From 3836857229cff769c4e522079faba0a949841c0c Mon Sep 17 00:00:00 2001
From: Mikkel Oscar Lyderik Larsen
Date: Sun, 26 Nov 2017 20:32:49 +0100
Subject: [PATCH 1/2] e2e: Only create PSP if RBAC is enabled

Using PSP in e2e tests depend on RBAC being enabled in the cluster and thus PSP should only be used when RBAC is.
---
 test/e2e/framework/psp_util.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/e2e/framework/psp_util.go b/test/e2e/framework/psp_util.go
index d3938c90e83..bb8d0dadc9b 100644
--- a/test/e2e/framework/psp_util.go
+++ b/test/e2e/framework/psp_util.go
@@ -97,7 +97,7 @@ var (
 )
 func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
- if !IsPodSecurityPolicyEnabled(f) {
+ if !IsPodSecurityPolicyEnabled(f) || !IsRBACEnabled(f) {
 return
 }
 // Create the privileged PSP & role

From a37d8ec1f92f2ec9afb9520c11f392c23c689b94 Mon Sep 17 00:00:00 2001
From: Mikkel Oscar Lyderik Larsen
Date: Wed, 13 Dec 2017 14:24:01 +0100
Subject: [PATCH 2/2] Don't create PSP binding when RBAC is not enabled

---
 test/e2e/framework/psp_util.go | 54 ++++++++++++++++++----------------
 1 file changed, 29 insertions(+), 25 deletions(-)

diff --git a/test/e2e/framework/psp_util.go b/test/e2e/framework/psp_util.go
index bb8d0dadc9b..4e6e4f8a701 100644
--- a/test/e2e/framework/psp_util.go
+++ b/test/e2e/framework/psp_util.go
@@ -97,7 +97,7 @@ var (
 )
 func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
- if !IsPodSecurityPolicyEnabled(f) || !IsRBACEnabled(f) {
+ if !IsPodSecurityPolicyEnabled(f) {
 return
 }
 // Create the privileged PSP & role
@@ -114,30 +114,34 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
 psp, err = f.ClientSet.ExtensionsV1beta1().PodSecurityPolicies().Create(psp)
 ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)
- // Create the Role to bind it to the namespace.
- _, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
- Rules: []rbacv1beta1.PolicyRule{{
- APIGroups: []string{"extensions"},
- Resources: []string{"podsecuritypolicies"},
- ResourceNames: []string{podSecurityPolicyPrivileged},
- Verbs: []string{"use"},
- }},
- })
- ExpectNoError(err, "Failed to create PSP role")
+ if IsRBACEnabled(f) {
+ // Create the Role to bind it to the namespace.
+ _, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
+ Rules: []rbacv1beta1.PolicyRule{{
+ APIGroups: []string{"extensions"},
+ Resources: []string{"podsecuritypolicies"},
+ ResourceNames: []string{podSecurityPolicyPrivileged},
+ Verbs: []string{"use"},
+ }},
+ })
+ ExpectNoError(err, "Failed to create PSP role")
+ }
 })
- By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
- podSecurityPolicyPrivileged, namespace))
- BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
- podSecurityPolicyPrivileged,
- namespace,
- rbacv1beta1.Subject{
- Kind: rbacv1beta1.ServiceAccountKind,
- Namespace: namespace,
- Name: "default",
- })
- ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
- serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
- schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
+ if IsRBACEnabled(f) {
+ By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
+ podSecurityPolicyPrivileged, namespace))
+ BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
+ podSecurityPolicyPrivileged,
+ namespace,
+ rbacv1beta1.Subject{
+ Kind: rbacv1beta1.ServiceAccountKind,
+ Namespace: namespace,
+ Name: "default",
+ })
+ ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
+ serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
+ schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
+ }
 }
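Review bot: When RBAC is disabled the new code still creates the privileged PSP (the context line at the top of the hunk) but skips both the ClusterRole and the namespace binding silently, so a test that later fails PSP admission on such a cluster has no log line saying the binding step never ran; an else branch on the second check, `} else { By(fmt.Sprintf("RBAC not enabled, not binding the %s PodSecurityPolicy in %s", podSecurityPolicyPrivileged, namespace)) }`, would make that visible. `IsRBACEnabled(f)` is also evaluated twice, once inside the closure that the `})` context line closes and once after it; assigning `rbacEnabled := IsRBACEnabled(f)` once near the top of the function and testing it in both places avoids a repeated lookup (if the helper queries the cluster, which is not visible here) and keeps the two branches from disagreeing. The closure's opening line and the function header at line 99 are outside this hunk. The exported `CreatePrivilegedPSPBinding` has no doc comment in the earlier hunk's context; one stating that the PSP is always created when the admission plugin is enabled, that the role and binding exist only on RBAC clusters, and that on non-RBAC clusters the active authorizer is presumably what grants `use` on the policy would record the dependence this series introduces.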