Inicio Explorar Axuda
Iniciar sesión
tzeneto
/
custom-kube-scheduler
Seguir 1
Destacar 0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: cb14858ef6
Ramas Etiquetas
custom-kube-...
/
kubernetes
/
test
/
e2e
/
auth
/
node_authz.go

node_authz.go 6.3 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186 
  1. /*
    2. 

  2. Copyright 2017 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package auth
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"fmt"
    22. 

  22. 	"time"
    23. 

  23. 

  24. 	v1 "k8s.io/api/core/v1"
    25. 

  25. 	apierrors "k8s.io/apimachinery/pkg/api/errors"
    26. 

  26. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    27. 

  27. 	"k8s.io/apimachinery/pkg/util/wait"
    28. 

  28. 	clientset "k8s.io/client-go/kubernetes"
    29. 

  29. 	restclient "k8s.io/client-go/rest"
    30. 

  30. 	"k8s.io/kubernetes/test/e2e/framework"
    31. 

  31. 	imageutils "k8s.io/kubernetes/test/utils/image"
    32. 

  32. 

  33. 	"github.com/onsi/ginkgo"
    34. 

  34. )
    35. 

  35. 

  36. const (
    37. 

  37. 	nodesGroup     = "system:nodes"
    38. 

  38. 	nodeNamePrefix = "system:node:"
    39. 

  39. )
    40. 

  40. 

  41. var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() {
    42. 

  42. 

  43. 	f := framework.NewDefaultFramework("node-authz")
    44. 

  44. 	// client that will impersonate a node
    45. 

  45. 	var c clientset.Interface
    46. 

  46. 	var ns string
    47. 

  47. 	var asUser string
    48. 

  48. 	var defaultSaSecret string
    49. 

  49. 	var nodeName string
    50. 

  50. 	ginkgo.BeforeEach(func() {
    51. 

  51. 		ns = f.Namespace.Name
    52. 

  52. 

  53. 		nodeList, err := f.ClientSet.CoreV1().Nodes().List(context.TODO(), metav1.ListOptions{})
    54. 

  54. 		framework.ExpectNoError(err, "failed to list nodes in namespace: %s", ns)
    55. 

  55. 		framework.ExpectNotEqual(len(nodeList.Items), 0)
    56. 

  56. 		nodeName = nodeList.Items[0].Name
    57. 

  57. 		asUser = nodeNamePrefix + nodeName
    58. 

  58. 		saName := "default"
    59. 

  59. 		sa, err := f.ClientSet.CoreV1().ServiceAccounts(ns).Get(context.TODO(), saName, metav1.GetOptions{})
    60. 

  60. 		framework.ExpectNotEqual(len(sa.Secrets), 0)
    61. 

  61. 		framework.ExpectNoError(err, "failed to retrieve service account (%s:%s)", ns, saName)
    62. 

  62. 		defaultSaSecret = sa.Secrets[0].Name
    63. 

  63. 		ginkgo.By("Creating a kubernetes client that impersonates a node")
    64. 

  64. 		config, err := framework.LoadConfig()
    65. 

  65. 		framework.ExpectNoError(err, "failed to load kubernetes client config")
    66. 

  66. 		config.Impersonate = restclient.ImpersonationConfig{
    67. 

  67. 			UserName: asUser,
    68. 

  68. 			Groups:   []string{nodesGroup},
    69. 

  69. 		}
    70. 

  70. 		c, err = clientset.NewForConfig(config)
    71. 

  71. 		framework.ExpectNoError(err, "failed to create Clientset for the given config: %+v", *config)
    72. 

  72. 

  73. 	})
    74. 

  74. 	ginkgo.It("Getting a non-existent secret should exit with the Forbidden error, not a NotFound error", func() {
    75. 

  75. 		_, err := c.CoreV1().Secrets(ns).Get(context.TODO(), "foo", metav1.GetOptions{})
    76. 

  76. 		framework.ExpectEqual(apierrors.IsForbidden(err), true)
    77. 

  77. 	})
    78. 

  78. 

  79. 	ginkgo.It("Getting an existing secret should exit with the Forbidden error", func() {
    80. 

  80. 		_, err := c.CoreV1().Secrets(ns).Get(context.TODO(), defaultSaSecret, metav1.GetOptions{})
    81. 

  81. 		framework.ExpectEqual(apierrors.IsForbidden(err), true)
    82. 

  82. 	})
    83. 

  83. 

  84. 	ginkgo.It("Getting a non-existent configmap should exit with the Forbidden error, not a NotFound error", func() {
    85. 

  85. 		_, err := c.CoreV1().ConfigMaps(ns).Get(context.TODO(), "foo", metav1.GetOptions{})
    86. 

  86. 		framework.ExpectEqual(apierrors.IsForbidden(err), true)
    87. 

  87. 	})
    88. 

  88. 

  89. 	ginkgo.It("Getting an existing configmap should exit with the Forbidden error", func() {
    90. 

  90. 		ginkgo.By("Create a configmap for testing")
    91. 

  91. 		configmap := &v1.ConfigMap{
    92. 

  92. 			ObjectMeta: metav1.ObjectMeta{
    93. 

  93. 				Namespace: ns,
    94. 

  94. 				Name:      "node-auth-configmap",
    95. 

  95. 			},
    96. 

  96. 			Data: map[string]string{
    97. 

  97. 				"data": "content",
    98. 

  98. 			},
    99. 

  99. 		}
    100. 

