github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-05 10:19:50 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #129186 from liggitt/cleanup-authorization

Browse Source 
Clean up v1alpha1 serving for authentication APIs
This commit is contained in:
Kubernetes Prow Robot 2024-12-17 18:52:52 +01:00 committed by GitHub
commit 58aafb61d4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 21 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
pkg/registry/authentication/rest/storage_authentication.go
View File

@ -18,7 +18,6 @@ package rest
import ( import (
authenticationv1 "k8s.io/api/authentication/v1" authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
authenticationv1beta1 "k8s.io/api/authentication/v1beta1" authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/registry/generic" "k8s.io/apiserver/pkg/registry/generic"
@ -46,10 +45,6 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
// If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities. // If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
// TODO refactor the plumbing to provide the information in the APIGroupInfo // TODO refactor the plumbing to provide the information in the APIGroupInfo
if storageMap := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); len(storageMap) > 0 {
apiGroupInfo.VersionedResourcesStorageMap[authenticationv1alpha1.SchemeGroupVersion.Version] = storageMap
}
if storageMap := p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter); len(storageMap) > 0 { if storageMap := p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter); len(storageMap) > 0 {
apiGroupInfo.VersionedResourcesStorageMap[authenticationv1beta1.SchemeGroupVersion.Version] = storageMap apiGroupInfo.VersionedResourcesStorageMap[authenticationv1beta1.SchemeGroupVersion.Version] = storageMap
} }
@ -77,17 +72,6 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API
return storage return storage
} }
func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
storage := map[string]rest.Storage{}
// selfsubjectreviews
if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1alpha1.SchemeGroupVersion.WithResource(resource)) {
selfSRStorage := selfsubjectreview.NewREST()
storage[resource] = selfSRStorage
}
return storage
}
func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage { func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
storage := map[string]rest.Storage{} storage := map[string]rest.Storage{}

