From e36a168a63039ff76e659a7ea2a91798d65c9f82 Mon Sep 17 00:00:00 2001 From: Fabio Bertinatto Date: Fri, 25 Apr 2025 15:55:27 -0300 Subject: [PATCH] test/e2e/node/kubelet_authz.go: fix SAR to include service account groups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This sets the appropriate groups (system:authenticated, system:serviceaccounts, system:serviceaccounts:) in the SAR used in WaitForAuthzUpdate to accurately simulate the service account’s identity. --- test/e2e/framework/auth/helpers.go | 3 ++- test/e2e/node/kubelet_authz.go | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/test/e2e/framework/auth/helpers.go b/test/e2e/framework/auth/helpers.go index 28a12c7ba6c..6312e737c3d 100644 --- a/test/e2e/framework/auth/helpers.go +++ b/test/e2e/framework/auth/helpers.go @@ -45,11 +45,12 @@ type bindingsGetter interface { // WaitForAuthzUpdate checks if the give user can perform named verb and action // on a resource or subresource. -func WaitForAuthzUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user string, ra *authorizationv1.ResourceAttributes, allowed bool) error { +func WaitForAuthzUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user string, groups []string, ra *authorizationv1.ResourceAttributes, allowed bool) error { review := &authorizationv1.SubjectAccessReview{ Spec: authorizationv1.SubjectAccessReviewSpec{ ResourceAttributes: ra, User: user, + Groups: groups, }, } diff --git a/test/e2e/node/kubelet_authz.go b/test/e2e/node/kubelet_authz.go index 198304b17b2..8d65acc76fa 100644 --- a/test/e2e/node/kubelet_authz.go +++ b/test/e2e/node/kubelet_authz.go @@ -104,6 +104,7 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint, err = e2eauth.WaitForAuthzUpdate(ctx, f.ClientSet.AuthorizationV1(), serviceaccount.MakeUsername(ns, saName), + append(serviceaccount.MakeGroupNames(ns), "system:authenticated"), &authorizationv1.ResourceAttributes{ Namespace: ns, Verb: verb,