
 go_library(
    name = "go_default_library",
    srcs = [
-        "authorizer_util.go",
        "cleanup.go",
        "create.go",
        "deployment_util.go",
@ -68,7 +67,6 @@ go_library(
        "//pkg/volume/util:go_default_library",
        "//staging/src/k8s.io/api/apps/v1:go_default_library",
        "//staging/src/k8s.io/api/apps/v1beta2:go_default_library",
-        "//staging/src/k8s.io/api/authorization/v1beta1:go_default_library",
        "//staging/src/k8s.io/api/batch/v1:go_default_library",
        "//staging/src/k8s.io/api/core/v1:go_default_library",
        "//staging/src/k8s.io/api/extensions/v1beta1:go_default_library",
@ -103,9 +101,7 @@ go_library(
        "//staging/src/k8s.io/client-go/dynamic:go_default_library",
        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
        "//staging/src/k8s.io/client-go/kubernetes/scheme:go_default_library",
-        "//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library",
        "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
-        "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1beta1:go_default_library",
        "//staging/src/k8s.io/client-go/rest:go_default_library",
        "//staging/src/k8s.io/client-go/restmapper:go_default_library",
        "//staging/src/k8s.io/client-go/scale:go_default_library",
@ -116,6 +112,7 @@ go_library(
        "//staging/src/k8s.io/client-go/tools/watch:go_default_library",
        "//staging/src/k8s.io/client-go/util/retry:go_default_library",
        "//staging/src/k8s.io/component-base/cli/flag:go_default_library",
+        "//test/e2e/framework/auth:go_default_library",
        "//test/e2e/framework/ginkgowrapper:go_default_library",
        "//test/e2e/framework/metrics:go_default_library",
        "//test/e2e/framework/testfiles:go_default_library",
@ -148,6 +145,7 @@ filegroup(
    name = "all-srcs",
    srcs = [
        ":package-srcs",
+        "//test/e2e/framework/auth:all-srcs",
        "//test/e2e/framework/config:all-srcs",
        "//test/e2e/framework/ginkgowrapper:all-srcs",
        "//test/e2e/framework/gpu:all-srcs",
--- a/test/e2e/framework/auth/BUILD
+++ b/test/e2e/framework/auth/BUILD
@ -0,0 +1,34 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["helpers.go"],
+    importpath = "k8s.io/kubernetes/test/e2e/framework/auth",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//staging/src/k8s.io/api/authorization/v1beta1:go_default_library",
+        "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library",
+        "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1beta1:go_default_library",
+        "//vendor/github.com/onsi/ginkgo:go_default_library",
+        "//vendor/github.com/pkg/errors:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/test/e2e/framework/authorizer_util.go
+++ b/test/e2e/framework/authorizer_util.go
@ -14,13 +14,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package framework
+package auth

 import (
-	"k8s.io/klog"
+	"fmt"
 	"sync"
 	"time"

+	"github.com/onsi/ginkgo"
+	"github.com/pkg/errors"
 	authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
 	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@ -36,6 +38,12 @@ const (
 	policyCachePollTimeout  = 5 * time.Second
 )

+type bindingsGetter interface {
+	v1beta1rbac.RoleBindingsGetter
+	v1beta1rbac.ClusterRoleBindingsGetter
+	v1beta1rbac.ClusterRolesGetter
+}
+
 // WaitForAuthorizationUpdate checks if the given user can perform the named verb and action.
 // If policyCachePollTimeout is reached without the expected condition matching, an error is returned
 func WaitForAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviewsGetter, user, namespace, verb string, resource schema.GroupResource, allowed bool) error {
@ -57,12 +65,15 @@ func WaitForNamedAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviews
 			User: user,
 		},
 	}
+
 	err := wait.Poll(policyCachePollInterval, policyCachePollTimeout, func() (bool, error) {
 		response, err := c.SubjectAccessReviews().Create(review)
 		// GKE doesn't enable the SAR endpoint.  Without this endpoint, we cannot determine if the policy engine
 		// has adjusted as expected.  In this case, simply wait one second and hope it's up to date
+		// TODO: Should have a check for the provider here but that introduces too tight of
+		// coupling with the `framework` package. See: https://github.com/kubernetes/kubernetes/issues/76726
 		if apierrors.IsNotFound(err) {
-			klog.Info("SubjectAccessReview endpoint is missing")
+			logf("SubjectAccessReview endpoint is missing")
 			time.Sleep(1 * time.Second)
 			return true, nil
 		}
@ -77,8 +88,13 @@ func WaitForNamedAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviews
 	return err
 }

