Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 52c7aa5b5a
Branches Tags
custom-kube-...
/
kubernetes-v1.15.4
/
test
/
e2e
/
auth
/
node_authz.go

node_authz.go 6.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187 
  1. /*
    2. 

  2. Copyright 2017 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package auth
    18. 

  18. 

  19. import (
    20. 

  20. 	"fmt"
    21. 

  21. 	"time"
    22. 

  22. 

  23. 	v1 "k8s.io/api/core/v1"
    24. 

  24. 	apierrors "k8s.io/apimachinery/pkg/api/errors"
    25. 

  25. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    26. 

  26. 	"k8s.io/apimachinery/pkg/util/wait"
    27. 

  27. 	clientset "k8s.io/client-go/kubernetes"
    28. 

  28. 	restclient "k8s.io/client-go/rest"
    29. 

  29. 	"k8s.io/kubernetes/test/e2e/framework"
    30. 

  30. 	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
    31. 

  31. 	imageutils "k8s.io/kubernetes/test/utils/image"
    32. 

  32. 

  33. 	"github.com/onsi/ginkgo"
    34. 

  34. 	"github.com/onsi/gomega"
    35. 

  35. )
    36. 

  36. 

  37. const (
    38. 

  38. 	nodesGroup     = "system:nodes"
    39. 

  39. 	nodeNamePrefix = "system:node:"
    40. 

  40. )
    41. 

  41. 

  42. var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
    43. 

  43. 

  44. 	f := framework.NewDefaultFramework("node-authz")
    45. 

  45. 	// client that will impersonate a node
    46. 

  46. 	var c clientset.Interface
    47. 

  47. 	var ns string
    48. 

  48. 	var asUser string
    49. 

  49. 	var defaultSaSecret string
    50. 

  50. 	var nodeName string
    51. 

  51. 	ginkgo.BeforeEach(func() {
    52. 

  52. 		ns = f.Namespace.Name
    53. 

  53. 

  54. 		nodeList, err := f.ClientSet.CoreV1().Nodes().List(metav1.ListOptions{})
    55. 

  55. 		framework.ExpectNoError(err, "failed to list nodes in namespace: %s", ns)
    56. 

  56. 		gomega.Expect(len(nodeList.Items)).NotTo(gomega.Equal(0))
    57. 

  57. 		nodeName = nodeList.Items[0].Name
    58. 

  58. 		asUser = nodeNamePrefix + nodeName
    59. 

  59. 		saName := "default"
    60. 

  60. 		sa, err := f.ClientSet.CoreV1().ServiceAccounts(ns).Get(saName, metav1.GetOptions{})
    61. 

  61. 		gomega.Expect(len(sa.Secrets)).NotTo(gomega.Equal(0))
    62. 

  62. 		framework.ExpectNoError(err, "failed to retrieve service account (%s:%s)", ns, saName)
    63. 

  63. 		defaultSaSecret = sa.Secrets[0].Name
    64. 

  64. 		ginkgo.By("Creating a kubernetes client that impersonates a node")
    65. 

  65. 		config, err := framework.LoadConfig()
    66. 

  66. 		framework.ExpectNoError(err, "failed to load kubernetes client config")
    67. 

  67. 		config.Impersonate = restclient.ImpersonationConfig{
    68. 

  68. 			UserName: asUser,
    69. 

  69. 			Groups:   []string{nodesGroup},
    70. 

  70. 		}
    71. 

  71. 		c, err = clientset.NewForConfig(config)
    72. 

  72. 		framework.ExpectNoError(err, "failed to create Clientset for the given config: %+v", *config)
    73. 

  73. 

  74. 	})
    75. 

  75. 	ginkgo.It("Getting a non-existent secret should exit with the Forbidden error, not a NotFound error", func() {
    76. 

  76. 		_, err := c.CoreV1().Secrets(ns).Get("foo", metav1.GetOptions{})
    77. 

  77. 		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
    78. 

  78. 	})
    79. 

  79. 

  80. 	ginkgo.It("Getting an existing secret should exit with the Forbidden error", func() {
    81. 

  81. 		_, err := c.CoreV1().Secrets(ns).Get(defaultSaSecret, metav1.GetOptions{})
    82. 

  82. 		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
    83. 

  83. 	})
    84. 

  84. 

  85. 	ginkgo.It("Getting a non-existent configmap should exit with the Forbidden error, not a NotFound error", func() {
    86. 

  86. 		_, err := c.CoreV1().ConfigMaps(ns).Get("foo", metav1.GetOptions{})
    87. 

  87. 		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
    88. 

  88. 	})
    89. 

  89. 

  90. 	ginkgo.It("Getting an existing configmap should exit with the Forbidden error", func() {
    91. 

  91. 		ginkgo.By("Create a configmap for testing")
    92. 

  92. 		configmap := &v1.ConfigMap{
    93. 

  93. 			ObjectMeta: metav1.ObjectMeta{
    94. 

  94. 				Namespace: ns,
    95. 

  95. 				Name:      "node-auth-configmap",
    96. 

  96. 			},
    97. 

