diff --git a/cluster/addons/kube-proxy/kube-proxy-rbac.yaml b/cluster/addons/kube-proxy/kube-proxy-rbac.yaml index a12ef9d3bfe..0758fd025f0 100644 --- a/cluster/addons/kube-proxy/kube-proxy-rbac.yaml +++ b/cluster/addons/kube-proxy/kube-proxy-rbac.yaml @@ -7,7 +7,7 @@ metadata: addonmanager.kubernetes.io/mode: Reconcile --- kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: system:kube-proxy labels: diff --git a/cluster/addons/metrics-server/metrics-apiservice.yaml b/cluster/addons/metrics-server/metrics-apiservice.yaml index 0b4eafd12dd..dc6da046c71 100644 --- a/cluster/addons/metrics-server/metrics-apiservice.yaml +++ b/cluster/addons/metrics-server/metrics-apiservice.yaml @@ -1,4 +1,4 @@ -apiVersion: apiregistration.k8s.io/v1beta1 +apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1beta1.metrics.k8s.io diff --git a/cluster/addons/prometheus/prometheus-rbac.yaml b/cluster/addons/prometheus/prometheus-rbac.yaml index 390aad046ba..2a5acdec950 100644 --- a/cluster/addons/prometheus/prometheus-rbac.yaml +++ b/cluster/addons/prometheus/prometheus-rbac.yaml @@ -7,7 +7,7 @@ metadata: kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: prometheus @@ -38,7 +38,7 @@ rules: verbs: - get --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: prometheus diff --git a/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml b/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml index 5557cf1319e..00b3b46ebb6 100644 --- a/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml +++ b/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml 
@@ -1,4 +1,4 @@ -apiVersion: apiregistration.k8s.io/v1beta1 +apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: RESOURCE_NAME diff --git a/staging/src/k8s.io/sample-apiserver/artifacts/example/apiservice.yaml b/staging/src/k8s.io/sample-apiserver/artifacts/example/apiservice.yaml index fa22c81767a..b26d1e44d95 100644 --- a/staging/src/k8s.io/sample-apiserver/artifacts/example/apiservice.yaml +++ b/staging/src/k8s.io/sample-apiserver/artifacts/example/apiservice.yaml @@ -1,4 +1,4 @@ -apiVersion: apiregistration.k8s.io/v1beta1 +apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1alpha1.wardle.k8s.io diff --git a/test/e2e/BUILD b/test/e2e/BUILD index 33ea5709d42..bba4b602ac1 100644 --- a/test/e2e/BUILD +++ b/test/e2e/BUILD @@ -53,7 +53,7 @@ go_library( "//pkg/api/v1/pod:go_default_library", "//pkg/version:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", + "//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library", diff --git a/test/e2e/apimachinery/BUILD b/test/e2e/apimachinery/BUILD index df91e7781e2..4d5f15f2019 100644 --- a/test/e2e/apimachinery/BUILD +++ b/test/e2e/apimachinery/BUILD @@ -29,7 +29,7 @@ go_library( importpath = "k8s.io/kubernetes/test/e2e/apimachinery", deps = [ "//pkg/api/v1/pod:go_default_library", - "//pkg/apis/rbac/v1beta1:go_default_library", + "//pkg/apis/rbac/v1:go_default_library", "//pkg/printers:go_default_library", "//pkg/quota/v1/evaluator/core:go_default_library", "//staging/src/k8s.io/api/admissionregistration/v1beta1:go_default_library", 
@@ -39,7 +39,6 @@ go_library( "//staging/src/k8s.io/api/batch/v1beta1:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/api/rbac/v1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", "//staging/src/k8s.io/api/scheduling/v1:go_default_library", "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions:go_default_library", "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library", @@ -74,7 +73,7 @@ go_library( "//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/keyutil:go_default_library", "//staging/src/k8s.io/client-go/util/workqueue:go_default_library", - "//staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1:go_default_library", + "//staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1:go_default_library", "//staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset:go_default_library", "//staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1:go_default_library", "//test/e2e/apps:go_default_library", diff --git a/test/e2e/apimachinery/aggregator.go b/test/e2e/apimachinery/aggregator.go index 396254897ff..5b85ef4d6e0 100644 --- a/test/e2e/apimachinery/aggregator.go +++ b/test/e2e/apimachinery/aggregator.go @@ -26,7 +26,7 @@ import ( apps "k8s.io/api/apps/v1" v1 "k8s.io/api/core/v1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" unstructuredv1 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
@@ -36,9 +36,9 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/discovery" clientset "k8s.io/client-go/kubernetes" - apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1" + apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" - rbacv1beta1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1beta1" + rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1" "k8s.io/kubernetes/test/e2e/framework" e2edeploy "k8s.io/kubernetes/test/e2e/framework/deployment" e2elog "k8s.io/kubernetes/test/e2e/framework/log" 
@@ -102,16 +102,16 @@ var _ = SIGDescribe("Aggregator", func() { func cleanTest(client clientset.Interface, aggrclient *aggregatorclient.Clientset, namespace string) { // delete the APIService first to avoid causing discovery errors - _ = aggrclient.ApiregistrationV1beta1().APIServices().Delete("v1alpha1.wardle.k8s.io", nil) + _ = aggrclient.ApiregistrationV1().APIServices().Delete("v1alpha1.wardle.k8s.io", nil) _ = client.AppsV1().Deployments(namespace).Delete("sample-apiserver-deployment", nil) _ = client.CoreV1().Secrets(namespace).Delete("sample-apiserver-secret", nil) _ = client.CoreV1().Services(namespace).Delete("sample-api", nil) _ = client.CoreV1().ServiceAccounts(namespace).Delete("sample-apiserver", nil) - _ = client.RbacV1beta1().RoleBindings("kube-system").Delete("wardler-auth-reader", nil) - _ = client.RbacV1beta1().ClusterRoleBindings().Delete("wardler:"+namespace+":auth-delegator", nil) - _ = client.RbacV1beta1().ClusterRoles().Delete("sample-apiserver-reader", nil) - _ = client.RbacV1beta1().ClusterRoleBindings().Delete("wardler:"+namespace+":sample-apiserver-reader", nil) + _ = client.RbacV1().RoleBindings("kube-system").Delete("wardler-auth-reader", nil) + _ = client.RbacV1().ClusterRoleBindings().Delete("wardler:"+namespace+":auth-delegator", nil) + _ = client.RbacV1().ClusterRoles().Delete("sample-apiserver-reader", nil) + _ = client.RbacV1().ClusterRoleBindings().Delete("wardler:"+namespace+":sample-apiserver-reader", nil) } // TestSampleAPIServer is a basic test if the sample-apiserver code from 1.10 and compiled against 1.10 
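Review bot: Every `Delete` in `cleanTest` discards its error with `_ =`, including the two cluster-scoped `ClusterRoleBindings`, the `ClusterRole` and the `kube-system` `RoleBinding`, so a failed cleanup leaves RBAC grants behind with no trace in the test log. These objects are not removed together with the test namespace, so anything other than not-found is worth logging, e.g. `if err := client.RbacV1().ClusterRoleBindings().Delete("wardler:"+namespace+":auth-delegator", nil); err != nil && !apierrs.IsNotFound(err) { e2elog.Logf("cleanup: %v", err) }`. The same discard pattern is on the `RoleBindings("kube-system").Delete` call in `cleanWebhookTest` in webhook.go.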
@@ -143,26 +143,26 @@ func TestSampleAPIServer(f *framework.Framework, aggrclient *aggregatorclient.Cl framework.ExpectNoError(err, "creating secret %q in namespace %q", secretName, namespace) // kubectl create -f clusterrole.yaml - _, err = client.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{ + _, err = client.RbacV1().ClusterRoles().Create(&rbacv1.ClusterRole{ // role for listing ValidatingWebhookConfiguration/MutatingWebhookConfiguration/Namespaces ObjectMeta: metav1.ObjectMeta{Name: "sample-apiserver-reader"}, - Rules: []rbacv1beta1.PolicyRule{ - rbacv1beta1helpers.NewRule("list").Groups("").Resources("namespaces").RuleOrDie(), - rbacv1beta1helpers.NewRule("list").Groups("admissionregistration.k8s.io").Resources("*").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helpers.NewRule("list").Groups("").Resources("namespaces").RuleOrDie(), + rbacv1helpers.NewRule("list").Groups("admissionregistration.k8s.io").Resources("*").RuleOrDie(), }, }) framework.ExpectNoError(err, "creating cluster role %s", "sample-apiserver-reader") - _, err = client.RbacV1beta1().ClusterRoleBindings().Create(&rbacv1beta1.ClusterRoleBinding{ + _, err = client.RbacV1().ClusterRoleBindings().Create(&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "wardler:" + namespace + ":sample-apiserver-reader", }, - RoleRef: rbacv1beta1.RoleRef{ + RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: "sample-apiserver-reader", }, - Subjects: []rbacv1beta1.Subject{ + Subjects: []rbacv1.Subject{ { APIGroup: "", Kind: "ServiceAccount", 
@@ -174,16 +174,16 @@ func TestSampleAPIServer(f *framework.Framework, aggrclient *aggregatorclient.Cl framework.ExpectNoError(err, "creating cluster role binding %s", "wardler:"+namespace+":sample-apiserver-reader") // kubectl create -f authDelegator.yaml - _, err = client.RbacV1beta1().ClusterRoleBindings().Create(&rbacv1beta1.ClusterRoleBinding{ + _, err = client.RbacV1().ClusterRoleBindings().Create(&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "wardler:" + namespace + ":auth-delegator", }, - RoleRef: rbacv1beta1.RoleRef{ + RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: "system:auth-delegator", }, - Subjects: []rbacv1beta1.Subject{ + Subjects: []rbacv1.Subject{ { APIGroup: "", Kind: "ServiceAccount", @@ -297,19 +297,19 @@ func TestSampleAPIServer(f *framework.Framework, aggrclient *aggregatorclient.Cl framework.ExpectNoError(err, "creating service account %s in namespace %s", "sample-apiserver", namespace) // kubectl create -f auth-reader.yaml - _, err = client.RbacV1beta1().RoleBindings("kube-system").Create(&rbacv1beta1.RoleBinding{ + _, err = client.RbacV1().RoleBindings("kube-system").Create(&rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: "wardler-auth-reader", Annotations: map[string]string{ - rbacv1beta1.AutoUpdateAnnotationKey: "true", + rbacv1.AutoUpdateAnnotationKey: "true", }, }, - RoleRef: rbacv1beta1.RoleRef{ + RoleRef: rbacv1.RoleRef{ APIGroup: "", Kind: "Role", Name: "extension-apiserver-authentication-reader", }, - Subjects: []rbacv1beta1.Subject{ + Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Name: "default", // "sample-apiserver", 
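Review bot: In the `wardler-auth-reader` RoleBinding the `RoleRef` keeps `APIGroup: ""`, while the two ClusterRoleBindings earlier in `TestSampleAPIServer` spell out `"rbac.authorization.k8s.io"`; after the move to `rbac/v1` this binding presumably relies on server-side defaulting to fill in the group. Writing `APIGroup: "rbac.authorization.k8s.io",` here makes the object complete on its own and consistent with its neighbours. `createAuthReaderRoleBinding` in webhook.go carries the same empty `APIGroup`. The function body starts and ends outside this hunk.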
@@ -327,10 +327,10 @@ func TestSampleAPIServer(f *framework.Framework, aggrclient *aggregatorclient.Cl framework.ExpectNoError(err, "deploying extension apiserver in namespace %s", namespace) // kubectl create -f apiservice.yaml - _, err = aggrclient.ApiregistrationV1beta1().APIServices().Create(&apiregistrationv1beta1.APIService{ + _, err = aggrclient.ApiregistrationV1().APIServices().Create(&apiregistrationv1.APIService{ ObjectMeta: metav1.ObjectMeta{Name: "v1alpha1.wardle.k8s.io"}, - Spec: apiregistrationv1beta1.APIServiceSpec{ - Service: &apiregistrationv1beta1.ServiceReference{ + Spec: apiregistrationv1.APIServiceSpec{ + Service: &apiregistrationv1.ServiceReference{ Namespace: namespace, Name: "sample-api", Port: pointer.Int32Ptr(aggregatorServicePort), @@ -345,13 +345,13 @@ func TestSampleAPIServer(f *framework.Framework, aggrclient *aggregatorclient.Cl framework.ExpectNoError(err, "creating apiservice %s with namespace %s", "v1alpha1.wardle.k8s.io", namespace) var ( - currentAPIService *apiregistrationv1beta1.APIService + currentAPIService *apiregistrationv1.APIService currentPods *v1.PodList ) err = pollTimed(100*time.Millisecond, 60*time.Second, func() (bool, error) { - currentAPIService, _ = aggrclient.ApiregistrationV1beta1().APIServices().Get("v1alpha1.wardle.k8s.io", metav1.GetOptions{}) + currentAPIService, _ = aggrclient.ApiregistrationV1().APIServices().Get("v1alpha1.wardle.k8s.io", metav1.GetOptions{}) currentPods, _ = client.CoreV1().Pods(namespace).List(metav1.ListOptions{}) request := restClient.Get().AbsPath("/apis/wardle.k8s.io/v1alpha1/namespaces/default/flunders") diff --git a/test/e2e/apimachinery/webhook.go b/test/e2e/apimachinery/webhook.go index 2c4ba66379b..10becbc18e7 100644 --- a/test/e2e/apimachinery/webhook.go +++ b/test/e2e/apimachinery/webhook.go 
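Review bot: Inside the `pollTimed` closure the errors from `APIServices().Get` and `Pods(namespace).List` are dropped (`currentAPIService, _ = ...` and `currentPods, _ = ...`), so after a failed call the two variables may hold an empty or stale object when they are read later. Keeping the error in a local and logging it, e.g. `if getErr != nil { e2elog.Logf("getting APIService: %v", getErr) }`, would make a timeout here diagnosable. The closure continues past the end of the hunk, so how the values are consumed afterwards is not visible.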
@@ -25,7 +25,7 @@ import ( "k8s.io/api/admissionregistration/v1beta1" apps "k8s.io/api/apps/v1" v1 "k8s.io/api/core/v1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" crdclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" "k8s.io/apimachinery/pkg/api/errors" @@ -278,20 +278,20 @@ func createAuthReaderRoleBinding(f *framework.Framework, namespace string) { ginkgo.By("Create role binding to let webhook read extension-apiserver-authentication") client := f.ClientSet // Create the role binding to allow the webhook read the extension-apiserver-authentication configmap - _, err := client.RbacV1beta1().RoleBindings("kube-system").Create(&rbacv1beta1.RoleBinding{ + _, err := client.RbacV1().RoleBindings("kube-system").Create(&rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: roleBindingName, Annotations: map[string]string{ - rbacv1beta1.AutoUpdateAnnotationKey: "true", + rbacv1.AutoUpdateAnnotationKey: "true", }, }, - RoleRef: rbacv1beta1.RoleRef{ + RoleRef: rbacv1.RoleRef{ APIGroup: "", Kind: "Role", Name: "extension-apiserver-authentication-reader", }, // Webhook uses the default service account. - Subjects: []rbacv1beta1.Subject{ + Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Name: "default", @@ -1293,7 +1293,7 @@ func cleanWebhookTest(client clientset.Interface, namespaceName string) { _ = client.CoreV1().Services(namespaceName).Delete(serviceName, nil) _ = client.AppsV1().Deployments(namespaceName).Delete(deploymentName, nil) _ = client.CoreV1().Secrets(namespaceName).Delete(secretName, nil) - _ = client.RbacV1beta1().RoleBindings("kube-system").Delete(roleBindingName, nil) + _ = client.RbacV1().RoleBindings("kube-system").Delete(roleBindingName, nil) } func registerWebhookForCustomResource(f *framework.Framework, context *certContext, testcrd *crd.TestCrd) func() { 
diff --git a/test/e2e/auth/BUILD b/test/e2e/auth/BUILD index 4219d3639ac..ada6594f6dd 100644 --- a/test/e2e/auth/BUILD +++ b/test/e2e/auth/BUILD @@ -32,7 +32,7 @@ go_library( "//staging/src/k8s.io/api/certificates/v1beta1:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", + "//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library", "//staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset:go_default_library", "//staging/src/k8s.io/apiextensions-apiserver/test/integration/fixtures:go_default_library", diff --git a/test/e2e/auth/audit.go b/test/e2e/auth/audit.go index dcd05853dbd..4df46074088 100644 --- a/test/e2e/auth/audit.go +++ b/test/e2e/auth/audit.go @@ -655,7 +655,7 @@ var _ = SIGDescribe("Advanced Audit [DisabledForLargeClusters][Flaky]", func() { // test authorizer annotations, RBAC is required. ginkgo.It("should audit API calls to get a pod with unauthorized user.", func() { - if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) { + if !auth.IsRBACEnabled(f.ClientSet.RbacV1()) { framework.Skipf("RBAC not enabled.") } diff --git a/test/e2e/auth/audit_dynamic.go b/test/e2e/auth/audit_dynamic.go index 671e60e145b..7a7e9773d10 100644 --- a/test/e2e/auth/audit_dynamic.go +++ b/test/e2e/auth/audit_dynamic.go @@ -348,7 +348,7 @@ var _ = SIGDescribe("[Feature:DynamicAudit]", func() { }, } - if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) { + if auth.IsRBACEnabled(f.ClientSet.RbacV1()) { testCases = append(testCases, annotationTestCases...) } expectedEvents := []utils.AuditEvent{} diff --git a/test/e2e/auth/pod_security_policy.go b/test/e2e/auth/pod_security_policy.go index f31229e3f86..09433aac914 100644 --- a/test/e2e/auth/pod_security_policy.go +++ b/test/e2e/auth/pod_security_policy.go 
@@ -21,7 +21,7 @@ import ( v1 "k8s.io/api/core/v1" policy "k8s.io/api/policy/v1beta1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -55,7 +55,7 @@ var _ = SIGDescribe("PodSecurityPolicy", func() { if !framework.IsPodSecurityPolicyEnabled(f) { framework.Skipf("PodSecurityPolicy not enabled") } - if !auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) { + if !auth.IsRBACEnabled(f.ClientSet.RbacV1()) { framework.Skipf("RBAC not enabled") } ns = f.Namespace.Name @@ -71,8 +71,8 @@ var _ = SIGDescribe("PodSecurityPolicy", func() { framework.ExpectNoError(err) ginkgo.By("Binding the edit role to the default SA") - err = auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "edit", ns, - rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"}) + err = auth.BindClusterRole(f.ClientSet.RbacV1(), "edit", ns, + rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Namespace: ns, Name: "default"}) framework.ExpectNoError(err) }) @@ -218,11 +218,11 @@ func createAndBindPSP(f *framework.Framework, pspTemplate *policy.PodSecurityPol framework.ExpectNoError(err, "Failed to create PSP") // Create the Role to bind it to the namespace. - _, err = f.ClientSet.RbacV1beta1().Roles(ns).Create(&rbacv1beta1.Role{ + _, err = f.ClientSet.RbacV1().Roles(ns).Create(&rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{ Name: name, }, - Rules: []rbacv1beta1.PolicyRule{{ + Rules: []rbacv1.PolicyRule{{ APIGroups: []string{"policy"}, Resources: []string{"podsecuritypolicies"}, ResourceNames: []string{name}, 
@@ -232,14 +232,14 @@ func createAndBindPSP(f *framework.Framework, pspTemplate *policy.PodSecurityPol framework.ExpectNoError(err, "Failed to create PSP role") // Bind the role to the namespace. - err = auth.BindRoleInNamespace(f.ClientSet.RbacV1beta1(), name, ns, rbacv1beta1.Subject{ - Kind: rbacv1beta1.ServiceAccountKind, + err = auth.BindRoleInNamespace(f.ClientSet.RbacV1(), name, ns, rbacv1.Subject{ + Kind: rbacv1.ServiceAccountKind, Namespace: ns, Name: "default", }) framework.ExpectNoError(err) - framework.ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(), + framework.ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1(), serviceaccount.MakeUsername(ns, "default"), ns, "use", name, schema.GroupResource{Group: "policy", Resource: "podsecuritypolicies"}, true)) diff --git a/test/e2e/examples.go b/test/e2e/examples.go index f6ea9ee1be1..30540447022 100644 --- a/test/e2e/examples.go +++ b/test/e2e/examples.go @@ -22,7 +22,7 @@ import ( "sync" "time" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/authentication/serviceaccount" 
@@ -52,11 +52,11 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() { // this test wants powerful permissions. Since the namespace names are unique, we can leave this // lying around so we don't have to race any caches - err := auth.BindClusterRoleInNamespace(c.RbacV1beta1(), "edit", f.Namespace.Name, - rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) + err := auth.BindClusterRoleInNamespace(c.RbacV1(), "edit", f.Namespace.Name, + rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) framework.ExpectNoError(err) - err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(), + err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1(), serviceaccount.MakeUsername(f.Namespace.Name, "default"), f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true) framework.ExpectNoError(err) diff --git a/test/e2e/framework/BUILD b/test/e2e/framework/BUILD index e0f89e9c254..032118d3166 100644 --- a/test/e2e/framework/BUILD +++ b/test/e2e/framework/BUILD @@ -68,7 +68,6 @@ go_library( "//staging/src/k8s.io/api/extensions/v1beta1:go_default_library", "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", "//staging/src/k8s.io/api/rbac/v1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", "//staging/src/k8s.io/api/storage/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/resource:go_default_library", diff --git a/test/e2e/framework/auth/BUILD b/test/e2e/framework/auth/BUILD index c1bbba2fa05..07580c35080 100644 --- a/test/e2e/framework/auth/BUILD +++ b/test/e2e/framework/auth/BUILD 
@@ -6,13 +6,13 @@ go_library( importpath = "k8s.io/kubernetes/test/e2e/framework/auth", visibility = ["//visibility:public"], deps = [ - "//staging/src/k8s.io/api/authorization/v1beta1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", + "//staging/src/k8s.io/api/authorization/v1:go_default_library", + "//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", - "//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library", - "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1beta1:go_default_library", + "//staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1:go_default_library", + "//staging/src/k8s.io/client-go/kubernetes/typed/rbac/v1:go_default_library", "//vendor/github.com/onsi/ginkgo:go_default_library", "//vendor/github.com/pkg/errors:go_default_library", ], diff --git a/test/e2e/framework/auth/helpers.go b/test/e2e/framework/auth/helpers.go index 39161a73358..0415baa4e5c 100644 --- a/test/e2e/framework/auth/helpers.go +++ b/test/e2e/framework/auth/helpers.go @@ -23,13 +23,13 @@ import ( "github.com/onsi/ginkgo" "github.com/pkg/errors" - authorizationv1beta1 "k8s.io/api/authorization/v1beta1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + authorizationv1 "k8s.io/api/authorization/v1" + rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/wait" - v1beta1authorization "k8s.io/client-go/kubernetes/typed/authorization/v1beta1" - v1beta1rbac "k8s.io/client-go/kubernetes/typed/rbac/v1beta1" + v1authorization "k8s.io/client-go/kubernetes/typed/authorization/v1" + v1rbac "k8s.io/client-go/kubernetes/typed/rbac/v1" ) const ( 
@@ -38,23 +38,23 @@ const ( ) type bindingsGetter interface { - v1beta1rbac.RoleBindingsGetter - v1beta1rbac.ClusterRoleBindingsGetter - v1beta1rbac.ClusterRolesGetter + v1rbac.RoleBindingsGetter + v1rbac.ClusterRoleBindingsGetter + v1rbac.ClusterRolesGetter } // WaitForAuthorizationUpdate checks if the given user can perform the named verb and action. // If policyCachePollTimeout is reached without the expected condition matching, an error is returned -func WaitForAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviewsGetter, user, namespace, verb string, resource schema.GroupResource, allowed bool) error { +func WaitForAuthorizationUpdate(c v1authorization.SubjectAccessReviewsGetter, user, namespace, verb string, resource schema.GroupResource, allowed bool) error { return WaitForNamedAuthorizationUpdate(c, user, namespace, verb, "", resource, allowed) } // WaitForNamedAuthorizationUpdate checks if the given user can perform the named verb and action on the named resource. // If policyCachePollTimeout is reached without the expected condition matching, an error is returned -func WaitForNamedAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviewsGetter, user, namespace, verb, resourceName string, resource schema.GroupResource, allowed bool) error { - review := &authorizationv1beta1.SubjectAccessReview{ - Spec: authorizationv1beta1.SubjectAccessReviewSpec{ - ResourceAttributes: &authorizationv1beta1.ResourceAttributes{ +func WaitForNamedAuthorizationUpdate(c v1authorization.SubjectAccessReviewsGetter, user, namespace, verb, resourceName string, resource schema.GroupResource, allowed bool) error { + review := &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ + ResourceAttributes: &authorizationv1.ResourceAttributes{ Group: resource.Group, Verb: verb, Resource: resource.Resource, 
@@ -80,17 +80,17 @@ func WaitForNamedAuthorizationUpdate(c v1beta1authorization.SubjectAccessReviews // BindClusterRole binds the cluster role at the cluster scope. If RBAC is not enabled, nil // is returned with no action. -func BindClusterRole(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) error { +func BindClusterRole(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1.Subject) error { if !IsRBACEnabled(c) { return nil } // Since the namespace names are unique, we can leave this lying around so we don't have to race any caches - _, err := c.ClusterRoleBindings().Create(&rbacv1beta1.ClusterRoleBinding{ + _, err := c.ClusterRoleBindings().Create(&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: ns + "--" + clusterRole, }, - RoleRef: rbacv1beta1.RoleRef{ + RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: clusterRole, 
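Review bot: The comment inside `BindClusterRole` justifies leaving the binding in place because namespace names are unique, but a `ClusterRoleBinding` is cluster-scoped and is not deleted with the namespace, so each call leaves a cluster-wide grant named `ns + "--" + clusterRole` behind. The doc comment should say so, for example `// The binding is cluster-scoped, is named <ns>--<clusterRole>, and is not removed when ns is deleted; callers that need it gone must delete it themselves.` Callers touched by this commit pass `edit` (pod_security_policy.go), `view` (kubectl.go) and `cluster-admin` (ingress.go). The function body continues outside the hunk.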
@@ -107,27 +107,27 @@ func BindClusterRole(c bindingsGetter, clusterRole, ns string, subjects ...rbacv // BindClusterRoleInNamespace binds the cluster role at the namespace scope. If RBAC is not enabled, nil // is returned with no action. -func BindClusterRoleInNamespace(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1beta1.Subject) error { +func BindClusterRoleInNamespace(c bindingsGetter, clusterRole, ns string, subjects ...rbacv1.Subject) error { return bindInNamespace(c, "ClusterRole", clusterRole, ns, subjects...) } // BindRoleInNamespace binds the role at the namespace scope. If RBAC is not enabled, nil // is returned with no action. -func BindRoleInNamespace(c bindingsGetter, role, ns string, subjects ...rbacv1beta1.Subject) error { +func BindRoleInNamespace(c bindingsGetter, role, ns string, subjects ...rbacv1.Subject) error { return bindInNamespace(c, "Role", role, ns, subjects...) } -func bindInNamespace(c bindingsGetter, roleType, role, ns string, subjects ...rbacv1beta1.Subject) error { +func bindInNamespace(c bindingsGetter, roleType, role, ns string, subjects ...rbacv1.Subject) error { if !IsRBACEnabled(c) { return nil } // Since the namespace names are unique, we can leave this lying around so we don't have to race any caches - _, err := c.RoleBindings(ns).Create(&rbacv1beta1.RoleBinding{ + _, err := c.RoleBindings(ns).Create(&rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: ns + "--" + role, }, - RoleRef: rbacv1beta1.RoleRef{ + RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: roleType, Name: role, @@ -148,7 +148,7 @@ var ( ) // IsRBACEnabled returns true if RBAC is enabled. Otherwise false. -func IsRBACEnabled(crGetter v1beta1rbac.ClusterRolesGetter) bool { +func IsRBACEnabled(crGetter v1rbac.ClusterRolesGetter) bool { isRBACEnabledOnce.Do(func() { crs, err := crGetter.ClusterRoles().List(metav1.ListOptions{}) if err != nil { 
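Review bot: `IsRBACEnabled` runs its `ClusterRoles().List` probe inside `isRBACEnabledOnce.Do`, so the answer is computed with whichever `crGetter` is passed first and, as far as this hunk shows, reused for every later call whatever client is given. The doc comment should state that, e.g. `// The result is computed once per process from the first crGetter and cached; later arguments are ignored.` The closure body continues outside the hunk, so what is returned when the List call fails cannot be confirmed from here.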
diff --git a/test/e2e/framework/psp_util.go b/test/e2e/framework/psp_util.go index e09925666fe..35129b686e8 100644 --- a/test/e2e/framework/psp_util.go +++ b/test/e2e/framework/psp_util.go @@ -22,7 +22,7 @@ import ( corev1 "k8s.io/api/core/v1" policy "k8s.io/api/policy/v1beta1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -120,11 +120,11 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) { ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged) } - if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) { + if auth.IsRBACEnabled(f.ClientSet.RbacV1()) { // Create the Role to bind it to the namespace. - _, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{ + _, err = f.ClientSet.RbacV1().ClusterRoles().Create(&rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged}, - Rules: []rbacv1beta1.PolicyRule{{ + Rules: []rbacv1.PolicyRule{{ APIGroups: []string{"extensions"}, Resources: []string{"podsecuritypolicies"}, ResourceNames: []string{podSecurityPolicyPrivileged}, 
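Review bot: The ClusterRole created in `createPrivilegedPSPBinding` grants on `podsecuritypolicies` under `APIGroups: []string{"extensions"}`, and the later `WaitForNamedAuthorizationUpdate` call in the same function checks `Group: "extensions"`, whereas `createAndBindPSP` in test/e2e/auth/pod_security_policy.go uses `"policy"` for the same resource. If `extensions` is kept only for compatibility, a short comment saying so would help; otherwise switch both the rule and the check to `policy` so the privileged binding does not depend on the legacy group. The context comment `// Create the Role to bind it to the namespace.` sits above a `ClusterRoles().Create` call and should say ClusterRole. The function starts and ends outside this hunk.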
@@ -137,19 +137,19 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) { } }) - if auth.IsRBACEnabled(f.ClientSet.RbacV1beta1()) { + if auth.IsRBACEnabled(f.ClientSet.RbacV1()) { ginkgo.By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s", podSecurityPolicyPrivileged, namespace)) - err := auth.BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(), + err := auth.BindClusterRoleInNamespace(f.ClientSet.RbacV1(), podSecurityPolicyPrivileged, namespace, - rbacv1beta1.Subject{ - Kind: rbacv1beta1.ServiceAccountKind, + rbacv1.Subject{ + Kind: rbacv1.ServiceAccountKind, Namespace: namespace, Name: "default", }) ExpectNoError(err) - ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(), + ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1(), serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged, schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true)) } diff --git a/test/e2e/kubectl/BUILD b/test/e2e/kubectl/BUILD index 2880d843f03..08f46885328 100644 --- a/test/e2e/kubectl/BUILD +++ b/test/e2e/kubectl/BUILD @@ -17,7 +17,7 @@ go_library( "//pkg/controller:go_default_library", "//pkg/kubectl/polymorphichelpers:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", + "//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/resource:go_default_library", diff --git a/test/e2e/kubectl/kubectl.go b/test/e2e/kubectl/kubectl.go index 157f6d922ec..1bfdfe62c6f 100644 --- a/test/e2e/kubectl/kubectl.go +++ b/test/e2e/kubectl/kubectl.go 
@@ -41,7 +41,7 @@ import ( "github.com/elazarl/goproxy" v1 "k8s.io/api/core/v1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" apierrs "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/resource" @@ -619,11 +619,11 @@ var _ = SIGDescribe("Kubectl client", func() { ginkgo.It("should handle in-cluster config", func() { ginkgo.By("adding rbac permissions") // grant the view permission widely to allow inspection of the `invalid` namespace and the default namespace - err := auth.BindClusterRole(f.ClientSet.RbacV1beta1(), "view", f.Namespace.Name, - rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) + err := auth.BindClusterRole(f.ClientSet.RbacV1(), "view", f.Namespace.Name, + rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) framework.ExpectNoError(err) - err = auth.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(), + err = auth.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1(), serviceaccount.MakeUsername(f.Namespace.Name, "default"), f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true) framework.ExpectNoError(err) diff --git a/test/e2e/network/BUILD b/test/e2e/network/BUILD index 3bce08ba9e0..7a41b825b8e 100644 --- a/test/e2e/network/BUILD +++ b/test/e2e/network/BUILD @@ -36,7 +36,7 @@ go_library( "//pkg/master/ports:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/api/networking/v1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", + "//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/fields:go_default_library", 
diff --git a/test/e2e/network/ingress.go b/test/e2e/network/ingress.go index 9e428f1a793..0845e490ef2 100644 --- a/test/e2e/network/ingress.go +++ b/test/e2e/network/ingress.go @@ -27,7 +27,7 @@ import ( compute "google.golang.org/api/compute/v1" v1 "k8s.io/api/core/v1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -64,11 +64,11 @@ var _ = SIGDescribe("Loadbalancing: L7", func() { // this test wants powerful permissions. Since the namespace names are unique, we can leave this // lying around so we don't have to race any caches - err := auth.BindClusterRole(jig.Client.RbacV1beta1(), "cluster-admin", f.Namespace.Name, - rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) + err := auth.BindClusterRole(jig.Client.RbacV1(), "cluster-admin", f.Namespace.Name, + rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) framework.ExpectNoError(err) - err = auth.WaitForAuthorizationUpdate(jig.Client.AuthorizationV1beta1(), + err = auth.WaitForAuthorizationUpdate(jig.Client.AuthorizationV1(), serviceaccount.MakeUsername(f.Namespace.Name, "default"), "", "create", schema.GroupResource{Resource: "pods"}, true) framework.ExpectNoError(err) diff --git a/test/e2e/storage/BUILD b/test/e2e/storage/BUILD index 5db5b9dd909..c748d7d9652 100644 --- a/test/e2e/storage/BUILD +++ b/test/e2e/storage/BUILD 
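Review bot: The `cluster-admin` ClusterRoleBinding created for the namespace's default service account in the `@@ -64,11` hunk is deliberately left behind, and a ClusterRoleBinding is cluster-scoped, so deleting the test namespace does not remove it. Unique namespace names avoid collisions, but on a long-lived or shared cluster every run adds another stale binding to `cluster-admin`. The nfs driver in test/e2e/storage/drivers/in_tree.go deletes its equivalent binding during cleanup; the same could be done in this suite's teardown with `jig.Client.RbacV1().ClusterRoleBindings().Delete(f.Namespace.Name+"--cluster-admin", metav1.NewDeleteOptions(0))`, assuming auth.BindClusterRole names the binding the way in_tree.go implies. The enclosing Describe block starts and ends outside the hunk.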
@@ -42,7 +42,7 @@ go_library( "//staging/src/k8s.io/api/apps/v1:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/api/policy/v1beta1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", + "//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/api/storage/v1:go_default_library", "//staging/src/k8s.io/api/storage/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", diff --git a/test/e2e/storage/drivers/BUILD b/test/e2e/storage/drivers/BUILD index 8c1cefbd564..5a24bf51f66 100644 --- a/test/e2e/storage/drivers/BUILD +++ b/test/e2e/storage/drivers/BUILD @@ -11,7 +11,7 @@ go_library( visibility = ["//visibility:public"], deps = [ "//staging/src/k8s.io/api/core/v1:go_default_library", - "//staging/src/k8s.io/api/rbac/v1beta1:go_default_library", + "//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/api/storage/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", diff --git a/test/e2e/storage/drivers/in_tree.go b/test/e2e/storage/drivers/in_tree.go index d07290fb50a..fd99ee6eb27 100644 --- a/test/e2e/storage/drivers/in_tree.go +++ b/test/e2e/storage/drivers/in_tree.go @@ -46,7 +46,7 @@ import ( "github.com/onsi/ginkgo" "github.com/onsi/gomega" v1 "k8s.io/api/core/v1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" storagev1 "k8s.io/api/storage/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -156,11 +156,11 @@ func (n *nfsDriver) PrepareTest(f *framework.Framework) (*testsuites.PerTestConf // TODO(mkimuram): cluster-admin gives too much right but system:persistent-volume-provisioner // is not enough. We should create new clusterrole for testing. - err := auth.BindClusterRole(cs.RbacV1beta1(), "cluster-admin", ns.Name, - rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns.Name, Name: "default"}) + err := auth.BindClusterRole(cs.RbacV1(), "cluster-admin", ns.Name, + rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Namespace: ns.Name, Name: "default"}) framework.ExpectNoError(err) - err = auth.WaitForAuthorizationUpdate(cs.AuthorizationV1beta1(), + err = auth.WaitForAuthorizationUpdate(cs.AuthorizationV1(), serviceaccount.MakeUsername(ns.Name, "default"), "", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true) framework.ExpectNoError(err, "Failed to update authorization: %v", err) @@ -175,7 +175,7 @@ func (n *nfsDriver) PrepareTest(f *framework.Framework) (*testsuites.PerTestConf }, func() { framework.ExpectNoError(framework.DeletePodWithWait(f, cs, n.externalProvisionerPod)) clusterRoleBindingName := ns.Name + "--" + "cluster-admin" - cs.RbacV1beta1().ClusterRoleBindings().Delete(clusterRoleBindingName, metav1.NewDeleteOptions(0)) + cs.RbacV1().ClusterRoleBindings().Delete(clusterRoleBindingName, metav1.NewDeleteOptions(0)) } } diff --git a/test/e2e/storage/volume_provisioning.go b/test/e2e/storage/volume_provisioning.go index 420a5790e7b..13b89913bec 100644 --- a/test/e2e/storage/volume_provisioning.go +++ b/test/e2e/storage/volume_provisioning.go @@ -34,7 +34,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" v1 "k8s.io/api/core/v1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" storage "k8s.io/api/storage/v1" storagebeta "k8s.io/api/storage/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
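Review bot: The error returned by `cs.RbacV1().ClusterRoleBindings().Delete(...)` in the cleanup closure of the `@@ -175,7` hunk is discarded, so a failed delete silently leaves a `cluster-admin` binding for this namespace's default service account on the cluster. Check it the way the pod deletion on the line above is checked: `framework.ExpectNoError(cs.RbacV1().ClusterRoleBindings().Delete(clusterRoleBindingName, metav1.NewDeleteOptions(0)), "deleting ClusterRoleBinding %s", clusterRoleBindingName)`. Because `ExpectNoError` on the pod deletion aborts the closure on failure, running the binding delete first would also keep a pod-teardown error from skipping it. The binding name is rebuilt by hand here and has to stay in sync with whatever auth.BindClusterRole generates. PrepareTest starts outside the hunk.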
@@ -706,21 +706,21 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() { // external dynamic provisioner pods need additional permissions provided by the // persistent-volume-provisioner clusterrole and a leader-locking role serviceAccountName := "default" - subject := rbacv1beta1.Subject{ - Kind: rbacv1beta1.ServiceAccountKind, + subject := rbacv1.Subject{ + Kind: rbacv1.ServiceAccountKind, Namespace: ns, Name: serviceAccountName, } - err := auth.BindClusterRole(c.RbacV1beta1(), "system:persistent-volume-provisioner", ns, subject) + err := auth.BindClusterRole(c.RbacV1(), "system:persistent-volume-provisioner", ns, subject) framework.ExpectNoError(err) roleName := "leader-locking-nfs-provisioner" - _, err = f.ClientSet.RbacV1beta1().Roles(ns).Create(&rbacv1beta1.Role{ + _, err = f.ClientSet.RbacV1().Roles(ns).Create(&rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{ Name: roleName, }, - Rules: []rbacv1beta1.PolicyRule{{ + Rules: []rbacv1.PolicyRule{{ APIGroups: []string{""}, Resources: []string{"endpoints"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, @@ -728,10 +728,10 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() { }) framework.ExpectNoError(err, "Failed to create leader-locking role") - err = auth.BindRoleInNamespace(c.RbacV1beta1(), roleName, ns, subject) + err = auth.BindRoleInNamespace(c.RbacV1(), roleName, ns, subject) framework.ExpectNoError(err) - err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(), + err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1(), serviceaccount.MakeUsername(ns, serviceAccountName), "", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true) framework.ExpectNoError(err, "Failed to update authorization")
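Review bot: The wait after `BindRoleInNamespace` in the `@@ -728,10` hunk only checks cluster-wide `get` on `storageclasses`, which is presumably granted by the earlier `system:persistent-volume-provisioner` ClusterRole binding. Nothing confirms that the `leader-locking-nfs-provisioner` Role binding is visible to the authorizer before the test goes on. A second, namespaced check would cover it: `err = auth.WaitForAuthorizationUpdate(c.AuthorizationV1(), serviceaccount.MakeUsername(ns, serviceAccountName), ns, "get", schema.GroupResource{Resource: "endpoints"}, true)` followed by `framework.ExpectNoError(err, "Failed to update authorization")`. Without it the provisioner pod could start before its leader-lock permissions take effect and fail intermittently. The enclosing test body starts and ends outside the hunk.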