github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 19:01:49 +00:00
Code Issues Projects Releases Wiki Activity

install authorization.k8s.io/v1, add tests

Browse Source 
Use specific v1beta1 Authorization client

Add client expansions
This commit is contained in:
Jordan Liggitt 2017-01-30 14:35:28 -05:00
parent 31d45fe78f
commit 8706bc9617
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
24 changed files with 270 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cmd/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: apiregistration.k8s.io/v1alpha1
kind: APIService
metadata:
name: v1.authorization.k8s.io
spec:
group: authorization.k8s.io
version: v1
service:
namespace: default
name: kubernetes
insecureSkipTLSVerify: true
priority: 100

2
cmd/kubelet/app/auth.go
View File

@ -42,7 +42,7 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
) )
if client != nil && !reflect.ValueOf(client).IsNil() { if client != nil && !reflect.ValueOf(client).IsNil() {
tokenClient = client.Authentication().TokenReviews() tokenClient = client.Authentication().TokenReviews()
sarClient = client.Authorization().SubjectAccessReviews() sarClient = client.AuthorizationV1beta1().SubjectAccessReviews()
} }
authenticator, err := buildAuthn(tokenClient, config.Authentication) authenticator, err := buildAuthn(tokenClient, config.Authentication)

1
cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go
View File

@ -72,6 +72,7 @@ func New() *Generator {
`k8s.io/kubernetes/pkg/apis/policy/v1beta1`, `k8s.io/kubernetes/pkg/apis/policy/v1beta1`,
`k8s.io/kubernetes/pkg/apis/extensions/v1beta1`, `k8s.io/kubernetes/pkg/apis/extensions/v1beta1`,
`k8s.io/kubernetes/pkg/apis/autoscaling/v1`, `k8s.io/kubernetes/pkg/apis/autoscaling/v1`,
`k8s.io/kubernetes/pkg/apis/authorization/v1`,
`k8s.io/kubernetes/pkg/apis/authorization/v1beta1`, `k8s.io/kubernetes/pkg/apis/authorization/v1beta1`,
`k8s.io/kubernetes/pkg/apis/batch/v1`, `k8s.io/kubernetes/pkg/apis/batch/v1`,
`k8s.io/kubernetes/pkg/apis/batch/v2alpha1`, `k8s.io/kubernetes/pkg/apis/batch/v2alpha1`,

1
hack/.linted_packages
View File

@ -122,6 +122,7 @@ pkg/client/listers/apps/v1beta1
pkg/client/listers/authentication/internalversion pkg/client/listers/authentication/internalversion
pkg/client/listers/authentication/v1beta1 pkg/client/listers/authentication/v1beta1
pkg/client/listers/authorization/internalversion pkg/client/listers/authorization/internalversion
pkg/client/listers/authorization/v1
pkg/client/listers/authorization/v1beta1 pkg/client/listers/authorization/v1beta1
pkg/client/listers/autoscaling/internalversion pkg/client/listers/autoscaling/internalversion
pkg/client/listers/autoscaling/v1 pkg/client/listers/autoscaling/v1

1
hack/lib/init.sh
View File

@ -55,6 +55,7 @@ KUBE_AVAILABLE_GROUP_VERSIONS="${KUBE_AVAILABLE_GROUP_VERSIONS:-\
v1 \ v1 \
apps/v1beta1 \ apps/v1beta1 \
authentication.k8s.io/v1beta1 \ authentication.k8s.io/v1beta1 \
authorization.k8s.io/v1 \
authorization.k8s.io/v1beta1 \ authorization.k8s.io/v1beta1 \
autoscaling/v1 \ autoscaling/v1 \
batch/v1 \ batch/v1 \

15
hack/make-rules/test-cmd-util.sh
View File

@ -3251,10 +3251,21 @@ __EOF__
if kube::test::if_supports_resource "${subjectaccessreviews}" ; then if kube::test::if_supports_resource "${subjectaccessreviews}" ; then
# check remote authorization endpoint, kubectl doesn't actually display the returned object so this isn't super useful # check remote authorization endpoint, kubectl doesn't actually display the returned object so this isn't super useful
# but it proves that works # but it proves that works
kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar.json --validate=false kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1.json --validate=false
kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json --validate=false
SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json" SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1beta1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar.json > "${SAR_RESULT_FILE}" curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1beta1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json > "${SAR_RESULT_FILE}"
if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then
kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
else
kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" does not return as expected: $(cat "${SAR_RESULT_FILE}")"
exit 1
fi
rm "${SAR_RESULT_FILE}"
SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}"
if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then
kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")" kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
else else

