mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-20 10:20:51 +00:00
test/e2e/auth: enhance assertions
parent
b15d3b629f
commit
6791ba2590
@ -243,7 +243,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
||||
}
|
||||
}
|
||||
}
|
||||
framework.ExpectEqual(found, true, fmt.Sprintf("expected certificates API group/version, got %#v", discoveryGroups.Groups))
|
||||
if !found {
|
||||
framework.Failf("expected certificates API group/version, got %#v", discoveryGroups.Groups)
|
||||
}
|
||||
}
|
||||
|
||||
ginkgo.By("getting /apis/certificates.k8s.io")
|
||||
@ -258,7 +260,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
||||
break
|
||||
}
|
||||
}
|
||||
framework.ExpectEqual(found, true, fmt.Sprintf("expected certificates API version, got %#v", group.Versions))
|
||||
if !found {
|
||||
framework.Failf("expected certificates API version, got %#v", group.Versions)
|
||||
}
|
||||
}
|
||||
|
||||
ginkgo.By("getting /apis/certificates.k8s.io/" + csrVersion)
|
||||
@ -276,9 +280,15 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
||||
foundStatus = true
|
||||
}
|
||||
}
|
||||
framework.ExpectEqual(foundCSR, true, fmt.Sprintf("expected certificatesigningrequests, got %#v", resources.APIResources))
|
||||
framework.ExpectEqual(foundApproval, true, fmt.Sprintf("expected certificatesigningrequests/approval, got %#v", resources.APIResources))
|
||||
framework.ExpectEqual(foundStatus, true, fmt.Sprintf("expected certificatesigningrequests/status, got %#v", resources.APIResources))
|
||||
if !foundCSR {
|
||||
framework.Failf("expected certificatesigningrequests, got %#v", resources.APIResources)
|
||||
}
|
||||
if !foundApproval {
|
||||
framework.Failf("expected certificatesigningrequests/approval, got %#v", resources.APIResources)
|
||||
}
|
||||
if !foundStatus {
|
||||
framework.Failf("expected certificatesigningrequests/status, got %#v", resources.APIResources)
|
||||
}
|
||||
}
|
||||
|
||||
// Main resource create/read/update/watch operations
|
||||
@ -323,10 +333,14 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
||||
for sawAnnotations := false; !sawAnnotations; {
|
||||
select {
|
||||
case evt, ok := <-csrWatch.ResultChan():
|
||||
framework.ExpectEqual(ok, true, "watch channel should not close")
|
||||
if !ok {
|
||||
framework.Fail("watch channel should not close")
|
||||
}
|
||||
framework.ExpectEqual(evt.Type, watch.Modified)
|
||||
watchedCSR, isCSR := evt.Object.(*certificatesv1.CertificateSigningRequest)
|
||||
framework.ExpectEqual(isCSR, true, fmt.Sprintf("expected CSR, got %T", evt.Object))
|
||||
if !isCSR {
|
||||
framework.Failf("expected CSR, got %T", evt.Object)
|
||||
}
|
||||
if watchedCSR.Annotations["patched"] == "true" {
|
||||
framework.Logf("saw patched and updated annotations")
|
||||
sawAnnotations = true
|
||||
@ -404,7 +418,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
|
||||
err = csrClient.Delete(context.TODO(), createdCSR.Name, metav1.DeleteOptions{})
|
||||
framework.ExpectNoError(err)
|
||||
_, err = csrClient.Get(context.TODO(), createdCSR.Name, metav1.GetOptions{})
|
||||
framework.ExpectEqual(apierrors.IsNotFound(err), true, fmt.Sprintf("expected 404, got %#v", err))
|
||||
if !apierrors.IsNotFound(err) {
|
||||
framework.Failf("expected 404, got %#v", err)
|
||||
}
|
||||
csrs, err = csrClient.List(context.TODO(), metav1.ListOptions{FieldSelector: "spec.signerName=" + signerName})
|
||||
framework.ExpectNoError(err)
|
||||
framework.ExpectEqual(len(csrs.Items), 2, "filtered list should have 2 items")
|
||||
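Review bot: In the watch loop of the fourth hunk, `framework.ExpectEqual(evt.Type, watch.Modified)` still runs before the event object is inspected, so an unexpected event type fails with only the two type names and the object that came with the event is never printed. Converting it like the neighbouring checks would keep that detail: `if evt.Type != watch.Modified { framework.Failf("expected %v event, got %v: %#v", watch.Modified, evt.Type, evt.Object) }`. The `for`/`select` body continues past the end of the hunk, so its remaining cases are not covered by this note.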
|
@ -19,10 +19,10 @@ package auth
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"time"
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
@ -69,7 +69,9 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
})
|
||||
ginkgo.It("Getting a non-existent secret should exit with the Forbidden error, not a NotFound error", func() {
|
||||
_, err := c.CoreV1().Secrets(ns).Get(context.TODO(), "foo", metav1.GetOptions{})
|
||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
||||
if !apierrors.IsForbidden(err) {
|
||||
framework.Failf("should be a forbidden error, got %#v", err)
|
||||
}
|
||||
})
|
||||
|
||||
ginkgo.It("Getting an existing secret should exit with the Forbidden error", func() {
|
||||
@ -84,12 +86,16 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
_, err := f.ClientSet.CoreV1().Secrets(ns).Create(context.TODO(), secret, metav1.CreateOptions{})
|
||||
framework.ExpectNoError(err, "failed to create secret (%s:%s) %+v", ns, secret.Name, *secret)
|
||||
_, err = c.CoreV1().Secrets(ns).Get(context.TODO(), secret.Name, metav1.GetOptions{})
|
||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
||||
if !apierrors.IsForbidden(err) {
|
||||
framework.Failf("should be a forbidden error, got %#v", err)
|
||||
}
|
||||
})
|
||||
|
||||
ginkgo.It("Getting a non-existent configmap should exit with the Forbidden error, not a NotFound error", func() {
|
||||
_, err := c.CoreV1().ConfigMaps(ns).Get(context.TODO(), "foo", metav1.GetOptions{})
|
||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
||||
if !apierrors.IsForbidden(err) {
|
||||
framework.Failf("should be a forbidden error, got %#v", err)
|
||||
}
|
||||
})
|
||||
|
||||
ginkgo.It("Getting an existing configmap should exit with the Forbidden error", func() {
|
||||
@ -106,7 +112,9 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
_, err := f.ClientSet.CoreV1().ConfigMaps(ns).Create(context.TODO(), configmap, metav1.CreateOptions{})
|
||||
framework.ExpectNoError(err, "failed to create configmap (%s:%s) %+v", ns, configmap.Name, *configmap)
|
||||
_, err = c.CoreV1().ConfigMaps(ns).Get(context.TODO(), configmap.Name, metav1.GetOptions{})
|
||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
||||
if !apierrors.IsForbidden(err) {
|
||||
framework.Failf("should be a forbidden error, got %#v", err)
|
||||
}
|
||||
})
|
||||
|
||||
ginkgo.It("Getting a secret for a workload the node has access to should succeed", func() {
|
||||
@ -125,7 +133,9 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
|
||||
ginkgo.By("Node should not get the secret")
|
||||
_, err = c.CoreV1().Secrets(ns).Get(context.TODO(), secret.Name, metav1.GetOptions{})
|
||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
||||
if !apierrors.IsForbidden(err) {
|
||||
framework.Failf("should be a forbidden error, got %#v", err)
|
||||
}
|
||||
|
||||
ginkgo.By("Create a pod that use the secret")
|
||||
pod := &v1.Pod{
|
||||
@ -187,12 +197,16 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
defer func() {
|
||||
f.ClientSet.CoreV1().Nodes().Delete(context.TODO(), node.Name, metav1.DeleteOptions{})
|
||||
}()
|
||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
||||
if !apierrors.IsForbidden(err) {
|
||||
framework.Failf("should be a forbidden error, got %#v", err)
|
||||
}
|
||||
})
|
||||
|
||||
ginkgo.It("A node shouldn't be able to delete another node", func() {
|
||||
ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
|
||||
err := c.CoreV1().Nodes().Delete(context.TODO(), "foo", metav1.DeleteOptions{})
|
||||
framework.ExpectEqual(apierrors.IsForbidden(err), true)
|
||||
if !apierrors.IsForbidden(err) {
|
||||
framework.Failf("should be a forbidden error, got %#v", err)
|
||||
}
|
||||
})
|
||||
})
|
||||
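Review bot: All seven new checks in this file fail with the same text, `should be a forbidden error, got %#v`, so the message alone does not say which request the node identity made, and when the request was simply allowed it ends in `got <nil>`. For an authorizer test the allowed case is the one that matters, so the message should name the caller and the object. For the secret reads, for example: `framework.Failf("expected Forbidden for %v getting secret %s/%s, got %v", asUser, ns, secret.Name, err)`, with the analogous wording for the configmap and node checks. `%v` also prints the API status message instead of the Go-syntax dump of the error struct. Several of the `It` bodies start outside their hunks, so the setup of `c` and `asUser` is assumed from the visible uses.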
|
@ -113,13 +113,21 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
||||
tokenReview := &authenticationv1.TokenReview{Spec: authenticationv1.TokenReviewSpec{Token: mountedToken}}
|
||||
tokenReview, err = f.ClientSet.AuthenticationV1().TokenReviews().Create(context.TODO(), tokenReview, metav1.CreateOptions{})
|
||||
framework.ExpectNoError(err)
|
||||
framework.ExpectEqual(tokenReview.Status.Authenticated, true)
|
||||
if !tokenReview.Status.Authenticated {
|
||||
framework.Fail("tokenReview is not authenticated")
|
||||
}
|
||||
framework.ExpectEqual(tokenReview.Status.Error, "")
|
||||
framework.ExpectEqual(tokenReview.Status.User.Username, "system:serviceaccount:"+f.Namespace.Name+":"+sa.Name)
|
||||
groups := sets.NewString(tokenReview.Status.User.Groups...)
|
||||
framework.ExpectEqual(groups.Has("system:authenticated"), true, fmt.Sprintf("expected system:authenticated group, had %v", groups.List()))
|
||||
framework.ExpectEqual(groups.Has("system:serviceaccounts"), true, fmt.Sprintf("expected system:serviceaccounts group, had %v", groups.List()))
|
||||
framework.ExpectEqual(groups.Has("system:serviceaccounts:"+f.Namespace.Name), true, fmt.Sprintf("expected system:serviceaccounts:"+f.Namespace.Name+" group, had %v", groups.List()))
|
||||
if !groups.Has("system:authenticated") {
|
||||
framework.Failf("expected system:authenticated group, had %v", groups.List())
|
||||
}
|
||||
if !groups.Has("system:serviceaccounts") {
|
||||
framework.Failf("expected system:serviceaccounts group, had %v", groups.List())
|
||||
}
|
||||
if !groups.Has("system:serviceaccounts:" + f.Namespace.Name) {
|
||||
framework.Failf("expected system:serviceaccounts:%s group, had %v", f.Namespace.Name, groups.List())
|
||||
}
|
||||
})
|
||||
|
||||
/*
|
||||
@ -671,8 +679,9 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
||||
break
|
||||
}
|
||||
}
|
||||
framework.ExpectEqual(eventFound, true, "failed to find %v event", watch.Added)
|
||||
|
||||
if !eventFound {
|
||||
framework.Failf("failed to find %v event", watch.Added)
|
||||
}
|
||||
ginkgo.By("patching the ServiceAccount")
|
||||
boolFalse := false
|
||||
testServiceAccountPatchData, err := json.Marshal(v1.ServiceAccount{
|
||||
@ -688,8 +697,9 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
||||
break
|
||||
}
|
||||
}
|
||||
framework.ExpectEqual(eventFound, true, "failed to find %v event", watch.Modified)
|
||||
|
||||
if !eventFound {
|
||||
framework.Failf("failed to find %v event", watch.Modified)
|
||||
}
|
||||
ginkgo.By("finding ServiceAccount in list of all ServiceAccounts (by LabelSelector)")
|
||||
serviceAccountList, err := f.ClientSet.CoreV1().ServiceAccounts("").List(context.TODO(), metav1.ListOptions{LabelSelector: testServiceAccountStaticLabelsFlat})
|
||||
framework.ExpectNoError(err, "failed to list ServiceAccounts by LabelSelector")
|
||||
@ -700,8 +710,9 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
||||
break
|
||||
}
|
||||
}
|
||||
framework.ExpectEqual(foundServiceAccount, true, "failed to find the created ServiceAccount")
|
||||
|
||||
if !foundServiceAccount {
|
||||
framework.Fail("failed to find the created ServiceAccount")
|
||||
}
|
||||
ginkgo.By("deleting the ServiceAccount")
|
||||
err = f.ClientSet.CoreV1().ServiceAccounts(testNamespaceName).DeleteCollection(context.TODO(), metav1.DeleteOptions{}, metav1.ListOptions{})
|
||||
framework.ExpectNoError(err, "failed to delete the ServiceAccount by Collection")
|
||||
@ -712,7 +723,9 @@ var _ = SIGDescribe("ServiceAccounts", func() {
|
||||
break
|
||||
}
|
||||
}
|
||||
framework.ExpectEqual(eventFound, true, "failed to find %v event", watch.Deleted)
|
||||
if !eventFound {
|
||||
framework.Failf("failed to find %v event", watch.Deleted)
|
||||
}
|
||||
})
|
||||
|
||||
/*
|
||||
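Review bot: The new `framework.Fail("tokenReview is not authenticated")` in the first hunk fires before the `tokenReview.Status.Error` assertion on the following line, so a rejected mounted token is reported without the reason the TokenReview returned. Including the field in the failure keeps it: `framework.Failf("tokenReview is not authenticated: %q", tokenReview.Status.Error)`. The enclosing `It` body starts outside the hunk.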
|