From 6473f8c7e323bf21b1f4780528facb3bf89f4306 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 20 Sep 2022 13:52:34 -0400
Subject: [PATCH] Make controlplane integation tests coexist with default API server config
---
 .../synthetic_controlplane_test.go | 94 ++++++-------------
 vendor/modules.txt | 1 -
 2 files changed, 31 insertions(+), 64 deletions(-)
diff --git a/test/integration/controlplane/synthetic_controlplane_test.go b/test/integration/controlplane/synthetic_controlplane_test.go
index 57d5351c249..c432351d8ef 100644
--- a/test/integration/controlplane/synthetic_controlplane_test.go
+++ b/test/integration/controlplane/synthetic_controlplane_test.go
@@ -39,20 +39,11 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/util/wait"
- authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
- "k8s.io/apiserver/pkg/authentication/group"
- "k8s.io/apiserver/pkg/authentication/request/bearertoken"
- authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
- "k8s.io/apiserver/pkg/authentication/user"
- "k8s.io/apiserver/pkg/authorization/authorizer"
- "k8s.io/apiserver/pkg/authorization/authorizerfactory"
- "k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
 clientset "k8s.io/client-go/kubernetes"
 clienttypedv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 restclient "k8s.io/client-go/rest"
 "k8s.io/kubernetes/cmd/kube-apiserver/app/options"
 kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
- "k8s.io/kubernetes/pkg/controlplane"
 "k8s.io/kubernetes/test/integration"
 "k8s.io/kubernetes/test/integration/framework"
 )
@@ -63,15 +54,6 @@ const ( BobToken string = "xyz987" // username: bob. Present in token file. ) -type allowAliceAuthorizer struct{} - -func (allowAliceAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) { - if a.GetUser() != nil && a.GetUser().GetName() == "alice" { - return authorizer.DecisionAllow, "", nil - } - return authorizer.DecisionNoOpinion, "I can't allow that. Go ask alice.", nil -} - func testPrefix(t *testing.T, prefix string) { server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd()) defer server.TearDownFn() 
@@ -163,68 +145,54 @@ func TestEmptyList(t *testing.T) { } } -func initStatusForbiddenControlPlaneConfig(config *controlplane.Config) { - config.GenericConfig.Authentication.Authenticator = authenticatorunion.New( - authauthenticator.RequestFunc(func(req *http.Request) (*authauthenticator.Response, bool, error) { - return &authauthenticator.Response{ - User: &user.DefaultInfo{ - Name: "unprivileged", - Groups: []string{user.AllAuthenticated}, - }, - }, true, nil - })) - config.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() +func initStatusForbiddenControlPlaneConfig(options *options.ServerRunOptions) { + options.Authorization.Modes = []string{"AlwaysDeny"} } -func initUnauthorizedControlPlaneConfig(config *controlplane.Config) { - tokenAuthenticator := tokentest.New() - tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"} - tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"} - config.GenericConfig.Authentication.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated}) - config.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{} +func initUnauthorizedControlPlaneConfig(options *options.ServerRunOptions) { + options.Authentication.Anonymous.Allow = false } func TestStatus(t *testing.T) { testCases := []struct { - name string - modifyConfig func(*controlplane.Config) - statusCode int - reqPath string - reason string - message string + name string + modifyOptions func(*options.ServerRunOptions) + statusCode int + reqPath string + reason string + message string }{ { - name: "404", - modifyConfig: nil, - statusCode: http.StatusNotFound, - reqPath: "/apis/batch/v1/namespaces/default/jobs/foo", - reason: "NotFound", - message: `jobs.batch "foo" not found`, + name: "404", + statusCode: http.StatusNotFound, + reqPath: "/apis/batch/v1/namespaces/default/jobs/foo", + reason: "NotFound", + message: `jobs.batch "foo" not 
found`, }, { - name: "403", - modifyConfig: initStatusForbiddenControlPlaneConfig, - statusCode: http.StatusForbidden, - reqPath: "/apis", - reason: "Forbidden", - message: `forbidden: User "unprivileged" cannot get path "/apis": Everything is forbidden.`, + name: "403", + modifyOptions: initStatusForbiddenControlPlaneConfig, + statusCode: http.StatusForbidden, + reqPath: "/apis", + reason: "Forbidden", + message: `forbidden: User "system:anonymous" cannot get path "/apis": Everything is forbidden.`, }, { - name: "401", - modifyConfig: initUnauthorizedControlPlaneConfig, - statusCode: http.StatusUnauthorized, - reqPath: "/apis", - reason: "Unauthorized", - message: `Unauthorized`, + name: "401", + modifyOptions: initUnauthorizedControlPlaneConfig, + statusCode: http.StatusUnauthorized, + reqPath: "/apis", + reason: "Unauthorized", + message: `Unauthorized`, }, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { _, kubeConfig, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{ - ModifyServerConfig: func(config *controlplane.Config) { - if tc.modifyConfig != nil { - tc.modifyConfig(config) + ModifyServerRunOptions: func(options *options.ServerRunOptions) { + if tc.modifyOptions != nil { + tc.modifyOptions(options) } }, }) @@ -232,7 +200,7 @@ func TestStatus(t *testing.T) { // When modifying authenticator and authorizer, don't use // bearer token than will be always authorized. - if tc.modifyConfig != nil { + if tc.modifyOptions != nil { kubeConfig.BearerToken = "" } transport, err := restclient.TransportFor(kubeConfig) diff --git a/vendor/modules.txt b/vendor/modules.txt index 116a81f7099..b75ab2f92b0 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
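Review bot: The 403 case now depends on a server default it never sets: `initStatusForbiddenControlPlaneConfig` only switches `Authorization.Modes` to `AlwaysDeny`, while the expected message names `system:anonymous`, so the case passes only while anonymous authentication stays enabled in the test server's defaults (otherwise the credential-less request would presumably be answered with 401 rather than 403). Stating the precondition in the helper, `options.Authentication.Anonymous.Allow = true`, mirrors the explicit `Allow = false` in the 401 helper and makes the case independent of later default changes. Separately, the parameter name `options` shadows the imported `options` package inside both helpers; `opts *options.ServerRunOptions` avoids that. The 401 case also no longer exercises a rejected bearer token, only a request carrying no credentials, which may deserve a short comment if the narrower coverage is intentional. TestStatus continues past this hunk.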
@@ -1627,7 +1627,6 @@ k8s.io/apiserver/plugin/pkg/audit/log
 k8s.io/apiserver/plugin/pkg/audit/truncate
 k8s.io/apiserver/plugin/pkg/audit/webhook
 k8s.io/apiserver/plugin/pkg/authenticator/token/oidc
-k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest
 k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
 k8s.io/apiserver/plugin/pkg/authorizer/webhook
 # k8s.io/cli-runtime v0.0.0 => ./staging/src/k8s.io/cli-runtime