mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-06-14 18:53:35 +00:00
vendor update for CSI 0.3.0
This commit is contained in:
gman
1
vendor/k8s.io/kubernetes/test/e2e/auth/BUILD
generated
vendored
1
vendor/k8s.io/kubernetes/test/e2e/auth/BUILD
generated
vendored
@ -29,6 +29,7 @@ go_library(
|
||||
"//vendor/github.com/evanphx/json-patch:go_default_library",
|
||||
"//vendor/github.com/onsi/ginkgo:go_default_library",
|
||||
"//vendor/github.com/onsi/gomega:go_default_library",
|
||||
"//vendor/k8s.io/api/apps/v1:go_default_library",
|
||||
"//vendor/k8s.io/api/batch/v1:go_default_library",
|
||||
"//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/api/core/v1:go_default_library",
|
||||
|
||||
258
vendor/k8s.io/kubernetes/test/e2e/auth/audit.go
generated
vendored
258
vendor/k8s.io/kubernetes/test/e2e/auth/audit.go
generated
vendored
@ -21,21 +21,24 @@ import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
apps "k8s.io/api/apps/v1"
|
||||
apiv1 "k8s.io/api/core/v1"
|
||||
extensions "k8s.io/api/extensions/v1beta1"
|
||||
apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
|
||||
"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
|
||||
apiextensionclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
|
||||
"k8s.io/apiextensions-apiserver/test/integration/testserver"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apiserver/pkg/apis/audit/v1beta1"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
imageutils "k8s.io/kubernetes/test/utils/image"
|
||||
|
||||
"github.com/evanphx/json-patch"
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -62,9 +65,19 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
|
||||
config, err := framework.LoadConfig()
|
||||
framework.ExpectNoError(err, "failed to load config")
|
||||
apiExtensionClient, err := clientset.NewForConfig(config)
|
||||
apiExtensionClient, err := apiextensionclientset.NewForConfig(config)
|
||||
framework.ExpectNoError(err, "failed to initialize apiExtensionClient")
|
||||
|
||||
By("Creating a kubernetes client that impersonates an unauthorized anonymous user")
|
||||
config, err = framework.LoadConfig()
|
||||
framework.ExpectNoError(err)
|
||||
config.Impersonate = restclient.ImpersonationConfig{
|
||||
UserName: "system:anonymous",
|
||||
Groups: []string{"system:unauthenticated"},
|
||||
}
|
||||
anonymousClient, err := clientset.NewForConfig(config)
|
||||
framework.ExpectNoError(err)
|
||||
|
||||
testCases := []struct {
|
||||
action func()
|
||||
events []auditEvent
|
||||
@ -79,7 +92,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
Spec: apiv1.PodSpec{
|
||||
Containers: []apiv1.Container{{
|
||||
Name: "pause",
|
||||
Image: framework.GetPauseImageName(f.ClientSet),
|
||||
Image: imageutils.GetPauseImageName(),
|
||||
}},
|
||||
},
|
||||
}
|
||||
@ -117,6 +130,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
true,
|
||||
true,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequest,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -128,6 +142,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequest,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -139,6 +154,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequest,
|
||||
v1beta1.StageResponseStarted,
|
||||
@ -150,6 +166,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequest,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -161,6 +178,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequestResponse,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -172,6 +190,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
true,
|
||||
true,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequestResponse,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -183,6 +202,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
true,
|
||||
true,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequestResponse,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -194,6 +214,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
true,
|
||||
true,
|
||||
"allow",
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -201,36 +222,36 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
{
|
||||
func() {
|
||||
podLabels := map[string]string{"name": "audit-deployment-pod"}
