Make controlplane integration tests coexist with default API server config

This commit is contained in:
Jordan Liggitt 2022-09-20 13:52:34 -04:00
parent e5c4c9b2c0
commit 6473f8c7e3
No known key found for this signature in database
2 changed files with 31 additions and 64 deletions


@ -39,20 +39,11 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"
clienttypedv1 "k8s.io/client-go/kubernetes/typed/core/v1" clienttypedv1 "k8s.io/client-go/kubernetes/typed/core/v1"
restclient "k8s.io/client-go/rest" restclient "k8s.io/client-go/rest"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options" "k8s.io/kubernetes/cmd/kube-apiserver/app/options"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/pkg/controlplane"
"k8s.io/kubernetes/test/integration" "k8s.io/kubernetes/test/integration"
"k8s.io/kubernetes/test/integration/framework" "k8s.io/kubernetes/test/integration/framework"
) )
@ -63,15 +54,6 @@ const (
BobToken string = "xyz987" // username: bob. Present in token file. BobToken string = "xyz987" // username: bob. Present in token file.
) )
type allowAliceAuthorizer struct{}
func (allowAliceAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
if a.GetUser() != nil && a.GetUser().GetName() == "alice" {
return authorizer.DecisionAllow, "", nil
}
return authorizer.DecisionNoOpinion, "I can't allow that. Go ask alice.", nil
}
func testPrefix(t *testing.T, prefix string) { func testPrefix(t *testing.T, prefix string) {
server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd()) server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
defer server.TearDownFn() defer server.TearDownFn()
@ -163,68 +145,54 @@ func TestEmptyList(t *testing.T) {
} }
} }
func initStatusForbiddenControlPlaneConfig(config *controlplane.Config) { func initStatusForbiddenControlPlaneConfig(options *options.ServerRunOptions) {
config.GenericConfig.Authentication.Authenticator = authenticatorunion.New( options.Authorization.Modes = []string{"AlwaysDeny"}
authauthenticator.RequestFunc(func(req *http.Request) (*authauthenticator.Response, bool, error) {
return &authauthenticator.Response{
User: &user.DefaultInfo{
Name: "unprivileged",
Groups: []string{user.AllAuthenticated},
},
}, true, nil
}))
config.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
} }
func initUnauthorizedControlPlaneConfig(config *controlplane.Config) { func initUnauthorizedControlPlaneConfig(options *options.ServerRunOptions) {
tokenAuthenticator := tokentest.New() options.Authentication.Anonymous.Allow = false
tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"}
tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"}
config.GenericConfig.Authentication.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated})
config.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
} }
func TestStatus(t *testing.T) { func TestStatus(t *testing.T) {
testCases := []struct { testCases := []struct {
name string name string
modifyConfig func(*controlplane.Config) modifyOptions func(*options.ServerRunOptions)
statusCode int statusCode int
reqPath string reqPath string
reason string reason string
message string message string
}{ }{
{ {
name: "404", name: "404",
modifyConfig: nil, statusCode: http.StatusNotFound,
statusCode: http.StatusNotFound, reqPath: "/apis/batch/v1/namespaces/default/jobs/foo",
reqPath: "/apis/batch/v1/namespaces/default/jobs/foo", reason: "NotFound",
reason: "NotFound", message: `jobs.batch "foo" not found`,
message: `jobs.batch "foo" not found`,
}, },
{ {
name: "403", name: "403",
modifyConfig: initStatusForbiddenControlPlaneConfig, modifyOptions: initStatusForbiddenControlPlaneConfig,
statusCode: http.StatusForbidden, statusCode: http.StatusForbidden,
reqPath: "/apis", reqPath: "/apis",
reason: "Forbidden", reason: "Forbidden",
message: `forbidden: User "unprivileged" cannot get path "/apis": Everything is forbidden.`, message: `forbidden: User "system:anonymous" cannot get path "/apis": Everything is forbidden.`,
}, },
{ {
name: "401", name: "401",
modifyConfig: initUnauthorizedControlPlaneConfig, modifyOptions: initUnauthorizedControlPlaneConfig,
statusCode: http.StatusUnauthorized, statusCode: http.StatusUnauthorized,
reqPath: "/apis", reqPath: "/apis",
reason: "Unauthorized", reason: "Unauthorized",
message: `Unauthorized`, message: `Unauthorized`,
}, },
} }
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
_, kubeConfig, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{ _, kubeConfig, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
ModifyServerConfig: func(config *controlplane.Config) { ModifyServerRunOptions: func(options *options.ServerRunOptions) {
if tc.modifyConfig != nil { if tc.modifyOptions != nil {
tc.modifyConfig(config) tc.modifyOptions(options)
} }
}, },
}) })
@ -232,7 +200,7 @@ func TestStatus(t *testing.T) {
// When modifying authenticator and authorizer, don't use // When modifying authenticator and authorizer, don't use
// bearer token than will be always authorized. // bearer token than will be always authorized.
if tc.modifyConfig != nil { if tc.modifyOptions != nil {
kubeConfig.BearerToken = "" kubeConfig.BearerToken = ""
} }
transport, err := restclient.TransportFor(kubeConfig) transport, err := restclient.TransportFor(kubeConfig)
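Review bot: The 403 case now depends on the test server's default leaving anonymous authentication enabled: the expected message `forbidden: User "system:anonymous" cannot get path "/apis": Everything is forbidden.` only holds because the bearer token is cleared further down in TestStatus and the unauthenticated request falls through to the anonymous identity, yet nothing in initStatusForbiddenControlPlaneConfig pins that. Setting it explicitly, `options.Authentication.Anonymous.Allow = true` next to `options.Authorization.Modes = []string{"AlwaysDeny"}`, makes the case self-describing and mirrors the 401 case, which already sets `Anonymous.Allow = false`. With the tokentest authenticator removed, AliceToken and BobToken in the const block above may only be referenced by code outside this hunk now, so it is worth checking whether they are still used. TestStatus's body continues past the end of the last hunk.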

vendor/modules.txt vendored

@ -1627,7 +1627,6 @@ k8s.io/apiserver/plugin/pkg/audit/log
k8s.io/apiserver/plugin/pkg/audit/truncate k8s.io/apiserver/plugin/pkg/audit/truncate
k8s.io/apiserver/plugin/pkg/audit/webhook k8s.io/apiserver/plugin/pkg/audit/webhook
k8s.io/apiserver/plugin/pkg/authenticator/token/oidc k8s.io/apiserver/plugin/pkg/authenticator/token/oidc
k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest
k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
k8s.io/apiserver/plugin/pkg/authorizer/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook
# k8s.io/cli-runtime v0.0.0 => ./staging/src/k8s.io/cli-runtime # k8s.io/cli-runtime v0.0.0 => ./staging/src/k8s.io/cli-runtime