remove metadata-concealment related testing

We agreed to remove these tests in SIG Auth because they aren't testing
any OSS functionality.

build/dependencies.yaml

@@ -211,20 +211,6 @@ dependencies:
     - path: build/common.sh
       match: __default_setcap_version=
 
-  # metadata-concealment: bump this one first
-  - name: "metadata-concealment"
-    version: "1.6"
-    refPaths:
-    - path: test/images/metadata-concealment/VERSION
-      match: \d.\d
-
-  # then after merge and successful postsubmit image push / promotion, bump this
-  - name: "metadata-concealment: dependents"
-    version: "1.6"
-    refPaths:
-    - path: test/utils/image/manifest.go
-      match: configs\[CheckMetadataConcealment\] = Config{list\.PromoterE2eRegistry, "metadata-concealment", "\d+\.\d+"}
-
   # cadvisor
   - name: "gcr.io/cadvisor/cadvisor: dependents"
     version: "v0.43.0"

test/e2e/auth/metadata_concealment.go

@@ -1,65 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package auth
-
-import (
-	batchv1 "k8s.io/api/batch/v1"
-	"k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/kubernetes/test/e2e/framework"
-	e2ejob "k8s.io/kubernetes/test/e2e/framework/job"
-	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
-
-	"github.com/onsi/ginkgo"
-	imageutil "k8s.io/kubernetes/test/utils/image"
-)
-
-var _ = SIGDescribe("Metadata Concealment", func() {
-	f := framework.NewDefaultFramework("metadata-concealment")
-
-	ginkgo.It("should run a check-metadata-concealment job to completion", func() {
-		e2eskipper.SkipUnlessProviderIs("gce")
-		ginkgo.By("Creating a job")
-		job := &batchv1.Job{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "check-metadata-concealment",
-			},
-			Spec: batchv1.JobSpec{
-				Template: v1.PodTemplateSpec{
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "check-metadata-concealment",
-					},
-					Spec: v1.PodSpec{
-						Containers: []v1.Container{
-							{
-								Name:  "check-metadata-concealment",
-								Image: imageutil.GetE2EImage(imageutil.CheckMetadataConcealment),
-							},
-						},
-						RestartPolicy: v1.RestartPolicyOnFailure,
-					},
-				},
-			},
-		}
-		job, err := e2ejob.CreateJob(f.ClientSet, f.Namespace.Name, job)
-		framework.ExpectNoError(err, "failed to create job (%s:%s)", f.Namespace.Name, job.Name)
-
-		ginkgo.By("Ensuring job reaches completions")
-		err = e2ejob.WaitForJobComplete(f.ClientSet, f.Namespace.Name, job.Name, int32(1))
-		framework.ExpectNoError(err, "failed to ensure job completion (%s:%s)", f.Namespace.Name, job.Name)
-	})
-})

test/images/metadata-concealment/Dockerfile

@@ -1,19 +0,0 @@
-# Copyright 2021 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM scratch
-
-COPY check_metadata_concealment /
-
-ENTRYPOINT ["/check_metadata_concealment"]

test/images/metadata-concealment/Makefile

@@ -1,27 +0,0 @@
-# Copyright 2016 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-SRCS=check_metadata_concealment
-OS ?= linux
-ARCH ?= amd64
-TARGET ?= $(CURDIR)
-GOARM ?= 7
-GOLANG_VERSION ?= latest
-SRC_DIR = $(notdir $(shell pwd))
-export
-
-bin:
-	../image-util.sh bin $(SRCS)
-
-.PHONY: bin

test/images/metadata-concealment/OWNERS

@@ -1,2 +0,0 @@
-approvers:
-  - dims

test/images/metadata-concealment/README.md

@@ -1,5 +0,0 @@
-# metadata-concealment
-
-Runs various checks against the GCE metadata API. If the checks pass, the job is run to completion. It fails and stops at the first error encountered.
-
-Only valid if using the GCE provider.