|
||||
d := framework.NewDeployment("audit-deployment", int32(1), podLabels, "redis", imageutils.GetE2EImage(imageutils.Redis), extensions.RecreateDeploymentStrategyType)
|
||||
d := framework.NewDeployment("audit-deployment", int32(1), podLabels, "redis", imageutils.GetE2EImage(imageutils.Redis), apps.RecreateDeploymentStrategyType)
|
||||
|
||||
_, err := f.ClientSet.ExtensionsV1beta1().Deployments(namespace).Create(d)
|
||||
_, err := f.ClientSet.AppsV1().Deployments(namespace).Create(d)
|
||||
framework.ExpectNoError(err, "failed to create audit-deployment")
|
||||
|
||||
_, err = f.ClientSet.ExtensionsV1beta1().Deployments(namespace).Get(d.Name, metav1.GetOptions{})
|
||||
_, err = f.ClientSet.AppsV1().Deployments(namespace).Get(d.Name, metav1.GetOptions{})
|
||||
framework.ExpectNoError(err, "failed to get audit-deployment")
|
||||
|
||||
deploymentChan, err := f.ClientSet.ExtensionsV1beta1().Deployments(namespace).Watch(watchOptions)
|
||||
deploymentChan, err := f.ClientSet.AppsV1().Deployments(namespace).Watch(watchOptions)
|
||||
framework.ExpectNoError(err, "failed to create watch for deployments")
|
||||
for range deploymentChan.ResultChan() {
|
||||
}
|
||||
|
||||
_, err = f.ClientSet.ExtensionsV1beta1().Deployments(namespace).Update(d)
|
||||
_, err = f.ClientSet.AppsV1().Deployments(namespace).Update(d)
|
||||
framework.ExpectNoError(err, "failed to update audit-deployment")
|
||||
|
||||
_, err = f.ClientSet.ExtensionsV1beta1().Deployments(namespace).Patch(d.Name, types.JSONPatchType, patch)
|
||||
_, err = f.ClientSet.AppsV1().Deployments(namespace).Patch(d.Name, types.JSONPatchType, patch)
|
||||
framework.ExpectNoError(err, "failed to patch deployment")
|
||||
|
||||
_, err = f.ClientSet.ExtensionsV1beta1().Deployments(namespace).List(metav1.ListOptions{})
|
||||
_, err = f.ClientSet.AppsV1().Deployments(namespace).List(metav1.ListOptions{})
|
||||
framework.ExpectNoError(err, "failed to create list deployments")
|
||||
|
||||
err = f.ClientSet.ExtensionsV1beta1().Deployments(namespace).Delete("audit-deployment", &metav1.DeleteOptions{})
|
||||
err = f.ClientSet.AppsV1().Deployments(namespace).Delete("audit-deployment", &metav1.DeleteOptions{})
|
||||
framework.ExpectNoError(err, "failed to delete deployments")
|
||||
},
|
||||
[]auditEvent{
|
||||
{
|
||||
v1beta1.LevelRequestResponse,
|
||||
v1beta1.StageResponseComplete,
|
||||
fmt.Sprintf("/apis/extensions/v1beta1/namespaces/%s/deployments", namespace),
|
||||
fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments", namespace),
|
||||
"create",
|
||||
201,
|
||||
auditTestUser,
|
||||
@ -238,10 +259,11 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
true,
|
||||
true,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequest,
|
||||
v1beta1.StageResponseComplete,
|
||||
fmt.Sprintf("/apis/extensions/v1beta1/namespaces/%s/deployments/audit-deployment", namespace),
|
||||
fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
|
||||
"get",
|
||||
200,
|
||||
auditTestUser,
|
||||
@ -249,10 +271,11 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequest,
|
||||
v1beta1.StageResponseComplete,
|
||||
fmt.Sprintf("/apis/extensions/v1beta1/namespaces/%s/deployments", namespace),
|
||||
fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments", namespace),
|
||||
"list",
|
||||
200,
|
||||
auditTestUser,
|
||||
@ -260,10 +283,11 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequest,
|
||||
v1beta1.StageResponseStarted,
|
||||
fmt.Sprintf("/apis/extensions/v1beta1/namespaces/%s/deployments?timeoutSeconds=%d&watch=true", namespace, watchTestTimeout),
|
||||
fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments?timeoutSeconds=%d&watch=true", namespace, watchTestTimeout),
|
||||
"watch",
|
||||
200,
|
||||
auditTestUser,
|
||||
@ -271,10 +295,11 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequest,
|
||||
v1beta1.StageResponseComplete,
|
||||
fmt.Sprintf("/apis/extensions/v1beta1/namespaces/%s/deployments?timeoutSeconds=%d&watch=true", namespace, watchTestTimeout),
|
||||
fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments?timeoutSeconds=%d&watch=true", namespace, watchTestTimeout),
|
||||
