diff --git a/test/e2e_node/kubelet_authz_test.go b/test/e2e_node/kubelet_authz_test.go index ff4df6f0661..ddb15289f0e 100644 --- a/test/e2e_node/kubelet_authz_test.go +++ b/test/e2e_node/kubelet_authz_test.go @@ -60,6 +60,9 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint, crName := authzSubresource verb := "get" resource := "nodes" + + ginkgo.By(fmt.Sprintf("Creating Service Account:%s/%s", ns, saName)) + _, err := f.ClientSet.CoreV1().ServiceAccounts(ns).Create(ctx, &v1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: saName, @@ -68,12 +71,15 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint, }, metav1.CreateOptions{}) framework.ExpectNoError(err) + ginkgo.By(fmt.Sprintf("Creating ClusterRole %s with for %s/%s", crName, resource, authzSubresource)) + _, err = f.ClientSet.RbacV1().ClusterRoles().Create(ctx, &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ Name: crName, }, Rules: []rbacv1.PolicyRule{ { + APIGroups: []string{""}, Verbs: []string{verb}, Resources: []string{resource + "/" + authzSubresource}, }, @@ -87,9 +93,13 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint, Name: saName, } + ginkgo.By(fmt.Sprintf("Creating ClusterRoleBinding with ClusterRole %s with subject %s/%s", crName, ns, saName)) + err = e2eauth.BindClusterRole(ctx, f.ClientSet.RbacV1(), crName, ns, subject) framework.ExpectNoError(err) + ginkgo.By("Waiting for Authorization Update.") + err = e2eauth.WaitForAuthzUpdate(ctx, f.ClientSet.AuthorizationV1(), serviceaccount.MakeUsername(ns, saName), &authorizationv1.ResourceAttributes{ @@ -102,6 +112,8 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint, ) framework.ExpectNoError(err) + ginkgo.By(fmt.Sprintf("Getting token for ServiceAccount %s/%s.", ns, saName)) + tr, err := f.ClientSet.CoreV1().ServiceAccounts(ns).CreateToken(ctx, saName, &authenticationv1.TokenRequest{}, metav1.CreateOptions{}) framework.ExpectNoError(err)