4
pkg/apis/authorization/install/install.go
View File

@ -25,6 +25,7 @@ import (
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/authorization" "k8s.io/kubernetes/pkg/apis/authorization"
"k8s.io/kubernetes/pkg/apis/authorization/v1"
"k8s.io/kubernetes/pkg/apis/authorization/v1beta1" "k8s.io/kubernetes/pkg/apis/authorization/v1beta1"
) )
@ -37,13 +38,14 @@ func Install(groupFactoryRegistry announced.APIGroupFactoryRegistry, registry *r
if err := announced.NewGroupMetaFactory( if err := announced.NewGroupMetaFactory(
&announced.GroupMetaFactoryArgs{ &announced.GroupMetaFactoryArgs{
GroupName: authorization.GroupName, GroupName: authorization.GroupName,
VersionPreferenceOrder: []string{v1beta1.SchemeGroupVersion.Version}, VersionPreferenceOrder: []string{v1.SchemeGroupVersion.Version, v1beta1.SchemeGroupVersion.Version},
ImportPrefix: "k8s.io/kubernetes/pkg/apis/authorization", ImportPrefix: "k8s.io/kubernetes/pkg/apis/authorization",
RootScopedKinds: sets.NewString("SubjectAccessReview", "SelfSubjectAccessReview"), RootScopedKinds: sets.NewString("SubjectAccessReview", "SelfSubjectAccessReview"),
AddInternalObjectsToScheme: authorization.AddToScheme, AddInternalObjectsToScheme: authorization.AddToScheme,
}, },
announced.VersionToSchemeFunc{ announced.VersionToSchemeFunc{
v1beta1.SchemeGroupVersion.Version: v1beta1.AddToScheme, v1beta1.SchemeGroupVersion.Version: v1beta1.AddToScheme,
v1.SchemeGroupVersion.Version: v1.AddToScheme,
}, },
).Announce(groupFactoryRegistry).RegisterAndEnable(registry, scheme); err != nil { ).Announce(groupFactoryRegistry).RegisterAndEnable(registry, scheme); err != nil {
panic(err) panic(err)

27
pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_localsubjectaccessreview_expansion.go Normal file
View File

@ -0,0 +1,27 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fake
import (
core "k8s.io/client-go/testing"
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
)
func (c *FakeLocalSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
obj, err := c.Fake.Invokes(core.NewCreateAction(authorizationapi.SchemeGroupVersion.WithResource("localsubjectaccessreviews"), c.ns, sar), &authorizationapi.SubjectAccessReview{})
return obj.(*authorizationapi.LocalSubjectAccessReview), err
}

27
pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_selfsubjectaccessreview_expansion.go Normal file
View File

@ -0,0 +1,27 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fake
import (
core "k8s.io/client-go/testing"
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
)
func (c *FakeSelfSubjectAccessReviews) Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error) {
obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("selfsubjectaccessreviews"), sar), &authorizationapi.SelfSubjectAccessReview{})
return obj.(*authorizationapi.SelfSubjectAccessReview), err
}

27
pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go Normal file
View File

@ -0,0 +1,27 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fake
import (
core "k8s.io/client-go/testing"
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
)
func (c *FakeSubjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) {
obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("subjectaccessreviews"), sar), &authorizationapi.SubjectAccessReview{})
return obj.(*authorizationapi.SubjectAccessReview), err
}

6
pkg/client/clientset_generated/clientset/typed/authorization/v1/generated_expansion.go
View File

@ -15,9 +15,3 @@ limitations under the License.
*/ */
package v1 package v1
type LocalSubjectAccessReviewExpansion interface{}
type SelfSubjectAccessReviewExpansion interface{}
type SubjectAccessReviewExpansion interface{}

36
pkg/client/clientset_generated/clientset/typed/authorization/v1/localsubjectaccessreview_expansion.go Normal file
View File

@ -0,0 +1,36 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
)
type LocalSubjectAccessReviewExpansion interface {
Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error)
}
func (c *localSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
result = &authorizationapi.LocalSubjectAccessReview{}
err = c.client.Post().
Namespace(c.ns).
Resource("localsubjectaccessreviews").
Body(sar).
Do().
Into(result)
return
}

35
pkg/client/clientset_generated/clientset/typed/authorization/v1/selfsubjectaccessreview_expansion.go Normal file
View File

@ -0,0 +1,35 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
)
type SelfSubjectAccessReviewExpansion interface {
Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error)
}
func (c *selfSubjectAccessReviews) Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error) {
result = &authorizationapi.SelfSubjectAccessReview{}
err = c.client.Post().
Resource("selfsubjectaccessreviews").
Body(sar).
Do().
Into(result)
return
}

36
pkg/client/clientset_generated/clientset/typed/authorization/v1/subjectaccessreview_expansion.go Normal file
View File

@ -0,0 +1,36 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
)
// The SubjectAccessReviewExpansion interface allows manually adding extra methods to the AuthorizationInterface.
type SubjectAccessReviewExpansion interface {
Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error)
}
func (c *subjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) {
result = &authorizationapi.SubjectAccessReview{}
err = c.client.Post().
Resource("subjectaccessreviews").
Body(sar).
Do().
Into(result)
return
}