"watch",
|
||||
200,
|
||||
auditTestUser,
|
||||
@ -282,10 +307,11 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequestResponse,
|
||||
v1beta1.StageResponseComplete,
|
||||
fmt.Sprintf("/apis/extensions/v1beta1/namespaces/%s/deployments/audit-deployment", namespace),
|
||||
fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
|
||||
"update",
|
||||
200,
|
||||
auditTestUser,
|
||||
@ -293,10 +319,11 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
true,
|
||||
true,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequestResponse,
|
||||
v1beta1.StageResponseComplete,
|
||||
fmt.Sprintf("/apis/extensions/v1beta1/namespaces/%s/deployments/audit-deployment", namespace),
|
||||
fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
|
||||
"patch",
|
||||
200,
|
||||
auditTestUser,
|
||||
@ -304,10 +331,11 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
true,
|
||||
true,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelRequestResponse,
|
||||
v1beta1.StageResponseComplete,
|
||||
fmt.Sprintf("/apis/extensions/v1beta1/namespaces/%s/deployments/audit-deployment", namespace),
|
||||
fmt.Sprintf("/apis/apps/v1/namespaces/%s/deployments/audit-deployment", namespace),
|
||||
"delete",
|
||||
200,
|
||||
auditTestUser,
|
||||
@ -315,6 +343,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
true,
|
||||
true,
|
||||
"allow",
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -365,6 +394,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -376,6 +406,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -387,6 +418,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseStarted,
|
||||
@ -398,6 +430,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -409,6 +442,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -420,6 +454,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -431,6 +466,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -442,6 +478,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -491,6 +528,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -502,6 +540,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -513,6 +552,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseStarted,
|
||||
@ -524,6 +564,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -535,6 +576,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -546,6 +588,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -557,6 +600,7 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
}, {
|
||||
v1beta1.LevelMetadata,
|
||||
v1beta1.StageResponseComplete,
|
||||
@ -568,87 +612,137 @@ var _ = SIGDescribe("Advanced Audit", func() {
|
||||
namespace,
|
||||
false,
|
||||
false,
|
||||
"allow",
|
||||
},
|
||||
},
|
||||
},
|
||||
// Create and delete custom resource definition.
|
||||
{
|
||||
func() {
|
||||
_, err = testserver.CreateNewCustomResourceDefinition(crd, apiExtensionClient, f.ClientPool)
|
||||
crd, err = testserver.CreateNewCustomResourceDefinition(crd, apiExtensionClient, f.DynamicClient)
|
||||
framework.ExpectNoError(err, "failed to create custom resource definition")
|
||||
testserver.DeleteCustomResourceDefinition(crd, apiExtensionClient)
|
||||
},
|
||||
[]auditEvent{
|
||||
{
|
||||
level: v1beta1.LevelRequestResponse,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: "/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions",
|
||||
verb: "create",
|
||||
code: 201,
|
||||
user: auditTestUser,
|
||||
resource: "customresourcedefinitions",
|
||||
requestObject: true,
|
||||
responseObject: true,
|
||||
level: v1beta1.LevelRequestResponse,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: "/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions",
|
||||
verb: "create",
|
||||
code: 201,
|
||||
user: auditTestUser,
|
||||
resource: "customresourcedefinitions",
|
||||
requestObject: true,
|
||||
responseObject: true,
|
||||
authorizeDecision: "allow",
|
||||
}, {
|
||||
level: v1beta1.LevelMetadata,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: fmt.Sprintf("/apis/%s/v1beta1/%s", crdNamespace, crdName),
|
||||
verb: "create",
|
||||
code: 201,
|
||||
user: auditTestUser,
|
||||
resource: crdName,
|
||||
requestObject: false,
|
||||
responseObject: false,
|
||||