test/images/metadata-concealment/VERSION

@@ -1 +0,0 @@
-1.6

test/images/metadata-concealment/check_metadata_concealment.go

@@ -1,154 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net/http"
-	"os"
-	"regexp"
-)
-
-var (
-	successEndpoints = []string{
-		// Discovery
-		"http://169.254.169.254",
-		"http://metadata.google.internal",
-		"http://169.254.169.254/",
-		"http://metadata.google.internal/",
-		"http://metadata.google.internal/computeMetadata",
-		"http://metadata.google.internal/computeMetadata/v1",
-		// Allowed API versions.
-		"http://metadata.google.internal/computeMetadata/v1/",
-		// Service account token endpoints.
-		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token",
-		// Permitted recursive query to SA endpoint.
-		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true",
-		// Known query params.
-		"http://metadata.google.internal/computeMetadata/v1/instance/tags?alt=text",
-		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=false",
-		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&timeout_sec=0",
-		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&last_etag=d34db33f",
-	}
-	noKubeEnvEndpoints = []string{
-		// Check that these don't get a recursive result.
-		"http://metadata.google.internal/computeMetadata/v1/instance/?recursive%3Dtrue",   // urlencoded
-		"http://metadata.google.internal/computeMetadata/v1/instance/?re%08ecursive=true", // backspaced
-	}
-	failureEndpoints = []string{
-		// Other API versions.
-		"http://metadata.google.internal/0.2/",
-		"http://metadata.google.internal/computeMetadata/v2/",
-		// kube-env.
-		"http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env",
-		// VM identity.
-		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity",
-		// Forbidden recursive queries.
-		"http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true",
-		"http://metadata.google.internal/computeMetadata/v1/instance/?%72%65%63%75%72%73%69%76%65=true", // url-encoded
-		// Unknown query param key.
-		"http://metadata.google.internal/computeMetadata/v1/instance/?something=else",
-		"http://metadata.google.internal/computeMetadata/v1/instance/?unknown",
-		// Other.
-		"http://metadata.google.internal/computeMetadata/v1/instance/attributes//kube-env",
-		"http://metadata.google.internal/computeMetadata/v1/instance/attributes/../attributes/kube-env",
-		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts//default/identity",
-		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/../service-accounts/default/identity",
-	}
-)
-
-func main() {
-	success := 0
-	h := map[string][]string{
-		"Metadata-Flavor": {"Google"},
-	}
-	for _, e := range successEndpoints {
-		if err := checkURL(e, h, 200, "", ""); err != nil {
-			log.Printf("Wrong response for %v: %v", e, err)
-			success = 1
-		}
-	}
-	for _, e := range noKubeEnvEndpoints {
-		if err := checkURL(e, h, 403, "", "kube-env"); err != nil {
-			log.Printf("Wrong response for %v: %v", e, err)
-			success = 1
-		}
-	}
-	for _, e := range failureEndpoints {
-		if err := checkURL(e, h, 403, "", ""); err != nil {
-			log.Printf("Wrong response for %v: %v", e, err)
-			success = 1
-		}
-	}
-
-	xForwardedForHeader := map[string][]string{
-		"X-Forwarded-For": {"Somebody-somewhere"},
-	}
-	// Check that success endpoints fail if X-Forwarded-For is present.
-	for _, e := range successEndpoints {
-		if err := checkURL(e, xForwardedForHeader, 403, "", ""); err != nil {
-			log.Printf("Wrong response for %v with X-Forwarded-For: %v", e, err)
-			success = 1
-		}
-	}
-	os.Exit(success)
-}
-
-// Checks that a URL with the given headers returns the right code.
-// If expectedToContain is non-empty, checks that the body contains expectedToContain.
-// Similarly, if expectedToNotContain is non-empty, checks that the body doesn't contain expectedToNotContain.
-func checkURL(url string, header http.Header, expectedStatus int, expectedToContain, expectedToNotContain string) error {
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", url, nil)
-	if err != nil {
-		return err
-	}
-	req.Header = header
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != expectedStatus {
-		return fmt.Errorf("unexpected response: got %d, want %d", resp.StatusCode, expectedStatus)
-	}
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-	if expectedToContain != "" {
-		matched, err := regexp.Match(expectedToContain, body)
-		if err != nil {
-			return err
-		}
-		if !matched {
-			return fmt.Errorf("body didn't contain %q: got %v", expectedToContain, string(body))
-		}
-	}
-	if expectedToNotContain != "" {
-		matched, err := regexp.Match(expectedToNotContain, body)
-		if err != nil {
-			return err
-		}
-		if matched {
-			return fmt.Errorf("body incorrectly contained %q: got %v", expectedToNotContain, string(body))
-		}
-	}
-	return nil
-}

test/utils/image/manifest.go

@@ -158,8 +158,6 @@ const (
 	AuthenticatedWindowsNanoServer
 	// BusyBox image
 	BusyBox
-	// CheckMetadataConcealment image
-	CheckMetadataConcealment
 	// CudaVectorAdd image
 	CudaVectorAdd
 	// CudaVectorAdd2 image
@@ -240,7 +238,6 @@ func initImageConfigs(list RegistryList) (map[int]Config, map[int]Config) {
 	configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.17.5"}
 	configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"}
 	configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.29-2"}
-	configs[CheckMetadataConcealment] = Config{list.PromoterE2eRegistry, "metadata-concealment", "1.6"}
 	configs[CudaVectorAdd] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "1.0"}
 	configs[CudaVectorAdd2] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "2.2"}
 	configs[DebianIptables] = Config{list.BuildImageRegistry, "debian-iptables", "bullseye-v1.1.0"}