3
pkg/controller/garbagecollector/garbagecollector.go
View File

@ -536,6 +536,9 @@ var ignoredResources = map[schema.GroupVersionResource]struct{}{
schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "subjectaccessreviews"}: {}, schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "subjectaccessreviews"}: {},
schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "selfsubjectaccessreviews"}: {}, schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "selfsubjectaccessreviews"}: {},
schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "localsubjectaccessreviews"}: {}, schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "localsubjectaccessreviews"}: {},
schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "subjectaccessreviews"}: {},
schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "selfsubjectaccessreviews"}: {},
schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "localsubjectaccessreviews"}: {},
} }
func NewGarbageCollector(metaOnlyClientPool dynamic.ClientPool, clientPool dynamic.ClientPool, mapper meta.RESTMapper, deletableResources map[schema.GroupVersionResource]struct{}) (*GarbageCollector, error) { func NewGarbageCollector(metaOnlyClientPool dynamic.ClientPool, clientPool dynamic.ClientPool, mapper meta.RESTMapper, deletableResources map[schema.GroupVersionResource]struct{}) (*GarbageCollector, error) {

2
pkg/master/master.go
View File

@ -36,6 +36,7 @@ import (
apiv1 "k8s.io/kubernetes/pkg/api/v1" apiv1 "k8s.io/kubernetes/pkg/api/v1"
appsapi "k8s.io/kubernetes/pkg/apis/apps/v1beta1" appsapi "k8s.io/kubernetes/pkg/apis/apps/v1beta1"
authenticationv1beta1 "k8s.io/kubernetes/pkg/apis/authentication/v1beta1" authenticationv1beta1 "k8s.io/kubernetes/pkg/apis/authentication/v1beta1"
authorizationapiv1 "k8s.io/kubernetes/pkg/apis/authorization/v1"
authorizationapiv1beta1 "k8s.io/kubernetes/pkg/apis/authorization/v1beta1" authorizationapiv1beta1 "k8s.io/kubernetes/pkg/apis/authorization/v1beta1"
autoscalingapiv1 "k8s.io/kubernetes/pkg/apis/autoscaling/v1" autoscalingapiv1 "k8s.io/kubernetes/pkg/apis/autoscaling/v1"
batchapiv1 "k8s.io/kubernetes/pkg/apis/batch/v1" batchapiv1 "k8s.io/kubernetes/pkg/apis/batch/v1"
@ -399,6 +400,7 @@ func DefaultAPIResourceConfigSource() *genericapiserver.ResourceConfig {
rbacapi.SchemeGroupVersion, rbacapi.SchemeGroupVersion,
storageapiv1beta1.SchemeGroupVersion, storageapiv1beta1.SchemeGroupVersion,
certificatesapiv1beta1.SchemeGroupVersion, certificatesapiv1beta1.SchemeGroupVersion,
authorizationapiv1.SchemeGroupVersion,
authorizationapiv1beta1.SchemeGroupVersion, authorizationapiv1beta1.SchemeGroupVersion,
) )

23
pkg/registry/authorization/rest/storage_authorization.go
View File

@ -23,6 +23,7 @@ import (
genericapiserver "k8s.io/apiserver/pkg/server" genericapiserver "k8s.io/apiserver/pkg/server"
"k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/authorization" "k8s.io/kubernetes/pkg/apis/authorization"
authorizationv1 "k8s.io/kubernetes/pkg/apis/authorization/v1"
authorizationv1beta1 "k8s.io/kubernetes/pkg/apis/authorization/v1beta1" authorizationv1beta1 "k8s.io/kubernetes/pkg/apis/authorization/v1beta1"
"k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview" "k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview"
"k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview" "k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview"
@ -45,6 +46,11 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource genericapise
apiGroupInfo.GroupMeta.GroupVersion = authorizationv1beta1.SchemeGroupVersion apiGroupInfo.GroupMeta.GroupVersion = authorizationv1beta1.SchemeGroupVersion
} }
if apiResourceConfigSource.AnyResourcesForVersionEnabled(authorizationv1.SchemeGroupVersion) {
apiGroupInfo.VersionedResourcesStorageMap[authorizationv1.SchemeGroupVersion.Version] = p.v1Storage(apiResourceConfigSource, restOptionsGetter)
apiGroupInfo.GroupMeta.GroupVersion = authorizationv1.SchemeGroupVersion
}
return apiGroupInfo, true return apiGroupInfo, true
} }
@ -65,6 +71,23 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource genericapise
return storage return storage
} }
func (p RESTStorageProvider) v1Storage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
version := authorizationv1beta1.SchemeGroupVersion
storage := map[string]rest.Storage{}
if apiResourceConfigSource.ResourceEnabled(version.WithResource("subjectaccessreviews")) {
storage["subjectaccessreviews"] = subjectaccessreview.NewREST(p.Authorizer)
}
if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectaccessreviews")) {
storage["selfsubjectaccessreviews"] = selfsubjectaccessreview.NewREST(p.Authorizer)
}
if apiResourceConfigSource.ResourceEnabled(version.WithResource("localsubjectaccessreviews")) {
storage["localsubjectaccessreviews"] = localsubjectaccessreview.NewREST(p.Authorizer)
}
return storage
}
func (p RESTStorageProvider) GroupName() string { func (p RESTStorageProvider) GroupName() string {
return authorization.GroupName return authorization.GroupName
} }

