github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-09 03:57:41 +00:00
Code Issues Projects Releases Wiki Activity

Fix kubelet_authz_test.go

Browse Source
This commit is contained in:
Vinayak Goyal 2025-01-30 19:35:01 +00:00
parent ce7d2130ad
commit 81f09811ca
1 changed files with 46 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
test/e2e_node/kubelet_authz_test.go → test/e2e/node/kubelet_authz.go
View File

@ -14,17 +14,14 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package e2enode package node
import ( import (
"context" "context"
"crypto/tls"
"fmt" "fmt"
"net/http"
"github.com/onsi/ginkgo/v2" "github.com/onsi/ginkgo/v2"
"github.com/onsi/gomega" "github.com/onsi/gomega"
authenticationv1 "k8s.io/api/authentication/v1"
authorizationv1 "k8s.io/api/authorization/v1" authorizationv1 "k8s.io/api/authorization/v1"
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
@ -34,34 +31,39 @@ import (
"k8s.io/kubernetes/test/e2e/feature" "k8s.io/kubernetes/test/e2e/feature"
"k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/framework"
e2eauth "k8s.io/kubernetes/test/e2e/framework/auth" e2eauth "k8s.io/kubernetes/test/e2e/framework/auth"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
admissionapi "k8s.io/pod-security-admission/api"
) )
var _ = SIGDescribe("Kubelet Authz", feature.KubeletFineGrainedAuthz, func() { var _ = SIGDescribe(feature.KubeletFineGrainedAuthz, func() {
f := framework.NewDefaultFramework("kubelet-authz-test") f := framework.NewDefaultFramework("kubelet-authz-test")
f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
ginkgo.Context("when calling kubelet API", func() { ginkgo.Context("when calling kubelet API", func() {
ginkgo.It("check /healthz enpoint is accessible via nodes/healthz RBAC", func(ctx context.Context) { ginkgo.It("check /healthz enpoint is accessible via nodes/healthz RBAC", func(ctx context.Context) {
sc := runKubeletAuthzTest(ctx, f, "healthz", "healthz") sc := runKubeletAuthzTest(ctx, f, "healthz", "healthz")
gomega.Expect(sc).To(gomega.Equal(http.StatusOK)) gomega.Expect(sc).To(gomega.Equal("200"))
}) })
ginkgo.It("check /healthz enpoint is accessible via nodes/proxy RBAC", func(ctx context.Context) { ginkgo.It("check /healthz enpoint is accessible via nodes/proxy RBAC", func(ctx context.Context) {
sc := runKubeletAuthzTest(ctx, f, "healthz", "proxy") sc := runKubeletAuthzTest(ctx, f, "healthz", "proxy")
gomega.Expect(sc).To(gomega.Equal(http.StatusOK)) gomega.Expect(sc).To(gomega.Equal("200"))
}) })
ginkgo.It("check /healthz enpoint is not accessible via nodes/configz RBAC", func(ctx context.Context) { ginkgo.It("check /healthz enpoint is not accessible via nodes/configz RBAC", func(ctx context.Context) {
sc := runKubeletAuthzTest(ctx, f, "healthz", "configz") sc := runKubeletAuthzTest(ctx, f, "healthz", "configz")
gomega.Expect(sc).To(gomega.Equal(http.StatusUnauthorized)) gomega.Expect(sc).To(gomega.Equal("403"))
}) })
}) })
}) })
func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint, authzSubresource string) int { func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint, authzSubresource string) string {
ns := f.Namespace.Name ns := f.Namespace.Name
saName := authzSubresource saName := authzSubresource
crName := authzSubresource crName := authzSubresource
verb := "get" verb := "get"
resource := "nodes" resource := "nodes"
ginkgo.By(fmt.Sprintf("Creating Service Account:%s/%s", ns, saName)) ginkgo.By(fmt.Sprintf("Creating Service Account %s/%s", ns, saName))
_, err := f.ClientSet.CoreV1().ServiceAccounts(ns).Create(ctx, &v1.ServiceAccount{ _, err := f.ClientSet.CoreV1().ServiceAccounts(ns).Create(ctx, &v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
@ -112,27 +114,41 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint,
) )
framework.ExpectNoError(err) framework.ExpectNoError(err)
ginkgo.By(fmt.Sprintf("Getting token for ServiceAccount %s/%s.", ns, saName)) pod := e2epod.NewAgnhostPod(ns, fmt.Sprintf("agnhost-pod-%s", authzSubresource), nil, nil, nil)
pod.Spec.ServiceAccountName = saName
tr, err := f.ClientSet.CoreV1().ServiceAccounts(ns).CreateToken(ctx, saName, &authenticationv1.TokenRequest{}, metav1.CreateOptions{}) pod.Spec.Containers[0].Env = []v1.EnvVar{
framework.ExpectNoError(err) {
Name: "NODE_IP",
resp, err := healthCheck(fmt.Sprintf("https://127.0.0.1:%d/%s", ports.KubeletPort, endpoint), tr.Status.Token) ValueFrom: &v1.EnvVarSource{
framework.ExpectNoError(err) FieldRef: &v1.ObjectFieldSelector{
return resp.StatusCode FieldPath: "status.hostIP",
},
},
},
} }
func healthCheck(url, token string) (*http.Response, error) { ginkgo.By(fmt.Sprintf("Creating Pod %s in namespace %s with serviceaccount %s", pod.Name, pod.Namespace, pod.Spec.ServiceAccountName))
insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} _ = e2epod.NewPodClient(f).CreateSync(ctx, pod)
insecureHTTPClient := &http.Client{
Transport: insecureTransport, ginkgo.By("Running command in Pod")
var hostWarpStart, hostWarpEnd string
// IPv6 host must be wrapped within [] if you specify a port.
if framework.TestContext.ClusterIsIPv6() {
hostWarpStart = "["
hostWarpEnd = "]"
} }
req, err := http.NewRequest(http.MethodGet, url, nil) result := e2eoutput.RunHostCmdOrDie(ns,
if err != nil { pod.Name,
return nil, err fmt.Sprintf("curl -XGET -sIk -o /dev/null -w '%s' --header \"Authorization: Bearer `%s`\" https://%s$NODE_IP%s:%d/%s",
} "%{http_code}",
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token)) "cat /var/run/secrets/kubernetes.io/serviceaccount/token",
return insecureHTTPClient.Do(req) hostWarpStart,
hostWarpEnd,
ports.KubeletPort,
endpoint))
return result
} }