level: v1beta1.LevelMetadata,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: fmt.Sprintf("/apis/%s/v1beta1/%s", crdNamespace, crdName),
|
||||
verb: "create",
|
||||
code: 201,
|
||||
user: auditTestUser,
|
||||
resource: crdName,
|
||||
requestObject: false,
|
||||
responseObject: false,
|
||||
authorizeDecision: "allow",
|
||||
}, {
|
||||
level: v1beta1.LevelRequestResponse,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: fmt.Sprintf("/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/%s", crd.Name),
|
||||
verb: "delete",
|
||||
code: 200,
|
||||
user: auditTestUser,
|
||||
resource: "customresourcedefinitions",
|
||||
requestObject: false,
|
||||
responseObject: true,
|
||||
level: v1beta1.LevelRequestResponse,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: fmt.Sprintf("/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/%s", crd.Name),
|
||||
verb: "delete",
|
||||
code: 200,
|
||||
user: auditTestUser,
|
||||
resource: "customresourcedefinitions",
|
||||
requestObject: false,
|
||||
responseObject: true,
|
||||
authorizeDecision: "allow",
|
||||
}, {
|
||||
level: v1beta1.LevelMetadata,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: fmt.Sprintf("/apis/%s/v1beta1/%s/setup-instance", crdNamespace, crdName),
|
||||
verb: "delete",
|
||||
code: 200,
|
||||
user: auditTestUser,
|
||||
resource: crdName,
|
||||
requestObject: false,
|
||||
responseObject: false,
|
||||
level: v1beta1.LevelMetadata,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: fmt.Sprintf("/apis/%s/v1beta1/%s/setup-instance", crdNamespace, crdName),
|
||||
verb: "delete",
|
||||
code: 200,
|
||||
user: auditTestUser,
|
||||
resource: crdName,
|
||||
requestObject: false,
|
||||
responseObject: false,
|
||||
authorizeDecision: "allow",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// test authorizer annotations, RBAC is required.
|
||||
annotationTestCases := []struct {
|
||||
action func()
|
||||
events []auditEvent
|
||||
}{
|
||||
|
||||
// get a pod with unauthorized user
|
||||
{
|
||||
func() {
|
||||
_, err := anonymousClient.CoreV1().Pods(namespace).Get("another-audit-pod", metav1.GetOptions{})
|
||||
expectForbidden(err)
|
||||
},
|
||||
[]auditEvent{
|
||||
{
|
||||
level: v1beta1.LevelRequest,
|
||||
stage: v1beta1.StageResponseComplete,
|
||||
requestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
|
||||
verb: "get",
|
||||
code: 403,
|
||||
user: auditTestUser,
|
||||
resource: "pods",
|
||||
namespace: namespace,
|
||||
requestObject: false,
|
||||
responseObject: false,
|
||||
authorizeDecision: "forbid",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
if framework.IsRBACEnabled(f) {
|
||||
testCases = append(testCases, annotationTestCases...)
|
||||
}
|
||||
expectedEvents := []auditEvent{}
|
||||
for _, t := range testCases {
|
||||
t.action()
|
||||
expectedEvents = append(expectedEvents, t.events...)
|
||||
}
|
||||
|
||||
expectAuditLines(f, expectedEvents)
|
||||
// The default flush timeout is 30 seconds, therefore it should be enough to retry once
|
||||
// to find all expected events. However, we're waiting for 5 minutes to avoid flakes.
|
||||
pollingInterval := 30 * time.Second
|
||||
pollingTimeout := 5 * time.Minute
|
||||
err = wait.Poll(pollingInterval, pollingTimeout, func() (bool, error) {
|
||||
ok, err := checkAuditLines(f, expectedEvents)
|
||||
if err != nil {
|
||||
framework.Logf("Failed to observe audit events: %v", err)
|
||||
}
|
||||
return ok, nil
|
||||
})
|
||||
framework.ExpectNoError(err, "after %v failed to observe audit events", pollingTimeout)
|
||||
})
|
||||
})
|
||||
|
||||
type auditEvent struct {
|
||||
level v1beta1.Level
|
||||
stage v1beta1.Stage
|
||||
requestURI string
|
||||
verb string
|
||||
code int32
|
||||
user string
|
||||
resource string
|
||||
namespace string
|
||||
requestObject bool
|
||||
responseObject bool
|
||||
level v1beta1.Level
|
||||
stage v1beta1.Stage
|
||||
requestURI string
|
||||
verb string
|
||||
code int32
|
||||
user string
|
||||
resource string
|
||||
namespace string
|
||||
requestObject bool
|
||||
responseObject bool
|
||||
authorizeDecision string
|
||||
}
|
||||
|
||||
// Search the audit log for the expected audit lines.
