github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

Make controlplane integation tests coexist with default API server config

Browse Source
This commit is contained in:
Jordan Liggitt 2022-09-20 13:52:34 -04:00
parent e5c4c9b2c0
commit 6473f8c7e3
No known key found for this signature in database
2 changed files with 31 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
test/integration/controlplane/synthetic_controlplane_test.go
View File

@ -39,20 +39,11 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/wait"
authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
clientset "k8s.io/client-go/kubernetes"
clienttypedv1 "k8s.io/client-go/kubernetes/typed/core/v1"
restclient "k8s.io/client-go/rest"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/pkg/controlplane"
"k8s.io/kubernetes/test/integration"
"k8s.io/kubernetes/test/integration/framework"
)
@ -63,15 +54,6 @@ const (
BobToken string = "xyz987" // username: bob. Present in token file.
)
type allowAliceAuthorizer struct{}
func (allowAliceAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
if a.GetUser() != nil && a.GetUser().GetName() == "alice" {
return authorizer.DecisionAllow, "", nil
}
return authorizer.DecisionNoOpinion, "I can't allow that. Go ask alice.", nil
}
func testPrefix(t *testing.T, prefix string) {
server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
defer server.TearDownFn()
@ -163,68 +145,54 @@ func TestEmptyList(t *testing.T) {
}
}
func initStatusForbiddenControlPlaneConfig(config *controlplane.Config) {
config.GenericConfig.Authentication.Authenticator = authenticatorunion.New(
authauthenticator.RequestFunc(func(req *http.Request) (*authauthenticator.Response, bool, error) {
return &authauthenticator.Response{
User: &user.DefaultInfo{
Name: "unprivileged",
Groups: []string{user.AllAuthenticated},
},
}, true, nil
}))
config.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
func initStatusForbiddenControlPlaneConfig(options *options.ServerRunOptions) {
options.Authorization.Modes = []string{"AlwaysDeny"}
}
func initUnauthorizedControlPlaneConfig(config *controlplane.Config) {
tokenAuthenticator := tokentest.New()
tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"}
tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"}
config.GenericConfig.Authentication.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated})
config.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
func initUnauthorizedControlPlaneConfig(options *options.ServerRunOptions) {
options.Authentication.Anonymous.Allow = false
}
func TestStatus(t *testing.T) {
testCases := []struct {
name string
modifyConfig func(*controlplane.Config)
statusCode int
reqPath string
reason string
message string
name string
modifyOptions func(*options.ServerRunOptions)
statusCode int
reqPath string
reason string
message string
}{
{
name: "404",
modifyConfig: nil,
statusCode: http.StatusNotFound,
reqPath: "/apis/batch/v1/namespaces/default/jobs/foo",
reason: "NotFound",
message: `jobs.batch "foo" not found`,
name: "404",
statusCode: http.StatusNotFound,
reqPath: "/apis/batch/v1/namespaces/default/jobs/foo",
reason: "NotFound",
message: `jobs.batch "foo" not found`,
},
{
name: "403",
modifyConfig: initStatusForbiddenControlPlaneConfig,
statusCode: http.StatusForbidden,
reqPath: "/apis",
reason: "Forbidden",
message: `forbidden: User "unprivileged" cannot get path "/apis": Everything is forbidden.`,
name: "403",
modifyOptions: initStatusForbiddenControlPlaneConfig,
statusCode: http.StatusForbidden,
reqPath: "/apis",
reason: "Forbidden",
message: `forbidden: User "system:anonymous" cannot get path "/apis": Everything is forbidden.`,
},
{
name: "401",
modifyConfig: initUnauthorizedControlPlaneConfig,
statusCode: http.StatusUnauthorized,
reqPath: "/apis",
reason: "Unauthorized",
message: `Unauthorized`,
name: "401",
modifyOptions: initUnauthorizedControlPlaneConfig,
statusCode: http.StatusUnauthorized,
reqPath: "/apis",
reason: "Unauthorized",
message: `Unauthorized`,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
_, kubeConfig, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
ModifyServerConfig: func(config *controlplane.Config) {
if tc.modifyConfig != nil {
tc.modifyConfig(config)
ModifyServerRunOptions: func(options *options.ServerRunOptions) {
if tc.modifyOptions != nil {
tc.modifyOptions(options)
}
},
})
@ -232,7 +200,7 @@ func TestStatus(t *testing.T) {
// When modifying authenticator and authorizer, don't use
// bearer token than will be always authorized.
if tc.modifyConfig != nil {
if tc.modifyOptions != nil {
kubeConfig.BearerToken = ""
}
transport, err := restclient.TransportFor(kubeConfig)

1
vendor/modules.txt vendored
View File

@ -1627,7 +1627,6 @@ k8s.io/apiserver/plugin/pkg/audit/log
k8s.io/apiserver/plugin/pkg/audit/truncate
k8s.io/apiserver/plugin/pkg/audit/webhook
k8s.io/apiserver/plugin/pkg/authenticator/token/oidc
k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest
k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
k8s.io/apiserver/plugin/pkg/authorizer/webhook
# k8s.io/cli-runtime v0.0.0 => ./staging/src/k8s.io/cli-runtime