mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
address comment
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
This commit is contained in:
parent
04ac6df8a9
commit
06482b6bd3
@ -21,7 +21,6 @@ import (
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
"slices"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/google/go-cmp/cmp"
|
||||
@ -178,131 +177,11 @@ func TestBootstrapClusterRoles(t *testing.T) {
|
||||
testObjects(t, list, "cluster-roles.yaml")
|
||||
}
|
||||
|
||||
func TestBootstrapClusterRolesWithFeatureGateEnabled(t *testing.T) {
|
||||
expectedDiff := map[string]string{
|
||||
"system:monitoring": ` &v1.ClusterRole{
|
||||
TypeMeta: {},
|
||||
ObjectMeta: {Name: "system:monitoring", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
|
||||
Rules: []v1.PolicyRule{
|
||||
{Verbs: {"get"}, NonResourceURLs: {"/healthz", "/healthz/*", "/livez", "/livez/*", ...}},
|
||||
+ {Verbs: []string{"get"}, NonResourceURLs: []string{"/flagz"}},
|
||||
+ {Verbs: []string{"get"}, NonResourceURLs: []string{"/statusz"}},
|
||||
},
|
||||
AggregationRule: nil,
|
||||
}`,
|
||||
"system:aggregate-to-view": ` &v1.ClusterRole{
|
||||
TypeMeta: {},
|
||||
ObjectMeta: {Name: "system:aggregate-to-view", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults", "rbac.authorization.k8s.io/aggregate-to-view": "true"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
|
||||
Rules: []v1.PolicyRule{
|
||||
... // 8 identical elements
|
||||
{Verbs: {"get", "list", "watch"}, APIGroups: {"policy"}, Resources: {"poddisruptionbudgets", "poddisruptionbudgets/status"}},
|
||||
{Verbs: {"get", "list", "watch"}, APIGroups: {"networking.k8s.io"}, Resources: {"ingresses", "ingresses/status", "networkpolicies"}},
|
||||
+ {
|
||||
+ Verbs: []string{"get", "list", "watch"},
|
||||
+ APIGroups: []string{"resource.k8s.io"},
|
||||
+ Resources: []string{"resourceclaims", "resourceclaims/status", "resourceclaimtemplates"},
|
||||
+ },
|
||||
},
|
||||
AggregationRule: nil,
|
||||
}
|
||||
`,
|
||||
"system:aggregate-to-edit": `&v1.ClusterRole{
|
||||
TypeMeta: {},
|
||||
ObjectMeta: {Name: "system:aggregate-to-edit", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults", "rbac.authorization.k8s.io/aggregate-to-edit": "true"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
|
||||
Rules: []v1.PolicyRule{
|
||||
... // 11 identical elements
|
||||
{Verbs: {"create", "delete", "deletecollection", "patch", ...}, APIGroups: {"networking.k8s.io"}, Resources: {"ingresses", "networkpolicies"}},
|
||||
{Verbs: {"create", "delete", "deletecollection", "get", ...}, APIGroups: {"coordination.k8s.io"}, Resources: {"leases"}},
|
||||
+ {
|
||||
+ Verbs: []string{"create", "delete", "deletecollection", "patch", "update"},
|
||||
+ APIGroups: []string{"resource.k8s.io"},
|
||||
+ Resources: []string{"resourceclaims", "resourceclaimtemplates"},
|
||||
+ },
|
||||
},
|
||||
AggregationRule: nil,
|
||||
}
|
||||
`,
|
||||
"system:node": ` &v1.ClusterRole{
|
||||
TypeMeta: {},
|
||||
ObjectMeta: {Name: "system:node", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
|
||||
Rules: []v1.PolicyRule{
|
||||
... // 20 identical elements
|
||||
{Verbs: {"create", "delete", "get", "patch", ...}, APIGroups: {"storage.k8s.io"}, Resources: {"csinodes"}},
|
||||
{Verbs: {"get", "list", "watch"}, APIGroups: {"node.k8s.io"}, Resources: {"runtimeclasses"}},
|
||||
+ {
|
||||
+ Verbs: []string{"get"},
|
||||
+ APIGroups: []string{"resource.k8s.io"},
|
||||
+ Resources: []string{"resourceclaims"},
|
||||
+ },
|
||||
+ {
|
||||
+ Verbs: []string{"deletecollection"},
|
||||
+ APIGroups: []string{"resource.k8s.io"},
|
||||
+ Resources: []string{"resourceslices"},
|
||||
+ },
|
||||
+ {
|
||||
+ Verbs: []string{"get", "list", "watch"},
|
||||
+ APIGroups: []string{"certificates.k8s.io"},
|
||||
+ Resources: []string{"clustertrustbundles"},