|
||||
func expectAuditLines(f *framework.Framework, expected []auditEvent) {
|
||||
func checkAuditLines(f *framework.Framework, expected []auditEvent) (bool, error) {
|
||||
expectations := map[auditEvent]bool{}
|
||||
for _, event := range expected {
|
||||
expectations[event] = false
|
||||
@ -656,25 +750,36 @@ func expectAuditLines(f *framework.Framework, expected []auditEvent) {
|
||||
|
||||
// Fetch the log stream.
|
||||
stream, err := f.ClientSet.CoreV1().RESTClient().Get().AbsPath("/logs/kube-apiserver-audit.log").Stream()
|
||||
framework.ExpectNoError(err, "could not read audit log")
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
defer stream.Close()
|
||||
|
||||
scanner := bufio.NewScanner(stream)
|
||||
for scanner.Scan() {
|
||||
line := scanner.Text()
|
||||
event, err := parseAuditLine(line)
|
||||
framework.ExpectNoError(err)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
// If the event was expected, mark it as found.
|
||||
if _, found := expectations[event]; found {
|
||||
expectations[event] = true
|
||||
}
|
||||
}
|
||||
framework.ExpectNoError(scanner.Err(), "error reading audit log")
|
||||
|
||||
for event, found := range expectations {
|
||||
Expect(found).To(BeTrue(), "Event %#v not found!", event)
|
||||
if err := scanner.Err(); err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
noneMissing := true
|
||||
for event, found := range expectations {
|
||||
if !found {
|
||||
framework.Logf("Event %#v not found!", event)
|
||||
}
|
||||
noneMissing = noneMissing && found
|
||||
}
|
||||
return noneMissing, nil
|
||||
}
|
||||
|
||||
func parseAuditLine(line string) (auditEvent, error) {
|
||||
@ -702,5 +807,6 @@ func parseAuditLine(line string) (auditEvent, error) {
|
||||
if e.RequestObject != nil {
|
||||
event.requestObject = true
|
||||
}
|
||||
event.authorizeDecision = e.Annotations["authorization.k8s.io/decision"]
|
||||
return event, nil
|
||||
}
|
||||
|
||||
31
vendor/k8s.io/kubernetes/test/e2e/auth/node_authz.go
generated
vendored
31
vendor/k8s.io/kubernetes/test/e2e/auth/node_authz.go
generated
vendored
@ -27,6 +27,7 @@ import (
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
imageutils "k8s.io/kubernetes/test/utils/image"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
@ -74,11 +75,33 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
Expect(apierrors.IsForbidden(err)).Should(Equal(true))
|
||||
})
|
||||
|
||||
It("Getting an existent secret should exit with the Forbidden error", func() {
|
||||
It("Getting an existing secret should exit with the Forbidden error", func() {
|
||||
_, err := c.CoreV1().Secrets(ns).Get(defaultSaSecret, metav1.GetOptions{})
|
||||
Expect(apierrors.IsForbidden(err)).Should(Equal(true))
|
||||
})
|
||||
|
||||
It("Getting a non-existent configmap should exit with the Forbidden error, not a NotFound error", func() {
|
||||
_, err := c.CoreV1().ConfigMaps(ns).Get("foo", metav1.GetOptions{})
|
||||
Expect(apierrors.IsForbidden(err)).Should(Equal(true))
|
||||
})
|
||||
|
||||
It("Getting an existing configmap should exit with the Forbidden error", func() {
|
||||
By("Create a configmap for testing")
|
||||
configmap := &v1.ConfigMap{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: ns,
|
||||
Name: "node-auth-configmap",
|
||||
},
|
||||
Data: map[string]string{
|
||||
"data": "content",
|
||||
},
|
||||
}
|
||||
_, err := f.ClientSet.CoreV1().ConfigMaps(ns).Create(configmap)
|
||||
Expect(err).NotTo(HaveOccurred())
|
||||
_, err = c.CoreV1().ConfigMaps(ns).Get(configmap.Name, metav1.GetOptions{})
|
||||
Expect(apierrors.IsForbidden(err)).Should(Equal(true))
|
||||
})
|
||||
|
||||
It("Getting a secret for a workload the node has access to should succeed", func() {
|
||||
By("Create a secret for testing")
|
||||
secret := &v1.Secret{
|
||||