  100. 		_, err := f.ClientSet.CoreV1().ConfigMaps(ns).Create(context.TODO(), configmap, metav1.CreateOptions{})
    101. 

  101. 		framework.ExpectNoError(err, "failed to create configmap (%s:%s) %+v", ns, configmap.Name, *configmap)
    102. 

  102. 		_, err = c.CoreV1().ConfigMaps(ns).Get(context.TODO(), configmap.Name, metav1.GetOptions{})
    103. 

  103. 		framework.ExpectEqual(apierrors.IsForbidden(err), true)
    104. 

  104. 	})
    105. 

  105. 

  106. 	ginkgo.It("Getting a secret for a workload the node has access to should succeed", func() {
    107. 

  107. 		ginkgo.By("Create a secret for testing")
    108. 

  108. 		secret := &v1.Secret{
    109. 

  109. 			ObjectMeta: metav1.ObjectMeta{
    110. 

  110. 				Namespace: ns,
    111. 

  111. 				Name:      "node-auth-secret",
    112. 

  112. 			},
    113. 

  113. 			Data: map[string][]byte{
    114. 

  114. 				"data": []byte("keep it secret"),
    115. 

  115. 			},
    116. 

  116. 		}
    117. 

  117. 		_, err := f.ClientSet.CoreV1().Secrets(ns).Create(context.TODO(), secret, metav1.CreateOptions{})
    118. 

  118. 		framework.ExpectNoError(err, "failed to create secret (%s:%s)", ns, secret.Name)
    119. 

  119. 

  120. 		ginkgo.By("Node should not get the secret")
    121. 

  121. 		_, err = c.CoreV1().Secrets(ns).Get(context.TODO(), secret.Name, metav1.GetOptions{})
    122. 

  122. 		framework.ExpectEqual(apierrors.IsForbidden(err), true)
    123. 

  123. 

  124. 		ginkgo.By("Create a pod that use the secret")
    125. 

  125. 		pod := &v1.Pod{
    126. 

  126. 			ObjectMeta: metav1.ObjectMeta{
    127. 

  127. 				Name: "pause",
    128. 

  128. 			},
    129. 

  129. 			Spec: v1.PodSpec{
    130. 

  130. 				Containers: []v1.Container{
    131. 

  131. 					{
    132. 

  132. 						Name:  "pause",
    133. 

  133. 						Image: imageutils.GetPauseImageName(),
    134. 

  134. 					},
    135. 

  135. 				},
    136. 

  136. 				NodeName: nodeName,
    137. 

  137. 				Volumes: []v1.Volume{
    138. 

  138. 					{
    139. 

  139. 						Name: "node-auth-secret",
    140. 

  140. 						VolumeSource: v1.VolumeSource{
    141. 

  141. 							Secret: &v1.SecretVolumeSource{
    142. 

  142. 								SecretName: secret.Name,
    143. 

  143. 							},
    144. 

  144. 						},
    145. 

  145. 					},
    146. 

  146. 				},
    147. 

  147. 			},
    148. 

  148. 		}
    149. 

  149. 

  150. 		_, err = f.ClientSet.CoreV1().Pods(ns).Create(context.TODO(), pod, metav1.CreateOptions{})
    151. 

  151. 		framework.ExpectNoError(err, "failed to create pod (%s:%s)", ns, pod.Name)
    152. 

  152. 

  153. 		ginkgo.By("The node should able to access the secret")
    154. 

  154. 		itv := framework.Poll
    155. 

  155. 		dur := 1 * time.Minute
    156. 

  156. 		err = wait.Poll(itv, dur, func() (bool, error) {
    157. 

  157. 			_, err = c.CoreV1().Secrets(ns).Get(context.TODO(), secret.Name, metav1.GetOptions{})
    158. 

  158. 			if err != nil {
    159. 

  159. 				framework.Logf("Failed to get secret %v, err: %v", secret.Name, err)
    160. 

  160. 				return false, nil
    161. 

  161. 			}
    162. 

  162. 			return true, nil
    163. 

  163. 		})
    164. 

  164. 		framework.ExpectNoError(err, "failed to get secret after trying every %v for %v (%s:%s)", itv, dur, ns, secret.Name)
    165. 

  165. 	})
    166. 

  166. 

  167. 	ginkgo.It("A node shouldn't be able to create another node", func() {
    168. 

  168. 		node := &v1.Node{
    169. 

  169. 			ObjectMeta: metav1.ObjectMeta{Name: "foo"},
    170. 

  170. 			TypeMeta: metav1.TypeMeta{
    171. 

  171. 				Kind:       "Node",
    172. 

  172. 				APIVersion: "v1",
    173. 

  173. 			},
    174. 

  174. 		}
    175. 

  175. 		ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
    176. 

  176. 		_, err := c.CoreV1().Nodes().Create(context.TODO(), node, metav1.CreateOptions{})
    177. 

  177. 		framework.ExpectEqual(apierrors.IsForbidden(err), true)
    178. 

  178. 	})
    179. 

  179. 

  180. 	ginkgo.It("A node shouldn't be able to delete another node", func() {
    181. 

  181. 		ginkgo.By(fmt.Sprintf("Create node foo by user: %v", asUser))
    182. 

  182. 		err := c.CoreV1().Nodes().Delete(context.TODO(), "foo", &metav1.DeleteOptions{})
    183. 

  183. 		framework.ExpectEqual(apierrors.IsForbidden(err), true)
    184. 

  184. 	})
    185. 

  185. })
    186. 

  186.