github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 19:31:44 +00:00
Code Issues Projects Releases Wiki Activity

Add an impersonation test case to the audit E2E test

Browse Source
This commit is contained in:
Dennis Czombera 2018-11-19 14:03:16 +01:00
parent 7ba79c3183
commit f9df691c72
2 changed files with 67 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
test/e2e/auth/audit.go
View File

@ -79,6 +79,16 @@ var _ = SIGDescribe("Advanced Audit", func() {
anonymousClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err)
By("Creating a kubernetes client that impersonates an authorized user")
config, err = framework.LoadConfig()
framework.ExpectNoError(err)
config.Impersonate = restclient.ImpersonationConfig{
UserName: "superman",
Groups: []string{"system:masters"},
}
impersonatedClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err)
testCases := []struct {
action func()
events []utils.AuditEvent
@ -668,6 +678,30 @@ var _ = SIGDescribe("Advanced Audit", func() {
},
},
},
// List pods as impersonated user.
{
func() {
_, err = impersonatedClient.CoreV1().Pods(namespace).List(metav1.ListOptions{})
framework.ExpectNoError(err, "failed to list pods")
},
[]utils.AuditEvent{
{
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
Verb: "list",
Code: 200,
User: auditTestUser,
ImpersonatedUser: "superman",
ImpersonatedGroups: "system:masters",
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
},
},
},
}
// test authorizer annotations, RBAC is required.
@ -684,17 +718,19 @@ var _ = SIGDescribe("Advanced Audit", func() {
},
[]utils.AuditEvent{
{
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
Verb: "get",
Code: 403,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "forbid",
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
Verb: "get",
Code: 403,
User: auditTestUser,
ImpersonatedUser: "system:anonymous",
ImpersonatedGroups: "system:unauthenticated",
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "forbid",
},
},
},

31
test/utils/audit.go
View File

@ -20,6 +20,8 @@ import (
"bufio"
"fmt"
"io"
"sort"
"strings"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
@ -28,17 +30,19 @@ import (
)
type AuditEvent struct {
Level auditinternal.Level
Stage auditinternal.Stage
RequestURI string
Verb string
Code int32
User string
Resource string
Namespace string
RequestObject bool
ResponseObject bool
AuthorizeDecision string
Level auditinternal.Level
Stage auditinternal.Stage
RequestURI string
Verb string
Code int32
User string
ImpersonatedUser string
ImpersonatedGroups string
Resource string
Namespace string
RequestObject bool
ResponseObject bool
AuthorizeDecision string
}
// Search the audit log for the expected audit lines.
@ -101,6 +105,11 @@ func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error
if e.RequestObject != nil {
event.RequestObject = true
}
if e.ImpersonatedUser != nil {
event.ImpersonatedUser = e.ImpersonatedUser.Username
sort.Strings(e.ImpersonatedUser.Groups)
event.ImpersonatedGroups = strings.Join(e.ImpersonatedUser.Groups, ",")
}
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
return event, nil
}