@ -106,7 +129,7 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
Name: "pause",
|
||||
Image: framework.GetPauseImageName(f.ClientSet),
|
||||
Image: imageutils.GetPauseImageName(),
|
||||
},
|
||||
},
|
||||
NodeName: nodeName,
|
||||
@ -138,7 +161,7 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
Expect(err).NotTo(HaveOccurred())
|
||||
})
|
||||
|
||||
It("A node shouldn't be able to create an other node", func() {
|
||||
It("A node shouldn't be able to create another node", func() {
|
||||
node := &v1.Node{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "foo"},
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
@ -151,7 +174,7 @@ var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
|
||||
Expect(apierrors.IsForbidden(err)).Should(Equal(true))
|
||||
})
|
||||
|
||||
It("A node shouldn't be able to delete an other node", func() {
|
||||
It("A node shouldn't be able to delete another node", func() {
|
||||
By(fmt.Sprintf("Create node foo by user: %v", asUser))
|
||||
err := c.CoreV1().Nodes().Delete("foo", &metav1.DeleteOptions{})
|
||||
Expect(apierrors.IsForbidden(err)).Should(Equal(true))
|
||||
|
||||
19
vendor/k8s.io/kubernetes/test/e2e/auth/pod_security_policy.go
generated
vendored
19
vendor/k8s.io/kubernetes/test/e2e/auth/pod_security_policy.go
generated
vendored
@ -35,6 +35,7 @@ import (
|
||||
utilpointer "k8s.io/kubernetes/pkg/util/pointer"
|
||||
"k8s.io/kubernetes/test/e2e/common"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
imageutils "k8s.io/kubernetes/test/utils/image"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
@ -315,17 +316,17 @@ func restrictedPod(f *framework.Framework, name string) *v1.Pod {
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Annotations: map[string]string{
|
||||
v1.SeccompPodAnnotationKey: "docker/default",
|
||||
v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
|
||||
apparmor.ContainerAnnotationKeyPrefix + "pause": apparmor.ProfileRuntimeDefault,
|
||||
},
|
||||
},
|
||||
Spec: v1.PodSpec{
|
||||
Containers: []v1.Container{{
|
||||
Name: "pause",
|
||||
Image: framework.GetPauseImageName(f.ClientSet),
|
||||
Image: imageutils.GetPauseImageName(),
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
AllowPrivilegeEscalation: boolPtr(false),
|
||||
RunAsUser: intPtr(65534),
|
||||
RunAsUser: utilpointer.Int64Ptr(65534),
|
||||
},
|
||||
}},
|
||||
},
|
||||
@ -373,8 +374,8 @@ func restrictedPSPInPolicy(name string) *policy.PodSecurityPolicy {
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Annotations: map[string]string{
|
||||
seccomp.AllowedProfilesAnnotationKey: "docker/default",
|
||||
seccomp.DefaultProfileAnnotationKey: "docker/default",
|
||||
seccomp.AllowedProfilesAnnotationKey: v1.SeccompProfileRuntimeDefault,
|
||||
seccomp.DefaultProfileAnnotationKey: v1.SeccompProfileRuntimeDefault,
|
||||
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault,
|
||||
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
|
||||
},
|
||||
@ -428,8 +429,8 @@ func restrictedPSP(name string) *extensionsv1beta1.PodSecurityPolicy {
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Annotations: map[string]string{
|
||||
seccomp.AllowedProfilesAnnotationKey: "docker/default",
|
||||
seccomp.DefaultProfileAnnotationKey: "docker/default",
|
||||
seccomp.AllowedProfilesAnnotationKey: v1.SeccompProfileRuntimeDefault,
|
||||
seccomp.DefaultProfileAnnotationKey: v1.SeccompProfileRuntimeDefault,
|
||||
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault,
|
||||
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
|
||||
},
|
||||
@ -480,7 +481,3 @@ func restrictedPSP(name string) *extensionsv1beta1.PodSecurityPolicy {
|
||||
func boolPtr(b bool) *bool {
|
||||
return &b
|
||||
}
|
||||
|
||||
func intPtr(i int64) *int64 {
|
||||
return &i
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user