1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147 |
- /*
- Copyright 2016 The Kubernetes Authors.
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
- package controlplane
- import (
- "fmt"
- "io/ioutil"
- "os"
- "path/filepath"
- "reflect"
- "sort"
- "strings"
- "testing"
- "github.com/lithammer/dedent"
- "k8s.io/apimachinery/pkg/util/sets"
- kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
- kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
- "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
- staticpodutil "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod"
- testutil "k8s.io/kubernetes/cmd/kubeadm/test"
- "k8s.io/kubernetes/pkg/features"
- )
- const (
- testCertsDir = "/var/lib/certs"
- )
- var cpVersion = kubeadmconstants.MinimumControlPlaneVersion.WithPreRelease("beta.2").String()
- func TestGetStaticPodSpecs(t *testing.T) {
- // Creates a Cluster Configuration
- cfg := &kubeadmapi.ClusterConfiguration{
- KubernetesVersion: "v1.9.0",
- }
- // Executes GetStaticPodSpecs
- specs := GetStaticPodSpecs(cfg, &kubeadmapi.APIEndpoint{})
- var tests = []struct {
- name string
- staticPodName string
- }{
- {
- name: "KubeAPIServer",
- staticPodName: kubeadmconstants.KubeAPIServer,
- },
- {
- name: "KubeControllerManager",
- staticPodName: kubeadmconstants.KubeControllerManager,
- },
- {
- name: "KubeScheduler",
- staticPodName: kubeadmconstants.KubeScheduler,
- },
- }
- for _, tc := range tests {
- t.Run(tc.name, func(t *testing.T) {
- // assert the spec for the staticPodName exists
- if spec, ok := specs[tc.staticPodName]; ok {
- // Assert each specs refers to the right pod
- if spec.Spec.Containers[0].Name != tc.staticPodName {
- t.Errorf("getKubeConfigSpecs spec for %s contains pod %s, expects %s", tc.staticPodName, spec.Spec.Containers[0].Name, tc.staticPodName)
- }
- } else {
- t.Errorf("getStaticPodSpecs didn't create spec for %s ", tc.staticPodName)
- }
- })
- }
- }
- func TestCreateStaticPodFilesAndWrappers(t *testing.T) {
- var tests = []struct {
- name string
- components []string
- }{
- {
- name: "KubeAPIServer KubeAPIServer KubeScheduler",
- components: []string{kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeControllerManager, kubeadmconstants.KubeScheduler},
- },
- {
- name: "KubeAPIServer",
- components: []string{kubeadmconstants.KubeAPIServer},
- },
- {
- name: "KubeControllerManager",
- components: []string{kubeadmconstants.KubeControllerManager},
- },
- {
- name: "KubeScheduler",
- components: []string{kubeadmconstants.KubeScheduler},
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- // Create temp folder for the test case
- tmpdir := testutil.SetupTempDir(t)
- defer os.RemoveAll(tmpdir)
- // Creates a Cluster Configuration
- cfg := &kubeadmapi.ClusterConfiguration{
- KubernetesVersion: "v1.9.0",
- }
- // Execute createStaticPodFunction
- manifestPath := filepath.Join(tmpdir, kubeadmconstants.ManifestsSubDirName)
- err := CreateStaticPodFiles(manifestPath, "", cfg, &kubeadmapi.APIEndpoint{}, test.components...)