-// BindClusterRole binds the cluster role at the cluster scope
-func BindClusterRole(c v1beta1rbac.ClusterRoleBindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) {
+// BindClusterRole binds the cluster role at the cluster scope. If RBAC is not enabled, nil
+// is returned with no action.
+func BindClusterRole(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) error {
+	if !IsRBACEnabled(c) {
+		return nil
+	}
+
 	// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
 	_, err := c.ClusterRoleBindings().Create(&rbacv1beta1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
@ -92,23 +108,30 @@ func BindClusterRole(c v1beta1rbac.ClusterRoleBindingsGetter, clusterRole, ns st
 		Subjects: subjects,
 	})

-	// if we failed, don't fail the entire test because it may still work. RBAC may simply be disabled.
 	if err != nil {
-		klog.Errorf("Error binding clusterrole/%s for %q for %v\n", clusterRole, ns, subjects)
+		return errors.Wrapf(err, "binding clusterrole/%s for %q for %v", clusterRole, ns, subjects)
 	}
+
+	return nil
 }

-// BindClusterRoleInNamespace binds the cluster role at the namespace scope
-func BindClusterRoleInNamespace(c v1beta1rbac.RoleBindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) {
-	bindInNamespace(c, "ClusterRole", clusterRole, ns, subjects...)
+// BindClusterRoleInNamespace binds the cluster role at the namespace scope. If RBAC is not enabled, nil
+// is returned with no action.
+func BindClusterRoleInNamespace(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) error {
+	return bindInNamespace(c, "ClusterRole", clusterRole, ns, subjects...)
 }

-// BindRoleInNamespace binds the role at the namespace scope
-func BindRoleInNamespace(c v1beta1rbac.RoleBindingsGetter, role, ns string, subjects ...rbacv1beta1.Subject) {
-	bindInNamespace(c, "Role", role, ns, subjects...)
+// BindRoleInNamespace binds the role at the namespace scope. If RBAC is not enabled, nil
+// is returned with no action.
+func BindRoleInNamespace(c bindingsGetter, role, ns string, subjects ...rbacv1beta1.Subject) error {
+	return bindInNamespace(c, "Role", role, ns, subjects...)
 }

-func bindInNamespace(c v1beta1rbac.RoleBindingsGetter, roleType, role, ns string, subjects ...rbacv1beta1.Subject) {
+func bindInNamespace(c bindingsGetter, roleType, role, ns string, subjects ...rbacv1beta1.Subject) error {
+	if !IsRBACEnabled(c) {
+		return nil
+	}
+
 	// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
 	_, err := c.RoleBindings(ns).Create(&rbacv1beta1.RoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
@ -122,10 +145,11 @@ func bindInNamespace(c v1beta1rbac.RoleBindingsGetter, roleType, role, ns string
 		Subjects: subjects,
 	})

-	// if we failed, don't fail the entire test because it may still work. RBAC may simply be disabled.
 	if err != nil {
-		klog.Errorf("Error binding %s/%s into %q for %v\n", roleType, role, ns, subjects)
+		return errors.Wrapf(err, "binding %s/%s into %q for %v", roleType, role, ns, subjects)
 	}
+
+	return nil
 }

 var (
@ -134,19 +158,41 @@ var (
 )

 // IsRBACEnabled returns true if RBAC is enabled. Otherwise false.
-func IsRBACEnabled(f *Framework) bool {
+func IsRBACEnabled(crGetter v1beta1rbac.ClusterRolesGetter) bool {
 	isRBACEnabledOnce.Do(func() {
-		crs, err := f.ClientSet.RbacV1().ClusterRoles().List(metav1.ListOptions{})
+		crs, err := crGetter.ClusterRoles().List(metav1.ListOptions{})
 		if err != nil {
-			Logf("Error listing ClusterRoles; assuming RBAC is disabled: %v", err)
+			logf("Error listing ClusterRoles; assuming RBAC is disabled: %v", err)
 			isRBACEnabled = false
 		} else if crs == nil || len(crs.Items) == 0 {
-			Logf("No ClusterRoles found; assuming RBAC is disabled.")
+			logf("No ClusterRoles found; assuming RBAC is disabled.")
 			isRBACEnabled = false
 		} else {
-			Logf("Found ClusterRoles; assuming RBAC is enabled.")
+			logf("Found ClusterRoles; assuming RBAC is enabled.")
 			isRBACEnabled = true
 		}
 	})
+
 	return isRBACEnabled
 }
+
+// logf logs INFO lines to the GinkgoWriter.
+// TODO: Log functions like these should be put into their own package,
+// see: https://github.com/kubernetes/kubernetes/issues/76728
+func logf(format string, args ...interface{}) {
+	log("INFO", format, args...)
+}
+
+// log prints formatted log messages to the global GinkgoWriter.
+// TODO: Log functions like these should be put into their own package,
+// see: https://github.com/kubernetes/kubernetes/issues/76728
+func log(level string, format string, args ...interface{}) {
+	fmt.Fprintf(ginkgo.GinkgoWriter, nowStamp()+": "+level+": "+format+"\n", args...)
+}
+
+// nowStamp returns the current time formatted for placement in the logs (time.StampMilli).
+// TODO: If only used for logging, this should be put into a logging package,
+// see: https://github.com/kubernetes/kubernetes/issues/76728
+func nowStamp() string {
+	return time.Now().Format(time.StampMilli)
+}
--- a/test/e2e/framework/psp_util.go
+++ b/test/e2e/framework/psp_util.go
@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
+	"k8s.io/kubernetes/test/e2e/framework/auth"

