KEP-3325: Promote SelfSubjectReview to GA

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2026-01-16 06:49:38 +00:00 · 2023-05-02 01:26:20 +02:00
parent 46852cab7f
commit 40de26dcff
28 changed files with 1394 additions and 106 deletions
--- a/test/cmd/auth_whoami.sh
+++ b/test/cmd/auth_whoami.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Runs tests for kubectl diff
+run_kubectl_events_tests() {
+    set -o nounset
+    set -o errexit
+
+    create_and_use_new_namespace
+    kube::log::status "Testing kubectl auth whoami"
+
+    ### Create a new namespace
+    # Command
+    output_message=$(kubectl auth whoami -o json 2>&1)
+
+    # Post-condition: should return user attributes.
+    kube::test::if_has_string "${output_message}" '"kind": "SelfSubjectReview"'
+
+    set +o nounset
+    set +o errexit
+}
--- a/test/e2e/auth/selfsubjectreviews.go
+++ b/test/e2e/auth/selfsubjectreviews.go
@@ -22,6 +22,7 @@ import (

 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
 	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -105,6 +106,7 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
 		},
 		ginkgo.Entry("authentication/v1alpha1", "v1alpha1", authenticationv1alpha1.SchemeGroupVersion.String()),
 		ginkgo.Entry("authentication/v1beta1", "v1beta1", authenticationv1beta1.SchemeGroupVersion.String()),
+		ginkgo.Entry("authentication/v1", "v1", authenticationv1.SchemeGroupVersion.String()),
 	)

 	ginkgo.It("should support SelfSubjectReview API operations", func(ctx context.Context) {
@@ -149,6 +151,26 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {

 			gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra))
 		}
+
+		ginkgo.By("creating SSR authentication/v1")
+		{
+			config := restConfig(f)
+
+			ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1().SelfSubjectReviews()
+			res, err := ssrClient.Create(ctx, &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
+			framework.ExpectNoError(err)
+
+			gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
+			gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
+			gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))
+
+			extra := make(map[string][]string, len(res.Status.UserInfo.Extra))
+			for k, v := range res.Status.UserInfo.Extra {
+				extra[k] = v
+			}
+
+			gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra))
+		}
 	})
 })

--- a/test/integration/apiserver/admissionwebhook/admission_test.go
+++ b/test/integration/apiserver/admissionwebhook/admission_test.go
@@ -158,6 +158,7 @@ var (
 		gvr("authentication.k8s.io", "v1beta1", "tokenreviews"):             `{"metadata": {"name": "tokenreview"}, "spec": {"token": "token", "audience": ["audience1","audience2"]}}`,
 		gvr("authentication.k8s.io", "v1alpha1", "selfsubjectreviews"):      `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
 		gvr("authentication.k8s.io", "v1beta1", "selfsubjectreviews"):       `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
+		gvr("authentication.k8s.io", "v1", "selfsubjectreviews"):            `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
 		gvr("authorization.k8s.io", "v1", "localsubjectaccessreviews"):      `{"metadata": {"name": "", "namespace":"` + testNamespace + `"}, "spec": {"uid": "token", "user": "user1","groups": ["group1","group2"],"resourceAttributes": {"name":"name1","namespace":"` + testNamespace + `"}}}`,
 		gvr("authorization.k8s.io", "v1", "subjectaccessreviews"):           `{"metadata": {"name": "", "namespace":""}, "spec": {"user":"user1","resourceAttributes": {"name":"name1", "namespace":"` + testNamespace + `"}}}`,
 		gvr("authorization.k8s.io", "v1", "selfsubjectaccessreviews"):       `{"metadata": {"name": "", "namespace":""}, "spec": {"resourceAttributes": {"name":"name1", "namespace":""}}}`,
--- a/test/integration/auth/selfsubjectreview_test.go
+++ b/test/integration/auth/selfsubjectreview_test.go
@@ -99,6 +99,7 @@ func TestGetsSelfAttributes(t *testing.T) {
 		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
+			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true")
 			opts.Authorization.Modes = []string{"AlwaysAllow"}
 		},
 		ModifyServerConfig: func(config *controlplane.Config) {
@@ -172,6 +173,33 @@ func TestGetsSelfAttributes(t *testing.T) {
 			if !reflect.DeepEqual(res2.Status.UserInfo.Extra, tc.expectedExtra) {
 				t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
 			}
+
+			res3, err := kubeClient.AuthenticationV1().
+				SelfSubjectReviews().
+				Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			if res3 == nil {
+				t.Fatalf("empty response")
+			}
+
+			if res3.Status.UserInfo.Username != tc.expectedName {
+				t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username)
+			}
+
+			if res3.Status.UserInfo.UID != tc.expectedUID {
+				t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID)
+			}
+
+			if !reflect.DeepEqual(res3.Status.UserInfo.Groups, tc.expectedGroups) {
+				t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups)
+			}
+
+			if !reflect.DeepEqual(res3.Status.UserInfo.Extra, tc.expectedExtra) {
+				t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
+			}
 		})
 	}

@@ -187,6 +215,7 @@ func TestGetsSelfAttributesError(t *testing.T) {
 		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
 			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
+			opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true")
 			opts.Authorization.Modes = []string{"AlwaysAllow"}
 		},
 		ModifyServerConfig: func(config *controlplane.Config) {
@@ -240,4 +269,20 @@ func TestGetsSelfAttributesError(t *testing.T) {
 			t.Fatalf("expected error: %v, got %v", expected, err)
 		}
 	}
+
+	{ // v1
+		toggle.Store(!toggle.Load().(bool))
+
+		_, err := kubeClient.AuthenticationV1().
+			SelfSubjectReviews().
+			Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
+		if err == nil {
+			t.Fatalf("expected error: %v, got nil", err)
+		}
+
+		toggle.Store(!toggle.Load().(bool))
+		if expected.Error() != err.Error() {
+			t.Fatalf("expected error: %v, got %v", expected, err)
+		}
+	}
 }