88
test/integration/auth/selfsubjectreview_test.go
View File

@ -26,7 +26,6 @@ import (
"testing" "testing"
authenticationv1 "k8s.io/api/authentication/v1" authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
authenticationv1beta1 "k8s.io/api/authentication/v1beta1" authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
@ -39,7 +38,7 @@ import (
func TestGetsSelfAttributes(t *testing.T) { func TestGetsSelfAttributes(t *testing.T) {
// KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests // KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE allows for APIs pending removal to not block tests
// TODO: Remove this line once authentication v1alpha1 types to be removed in 1.32 are fully removed // TODO: Remove this line when oldest emulation version is 1.34, along with removal of v1beta1 SelfSubjectReview (unservable by default but still servable via this envvar in 1.33)
t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true") t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true")
tests := []struct { tests := []struct {
@ -98,7 +97,6 @@ func TestGetsSelfAttributes(t *testing.T) {
kubeClient, _, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{ kubeClient, _, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
ModifyServerRunOptions: func(opts *options.ServerRunOptions) { ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true") opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true") opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true")
opts.Authorization.Modes = []string{"AlwaysAllow"} opts.Authorization.Modes = []string{"AlwaysAllow"}
@ -121,85 +119,58 @@ func TestGetsSelfAttributes(t *testing.T) {
response = tc.userInfo response = tc.userInfo
respMu.Unlock() respMu.Unlock()
res, err := kubeClient.AuthenticationV1alpha1(). resBeta, err := kubeClient.AuthenticationV1beta1().
SelfSubjectReviews().
Create(tCtx, &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if res == nil {
t.Fatalf("empty response")
}
if res.Status.UserInfo.Username != tc.expectedName {
t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username)
}
if res.Status.UserInfo.UID != tc.expectedUID {
t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID)
}
if !reflect.DeepEqual(res.Status.UserInfo.Groups, tc.expectedGroups) {
t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups)
}
if !reflect.DeepEqual(res.Status.UserInfo.Extra, tc.expectedExtra) {
t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
}
res2, err := kubeClient.AuthenticationV1beta1().
SelfSubjectReviews(). SelfSubjectReviews().
Create(tCtx, &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{}) Create(tCtx, &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error: %v", err) t.Fatalf("unexpected error: %v", err)
} }
if res2 == nil { if resBeta == nil {
t.Fatalf("empty response") t.Fatalf("empty response")
} }
if res2.Status.UserInfo.Username != tc.expectedName { if resBeta.Status.UserInfo.Username != tc.expectedName {
t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username) t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, resBeta.Status.UserInfo.Username)
} }
if res2.Status.UserInfo.UID != tc.expectedUID { if resBeta.Status.UserInfo.UID != tc.expectedUID {
t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID) t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, resBeta.Status.UserInfo.UID)
} }
if !reflect.DeepEqual(res2.Status.UserInfo.Groups, tc.expectedGroups) { if !reflect.DeepEqual(resBeta.Status.UserInfo.Groups, tc.expectedGroups) {
t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups) t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, resBeta.Status.UserInfo.Groups)
} }
if !reflect.DeepEqual(res2.Status.UserInfo.Extra, tc.expectedExtra) { if !reflect.DeepEqual(resBeta.Status.UserInfo.Extra, tc.expectedExtra) {
t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra) t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, resBeta.Status.UserInfo.Extra)
} }
res3, err := kubeClient.AuthenticationV1(). resV1, err := kubeClient.AuthenticationV1().
SelfSubjectReviews(). SelfSubjectReviews().
Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{}) Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error: %v", err) t.Fatalf("unexpected error: %v", err)
} }
if res3 == nil { if resV1 == nil {
t.Fatalf("empty response") t.Fatalf("empty response")
} }
if res3.Status.UserInfo.Username != tc.expectedName { if resV1.Status.UserInfo.Username != tc.expectedName {
t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username) t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, resV1.Status.UserInfo.Username)
} }
if res3.Status.UserInfo.UID != tc.expectedUID { if resV1.Status.UserInfo.UID != tc.expectedUID {
t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID) t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, resV1.Status.UserInfo.UID)
} }
if !reflect.DeepEqual(res3.Status.UserInfo.Groups, tc.expectedGroups) { if !reflect.DeepEqual(resV1.Status.UserInfo.Groups, tc.expectedGroups) {
t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups) t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, resV1.Status.UserInfo.Groups)
} }
if !reflect.DeepEqual(res3.Status.UserInfo.Extra, tc.expectedExtra) { if !reflect.DeepEqual(resV1.Status.UserInfo.Extra, tc.expectedExtra) {
t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra) t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, resV1.Status.UserInfo.Extra)
} }
}) })
} }
@ -212,7 +183,6 @@ func TestGetsSelfAttributesError(t *testing.T) {
tCtx := ktesting.Init(t) tCtx := ktesting.Init(t)
kubeClient, _, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{ kubeClient, _, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
ModifyServerRunOptions: func(opts *options.ServerRunOptions) { ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true") opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true") opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true")
opts.Authorization.Modes = []string{"AlwaysAllow"} opts.Authorization.Modes = []string{"AlwaysAllow"}
@ -237,22 +207,6 @@ func TestGetsSelfAttributesError(t *testing.T) {
expected := fmt.Errorf("Unauthorized") expected := fmt.Errorf("Unauthorized")
{ // v1alpha1
toggle.Store(!toggle.Load().(bool))
_, err := kubeClient.AuthenticationV1alpha1().
SelfSubjectReviews().
Create(tCtx, &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
if err == nil {
t.Fatalf("expected error: %v, got nil", err)
}
toggle.Store(!toggle.Load().(bool))
if expected.Error() != err.Error() {
t.Fatalf("expected error: %v, got %v", expected, err)
}
}
{ // v1beta1 { // v1beta1
toggle.Store(!toggle.Load().(bool)) toggle.Store(!toggle.Load().(bool))