 	"github.com/onsi/ginkgo"
 )
@ -118,7 +119,7 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
 			ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)
 		}

-		if IsRBACEnabled(f) {
+		if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 			// Create the Role to bind it to the namespace.
 			_, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
 				ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
@ -135,10 +136,10 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
 		}
 	})

-	if IsRBACEnabled(f) {
+	if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 		ginkgo.By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
 			podSecurityPolicyPrivileged, namespace))
-		BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
+		err := auth.BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
 			podSecurityPolicyPrivileged,
 			namespace,
 			rbacv1beta1.Subject{
@ -146,7 +147,8 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
 				Namespace: namespace,
 				Name:      "default",
 			})
-		ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
+		ExpectNoError(err)
+		ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 			serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
 			schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
 	}
--- a/test/e2e/kubectl/BUILD
+++ b/test/e2e/kubectl/BUILD
@ -31,6 +31,7 @@ go_library(
        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
        "//test/e2e/common:go_default_library",
        "//test/e2e/framework:go_default_library",
+        "//test/e2e/framework/auth:go_default_library",
        "//test/e2e/framework/job:go_default_library",
        "//test/e2e/framework/testfiles:go_default_library",
        "//test/e2e/scheduling:go_default_library",
--- a/test/e2e/kubectl/kubectl.go
+++ b/test/e2e/kubectl/kubectl.go
@ -42,7 +42,7 @@ import (
 	"github.com/elazarl/goproxy"
 	"sigs.k8s.io/yaml"

-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
@ -58,6 +58,7 @@ import (
 	"k8s.io/kubernetes/pkg/controller"
 	commonutils "k8s.io/kubernetes/test/e2e/common"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/framework/auth"
 	jobutil "k8s.io/kubernetes/test/e2e/framework/job"
 	"k8s.io/kubernetes/test/e2e/framework/testfiles"
 	"k8s.io/kubernetes/test/e2e/scheduling"
@ -606,10 +607,11 @@ var _ = SIGDescribe("Kubectl client", func() {
 		ginkgo.It("should handle in-cluster config", func() {
 			ginkgo.By("adding rbac permissions")
 			// grant the view permission widely to allow inspection of the `invalid` namespace and the default namespace
-			framework.BindClusterRole(f.ClientSet.RbacV1beta1(), "view", f.Namespace.Name,
+			err := auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "view", f.Namespace.Name,
 				rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
+			framework.ExpectNoError(err)

-			err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
+			err = auth.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 				serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 				f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true)
 			framework.ExpectNoError(err)
--- a/test/e2e/network/BUILD
+++ b/test/e2e/network/BUILD
@ -58,6 +58,7 @@ go_library(
        "//staging/src/k8s.io/client-go/util/workqueue:go_default_library",
        "//staging/src/k8s.io/cloud-provider:go_default_library",
        "//test/e2e/framework:go_default_library",
+        "//test/e2e/framework/auth:go_default_library",
        "//test/e2e/framework/ingress:go_default_library",
        "//test/e2e/framework/providers/gce:go_default_library",
        "//test/e2e/network/scale:go_default_library",
--- a/test/e2e/network/ingress.go
+++ b/test/e2e/network/ingress.go
@ -26,7 +26,7 @@ import (

 	compute "google.golang.org/api/compute/v1"

-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -35,6 +35,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/framework/auth"
 	"k8s.io/kubernetes/test/e2e/framework/ingress"
 	"k8s.io/kubernetes/test/e2e/framework/providers/gce"

@ -62,10 +63,11 @@ var _ = SIGDescribe("Loadbalancing: L7", func() {

 		// this test wants powerful permissions.  Since the namespace names are unique, we can leave this
 		// lying around so we don't have to race any caches
-		framework.BindClusterRole(jig.Client.RbacV1beta1(), "cluster-admin", f.Namespace.Name,
+		err := auth.BindClusterRole(jig.Client.RbacV1beta1(), "cluster-admin", f.Namespace.Name,
 			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
+		framework.ExpectNoError(err)

