test/e2e/auth: enhance assertions
This commit is contained in:
parent
b15d3b629f
commit
6791ba2590
@ -243,7 +243,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
framework.ExpectEqual(found, true, fmt.Sprintf("expected certificates API group/version, got %#v", discoveryGroups.Groups))
|
if !found {
|
||||||
|
framework.Failf("expected certificates API group/version, got %#v", discoveryGroups.Groups)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ginkgo.By("getting /apis/certificates.k8s.io")
|
ginkgo.By("getting /apis/certificates.k8s.io")
|
||||||
@ -258,7 +260,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
framework.ExpectEqual(found, true, fmt.Sprintf("expected certificates API version, got %#v", group.Versions))
|
if !found {
|
||||||
|
framework.Failf("expected certificates API version, got %#v", group.Versions)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ginkgo.By("getting /apis/certificates.k8s.io/" + csrVersion)
|
ginkgo.By("getting /apis/certificates.k8s.io/" + csrVersion)
|
||||||
@ -276,9 +280,15 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
|||||||
foundStatus = true
|
foundStatus = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
framework.ExpectEqual(foundCSR, true, fmt.Sprintf("expected certificatesigningrequests, got %#v", resources.APIResources))
|
if !foundCSR {
|
||||||
framework.ExpectEqual(foundApproval, true, fmt.Sprintf("expected certificatesigningrequests/approval, got %#v", resources.APIResources))
|
framework.Failf("expected certificatesigningrequests, got %#v", resources.APIResources)
|
||||||
framework.ExpectEqual(foundStatus, true, fmt.Sprintf("expected certificatesigningrequests/status, got %#v", resources.APIResources))
|
}
|
||||||
|
if !foundApproval {
|
||||||
|
framework.Failf("expected certificatesigningrequests/approval, got %#v", resources.APIResources)
|
||||||
|
}
|
||||||
|
if !foundStatus {
|
||||||
|
framework.Failf("expected certificatesigningrequests/status, got %#v", resources.APIResources)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Main resource create/read/update/watch operations
|
// Main resource create/read/update/watch operations
|
||||||
@ -323,10 +333,14 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
|||||||
for sawAnnotations := false; !sawAnnotations; {
|
for sawAnnotations := false; !sawAnnotations; {
|
||||||
select {
|
select {
|
||||||
case evt, ok := <-csrWatch.ResultChan():
|
case evt, ok := <-csrWatch.ResultChan():
|
||||||
framework.ExpectEqual(ok, true, "watch channel should not close")
|
if !ok {
|
||||||
|
framework.Fail("watch channel should not close")
|
||||||
|
}
|
||||||
framework.ExpectEqual(evt.Type, watch.Modified)
|
framework.ExpectEqual(evt.Type, watch.Modified)
|
||||||
watchedCSR, isCSR := evt.Object.(*certificatesv1.CertificateSigningRequest)
|
watchedCSR, isCSR := evt.Object.(*certificatesv1.CertificateSigningRequest)
|
||||||
framework.ExpectEqual(isCSR, true, fmt.Sprintf("expected CSR, got %T", evt.Object))
|
if !isCSR {
|
||||||
|
framework.Failf("expected CSR, got %T", evt.Object)
|
||||||
|
}
|
||||||
if watchedCSR.Annotations["patched"] == "true" {
|
if watchedCSR.Annotations["patched"] == "true" {
|
||||||
framework.Logf("saw patched and updated annotations")
|
framework.Logf("saw patched and updated annotations")
|
||||||
sawAnnotations = true
|
sawAnnotations = true
|
||||||
@ -404,7 +418,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
|||||||
err = csrClient.Delete(context.TODO(), createdCSR.Name, metav1.DeleteOptions{})
|
err = csrClient.Delete(context.TODO(), createdCSR.Name, metav1.DeleteOptions{})
|
||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
_, err = csrClient.Get(context.TODO(), createdCSR.Name, metav1.GetOptions{})
|
_, err = csrClient.Get(context.TODO(), createdCSR.Name, metav1.GetOptions{})
|
||||||
framework.ExpectEqual(apierrors.IsNotFound(err), true, fmt.Sprintf("expected 404, got %#v", err))
|
if !apierrors.IsNotFound(err) {
|
||||||
|
framework.Failf("expected 404, got %#v", err)
|
||||||
|
}
|
||||||
csrs, err = csrClient.List(context.TODO(), metav1.ListOptions{FieldSelector: "spec.signerName=" + signerName})
|
csrs, err = csrClient.List(context.TODO(), metav1.ListOptions{FieldSelector: "spec.signerName=" + signerName})
|
||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
framework.ExpectEqual(len(csrs.Items), 2, "filtered list should have 2 items")
|
framework.ExpectEqual(len(csrs.Items), 2, "filtered list should have 2 items")
|
||||||
|
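Review bot: In the watch hunk, `framework.ExpectEqual(evt.Type, watch.Modified)` is left in the assertion style the rest of the commit removes, sitting between two checks that were converted to `if`/`Failf`; the same goes for `framework.ExpectEqual(len(csrs.Items), 2, "filtered list should have 2 items")` in the delete hunk. For uniformity: `if evt.Type != watch.Modified { framework.Failf("expected %v event, got %v", watch.Modified, evt.Type) }`. The new `if !isCSR { framework.Failf(...) }` guard relies on Failf aborting the test before `watchedCSR.Annotations` is read from a nil pointer, which is how framework.Failf behaves today but is worth a one-line comment so a later change to the helper does not turn this into a nil dereference. The enclosing func starts and ends outside these hunks.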
@ -19,10 +19,10 @@ package auth
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
v1 "k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
@ -69,7 +69,9 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
|||||||
})
|
})
|
||||||
ginkgo.It("Getting a non-existent secret should exit with the Forbidden error, not a NotFound error", func() {
|
ginkgo.It("Getting a non-existent secret should exit with the Forbidden error, not a NotFound error", func() {
|
||||||
_, err := c.CoreV1().Secrets(ns).Get(context.TODO(), "foo", metav1.GetOptions{})
|
_, err := c.CoreV1().Secrets(ns).Get(context.TODO(), "foo", metav1.GetOptions{})
|
||||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
if !apierrors.IsForbidden(err) {
|
||||||
|
framework.Failf("should be a forbidden error, got %#v", err)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
ginkgo.It("Getting an existing secret should exit with the Forbidden error", func() {
|
ginkgo.It("Getting an existing secret should exit with the Forbidden error", func() {
|
||||||
@ -84,12 +86,16 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
|||||||
_, err := f.ClientSet.CoreV1().Secrets(ns).Create(context.TODO(), secret, metav1.CreateOptions{})
|
_, err := f.ClientSet.CoreV1().Secrets(ns).Create(context.TODO(), secret, metav1.CreateOptions{})
|
||||||
framework.ExpectNoError(err, "failed to create secret (%s:%s) %+v", ns, secret.Name, *secret)
|
framework.ExpectNoError(err, "failed to create secret (%s:%s) %+v", ns, secret.Name, *secret)
|
||||||
_, err = c.CoreV1().Secrets(ns).Get(context.TODO(), secret.Name, metav1.GetOptions{})
|
_, err = c.CoreV1().Secrets(ns).Get(context.TODO(), secret.Name, metav1.GetOptions{})
|
||||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
if !apierrors.IsForbidden(err) {
|
||||||
|
framework.Failf("should be a forbidden error, got %#v", err)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
ginkgo.It("Getting a non-existent configmap should exit with the Forbidden error, not a NotFound error", func() {
|
ginkgo.It("Getting a non-existent configmap should exit with the Forbidden error, not a NotFound error", func() {
|
||||||
_, err := c.CoreV1().ConfigMaps(ns).Get(context.TODO(), "foo", metav1.GetOptions{})
|
_, err := c.CoreV1().ConfigMaps(ns).Get(context.TODO(), "foo", metav1.GetOptions{})
|
||||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
if !apierrors.IsForbidden(err) {
|
||||||
|
framework.Failf("should be a forbidden error, got %#v", err)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
ginkgo.It("Getting an existing configmap should exit with the Forbidden error", func() {
|
ginkgo.It("Getting an existing configmap should exit with the Forbidden error", func() {
|
||||||
@ -106,7 +112,9 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
|||||||
_, err := f.ClientSet.CoreV1().ConfigMaps(ns).Create(context.TODO(), configmap, metav1.CreateOptions{})
|
_, err := f.ClientSet.CoreV1().ConfigMaps(ns).Create(context.TODO(), configmap, metav1.CreateOptions{})
|
||||||
framework.ExpectNoError(err, "failed to create configmap (%s:%s) %+v", ns, configmap.Name, *configmap)
|
framework.ExpectNoError(err, "failed to create configmap (%s:%s) %+v", ns, configmap.Name, *configmap)
|
||||||
_, err = c.CoreV1().ConfigMaps(ns).Get(context.TODO(), configmap.Name, metav1.GetOptions{})
|
_, err = c.CoreV1().ConfigMaps(ns).Get(context.TODO(), configmap.Name, metav1.GetOptions{})
|
||||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
if !apierrors.IsForbidden(err) {
|
||||||
|
framework.Failf("should be a forbidden error, got %#v", err)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
ginkgo.It("Getting a secret for a workload the node has access to should succeed", func() {
|
ginkgo.It("Getting a secret for a workload the node has access to should succeed", func() {
|
||||||
@ -125,7 +133,9 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
|||||||
|
|
||||||
ginkgo.By("Node should not get the secret")
|
ginkgo.By("Node should not get the secret")
|
||||||
_, err = c.CoreV1().Secrets(ns).Get(context.TODO(), secret.Name, metav1.GetOptions{})
|
_, err = c.CoreV1().Secrets(ns).Get(context.TODO(), secret.Name, metav1.GetOptions{})
|
||||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
if !apierrors.IsForbidden(err) {
|
||||||
|
framework.Failf("should be a forbidden error, got %#v", err)
|
||||||
|
}
|
||||||
|
|
||||||
ginkgo.By("Create a pod that use the secret")
|
ginkgo.By("Create a pod that use the secret")
|
||||||
pod := &v1.Pod{
|
pod := &v1.Pod{
|
||||||
@ -187,12 +197,16 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
|||||||
defer func() {
|
defer func() {
|
||||||
f.ClientSet.CoreV1().Nodes().Delete(context.TODO(), node.Name, metav1.DeleteOptions{})
|
f.ClientSet.CoreV1().Nodes().Delete(context.TODO(), node.Name, metav1.DeleteOptions{})
|
||||||
}()
|
}()
|
||||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
if !apierrors.IsForbidden(err) {
|
||||||
|
framework.Failf("should be a forbidden error, got %#v", err)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
ginkgo.It("A node shouldn't be able to delete another node", func() {
|
ginkgo.It("A node shouldn't be able to delete another node", func() {
|
||||||
ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
|
ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
|
||||||
err := c.CoreV1().Nodes().Delete(context.TODO(), "foo", metav1.DeleteOptions{})
|
err := c.CoreV1().Nodes().Delete(context.TODO(), "foo", metav1.DeleteOptions{})
|
||||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
if !apierrors.IsForbidden(err) {
|
||||||
|
framework.Failf("should be a forbidden error, got %#v", err)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
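Review bot: In the converted NodeAuthorizer checks (non-existent secret, existing secret, configmap and node-delete cases), a nil err — meaning the node's request was authorized and succeeded — falls into the same `Failf("should be a forbidden error, got %#v", err)` path and prints `got <nil>`, which hides the most serious outcome (an authorization gap) behind a message about the wrong error type. Consider a dedicated branch ahead of it: `if err == nil { framework.Fail("expected a forbidden error, but the request succeeded") }`. The import hunk appears, if the side-by-side reads old-left/new-right, to place `apierrors` between `"fmt"` and `"time"` in the standard-library group; goimports would move it into the k8s.io group. Each `ginkgo.It` body continues outside its hunk.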
@ -113,13 +113,21 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
|||||||
tokenReview := &authenticationv1.TokenReview{Spec: authenticationv1.TokenReviewSpec{Token: mountedToken}}
|
tokenReview := &authenticationv1.TokenReview{Spec: authenticationv1.TokenReviewSpec{Token: mountedToken}}
|
||||||
tokenReview, err = f.ClientSet.AuthenticationV1().TokenReviews().Create(context.TODO(), tokenReview, metav1.CreateOptions{})
|
tokenReview, err = f.ClientSet.AuthenticationV1().TokenReviews().Create(context.TODO(), tokenReview, metav1.CreateOptions{})
|
||||||
framework.ExpectNoError(err)
|
framework.ExpectNoError(err)
|
||||||
framework.ExpectEqual(tokenReview.Status.Authenticated, true)
|
if !tokenReview.Status.Authenticated {
|
||||||
|
framework.Fail("tokenReview is not authenticated")
|
||||||
|
}
|
||||||
framework.ExpectEqual(tokenReview.Status.Error, "")
|
framework.ExpectEqual(tokenReview.Status.Error, "")
|
||||||
framework.ExpectEqual(tokenReview.Status.User.Username, "system:serviceaccount:"+f.Namespace.Name+":"+sa.Name)
|
framework.ExpectEqual(tokenReview.Status.User.Username, "system:serviceaccount:"+f.Namespace.Name+":"+sa.Name)
|
||||||
groups := sets.NewString(tokenReview.Status.User.Groups...)
|
groups := sets.NewString(tokenReview.Status.User.Groups...)
|
||||||
framework.ExpectEqual(groups.Has("system:authenticated"), true, fmt.Sprintf("expected system:authenticated group, had %v", groups.List()))
|
if !groups.Has("system:authenticated") {
|
||||||
framework.ExpectEqual(groups.Has("system:serviceaccounts"), true, fmt.Sprintf("expected system:serviceaccounts group, had %v", groups.List()))
|
framework.Failf("expected system:authenticated group, had %v", groups.List())
|
||||||
framework.ExpectEqual(groups.Has("system:serviceaccounts:"+f.Namespace.Name), true, fmt.Sprintf("expected system:serviceaccounts:"+f.Namespace.Name+" group, had %v", groups.List()))
|
}
|
||||||
|
if !groups.Has("system:serviceaccounts") {
|
||||||
|
framework.Failf("expected system:serviceaccounts group, had %v", groups.List())
|
||||||
|
}
|
||||||
|
if !groups.Has("system:serviceaccounts:" + f.Namespace.Name) {
|
||||||
|
framework.Failf("expected system:serviceaccounts:%s group, had %v", f.Namespace.Name, groups.List())
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -671,8 +679,9 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
framework.ExpectEqual(eventFound, true, "failed to find %v event", watch.Added)
|
if !eventFound {
|
||||||
|
framework.Failf("failed to find %v event", watch.Added)
|
||||||
|
}
|
||||||
ginkgo.By("patching the ServiceAccount")
|
ginkgo.By("patching the ServiceAccount")
|
||||||
boolFalse := false
|
boolFalse := false
|
||||||
testServiceAccountPatchData, err := json.Marshal(v1.ServiceAccount{
|
testServiceAccountPatchData, err := json.Marshal(v1.ServiceAccount{
|
||||||
@ -688,8 +697,9 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
framework.ExpectEqual(eventFound, true, "failed to find %v event", watch.Modified)
|
if !eventFound {
|
||||||
|
framework.Failf("failed to find %v event", watch.Modified)
|
||||||
|
}
|
||||||
ginkgo.By("finding ServiceAccount in list of all ServiceAccounts (by LabelSelector)")
|
ginkgo.By("finding ServiceAccount in list of all ServiceAccounts (by LabelSelector)")
|
||||||
serviceAccountList, err := f.ClientSet.CoreV1().ServiceAccounts("").List(context.TODO(), metav1.ListOptions{LabelSelector: testServiceAccountStaticLabelsFlat})
|
serviceAccountList, err := f.ClientSet.CoreV1().ServiceAccounts("").List(context.TODO(), metav1.ListOptions{LabelSelector: testServiceAccountStaticLabelsFlat})
|
||||||
framework.ExpectNoError(err, "failed to list ServiceAccounts by LabelSelector")
|
framework.ExpectNoError(err, "failed to list ServiceAccounts by LabelSelector")
|
||||||
@ -700,8 +710,9 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
framework.ExpectEqual(foundServiceAccount, true, "failed to find the created ServiceAccount")
|
if !foundServiceAccount {
|
||||||
|
framework.Fail("failed to find the created ServiceAccount")
|
||||||
|
}
|
||||||
ginkgo.By("deleting the ServiceAccount")
|
ginkgo.By("deleting the ServiceAccount")
|
||||||
err = f.ClientSet.CoreV1().ServiceAccounts(testNamespaceName).DeleteCollection(context.TODO(), metav1.DeleteOptions{}, metav1.ListOptions{})
|
err = f.ClientSet.CoreV1().ServiceAccounts(testNamespaceName).DeleteCollection(context.TODO(), metav1.DeleteOptions{}, metav1.ListOptions{})
|
||||||
framework.ExpectNoError(err, "failed to delete the ServiceAccount by Collection")
|
framework.ExpectNoError(err, "failed to delete the ServiceAccount by Collection")
|
||||||
@ -712,7 +723,9 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
framework.ExpectEqual(eventFound, true, "failed to find %v event", watch.Deleted)
|
if !eventFound {
|
||||||
|
framework.Failf("failed to find %v event", watch.Deleted)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
/*
|
/*
|
||||||
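Review bot: `framework.Fail("tokenReview is not authenticated")` drops the reason the API server returns: `tokenReview.Status.Error` typically carries it when authentication fails, and it is only asserted empty on the following line, after the test has already stopped. Include it in the failure: `framework.Failf("tokenReview is not authenticated: %s", tokenReview.Status.Error)`. The remaining `framework.ExpectEqual(tokenReview.Status.Error, "")` and the username check are left in the old style next to the converted group checks; converting them to the same `if`/`Failf` form would keep the block uniform. The enclosing `ginkgo.It` begins and ends outside the hunk.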
|