From c794b5c442b18b078b287bcbb25bb18b9eb439cd Mon Sep 17 00:00:00 2001
From: Patrick Ohly
Date: Tue, 20 Apr 2021 20:57:10 +0200
Subject: [PATCH] storage e2e: patch in RBAC rules for secrets

In one mock test, the snapshotter needs permission to read secrets. That was disabled in the RBAC files of recent releases. We need to patch it back in during deployment.
---
 test/e2e/storage/drivers/csi.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/test/e2e/storage/drivers/csi.go b/test/e2e/storage/drivers/csi.go
index beb33c1c9f0..c5775767f36 100644
--- a/test/e2e/storage/drivers/csi.go
+++ b/test/e2e/storage/drivers/csi.go
@@ -49,6 +49,7 @@ import (
 "google.golang.org/grpc/codes"
 appsv1 "k8s.io/api/apps/v1"
 v1 "k8s.io/api/core/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
 storagev1 "k8s.io/api/storage/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -649,7 +650,25 @@ func (m *mockCSIDriver) PrepareTest(f *framework.Framework) (*storageframework.P
 FSGroupPolicy: m.fsGroupPolicy,
 }
 cleanup, err := utils.CreateFromManifests(f, m.driverNamespace, func(item interface{}) error {
- return utils.PatchCSIDeployment(f, o, item)
+ if err := utils.PatchCSIDeployment(config.Framework, o, item); err != nil {
+ return err
+ }
+
+ switch item := item.(type) {
+ case *rbacv1.ClusterRole:
+ if strings.HasPrefix(item.Name, "external-snapshotter-runner") {
+ // Re-enable access to secrets for the snapshotter sidecar for
+ // https://github.com/kubernetes/kubernetes/blob/6ede5ca95f78478fa627ecfea8136e0dff34436b/test/e2e/storage/csi_mock_volume.go#L1539-L1548
+ // It was disabled in https://github.com/kubernetes-csi/external-snapshotter/blob/501cc505846c03ee665355132f2da0ce7d5d747d/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml#L26-L32
+ item.Rules = append(item.Rules, rbacv1.PolicyRule{
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{"get", "list"},
+ })
+ }
+ }
+
+ return nil
 }, m.manifests...)
 if err != nil {