-		err := framework.WaitForAuthorizationUpdate(jig.Client.AuthorizationV1beta1(),
+		err = auth.WaitForAuthorizationUpdate(jig.Client.AuthorizationV1beta1(),
 			serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 			"", "create", schema.GroupResource{Resource: "pods"}, true)
 		framework.ExpectNoError(err)
--- a/test/e2e/storage/BUILD
+++ b/test/e2e/storage/BUILD
@ -66,6 +66,7 @@ go_library(
        "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
        "//staging/src/k8s.io/cloud-provider/volume/helpers:go_default_library",
        "//test/e2e/framework:go_default_library",
+        "//test/e2e/framework/auth:go_default_library",
        "//test/e2e/framework/metrics:go_default_library",
        "//test/e2e/framework/providers/gce:go_default_library",
        "//test/e2e/framework/testfiles:go_default_library",
--- a/test/e2e/storage/drivers/BUILD
+++ b/test/e2e/storage/drivers/BUILD
@ -22,6 +22,7 @@ go_library(
        "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
        "//test/e2e/framework:go_default_library",
+        "//test/e2e/framework/auth:go_default_library",
        "//test/e2e/framework/volume:go_default_library",
        "//test/e2e/storage/testpatterns:go_default_library",
        "//test/e2e/storage/testsuites:go_default_library",
--- a/test/e2e/storage/drivers/in_tree.go
+++ b/test/e2e/storage/drivers/in_tree.go
@ -54,6 +54,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/framework/auth"
 	"k8s.io/kubernetes/test/e2e/framework/volume"
 	"k8s.io/kubernetes/test/e2e/storage/testpatterns"
 	"k8s.io/kubernetes/test/e2e/storage/testsuites"
@ -153,10 +154,11 @@ func (n *nfsDriver) PrepareTest(f *framework.Framework) (*testsuites.PerTestConf

 	// TODO(mkimuram): cluster-admin gives too much right but system:persistent-volume-provisioner
 	// is not enough. We should create new clusterrole for testing.
-	framework.BindClusterRole(cs.RbacV1beta1(), "cluster-admin", ns.Name,
+	err := auth.BindClusterRole(cs.RbacV1beta1(), "cluster-admin", ns.Name,
 		rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns.Name, Name: "default"})
+	framework.ExpectNoError(err)

-	err := framework.WaitForAuthorizationUpdate(cs.AuthorizationV1beta1(),
+	err = auth.WaitForAuthorizationUpdate(cs.AuthorizationV1beta1(),
 		serviceaccount.MakeUsername(ns.Name, "default"),
 		"", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
 	framework.ExpectNoError(err, "Failed to update authorization: %v", err)
--- a/test/e2e/storage/volume_provisioning.go
+++ b/test/e2e/storage/volume_provisioning.go
@ -46,6 +46,7 @@ import (
 	volumehelpers "k8s.io/cloud-provider/volume/helpers"
 	storageutil "k8s.io/kubernetes/pkg/apis/storage/v1/util"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/framework/auth"
 	"k8s.io/kubernetes/test/e2e/framework/providers/gce"
 	"k8s.io/kubernetes/test/e2e/storage/testsuites"
 	"k8s.io/kubernetes/test/e2e/storage/utils"
@ -710,10 +711,11 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 				Name:      serviceAccountName,
 			}

-			framework.BindClusterRole(c.RbacV1beta1(), "system:persistent-volume-provisioner", ns, subject)
+			err := auth.BindClusterRole(c.RbacV1beta1(), "system:persistent-volume-provisioner", ns, subject)
+			framework.ExpectNoError(err)

 			roleName := "leader-locking-nfs-provisioner"
-			_, err := f.ClientSet.RbacV1beta1().Roles(ns).Create(&rbacv1beta1.Role{
+			_, err = f.ClientSet.RbacV1beta1().Roles(ns).Create(&rbacv1beta1.Role{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: roleName,
 				},
@ -725,9 +727,10 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 			})
 			framework.ExpectNoError(err, "Failed to create leader-locking role")

-			framework.BindRoleInNamespace(c.RbacV1beta1(), roleName, ns, subject)
+			err = auth.BindRoleInNamespace(c.RbacV1beta1(), roleName, ns, subject)
+			framework.ExpectNoError(err)

-			err = framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
+			err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
 				serviceaccount.MakeUsername(ns, serviceAccountName),
 				"", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
 			framework.ExpectNoError(err, "Failed to update authorization")