Promote ServiceAccountIssuerDiscovery test to conformance

This satisfies the graduation criteria for promoting
ServiceAccountIssuerDiscovery to GA, per the KEP:
https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1393-oidc-discovery

The test only uses GA APIs and has been passing for well
over two weeks:
https://testgrid.k8s.io/sig-release-master-blocking#gce-cos-master-alpha-features&include-filter-by-regex=ServiceAccountIssuerDiscovery
Michael Taufen 2021-01-29 15:13:09 -08:00
parent 89a51477c8
commit f3e223cbbc
2 changed files with 16 additions and 1 deletions

@ -1351,6 +1351,13 @@
resource must support get, update, patch.' resource must support get, update, patch.'
release: v1.19 release: v1.19
file: test/e2e/auth/certificates.go file: test/e2e/auth/certificates.go
- testname: OIDC Discovery (ServiceAccountIssuerDiscovery)
codename: '[sig-auth] ServiceAccounts ServiceAccountIssuerDiscovery should support
OIDC discovery of service account issuer [Conformance]'
description: Ensure kube-apiserver serves correct OIDC discovery endpoints by deploying
a Pod that verifies its own token against these endpoints.
release: v1.21
file: test/e2e/auth/service_accounts.go
- testname: Service account tokens auto mount optionally - testname: Service account tokens auto mount optionally
codename: '[sig-auth] ServiceAccounts should allow opting out of API token automount [Conformance]' codename: '[sig-auth] ServiceAccounts should allow opting out of API token automount [Conformance]'
description: Ensure that Service Account keys are mounted into the Pod only when description: Ensure that Service Account keys are mounted into the Pod only when
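Review bot: The new description for "OIDC Discovery (ServiceAccountIssuerDiscovery)" says kube-apiserver serves "correct OIDC discovery endpoints" but never states what is required of them, which is what a conformance entry is read for. The neighbouring entry in this hunk states its requirement in must-form ("resource must support get, update, patch."); consider wording this one the same way, saying which endpoints must be served and what the Pod's verification of its own token must establish for the test to pass.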

@ -673,7 +673,15 @@ var _ = SIGDescribe("ServiceAccounts", func() {
} }
}) })
ginkgo.It("ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer", func() { /*
Release: v1.21
Testname: OIDC Discovery (ServiceAccountIssuerDiscovery)
Description: Ensure kube-apiserver serves correct OIDC discovery
endpoints by deploying a Pod that verifies its own
token against these endpoints.
*/
framework.ConformanceIt("ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer", func() {
// Allow the test pod access to the OIDC discovery non-resource URLs. // Allow the test pod access to the OIDC discovery non-resource URLs.
// The role should have already been automatically created as part of the // The role should have already been automatically created as part of the
// RBAC bootstrap policy, but not the role binding. If RBAC is disabled, // RBAC bootstrap policy, but not the role binding. If RBAC is disabled,
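Review bot: The doc comment added above framework.ConformanceIt leaves out a precondition that the context lines at the bottom of this hunk show: the test expects the role for the OIDC discovery non-resource URLs to exist already from the RBAC bootstrap policy, but not the role binding, and it has a separate case for when RBAC is disabled. As a conformance test this now has to pass on every conformant cluster, so the Description should state that dependency, and it is worth confirming that the RBAC-disabled case is exercised by the job cited in the commit message as evidence.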