Make controlplane integation tests coexist with default API server config
parent
e5c4c9b2c0
commit
6473f8c7e3
@ -39,20 +39,11 @@ import (
|
|||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
|
|
||||||
"k8s.io/apiserver/pkg/authentication/group"
|
|
||||||
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
|
|
||||||
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
|
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
|
||||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
|
||||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
|
||||||
"k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
|
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
clienttypedv1 "k8s.io/client-go/kubernetes/typed/core/v1"
|
clienttypedv1 "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||||
restclient "k8s.io/client-go/rest"
|
restclient "k8s.io/client-go/rest"
|
||||||
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
|
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
|
||||||
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
|
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
|
||||||
"k8s.io/kubernetes/pkg/controlplane"
|
|
||||||
"k8s.io/kubernetes/test/integration"
|
"k8s.io/kubernetes/test/integration"
|
||||||
"k8s.io/kubernetes/test/integration/framework"
|
"k8s.io/kubernetes/test/integration/framework"
|
||||||
)
|
)
|
||||||
@ -63,15 +54,6 @@ const (
|
|||||||
BobToken string = "xyz987" // username: bob. Present in token file.
|
BobToken string = "xyz987" // username: bob. Present in token file.
|
||||||
)
|
)
|
||||||
|
|
||||||
type allowAliceAuthorizer struct{}
|
|
||||||
|
|
||||||
func (allowAliceAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
|
|
||||||
if a.GetUser() != nil && a.GetUser().GetName() == "alice" {
|
|
||||||
return authorizer.DecisionAllow, "", nil
|
|
||||||
}
|
|
||||||
return authorizer.DecisionNoOpinion, "I can't allow that. Go ask alice.", nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func testPrefix(t *testing.T, prefix string) {
|
func testPrefix(t *testing.T, prefix string) {
|
||||||
server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
|
server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
|
||||||
defer server.TearDownFn()
|
defer server.TearDownFn()
|
||||||
@ -163,68 +145,54 @@ func TestEmptyList(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func initStatusForbiddenControlPlaneConfig(config *controlplane.Config) {
|
func initStatusForbiddenControlPlaneConfig(options *options.ServerRunOptions) {
|
||||||
config.GenericConfig.Authentication.Authenticator = authenticatorunion.New(
|
options.Authorization.Modes = []string{"AlwaysDeny"}
|
||||||
authauthenticator.RequestFunc(func(req *http.Request) (*authauthenticator.Response, bool, error) {
|
|
||||||
return &authauthenticator.Response{
|
|
||||||
User: &user.DefaultInfo{
|
|
||||||
Name: "unprivileged",
|
|
||||||
Groups: []string{user.AllAuthenticated},
|
|
||||||
},
|
|
||||||
}, true, nil
|
|
||||||
}))
|
|
||||||
config.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func initUnauthorizedControlPlaneConfig(config *controlplane.Config) {
|
func initUnauthorizedControlPlaneConfig(options *options.ServerRunOptions) {
|
||||||
tokenAuthenticator := tokentest.New()
|
options.Authentication.Anonymous.Allow = false
|
||||||
tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"}
|
|
||||||
tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"}
|
|
||||||
config.GenericConfig.Authentication.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated})
|
|
||||||
config.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestStatus(t *testing.T) {
|
func TestStatus(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
name string
|
name string
|
||||||
modifyConfig func(*controlplane.Config)
|
modifyOptions func(*options.ServerRunOptions)
|
||||||
statusCode int
|
statusCode int
|
||||||
reqPath string
|
reqPath string
|
||||||
reason string
|
reason string
|
||||||
message string
|
message string
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "404",
|
name: "404",
|
||||||
modifyConfig: nil,
|
statusCode: http.StatusNotFound,
|
||||||
statusCode: http.StatusNotFound,
|
reqPath: "/apis/batch/v1/namespaces/default/jobs/foo",
|
||||||
reqPath: "/apis/batch/v1/namespaces/default/jobs/foo",
|
reason: "NotFound",
|
||||||
reason: "NotFound",
|
message: `jobs.batch "foo" not found`,
|
||||||
message: `jobs.batch "foo" not found`,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "403",
|
name: "403",
|
||||||
modifyConfig: initStatusForbiddenControlPlaneConfig,
|
modifyOptions: initStatusForbiddenControlPlaneConfig,
|
||||||
statusCode: http.StatusForbidden,
|
statusCode: http.StatusForbidden,
|
||||||
reqPath: "/apis",
|
reqPath: "/apis",
|
||||||
reason: "Forbidden",
|
reason: "Forbidden",
|
||||||
message: `forbidden: User "unprivileged" cannot get path "/apis": Everything is forbidden.`,
|
message: `forbidden: User "system:anonymous" cannot get path "/apis": Everything is forbidden.`,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "401",
|
name: "401",
|
||||||
modifyConfig: initUnauthorizedControlPlaneConfig,
|
modifyOptions: initUnauthorizedControlPlaneConfig,
|
||||||
statusCode: http.StatusUnauthorized,
|
statusCode: http.StatusUnauthorized,
|
||||||
reqPath: "/apis",
|
reqPath: "/apis",
|
||||||
reason: "Unauthorized",
|
reason: "Unauthorized",
|
||||||
message: `Unauthorized`,
|
message: `Unauthorized`,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, tc := range testCases {
|
for _, tc := range testCases {
|
||||||
t.Run(tc.name, func(t *testing.T) {
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
_, kubeConfig, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
|
_, kubeConfig, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
|
||||||
ModifyServerConfig: func(config *controlplane.Config) {
|
ModifyServerRunOptions: func(options *options.ServerRunOptions) {
|
||||||
if tc.modifyConfig != nil {
|
if tc.modifyOptions != nil {
|
||||||
tc.modifyConfig(config)
|
tc.modifyOptions(options)
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
@ -232,7 +200,7 @@ func TestStatus(t *testing.T) {
|
|||||||
|
|
||||||
// When modifying authenticator and authorizer, don't use
|
// When modifying authenticator and authorizer, don't use
|
||||||
// bearer token than will be always authorized.
|
// bearer token than will be always authorized.
|
||||||
if tc.modifyConfig != nil {
|
if tc.modifyOptions != nil {
|
||||||
kubeConfig.BearerToken = ""
|
kubeConfig.BearerToken = ""
|
||||||
}
|
}
|
||||||
transport, err := restclient.TransportFor(kubeConfig)
|
transport, err := restclient.TransportFor(kubeConfig)
|
||||||
|
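Review bot: The 403 case now depends on anonymous authentication being enabled by default, which `initStatusForbiddenControlPlaneConfig` never states: it only sets `options.Authorization.Modes = []string{"AlwaysDeny"}`, while the expected message names `system:anonymous` and the request goes out with the bearer token cleared. If the test server's defaults ever turn anonymous access off, this case would presumably get a 401 and stop exercising the authorizer's deny path; adding `options.Authentication.Anonymous.Allow = true` to that helper pins the precondition, mirroring the explicit `= false` in the 401 helper. Separately, both helpers keep the `...ControlPlaneConfig` name although they now take `*options.ServerRunOptions`, and the parameter name `options` shadows the imported package inside their bodies, so a name such as `opts` would read better. The old and new sides here are read from the rendered column order, and the body of TestStatus continues past the visible hunks.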
1
vendor/modules.txt
vendored
1
vendor/modules.txt
vendored
@ -1627,7 +1627,6 @@ k8s.io/apiserver/plugin/pkg/audit/log
|
|||||||
k8s.io/apiserver/plugin/pkg/audit/truncate
|
k8s.io/apiserver/plugin/pkg/audit/truncate
|
||||||
k8s.io/apiserver/plugin/pkg/audit/webhook
|
k8s.io/apiserver/plugin/pkg/audit/webhook
|
||||||
k8s.io/apiserver/plugin/pkg/authenticator/token/oidc
|
k8s.io/apiserver/plugin/pkg/authenticator/token/oidc
|
||||||
k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest
|
|
||||||
k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
|
k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
|
||||||
k8s.io/apiserver/plugin/pkg/authorizer/webhook
|
k8s.io/apiserver/plugin/pkg/authorizer/webhook
|
||||||
# k8s.io/cli-runtime v0.0.0 => ./staging/src/k8s.io/cli-runtime
|
# k8s.io/cli-runtime v0.0.0 => ./staging/src/k8s.io/cli-runtime
|
||||||
|