diff --git a/test/e2e/BUILD b/test/e2e/BUILD
index 3c088ebad05..73b6ad0d065 100644
--- a/test/e2e/BUILD
+++ b/test/e2e/BUILD
@@ -64,6 +64,7 @@ go_library(
 "//staging/src/k8s.io/component-base/logs:go_default_library",
 "//test/e2e/common:go_default_library",
 "//test/e2e/framework:go_default_library",
+ "//test/e2e/framework/auth:go_default_library",
 "//test/e2e/framework/ginkgowrapper:go_default_library",
 "//test/e2e/framework/metrics:go_default_library",
 "//test/e2e/framework/providers/aws:go_default_library",
diff --git a/test/e2e/auth/BUILD b/test/e2e/auth/BUILD
index 30ae4a39ebf..0354f9ae46e 100644
--- a/test/e2e/auth/BUILD
+++ b/test/e2e/auth/BUILD
@@ -53,6 +53,7 @@ go_library(
 "//staging/src/k8s.io/client-go/util/cert:go_default_library",
 "//test/e2e/common:go_default_library",
 "//test/e2e/framework:go_default_library",
+ "//test/e2e/framework/auth:go_default_library",
 "//test/e2e/framework/job:go_default_library",
 "//test/utils:go_default_library",
 "//test/utils/image:go_default_library",
diff --git a/test/e2e/auth/audit.go b/test/e2e/auth/audit.go
index a263ebf7b37..d7fece8c28e 100644
--- a/test/e2e/auth/audit.go
+++ b/test/e2e/auth/audit.go
@@ -31,14 +31,15 @@ import (
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/wait"
 auditinternal "k8s.io/apiserver/pkg/apis/audit"
- "k8s.io/apiserver/pkg/apis/audit/v1"
+ auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
 clientset "k8s.io/client-go/kubernetes"
 restclient "k8s.io/client-go/rest"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 "k8s.io/kubernetes/test/utils"
 imageutils "k8s.io/kubernetes/test/utils/image"
- "github.com/evanphx/json-patch"
+ jsonpatch "github.com/evanphx/json-patch"
 . "github.com/onsi/ginkgo"
 )
@@ -652,7 +653,7 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() {
 // test authorizer annotations, RBAC is required.
 It("should audit API calls to get a pod with unauthorized user.", func() {
- if !framework.IsRBACEnabled(f) {
+ if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 framework.Skipf("RBAC not enabled.")
 }
@@ -735,7 +736,7 @@ func expectEvents(f *framework.Framework, expectedEvents []utils.AuditEvent) {
 return false, err
 }
 defer stream.Close()
- missingReport, err := utils.CheckAuditLines(stream, expectedEvents, v1.SchemeGroupVersion)
+ missingReport, err := utils.CheckAuditLines(stream, expectedEvents, auditv1.SchemeGroupVersion)
 if err != nil {
 framework.Logf("Failed to observe audit events: %v", err)
 } else if len(missingReport.MissingEvents) > 0 {
diff --git a/test/e2e/auth/audit_dynamic.go b/test/e2e/auth/audit_dynamic.go
index e3145fe8c99..db311c43dd6 100644
--- a/test/e2e/auth/audit_dynamic.go
+++ b/test/e2e/auth/audit_dynamic.go
@@ -35,6 +35,7 @@ import (
 clientset "k8s.io/client-go/kubernetes"
 restclient "k8s.io/client-go/rest"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 "k8s.io/kubernetes/test/utils"
 imageutils "k8s.io/kubernetes/test/utils/image"
 )
@@ -346,7 +347,7 @@ var _ = SIGDescribe("[Feature:DynamicAudit]", func() {
 },
 }
- if framework.IsRBACEnabled(f) {
+ if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 testCases = append(testCases, annotationTestCases...)
 }
 expectedEvents := []utils.AuditEvent{}
diff --git a/test/e2e/auth/pod_security_policy.go b/test/e2e/auth/pod_security_policy.go
index 0423e2bad3a..d47cd846fcf 100644
--- a/test/e2e/auth/pod_security_policy.go
+++ b/test/e2e/auth/pod_security_policy.go
@@ -19,7 +19,7 @@ package auth
 import (
 "fmt"
- "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
 policy "k8s.io/api/policy/v1beta1"
 rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 apierrs "k8s.io/apimachinery/pkg/api/errors"
@@ -33,6 +33,7 @@ import (
 psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"
 "k8s.io/kubernetes/test/e2e/common"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 imageutils "k8s.io/kubernetes/test/utils/image"
 utilpointer "k8s.io/utils/pointer"
@@ -54,7 +55,7 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 if !framework.IsPodSecurityPolicyEnabled(f) {
 framework.Skipf("PodSecurityPolicy not enabled")
 }
- if !framework.IsRBACEnabled(f) {
+ if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 framework.Skipf("RBAC not enabled")
 }
 ns = f.Namespace.Name
@@ -70,8 +71,9 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
 framework.ExpectNoError(err)
 By("Binding the edit role to the default SA")
- framework.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns,
+ err = auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns,
 rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"})
+ framework.ExpectNoError(err)
 })
 It("should forbid pod creation when no PSP is available", func() {
@@ -202,7 +204,6 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
 sysadmin.Spec.Containers[0].SecurityContext.RunAsUser = &uid
 tester(sysadmin)
 })
-
 }
 // createAndBindPSP creates a PSP in the policy API group.
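Review bot: `auth.BindClusterRole` creates a ClusterRoleBinding (its doc in this same diff says "at the cluster scope"), so the new `err = auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns, ...)` grants `edit` to `ns/default` in every namespace, while the `By("Binding the edit role to the default SA")` text and the `ns` argument read as a namespace-scoped grant. Unless a later step of this BeforeEach (outside the hunk) needs cross-namespace access, `err = auth.BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(), "edit", ns, ...)` gives the test the same rights inside its own namespace through a RoleBinding that disappears with the namespace instead of a cluster-scoped object that does not. The BeforeEach body starts before this hunk.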
@@ -231,12 +232,14 @@ func createAndBindPSP(f *framework.Framework, pspTemplate *policy.PodSecurityPol
 framework.ExpectNoError(err, "Failed to create PSP role")
 // Bind the role to the namespace.
- framework.BindRoleInNamespace(f.ClientSet.RbacV1beta1(), name, ns, rbacv1beta1.Subject{
+ err = auth.BindRoleInNamespace(f.ClientSet.RbacV1beta1(), name, ns, rbacv1beta1.Subject{
 Kind: rbacv1beta1.ServiceAccountKind,
 Namespace: ns,
 Name: "default",
 })
- framework.ExpectNoError(framework.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
+ framework.ExpectNoError(err)
+
+ framework.ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 serviceaccount.MakeUsername(ns, "default"), ns, "use", name,
 schema.GroupResource{Group: "policy", Resource: "podsecuritypolicies"}, true))
diff --git a/test/e2e/examples.go b/test/e2e/examples.go
index ec50cc4288f..950691b4dbe 100644
--- a/test/e2e/examples.go
+++ b/test/e2e/examples.go
@@ -30,6 +30,7 @@ import (
 podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 commonutils "k8s.io/kubernetes/test/e2e/common"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 "k8s.io/kubernetes/test/e2e/framework/testfiles"
 . "github.com/onsi/ginkgo"
@@ -51,10 +52,11 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() {
 // this test wants powerful permissions. Since the namespace names are unique, we can leave this
 // lying around so we don't have to race any caches
- framework.BindClusterRoleInNamespace(c.RbacV1beta1(), "edit", f.Namespace.Name,
+ err := auth.BindClusterRoleInNamespace(c.RbacV1beta1(), "edit", f.Namespace.Name,
 rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
+ framework.ExpectNoError(err)
- err := framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
+ err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
 serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true)
 framework.ExpectNoError(err)
diff --git a/test/e2e/framework/BUILD b/test/e2e/framework/BUILD
index 84e11ce9ada..c142c1420b7 100644
--- a/test/e2e/framework/BUILD
+++ b/test/e2e/framework/BUILD
@@ -5,7 +5,6 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")
 go_library(
 name = "go_default_library",
 srcs = [
- "authorizer_util.go",
 "cleanup.go",
 "create.go",
 "deployment_util.go",
@@ -68,7 +67,6 @@ go_library(
 "//pkg/volume/util:go_default_library",
 "//staging/src/k8s.io/api/apps/v1:go_default_library",
 "//staging/src/k8s.io/api/apps/v1beta2:go_default_library",
- "//staging/src/k8s.io/api/authorization/v1beta1:go_default_library",
 "//staging/src/k8s.io/api/batch/v1:go_default_library",
 "//staging/src/k8s.io/api/core/v1:go_default_library",
 "//staging/src/k8s.io/api/extensions/v1beta1:go_default_library",
@@ -103,9 +101,7 @@ go_library(
 "//staging/src/k8s.io/client-go/dynamic:go_default_library",
 "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
 "//staging/src/k8s.io/client-go/kubernetes/scheme:go_default_library",
- "//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library",
 "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
- "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1beta1:go_default_library",
 "//staging/src/k8s.io/client-go/rest:go_default_library",
 "//staging/src/k8s.io/client-go/restmapper:go_default_library",
 "//staging/src/k8s.io/client-go/scale:go_default_library",
@@ -116,6 +112,7 @@ go_library(
 "//staging/src/k8s.io/client-go/tools/watch:go_default_library",
 "//staging/src/k8s.io/client-go/util/retry:go_default_library",
 "//staging/src/k8s.io/component-base/cli/flag:go_default_library",
+ "//test/e2e/framework/auth:go_default_library",
 "//test/e2e/framework/ginkgowrapper:go_default_library",
 "//test/e2e/framework/metrics:go_default_library",
 "//test/e2e/framework/testfiles:go_default_library",
@@ -148,6 +145,7 @@ filegroup(
 name = "all-srcs",
 srcs = [
 ":package-srcs",
+ "//test/e2e/framework/auth:all-srcs",
 "//test/e2e/framework/config:all-srcs",
 "//test/e2e/framework/ginkgowrapper:all-srcs",
 "//test/e2e/framework/gpu:all-srcs",
diff --git a/test/e2e/framework/auth/BUILD b/test/e2e/framework/auth/BUILD
new file mode 100644
index 00000000000..f459c20f3eb
--- /dev/null
+++ b/test/e2e/framework/auth/BUILD
@@ -0,0 +1,34 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "go_default_library",
+ srcs = ["helpers.go"],
+ importpath = "k8s.io/kubernetes/test/e2e/framework/auth",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//staging/src/k8s.io/api/authorization/v1beta1:go_default_library",
+ "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+ "//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library",
+ "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1beta1:go_default_library",
+ "//vendor/github.com/onsi/ginkgo:go_default_library",
+ "//vendor/github.com/pkg/errors:go_default_library",
+ ],
+)
+
+filegroup(
+ name = "package-srcs",
+ srcs = glob(["**"]),
+ tags = ["automanaged"],
+ visibility = ["//visibility:private"],
+)
+
+filegroup(
+ name = "all-srcs",
+ srcs = [":package-srcs"],
+ tags = ["automanaged"],
+ visibility = ["//visibility:public"],
+)
diff --git a/test/e2e/framework/authorizer_util.go b/test/e2e/framework/auth/helpers.go
similarity index 59%
rename from test/e2e/framework/authorizer_util.go
rename to test/e2e/framework/auth/helpers.go
index 0bc7b678e21..5b3c9ac8d29 100644
--- a/test/e2e/framework/authorizer_util.go
+++ b/test/e2e/framework/auth/helpers.go
@@ -14,13 +14,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package framework
+package auth
 import (
- "k8s.io/klog"
+ "fmt"
 "sync"
 "time"
+ "github.com/onsi/ginkgo"
+ "github.com/pkg/errors"
 authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
 rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -36,6 +38,12 @@ const (
 policyCachePollTimeout = 5 * time.Second
 )
+type bindingsGetter interface {
+ v1beta1rbac.RoleBindingsGetter
+ v1beta1rbac.ClusterRoleBindingsGetter
+ v1beta1rbac.ClusterRolesGetter
+}
+
 // WaitForAuthorizationUpdate checks if the given user can perform the named verb and action.
 // If policyCachePollTimeout is reached without the expected condition matching, an error is returned
 func WaitForAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviewsGetter, user, namespace, verb string, resource schema.GroupResource, allowed bool) error {
@@ -57,12 +65,15 @@ func WaitForNamedAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviews
 User: user,
 },
 }
+
 err := wait.Poll(policyCachePollInterval, policyCachePollTimeout, func() (bool, error) {
 response, err := c.SubjectAccessReviews().Create(review)
 // GKE doesn't enable the SAR endpoint. Without this endpoint, we cannot determine if the policy engine
 // has adjusted as expected. In this case, simply wait one second and hope it's up to date
+ // TODO: Should have a check for the provider here but that introduces too tight of
+ // coupling with the `framework` package. See: https://github.com/kubernetes/kubernetes/issues/76726
 if apierrors.IsNotFound(err) {
- klog.Info("SubjectAccessReview endpoint is missing")
+ logf("SubjectAccessReview endpoint is missing")
 time.Sleep(1 * time.Second)
 return true, nil
 }
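Review bot: `bindingsGetter` is unexported yet becomes the parameter type of the exported `BindClusterRole`, `BindClusterRoleInNamespace` and `BindRoleInNamespace` (next hunks), so code in other packages can pass a typed client but cannot name the type for its own wrappers or fakes, and godoc shows an opaque requirement. Either export it (`type BindingsGetter interface { ... }`) or say in each function's doc comment that a `RbacV1beta1()` client satisfies it. The union also demands `ClusterRolesGetter` only so the helpers can call `IsRBACEnabled`; a one-line comment on that embed, `// ClusterRolesGetter is needed only for the IsRBACEnabled probe.`, would stop readers wondering which binding helper lists ClusterRoles.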
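Review bot: The added TODO records the provider-coupling concern but not the caveat that matters to callers: on a NotFound from the SAR endpoint this closure returns `true, nil`, so `WaitForNamedAuthorizationUpdate` reports that authorization has converged after a one-second sleep without having checked `allowed` at all, and a test that waits for `allowed == false` (e.g. a deny check) is told "done" on such a cluster. Suggest stating that where the decision is made, `// NOTE: without the SAR endpoint this returns success unverified; callers must not read it as proof that access is allowed or denied.`, and emitting the skip at a level that stands out rather than the plain INFO `logf`. The polling closure and the function continue past the end of the hunk.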
@@ -77,8 +88,13 @@ func WaitForNamedAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviews
 return err
 }
-// BindClusterRole binds the cluster role at the cluster scope
-func BindClusterRole(c v1beta1rbac.ClusterRoleBindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) {
+// BindClusterRole binds the cluster role at the cluster scope. If RBAC is not enabled, nil
+// is returned with no action.
+func BindClusterRole(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) error {
+ if !IsRBACEnabled(c) {
+ return nil
+ }
+
 // Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
 _, err := c.ClusterRoleBindings().Create(&rbacv1beta1.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{
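Review bot: The new early return in `BindClusterRole` is silent, so whenever `IsRBACEnabled` reports false — including when it has latched a one-off `List` failure, see the `isRBACEnabledOnce` hunk below — the binding is skipped, nil is returned, and the caller's `ExpectNoError` cannot distinguish "bound" from "skipped". Make the skip visible in the run output before the return: `logf("RBAC not enabled; skipping binding of clusterrole/%s for %q", clusterRole, ns)`. The ClusterRoleBinding created just below is cluster-scoped and is not deleted with the test namespace, so the grant to the subjects (the namespace's `default` service account in every visible caller) outlives the namespace; the doc comment should say so explicitly rather than only "leave this lying around". The function's error check and return are in the next hunk.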
@@ -92,23 +108,30 @@ func BindClusterRole(c v1beta1rbac.ClusterRoleBindingsGetter, clusterRole, ns st
 Subjects: subjects,
 })
- // if we failed, don't fail the entire test because it may still work. RBAC may simply be disabled.
 if err != nil {
- klog.Errorf("Error binding clusterrole/%s for %q for %v\n", clusterRole, ns, subjects)
+ return errors.Wrapf(err, "binding clusterrole/%s for %q for %v", clusterRole, ns, subjects)
 }
+
+ return nil
 }
-// BindClusterRoleInNamespace binds the cluster role at the namespace scope
-func BindClusterRoleInNamespace(c v1beta1rbac.RoleBindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) {
- bindInNamespace(c, "ClusterRole", clusterRole, ns, subjects...)
+// BindClusterRoleInNamespace binds the cluster role at the namespace scope. If RBAC is not enabled, nil
+// is returned with no action.
+func BindClusterRoleInNamespace(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) error {
+ return bindInNamespace(c, "ClusterRole", clusterRole, ns, subjects...)
 }
-// BindRoleInNamespace binds the role at the namespace scope
-func BindRoleInNamespace(c v1beta1rbac.RoleBindingsGetter, role, ns string, subjects ...rbacv1beta1.Subject) {
- bindInNamespace(c, "Role", role, ns, subjects...)
+// BindRoleInNamespace binds the role at the namespace scope. If RBAC is not enabled, nil
+// is returned with no action.
+func BindRoleInNamespace(c bindingsGetter, role, ns string, subjects ...rbacv1beta1.Subject) error {
+ return bindInNamespace(c, "Role", role, ns, subjects...)
}
-func bindInNamespace(c v1beta1rbac.RoleBindingsGetter, roleType, role, ns string, subjects ...rbacv1beta1.Subject) {
+func bindInNamespace(c bindingsGetter, roleType, role, ns string, subjects ...rbacv1beta1.Subject) error {
+ if !IsRBACEnabled(c) {
+ return nil
+ }
+
 // Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
 _, err := c.RoleBindings(ns).Create(&rbacv1beta1.RoleBinding{
 ObjectMeta: metav1.ObjectMeta{
@@ -122,10 +145,11 @@ func bindInNamespace(c v1beta1rbac.RoleBindingsGetter, roleType, role, ns string
 Subjects: subjects,
 })
- // if we failed, don't fail the entire test because it may still work. RBAC may simply be disabled.
 if err != nil {
- klog.Errorf("Error binding %s/%s into %q for %v\n", roleType, role, ns, subjects)
+ return errors.Wrapf(err, "binding %s/%s into %q for %v", roleType, role, ns, subjects)
 }
+
+ return nil
 }
 var (
@@ -134,19 +158,41 @@ var (
 )
 // IsRBACEnabled returns true if RBAC is enabled. Otherwise false.
-func IsRBACEnabled(f *Framework) bool {
+func IsRBACEnabled(crGetter v1beta1rbac.ClusterRolesGetter) bool {
 isRBACEnabledOnce.Do(func() {
- crs, err := f.ClientSet.RbacV1().ClusterRoles().List(metav1.ListOptions{})
+ crs, err := crGetter.ClusterRoles().List(metav1.ListOptions{})
 if err != nil {
- Logf("Error listing ClusterRoles; assuming RBAC is disabled: %v", err)
+ logf("Error listing ClusterRoles; assuming RBAC is disabled: %v", err)
 isRBACEnabled = false
 } else if crs == nil || len(crs.Items) == 0 {
- Logf("No ClusterRoles found; assuming RBAC is disabled.")
+ logf("No ClusterRoles found; assuming RBAC is disabled.")
 isRBACEnabled = false
 } else {
- Logf("Found ClusterRoles; assuming RBAC is enabled.")
+ logf("Found ClusterRoles; assuming RBAC is enabled.")
 isRBACEnabled = true
 }
 })
+
 return isRBACEnabled
 }
+
+// logf logs INFO lines to the GinkgoWriter.
+// TODO: Log functions like these should be put into their own package,
+// see: https://github.com/kubernetes/kubernetes/issues/76728
+func logf(format string, args ...interface{}) {
+ log("INFO", format, args...)
+}
+
+// log prints formatted log messages to the global GinkgoWriter.
+// TODO: Log functions like these should be put into their own package,
+// see: https://github.com/kubernetes/kubernetes/issues/76728
+func log(level string, format string, args ...interface{}) {
+ fmt.Fprintf(ginkgo.GinkgoWriter, nowStamp()+": "+level+": "+format+"\n", args...)
+}
+
+// nowStamp returns the current time formatted for placement in the logs (time.StampMilli).
+// TODO: If only used for logging, this should be put into a logging package,
+// see: https://github.com/kubernetes/kubernetes/issues/76728
+func nowStamp() string {
+ return time.Now().Format(time.StampMilli)
+}
diff --git a/test/e2e/framework/psp_util.go b/test/e2e/framework/psp_util.go
index 7558f836567..cb06f91e19c 100644
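Review bot: `IsRBACEnabled` latches whatever the first `List` returns into `isRBACEnabledOnce`, so a single transient or forbidden error on that request pins "RBAC disabled" for the whole process, after which every `BindClusterRole`/`bindInNamespace` call returns nil without creating anything and the callers' `ExpectNoError` passes; with this commit turning bind failures into test failures, that one latched error now hides exactly the failures it meant to surface. Only a NotFound from the RBAC API group actually means "not served"; other errors say nothing about RBAC and should fail safe to "enabled" so the subsequent bind reports the real problem (rewrite below, assuming a cluster without RBAC answers the ClusterRoles list with 404, which the existing "No ClusterRoles found" branch already relies on). Separately, callers now pass `RbacV1beta1()` where the removed line probed `RbacV1()`; a cluster serving only `rbac.authorization.k8s.io/v1` would be misdetected, so probing the stable `v1` client at the call sites is safer. The `var (` block declaring `isRBACEnabled`/`isRBACEnabledOnce` starts before this hunk.

```go
func IsRBACEnabled(crGetter v1beta1rbac.ClusterRolesGetter) bool {
	isRBACEnabledOnce.Do(func() {
		crs, err := crGetter.ClusterRoles().List(metav1.ListOptions{})
		switch {
		case apierrors.IsNotFound(err):
			// The RBAC API group is not served: the only answer that really means "disabled".
			logf("ClusterRoles not served; assuming RBAC is disabled: %v", err)
			isRBACEnabled = false
		case err != nil:
			// Transient/forbidden errors say nothing about RBAC. Fail safe so the bindings
			// are attempted and their errors reach the callers' ExpectNoError.
			logf("Error listing ClusterRoles; assuming RBAC is enabled: %v", err)
			isRBACEnabled = true
		case crs == nil || len(crs.Items) == 0:
			logf("No ClusterRoles found; assuming RBAC is disabled.")
			isRBACEnabled = false
		default:
			logf("Found ClusterRoles; assuming RBAC is enabled.")
			isRBACEnabled = true
		}
	})
	// … unchanged: return isRBACEnabled …
}
```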
--- a/test/e2e/framework/psp_util.go
+++ b/test/e2e/framework/psp_util.go
@@ -28,6 +28,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 "github.com/onsi/ginkgo"
 )
@@ -118,7 +119,7 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
 ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)
 }
- if IsRBACEnabled(f) {
+ if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 // Create the Role to bind it to the namespace.
 _, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
@@ -135,10 +136,10 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
 }
 })
- if IsRBACEnabled(f) {
+ if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) {
 ginkgo.By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s", podSecurityPolicyPrivileged, namespace))
- BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
+ err := auth.BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
 podSecurityPolicyPrivileged,
 namespace,
 rbacv1beta1.Subject{
@@ -146,7 +147,8 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
 Namespace: namespace,
 Name: "default",
 })
- ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
+ ExpectNoError(err)
+ ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
 schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
 }
diff --git a/test/e2e/kubectl/BUILD b/test/e2e/kubectl/BUILD
index e42e36df51b..b776650ed39 100644
--- a/test/e2e/kubectl/BUILD
+++ b/test/e2e/kubectl/BUILD
@@ -31,6 +31,7 @@ go_library(
 "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
 "//test/e2e/common:go_default_library",
 "//test/e2e/framework:go_default_library",
+ "//test/e2e/framework/auth:go_default_library",
 "//test/e2e/framework/job:go_default_library",
 "//test/e2e/framework/testfiles:go_default_library",
 "//test/e2e/scheduling:go_default_library",
diff --git a/test/e2e/kubectl/kubectl.go b/test/e2e/kubectl/kubectl.go
index a8910f3dc34..149491f3de8 100644
--- a/test/e2e/kubectl/kubectl.go
+++ b/test/e2e/kubectl/kubectl.go
@@ -42,7 +42,7 @@ import (
 "github.com/elazarl/goproxy"
 "sigs.k8s.io/yaml"
- "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
 rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 apierrs "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/api/resource"
@@ -58,6 +58,7 @@ import (
 "k8s.io/kubernetes/pkg/controller"
 commonutils "k8s.io/kubernetes/test/e2e/common"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 jobutil "k8s.io/kubernetes/test/e2e/framework/job"
 "k8s.io/kubernetes/test/e2e/framework/testfiles"
 "k8s.io/kubernetes/test/e2e/scheduling"
@@ -606,10 +607,11 @@ var _ = SIGDescribe("Kubectl client", func() {
 ginkgo.It("should handle in-cluster config", func() {
 ginkgo.By("adding rbac permissions")
 // grant the view permission widely to allow inspection of the `invalid` namespace and the default namespace
- framework.BindClusterRole(f.ClientSet.RbacV1beta1(), "view", f.Namespace.Name,
+ err := auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "view", f.Namespace.Name,
 rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
+ framework.ExpectNoError(err)
- err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
+ err = auth.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true)
 framework.ExpectNoError(err)
diff --git a/test/e2e/network/BUILD b/test/e2e/network/BUILD
index 4137c71e581..fd215ea1860 100644
--- a/test/e2e/network/BUILD
+++ b/test/e2e/network/BUILD
@@ -58,6 +58,7 @@ go_library(
 "//staging/src/k8s.io/client-go/util/workqueue:go_default_library",
 "//staging/src/k8s.io/cloud-provider:go_default_library",
 "//test/e2e/framework:go_default_library",
+ "//test/e2e/framework/auth:go_default_library",
 "//test/e2e/framework/ingress:go_default_library",
 "//test/e2e/framework/providers/gce:go_default_library",
 "//test/e2e/network/scale:go_default_library",
diff --git a/test/e2e/network/ingress.go b/test/e2e/network/ingress.go
index de97a30190e..6ae9f8e8f50 100644
--- a/test/e2e/network/ingress.go
+++ b/test/e2e/network/ingress.go
@@ -26,7 +26,7 @@ import (
 compute "google.golang.org/api/compute/v1"
- "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
 rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -35,6 +35,7 @@ import (
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 "k8s.io/kubernetes/test/e2e/framework/ingress"
 "k8s.io/kubernetes/test/e2e/framework/providers/gce"
@@ -62,10 +63,11 @@ var _ = SIGDescribe("Loadbalancing: L7", func() {
 // this test wants powerful permissions. Since the namespace names are unique, we can leave this
 // lying around so we don't have to race any caches
- framework.BindClusterRole(jig.Client.RbacV1beta1(), "cluster-admin", f.Namespace.Name,
+ err := auth.BindClusterRole(jig.Client.RbacV1beta1(), "cluster-admin", f.Namespace.Name,
 rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
+ framework.ExpectNoError(err)
- err := framework.WaitForAuthorizationUpdate(jig.Client.AuthorizationV1beta1(),
+ err = auth.WaitForAuthorizationUpdate(jig.Client.AuthorizationV1beta1(),
 serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 "", "create", schema.GroupResource{Resource: "pods"}, true)
 framework.ExpectNoError(err)
diff --git a/test/e2e/storage/BUILD b/test/e2e/storage/BUILD
index 3b44b4838c7..902c884f195 100644
--- a/test/e2e/storage/BUILD
+++ b/test/e2e/storage/BUILD
@@ -66,6 +66,7 @@ go_library(
 "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
 "//staging/src/k8s.io/cloud-provider/volume/helpers:go_default_library",
 "//test/e2e/framework:go_default_library",
+ "//test/e2e/framework/auth:go_default_library",
 "//test/e2e/framework/metrics:go_default_library",
 "//test/e2e/framework/providers/gce:go_default_library",
 "//test/e2e/framework/testfiles:go_default_library",
diff --git a/test/e2e/storage/drivers/BUILD b/test/e2e/storage/drivers/BUILD
index 7236b560d0d..395075527f8 100644
--- a/test/e2e/storage/drivers/BUILD
+++ b/test/e2e/storage/drivers/BUILD
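Review bot: With `framework.ExpectNoError(err)` the test now hard-requires a cluster-scoped ClusterRoleBinding of `cluster-admin` to `f.Namespace.Name/default`, and the comment above it ("leave this lying around") means it is never deleted — a ClusterRoleBinding is not removed when the namespace is, so every run leaves a cluster-admin grant to a service-account name that would regain those rights if a namespace with the same name were ever recreated. Register an AfterEach in this BeforeEach that deletes the binding (the binding's name is assigned inside `auth.BindClusterRole`, outside this hunk, so either return or recompute it), or narrow to `auth.BindClusterRoleInNamespace` if the ingress controller's needs allow; failing that, replace the comment with one that says the grant is cluster-wide and permanent. The enclosing BeforeEach starts before the hunk.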
@@ -22,6 +22,7 @@ go_library(
 "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
 "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
 "//test/e2e/framework:go_default_library",
+ "//test/e2e/framework/auth:go_default_library",
 "//test/e2e/framework/volume:go_default_library",
 "//test/e2e/storage/testpatterns:go_default_library",
 "//test/e2e/storage/testsuites:go_default_library",
diff --git a/test/e2e/storage/drivers/in_tree.go b/test/e2e/storage/drivers/in_tree.go
index e4502aeb801..e397921f0e4 100644
--- a/test/e2e/storage/drivers/in_tree.go
+++ b/test/e2e/storage/drivers/in_tree.go
@@ -54,6 +54,7 @@ import (
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 "k8s.io/kubernetes/test/e2e/framework/volume"
 "k8s.io/kubernetes/test/e2e/storage/testpatterns"
 "k8s.io/kubernetes/test/e2e/storage/testsuites"
@@ -153,10 +154,11 @@ func (n *nfsDriver) PrepareTest(f *framework.Framework) (*testsuites.PerTestConf
 // TODO(mkimuram): cluster-admin gives too much right but system:persistent-volume-provisioner
 // is not enough. We should create new clusterrole for testing.
- framework.BindClusterRole(cs.RbacV1beta1(), "cluster-admin", ns.Name,
+ err := auth.BindClusterRole(cs.RbacV1beta1(), "cluster-admin", ns.Name,
 rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns.Name, Name: "default"})
+ framework.ExpectNoError(err)
- err := framework.WaitForAuthorizationUpdate(cs.AuthorizationV1beta1(),
+ err = auth.WaitForAuthorizationUpdate(cs.AuthorizationV1beta1(),
 serviceaccount.MakeUsername(ns.Name, "default"),
 "", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
 framework.ExpectNoError(err, "Failed to update authorization: %v", err)
diff --git a/test/e2e/storage/volume_provisioning.go b/test/e2e/storage/volume_provisioning.go
index 609e9c4b172..9f04b514b2d 100644
--- a/test/e2e/storage/volume_provisioning.go
+++ b/test/e2e/storage/volume_provisioning.go
@@ -46,6 +46,7 @@ import (
 volumehelpers "k8s.io/cloud-provider/volume/helpers"
 storageutil "k8s.io/kubernetes/pkg/apis/storage/v1/util"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/kubernetes/test/e2e/framework/auth"
 "k8s.io/kubernetes/test/e2e/framework/providers/gce"
 "k8s.io/kubernetes/test/e2e/storage/testsuites"
 "k8s.io/kubernetes/test/e2e/storage/utils"
@@ -710,10 +711,11 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 Name: serviceAccountName,
 }
- framework.BindClusterRole(c.RbacV1beta1(), "system:persistent-volume-provisioner", ns, subject)
+ err := auth.BindClusterRole(c.RbacV1beta1(), "system:persistent-volume-provisioner", ns, subject)
+ framework.ExpectNoError(err)
 roleName := "leader-locking-nfs-provisioner"
- _, err := f.ClientSet.RbacV1beta1().Roles(ns).Create(&rbacv1beta1.Role{
+ _, err = f.ClientSet.RbacV1beta1().Roles(ns).Create(&rbacv1beta1.Role{
 ObjectMeta: metav1.ObjectMeta{
 Name: roleName,
 },
@@ -725,9 +727,10 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 })
 framework.ExpectNoError(err, "Failed to create leader-locking role")
- framework.BindRoleInNamespace(c.RbacV1beta1(), roleName, ns, subject)
+ err = auth.BindRoleInNamespace(c.RbacV1beta1(), roleName, ns, subject)
+ framework.ExpectNoError(err)
- err = framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
+ err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
 serviceaccount.MakeUsername(ns, serviceAccountName),
 "", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
 framework.ExpectNoError(err, "Failed to update authorization")