From f3e223cbbc137a1cd0d1a094ed76e1c73044f55c Mon Sep 17 00:00:00 2001
From: Michael Taufen
Date: Fri, 29 Jan 2021 15:13:09 -0800
Subject: [PATCH] Promote ServiceAccountIssuerDiscovery test to conformance
This satisfies the graduation criteria for promoting ServiceAccountIssuerDiscovery to GA, per the KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1393-oidc-discovery The test only uses GA APIs and has been passing for well over two weeks: https://testgrid.k8s.io/sig-release-master-blocking#gce-cos-master-alpha-features&include-filter-by-regex=ServiceAccountIssuerDiscovery
---
 test/conformance/testdata/conformance.yaml | 7 +++++++
 test/e2e/auth/service_accounts.go | 10 +++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/test/conformance/testdata/conformance.yaml b/test/conformance/testdata/conformance.yaml
index 6297f62a917..869cc88f129 100755
--- a/test/conformance/testdata/conformance.yaml
+++ b/test/conformance/testdata/conformance.yaml
@@ -1351,6 +1351,13 @@ resource must support get, update, patch.'
 release: v1.19
 file: test/e2e/auth/certificates.go
+- testname: OIDC Discovery (ServiceAccountIssuerDiscovery)
+ codename: '[sig-auth] ServiceAccounts ServiceAccountIssuerDiscovery should support
+ OIDC discovery of service account issuer [Conformance]'
+ description: Ensure kube-apiserver serves correct OIDC discovery endpoints by deploying
+ a Pod that verifies its own token against these endpoints.
+ release: v1.21
+ file: test/e2e/auth/service_accounts.go
 - testname: Service account tokens auto mount optionally
 codename: '[sig-auth] ServiceAccounts should allow opting out of API token automount [Conformance]'
 description: Ensure that Service Account keys are mounted into the Pod only when
diff --git a/test/e2e/auth/service_accounts.go b/test/e2e/auth/service_accounts.go
index 8e20b568c12..b56745466ae 100644
--- a/test/e2e/auth/service_accounts.go
+++ b/test/e2e/auth/service_accounts.go
@@ -673,7 +673,15 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 }
 })
- ginkgo.It("ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer", func() {
+ /*
+ Release: v1.21
+ Testname: OIDC Discovery (ServiceAccountIssuerDiscovery)
+ Description: Ensure kube-apiserver serves correct OIDC discovery
+ endpoints by deploying a Pod that verifies its own
+ token against these endpoints.
+ */
+ framework.ConformanceIt("ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer", func() {
+
 // Allow the test pod access to the OIDC discovery non-resource URLs.
 // The role should have already been automatically created as part of the
 // RBAC bootstrap policy, but not the role binding. If RBAC is disabled,
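Review bot: The conformance comment added above `framework.ConformanceIt` does not mention that the test grants its Pod access to the OIDC discovery non-resource URLs through a role binding it creates itself, which the context comment just below says the RBAC bootstrap policy does not provide. Because this block becomes the published conformance description, I would add a sentence such as `The test binds the Pod's service account to the bootstrap discovery role before the Pod verifies its token.` so an operator reading it knows what the test changes in RBAC. The conformance.yaml entry in the first hunk appears to mirror this comment and would need the same wording. The blank line added directly after `func() {` can be dropped. The test body continues outside the hunk, so whether the binding is removed afterwards cannot be seen here.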