  97. 			Data: map[string]string{
    98. 

  98. 				"data": "content",
    99. 

  99. 			},
    100. 

  100. 		}
    101. 

  101. 		_, err := f.ClientSet.CoreV1().ConfigMaps(ns).Create(configmap)
    102. 

  102. 		framework.ExpectNoError(err, "failed to create configmap (%s:%s) %+v", ns, configmap.Name, *configmap)
    103. 

  103. 		_, err = c.CoreV1().ConfigMaps(ns).Get(configmap.Name, metav1.GetOptions{})
    104. 

  104. 		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
    105. 

  105. 	})
    106. 

  106. 

  107. 	ginkgo.It("Getting a secret for a workload the node has access to should succeed", func() {
    108. 

  108. 		ginkgo.By("Create a secret for testing")
    109. 

  109. 		secret := &v1.Secret{
    110. 

  110. 			ObjectMeta: metav1.ObjectMeta{
    111. 

  111. 				Namespace: ns,
    112. 

  112. 				Name:      "node-auth-secret",
    113. 

  113. 			},
    114. 

  114. 			Data: map[string][]byte{
    115. 

  115. 				"data": []byte("keep it secret"),
    116. 

  116. 			},
    117. 

  117. 		}
    118. 

  118. 		_, err := f.ClientSet.CoreV1().Secrets(ns).Create(secret)
    119. 

  119. 		framework.ExpectNoError(err, "failed to create secret (%s:%s)", ns, secret.Name)
    120. 

  120. 

  121. 		ginkgo.By("Node should not get the secret")
    122. 

  122. 		_, err = c.CoreV1().Secrets(ns).Get(secret.Name, metav1.GetOptions{})
    123. 

  123. 		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
    124. 

  124. 

  125. 		ginkgo.By("Create a pod that use the secret")
    126. 

  126. 		pod := &v1.Pod{
    127. 

  127. 			ObjectMeta: metav1.ObjectMeta{
    128. 

  128. 				Name: "pause",
    129. 

  129. 			},
    130. 

  130. 			Spec: v1.PodSpec{
    131. 

  131. 				Containers: []v1.Container{
    132. 

  132. 					{
    133. 

  133. 						Name:  "pause",
    134. 

  134. 						Image: imageutils.GetPauseImageName(),
    135. 

  135. 					},
    136. 

  136. 				},
    137. 

  137. 				NodeName: nodeName,
    138. 

  138. 				Volumes: []v1.Volume{
    139. 

  139. 					{
    140. 

  140. 						Name: "node-auth-secret",
    141. 

  141. 						VolumeSource: v1.VolumeSource{
    142. 

  142. 							Secret: &v1.SecretVolumeSource{
    143. 

  143. 								SecretName: secret.Name,
    144. 

  144. 							},
    145. 

  145. 						},
    146. 

  146. 					},
    147. 

  147. 				},
    148. 

  148. 			},
    149. 

  149. 		}
    150. 

  150. 

  151. 		_, err = f.ClientSet.CoreV1().Pods(ns).Create(pod)
    152. 

  152. 		framework.ExpectNoError(err, "failed to create pod (%s:%s)", ns, pod.Name)
    153. 

  153. 

  154. 		ginkgo.By("The node should able to access the secret")
    155. 

  155. 		itv := framework.Poll
    156. 

  156. 		dur := 1 * time.Minute
    157. 

  157. 		err = wait.Poll(itv, dur, func() (bool, error) {
    158. 

  158. 			_, err = c.CoreV1().Secrets(ns).Get(secret.Name, metav1.GetOptions{})
    159. 

  159. 			if err != nil {
    160. 

  160. 				e2elog.Logf("Failed to get secret %v, err: %v", secret.Name, err)
    161. 

  161. 				return false, nil
    162. 

  162. 			}
    163. 

  163. 			return true, nil
    164. 

  164. 		})
    165. 

  165. 		framework.ExpectNoError(err, "failed to get secret after trying every %v for %v (%s:%s)", itv, dur, ns, secret.Name)
    166. 

  166. 	})
    167. 

  167. 

  168. 	ginkgo.It("A node shouldn't be able to create another node", func() {
    169. 

  169. 		node := &v1.Node{
    170. 

  170. 			ObjectMeta: metav1.ObjectMeta{Name: "foo"},
    171. 

  171. 			TypeMeta: metav1.TypeMeta{
    172. 

  172. 				Kind:       "Node",
    173. 

  173. 				APIVersion: "v1",
    174. 

  174. 			},
    175. 

  175. 		}
    176. 

  176. 		ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
    177. 

  177. 		_, err := c.CoreV1().Nodes().Create(node)
    178. 

  178. 		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
    179. 

  179. 	})
    180. 

  180. 

  181. 	ginkgo.It("A node shouldn't be able to delete another node", func() {
    182. 

  182. 		ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
    183. 

  183. 		err := c.CoreV1().Nodes().Delete("foo", &metav1.DeleteOptions{})
    184. 

  184. 		gomega.Expect(apierrors.IsForbidden(err)).Should(gomega.Equal(true))
    185. 

  185. 	})
    186. 

  186. })
    187. 

  187.