diff --git a/test/integration/auth/auth_test.go b/test/integration/auth/auth_test.go
index a0ddba6302a..e8db8306317 100644
--- a/test/integration/auth/auth_test.go
+++ b/test/integration/auth/auth_test.go
@@ -62,6 +62,7 @@ import (
 clientset "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
 v1 "k8s.io/client-go/tools/clientcmd/api/v1"
+ resttransport "k8s.io/client-go/transport"
 kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 "k8s.io/kubernetes/pkg/apis/autoscaling"
 api "k8s.io/kubernetes/pkg/apis/core"
@@ -555,11 +556,9 @@ func TestAuthModeAlwaysDeny(t *testing.T) {
 controlPlaneConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
 _, s, closeFn := framework.RunAnAPIServer(controlPlaneConfig)
 defer closeFn()
-
 ns := framework.CreateTestingNamespace("auth-always-deny", s, t)
 defer framework.DeleteTestingNamespace(ns, s, t)
-
- transport := http.DefaultTransport
+ transport := resttransport.NewBearerAuthRoundTripper(framework.UnprivilegedUserToken, http.DefaultTransport)
 
 for _, r := range getTestRequests(ns.Name) {
 bodyBytes := bytes.NewReader([]byte(r.body))
diff --git a/test/integration/controlplane/synthetic_controlplane_test.go b/test/integration/controlplane/synthetic_controlplane_test.go
index a37d255cdf2..5d154ea5d4a 100644
--- a/test/integration/controlplane/synthetic_controlplane_test.go
+++ b/test/integration/controlplane/synthetic_controlplane_test.go
@@ -38,8 +38,10 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/wait"
+ authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/group"
 "k8s.io/apiserver/pkg/authentication/request/bearertoken"
+ authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 "k8s.io/apiserver/pkg/authorization/authorizerfactory"
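Review bot: The switch from `http.DefaultTransport` to a bearer-token round tripper in TestAuthModeAlwaysDeny carries no comment explaining why the request must now present framework.UnprivilegedUserToken. From the controlplane_utils.go hunk on this page, a request with no Authorization header is now authenticated by unsecuredUser as "system:unsecured" with user.SystemPrivilegedGroup, so without the token this test would no longer be exercising an ordinary caller against the always-deny authorizer. I would put that reasoning above the transport line: `// Send an explicit unprivileged bearer token: a credential-less request would now resolve to the framework's privileged "system:unsecured" identity.` The rest of the function body continues outside the hunk.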
@@ -141,6 +143,15 @@ func TestEmptyList(t *testing.T) {
 
 func initStatusForbiddenControlPlaneConfig() *controlplane.Config {
 controlPlaneConfig := framework.NewIntegrationTestControlPlaneConfig()
+ controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(
+ authauthenticator.RequestFunc(func(req *http.Request) (*authauthenticator.Response, bool, error) {
+ return &authauthenticator.Response{
+ User: &user.DefaultInfo{
+ Name: "unprivileged",
+ Groups: []string{user.AllAuthenticated},
+ },
+ }, true, nil
+ }))
 controlPlaneConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
 return controlPlaneConfig
 }
@@ -178,7 +189,7 @@ func TestStatus(t *testing.T) {
 statusCode: http.StatusForbidden,
 reqPath: "/apis",
 reason: "Forbidden",
- message: `forbidden: User "" cannot get path "/apis": Everything is forbidden.`,
+ message: `forbidden: User "unprivileged" cannot get path "/apis": Everything is forbidden.`,
 },
 {
 name: "401",
diff --git a/test/integration/framework/controlplane_utils.go b/test/integration/framework/controlplane_utils.go
index 4085c473159..9513a9fa4e1 100644
--- a/test/integration/framework/controlplane_utils.go
+++ b/test/integration/framework/controlplane_utils.go
@@ -61,6 +61,10 @@ import (
 netutils "k8s.io/utils/net"
 )
 
+const (
+ UnprivilegedUserToken = "unprivileged-user"
+)
+
 // Config is a struct of configuration directives for NewControlPlaneComponents.
 type Config struct {
 // If nil, a default is used, partially filled configs will not get populated.
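Review bot: The RequestFunc added in initStatusForbiddenControlPlaneConfig never inspects req, so every request to this server, with or without credentials, is authenticated as "unprivileged"; that is fine for the 403 case but deserves a comment, since a reader of TestStatus (which also has a "401" case in the next hunk) could otherwise expect some requests to stay unauthenticated. I would add above the assignment: `// Authenticate every request as a plain member of AllAuthenticated so that the always-deny authorizer, not authentication, decides the status.` Note that startAPIServerOrDie (controlplane_utils.go hunk on this page) unions the loopback token authenticator in front of this one, so the privileged loopback token presumably still resolves normally. As a point of style, the literal "unprivileged" and the Groups slice duplicate the tokens[UnprivilegedUserToken] entry in the framework; a shared exported name constant there would keep this closure and the expected message string in the -178 hunk in step.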
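Review bot: UnprivilegedUserToken is exported from the framework package without a doc comment, and its name alone does not say which identity it selects. The mapping is defined in startAPIServerOrDie later in this diff, so I would document it at the declaration: `// UnprivilegedUserToken is a static bearer token that every framework-started apiserver maps to user "unprivileged", a member of the AllAuthenticated group only (see startAPIServerOrDie).`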
@@ -80,11 +84,16 @@ func (alwaysAllow) Authorize(ctx context.Context, requestAttributes authorizer.A
 return authorizer.DecisionAllow, "always allow", nil
 }
 
-// alwaysEmpty simulates "no authentication" for old tests
-func alwaysEmpty(req *http.Request) (*authauthenticator.Response, bool, error) {
+// unsecuredUser simulates requests to the unsecured endpoint for old tests
+func unsecuredUser(req *http.Request) (*authauthenticator.Response, bool, error) {
+ auth := req.Header.Get("Authorization")
+ if len(auth) != 0 {
+ return nil, false, nil
+ }
 return &authauthenticator.Response{
 User: &user.DefaultInfo{
- Name: "",
+ Name: "system:unsecured",
+ Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
 },
 }, true, nil
 }
@@ -171,12 +180,17 @@ func startAPIServerOrDie(controlPlaneConfig *controlplane.Config, incomingServer
 tokens[privilegedLoopbackToken] = &user.DefaultInfo{
 Name: user.APIServerUser,
 UID: uuid.New().String(),
- Groups: []string{user.SystemPrivilegedGroup},
+ Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
+ }
+ tokens[UnprivilegedUserToken] = &user.DefaultInfo{
+ Name: "unprivileged",
+ UID: uuid.New().String(),
+ Groups: []string{user.AllAuthenticated},
 }
 tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, controlPlaneConfig.GenericConfig.Authentication.APIAudiences)
 
 if controlPlaneConfig.GenericConfig.Authentication.Authenticator == nil {
- controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty))
+ controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(unsecuredUser))
 } else {
 controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, controlPlaneConfig.GenericConfig.Authentication.Authenticator)
 }
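Review bot: unsecuredUser grants user.SystemPrivilegedGroup to any request that carries no Authorization header, a far broader fallback than the empty-name user alwaysEmpty returned, and the one-line comment does not state that contract. Because it is the last member of the union built in startAPIServerOrDie (next hunk), an unauthenticated request to a framework-started apiserver is now treated as fully privileged, while a request with an unrecognized bearer token ends up unauthenticated; tests that want to observe anonymous behaviour must install their own Authenticator, as synthetic_controlplane_test.go does elsewhere in this diff. I would expand the doc comment to say so: `// unsecuredUser stands in for the legacy unsecured port: a request with no Authorization header is authenticated as "system:unsecured" in user.SystemPrivilegedGroup; a request that does carry the header is passed on (nil, false, nil) to the remaining authenticators in the union.` As a nit, `if auth != ""` reads more directly than `if len(auth) != 0`.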
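Review bot: The new tokens[UnprivilegedUserToken] entry in startAPIServerOrDie has no comment and repeats the literal "unprivileged" that also appears in synthetic_controlplane_test.go and in its expected error message; a single exported name constant beside UnprivilegedUserToken would keep the three in step. I would add above the entry: `// Authenticated but non-privileged identity for authorization tests; selected by sending UnprivilegedUserToken as a bearer token.` Since both branches of the following if/else union tokenAuthenticator in, this static token is accepted by every apiserver the framework starts, which I take to be the intent. The function's body continues outside the hunk on both sides.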