|
||||
+ },
|
||||
},
|
||||
AggregationRule: nil,
|
||||
}
|
||||
`,
|
||||
"system:kube-scheduler": ` &v1.ClusterRole{
|
||||
TypeMeta: {},
|
||||
ObjectMeta: {Name: "system:kube-scheduler", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
|
||||
Rules: []v1.PolicyRule{
|
||||
... // 18 identical elements
|
||||
{Verbs: {"get", "list", "watch"}, APIGroups: {"storage.k8s.io"}, Resources: {"csidrivers"}},
|
||||
{Verbs: {"get", "list", "watch"}, APIGroups: {"storage.k8s.io"}, Resources: {"csistoragecapacities"}},
|
||||
+ {
|
||||
+ Verbs: []string{"get", "list", "watch"},
|
||||
+ APIGroups: []string{"resource.k8s.io"},
|
||||
+ Resources: []string{"deviceclasses"},
|
||||
+ },
|
||||
+ {
|
||||
+ Verbs: []string{"get", "list", "patch", "update", "watch"},
|
||||
+ APIGroups: []string{"resource.k8s.io"},
|
||||
+ Resources: []string{"resourceclaims"},
|
||||
+ },
|
||||
+ {
|
||||
+ Verbs: []string{"get", "list", "patch", "update", "watch"},
|
||||
+ APIGroups: []string{"resource.k8s.io"},
|
||||
+ Resources: []string{"resourceclaims/status"},
|
||||
+ },
|
||||
+ {
|
||||
+ Verbs: []string{"get", "list", "patch", "update", "watch"},
|
||||
+ APIGroups: []string{""},
|
||||
+ Resources: []string{"pods/finalizers"},
|
||||
+ },
|
||||
+ {
|
||||
+ Verbs: []string{"get", "list", "watch"},
|
||||
+ APIGroups: []string{"resource.k8s.io"},
|
||||
+ Resources: []string{"resourceslices"},
|
||||
+ },
|
||||
},
|
||||
AggregationRule: nil,
|
||||
}
|
||||
`,
|
||||
"system:cluster-trust-bundle-discovery": ` any(
|
||||
+ s"&ClusterRole{ObjectMeta:{system:cluster-trust-bundle-discovery 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[kubernetes.io/bootstrapping:rbac-defaults] map[rbac.authorization.kubernetes.io/autoupdate:true] [] [] []},Rules:[]PolicyRule{PolicyRule{Ver"...,
|
||||
)
|
||||
`,
|
||||
}
|
||||
|
||||
names := sets.NewString()
|
||||
roles := map[string]runtime.Object{}
|
||||
bootstrapRoles := bootstrappolicy.ClusterRoles()
|
||||
for i := range bootstrapRoles {
|
||||
role := bootstrapRoles[i]
|
||||
names.Insert(role.Name)
|
||||
roles[role.Name] = &role
|
||||
}
|
||||
|
||||
func TestBootstrapClusterRolesWithFeatureGatesEnabled(t *testing.T) {
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllAlpha", true)
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllBeta", true)
|
||||
|
||||
bootstrapRoles = bootstrappolicy.ClusterRoles()
|
||||
bootstrapRoles := bootstrappolicy.ClusterRoles()
|
||||
featureGateList := &api.List{}
|
||||
featureGateNames := sets.NewString()
|
||||
featureGateRoles := map[string]runtime.Object{}
|
||||
@ -310,20 +189,12 @@ func TestBootstrapClusterRolesWithFeatureGateEnabled(t *testing.T) {
|
||||
role := bootstrapRoles[i]
|
||||
featureGateNames.Insert(role.Name)
|
||||
featureGateRoles[role.Name] = &role
|
||||
actualDiff := cmp.Diff(roles[role.Name], featureGateRoles[role.Name])
|
||||
//normalize whitespace
|
||||
expectedDiffNormalized := strings.Join(strings.Fields(expectedDiff[role.Name]), " ")
|
||||
actualDiffNormalized := strings.Join(strings.Fields(actualDiff), " ")
|
||||
if expectedDiffNormalized != actualDiffNormalized {
|
||||
t.Errorf("RoleName '%s', diff between regular and feature gate. Expected: [%s], Actual: [%s]", role.Name, expectedDiff[role.Name], actualDiff)
|
||||
}
|
||||
}
|
||||
for _, featureGateName := range featureGateNames.List() {
|
||||
featureGateList.Items = append(featureGateList.Items, featureGateRoles[featureGateName])
|
||||
}
|
||||
|
||||
testObjects(t, featureGateList, "cluster-roles-featuregates.yaml")
|
||||
|
||||
}
|
||||
|
||||
func TestBootstrapClusterRoleBindings(t *testing.T) {
|
||||
|
@ -1235,6 +1235,12 @@ items:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- get
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
Loading…
Reference in New Issue
Block a user