test/e2e/node/kubelet_authz.go: fix SAR to include service account groups

This sets the appropriate groups (system:authenticated, system:serviceaccounts,
system:serviceaccounts:<ns>) in the SAR used in WaitForAuthzUpdate to accurately
simulate the service account’s identity.
This commit is contained in:
Fabio Bertinatto
2025-04-25 15:55:27 -03:00
parent b63fe3d667
commit e36a168a63
2 changed files with 3 additions and 1 deletions

View File

@@ -45,11 +45,12 @@ type bindingsGetter interface {
// WaitForAuthzUpdate checks if the give user can perform named verb and action
// on a resource or subresource.
func WaitForAuthzUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user string, ra *authorizationv1.ResourceAttributes, allowed bool) error {
func WaitForAuthzUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user string, groups []string, ra *authorizationv1.ResourceAttributes, allowed bool) error {
review := &authorizationv1.SubjectAccessReview{
Spec: authorizationv1.SubjectAccessReviewSpec{
ResourceAttributes: ra,
User: user,
Groups: groups,
},
}

View File

@@ -104,6 +104,7 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint,
err = e2eauth.WaitForAuthzUpdate(ctx, f.ClientSet.AuthorizationV1(),
serviceaccount.MakeUsername(ns, saName),
append(serviceaccount.MakeGroupNames(ns), "system:authenticated"),
&authorizationv1.ResourceAttributes{
Namespace: ns,
Verb: verb,