github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 02:41:25 +00:00
Code Issues Projects Releases Wiki Activity

fix flake on TestQuotaLimitService

Browse Source
This commit is contained in:
jlsong01 2021-12-31 21:36:27 +08:00
parent 6f896dec4f
commit 3006aa534b
3 changed files with 33 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
test/integration/auth/auth_test.go
View File

@ -62,6 +62,7 @@ import (
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
v1 "k8s.io/client-go/tools/clientcmd/api/v1" v1 "k8s.io/client-go/tools/clientcmd/api/v1"
resttransport "k8s.io/client-go/transport"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/pkg/apis/autoscaling" "k8s.io/kubernetes/pkg/apis/autoscaling"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
@ -555,11 +556,9 @@ func TestAuthModeAlwaysDeny(t *testing.T) {
controlPlaneConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() controlPlaneConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
_, s, closeFn := framework.RunAnAPIServer(controlPlaneConfig) _, s, closeFn := framework.RunAnAPIServer(controlPlaneConfig)
defer closeFn() defer closeFn()
ns := framework.CreateTestingNamespace("auth-always-deny", s, t) ns := framework.CreateTestingNamespace("auth-always-deny", s, t)
defer framework.DeleteTestingNamespace(ns, s, t) defer framework.DeleteTestingNamespace(ns, s, t)
transport := resttransport.NewBearerAuthRoundTripper(framework.UnprivilegedUserToken, http.DefaultTransport)
transport := http.DefaultTransport
for _, r := range getTestRequests(ns.Name) { for _, r := range getTestRequests(ns.Name) {
bodyBytes := bytes.NewReader([]byte(r.body)) bodyBytes := bytes.NewReader([]byte(r.body))

13
test/integration/controlplane/synthetic_controlplane_test.go
View File

@ -38,8 +38,10 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors" apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/group" "k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/bearertoken" "k8s.io/apiserver/pkg/authentication/request/bearertoken"
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory" "k8s.io/apiserver/pkg/authorization/authorizerfactory"
@ -141,6 +143,15 @@ func TestEmptyList(t *testing.T) {
func initStatusForbiddenControlPlaneConfig() *controlplane.Config { func initStatusForbiddenControlPlaneConfig() *controlplane.Config {
controlPlaneConfig := framework.NewIntegrationTestControlPlaneConfig() controlPlaneConfig := framework.NewIntegrationTestControlPlaneConfig()
controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(
authauthenticator.RequestFunc(func(req *http.Request) (*authauthenticator.Response, bool, error) {
return &authauthenticator.Response{
User: &user.DefaultInfo{
Name: "unprivileged",
Groups: []string{user.AllAuthenticated},
},
}, true, nil
}))
controlPlaneConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() controlPlaneConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
return controlPlaneConfig return controlPlaneConfig
} }
@ -178,7 +189,7 @@ func TestStatus(t *testing.T) {
statusCode: http.StatusForbidden, statusCode: http.StatusForbidden,
reqPath: "/apis", reqPath: "/apis",
reason: "Forbidden", reason: "Forbidden",
message: `forbidden: User "" cannot get path "/apis": Everything is forbidden.`, message: `forbidden: User "unprivileged" cannot get path "/apis": Everything is forbidden.`,
}, },
{ {
name: "401", name: "401",

24
test/integration/framework/controlplane_utils.go
View File

@ -61,6 +61,10 @@ import (
netutils "k8s.io/utils/net" netutils "k8s.io/utils/net"
) )
const (
UnprivilegedUserToken = "unprivileged-user"
)
// Config is a struct of configuration directives for NewControlPlaneComponents. // Config is a struct of configuration directives for NewControlPlaneComponents.
type Config struct { type Config struct {
// If nil, a default is used, partially filled configs will not get populated. // If nil, a default is used, partially filled configs will not get populated.
@ -80,11 +84,16 @@ func (alwaysAllow) Authorize(ctx context.Context, requestAttributes authorizer.A
return authorizer.DecisionAllow, "always allow", nil return authorizer.DecisionAllow, "always allow", nil
} }
// alwaysEmpty simulates "no authentication" for old tests // unsecuredUser simulates requests to the unsecured endpoint for old tests
func alwaysEmpty(req *http.Request) (*authauthenticator.Response, bool, error) { func unsecuredUser(req *http.Request) (*authauthenticator.Response, bool, error) {
auth := req.Header.Get("Authorization")
if len(auth) != 0 {
return nil, false, nil
}
return &authauthenticator.Response{ return &authauthenticator.Response{
User: &user.DefaultInfo{ User: &user.DefaultInfo{
Name: "", Name: "system:unsecured",
Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
}, },
}, true, nil }, true, nil
} }
@ -171,12 +180,17 @@ func startAPIServerOrDie(controlPlaneConfig *controlplane.Config, incomingServer
tokens[privilegedLoopbackToken] = &user.DefaultInfo{ tokens[privilegedLoopbackToken] = &user.DefaultInfo{
Name: user.APIServerUser, Name: user.APIServerUser,
UID: uuid.New().String(), UID: uuid.New().String(),
Groups: []string{user.SystemPrivilegedGroup}, Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
}
tokens[UnprivilegedUserToken] = &user.DefaultInfo{
Name: "unprivileged",
UID: uuid.New().String(),
Groups: []string{user.AllAuthenticated},
} }
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, controlPlaneConfig.GenericConfig.Authentication.APIAudiences) tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, controlPlaneConfig.GenericConfig.Authentication.APIAudiences)
if controlPlaneConfig.GenericConfig.Authentication.Authenticator == nil { if controlPlaneConfig.GenericConfig.Authentication.Authenticator == nil {
controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty)) controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(unsecuredUser))
} else { } else {
controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, controlPlaneConfig.GenericConfig.Authentication.Authenticator) controlPlaneConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, controlPlaneConfig.GenericConfig.Authentication.Authenticator)
} }