2
test/e2e/examples.go
View File

@ -74,7 +74,7 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() {
framework.BindClusterRoleInNamespace(c.Rbac(), "edit", f.Namespace.Name, framework.BindClusterRoleInNamespace(c.Rbac(), "edit", f.Namespace.Name,
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
err := framework.WaitForAuthorizationUpdate(c.Authorization(), err := framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
serviceaccount.MakeUsername(f.Namespace.Name, "default"), serviceaccount.MakeUsername(f.Namespace.Name, "default"),
f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true) f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true)
framework.ExpectNoError(err) framework.ExpectNoError(err)

2
test/e2e/ingress.go
View File

@ -71,7 +71,7 @@ var _ = framework.KubeDescribe("Loadbalancing: L7", func() {
framework.BindClusterRole(jig.client.Rbac(), "cluster-admin", f.Namespace.Name, framework.BindClusterRole(jig.client.Rbac(), "cluster-admin", f.Namespace.Name,
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
err := framework.WaitForAuthorizationUpdate(jig.client.Authorization(), err := framework.WaitForAuthorizationUpdate(jig.client.AuthorizationV1beta1(),
serviceaccount.MakeUsername(f.Namespace.Name, "default"), serviceaccount.MakeUsername(f.Namespace.Name, "default"),
"", "create", schema.GroupResource{Resource: "pods"}, true) "", "create", schema.GroupResource{Resource: "pods"}, true)
framework.ExpectNoError(err) framework.ExpectNoError(err)

2
test/e2e/kubectl.go
View File

@ -583,7 +583,7 @@ var _ = framework.KubeDescribe("Kubectl client", func() {
framework.BindClusterRole(f.ClientSet.Rbac(), "view", f.Namespace.Name, framework.BindClusterRole(f.ClientSet.Rbac(), "view", f.Namespace.Name,
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(), err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
serviceaccount.MakeUsername(f.Namespace.Name, "default"), serviceaccount.MakeUsername(f.Namespace.Name, "default"),
f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true) f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true)
framework.ExpectNoError(err) framework.ExpectNoError(err)

2
test/e2e/node_problem_detector.go
View File

@ -66,7 +66,7 @@ var _ = framework.KubeDescribe("NodeProblemDetector", func() {
framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name, framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name,
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(), err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
serviceaccount.MakeUsername(f.Namespace.Name, "default"), serviceaccount.MakeUsername(f.Namespace.Name, "default"),
"", "create", schema.GroupResource{Resource: "pods"}, true) "", "create", schema.GroupResource{Resource: "pods"}, true)
framework.ExpectNoError(err) framework.ExpectNoError(err)

2
test/e2e/pre_stop.go
View File

@ -183,7 +183,7 @@ var _ = framework.KubeDescribe("PreStop", func() {
framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name, framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name,
rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(), err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
serviceaccount.MakeUsername(f.Namespace.Name, "default"), serviceaccount.MakeUsername(f.Namespace.Name, "default"),
"", "create", schema.GroupResource{Resource: "pods"}, true) "", "create", schema.GroupResource{Resource: "pods"}, true)
framework.ExpectNoError(err) framework.ExpectNoError(err)

16
test/fixtures/pkg/kubectl/cmd/create/sar-v1.json vendored Normal file
View File

@ -0,0 +1,16 @@
{
"apiVersion": "authorization.k8s.io/v1",
"kind": "SubjectAccessReview",
"spec": {
"user": "bob",
"groups": [
"the-group"
],
"resourceAttributes": {
"namespace": "ns",
"verb": "create",
"group": "autoscaling",
"resource": "horizontalpodautoscalers"
}
}
}

2
test/fixtures/pkg/kubectl/cmd/create/sar.json → test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json vendored
View File

@ -3,7 +3,7 @@
"kind": "SubjectAccessReview", "kind": "SubjectAccessReview",
"spec": { "spec": {
"user": "bob", "user": "bob",
"groups": [ "group": [
"the-group" "the-group"
], ],
"resourceAttributes": { "resourceAttributes": {