- if err != nil {
- t.Errorf("Error executing createStaticPodFunction: %v", err)
- return
- }
- // Assert expected files are there
- testutil.AssertFilesCount(t, manifestPath, len(test.components))
- for _, fileName := range test.components {
- testutil.AssertFileExists(t, manifestPath, fileName+".yaml")
- }
- })
- }
- }
- func TestCreateStaticPodFilesKustomize(t *testing.T) {
- // Create temp folder for the test case
- tmpdir := testutil.SetupTempDir(t)
- defer os.RemoveAll(tmpdir)
- // Creates a Cluster Configuration
- cfg := &kubeadmapi.ClusterConfiguration{
- KubernetesVersion: "v1.9.0",
- }
- kustomizePath := filepath.Join(tmpdir, "kustomize")
- err := os.MkdirAll(kustomizePath, 0777)
- if err != nil {
- t.Fatalf("Couldn't create %s", kustomizePath)
- }
- patchString := dedent.Dedent(`
- apiVersion: v1
- kind: Pod
- metadata:
- name: kube-apiserver
- namespace: kube-system
- annotations:
- kustomize: patch for kube-apiserver
- `)
- err = ioutil.WriteFile(filepath.Join(kustomizePath, "patch.yaml"), []byte(patchString), 0644)
- if err != nil {
- t.Fatalf("WriteFile returned unexpected error: %v", err)
- }
- // Execute createStaticPodFunction with kustomizations
- manifestPath := filepath.Join(tmpdir, kubeadmconstants.ManifestsSubDirName)
- err = CreateStaticPodFiles(manifestPath, kustomizePath, cfg, &kubeadmapi.APIEndpoint{}, kubeadmconstants.KubeAPIServer)
- if err != nil {
- t.Errorf("Error executing createStaticPodFunction: %v", err)
- return
- }
- pod, err := staticpodutil.ReadStaticPodFromDisk(filepath.Join(manifestPath, fmt.Sprintf("%s.yaml", kubeadmconstants.KubeAPIServer)))
- if err != nil {
- t.Errorf("Error executing ReadStaticPodFromDisk: %v", err)
- return
- }
- if _, ok := pod.ObjectMeta.Annotations["kustomize"]; !ok {
- t.Error("Kustomize did not apply patches corresponding to the resource")
- }
- }
- func TestGetAPIServerCommand(t *testing.T) {
- var tests = []struct {
- name string
- cfg *kubeadmapi.ClusterConfiguration
- endpoint *kubeadmapi.APIEndpoint
- expected []string
- }{
- {
- name: "testing defaults",
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
- CertificatesDir: testCertsDir,
- },
- endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
- expected: []string{
- "kube-apiserver",
- "--insecure-port=0",
- "--enable-admission-plugins=NodeRestriction",
- "--service-cluster-ip-range=bar",
- "--service-account-key-file=" + testCertsDir + "/sa.pub",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--tls-cert-file=" + testCertsDir + "/apiserver.crt",
- "--tls-private-key-file=" + testCertsDir + "/apiserver.key",
- "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
- "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
- "--enable-bootstrap-token-auth=true",
- "--secure-port=123",
- "--allow-privileged=true",
- "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
- "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
- "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--requestheader-allowed-names=front-proxy-client",
- "--authorization-mode=Node,RBAC",
- "--advertise-address=1.2.3.4",
- fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
- "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
- "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
- "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
- },
- },
- {
- name: "ipv6 advertise address",
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
- CertificatesDir: testCertsDir,
- },
- endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
- expected: []string{
- "kube-apiserver",
- "--insecure-port=0",
- "--enable-admission-plugins=NodeRestriction",
- "--service-cluster-ip-range=bar",
- "--service-account-key-file=" + testCertsDir + "/sa.pub",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--tls-cert-file=" + testCertsDir + "/apiserver.crt",
- "--tls-private-key-file=" + testCertsDir + "/apiserver.key",
- "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
- "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
- "--enable-bootstrap-token-auth=true",
- fmt.Sprintf("--secure-port=%d", 123),
- "--allow-privileged=true",
- "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
- "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
- "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--requestheader-allowed-names=front-proxy-client",
- "--authorization-mode=Node,RBAC",
- "--advertise-address=2001:db8::1",
- fmt.Sprintf("--etcd-servers=https://[::1]:%d", kubeadmconstants.EtcdListenClientPort),
- "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
- "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
- "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
- },
- },
- {
- name: "an external etcd with custom ca, certs and keys",
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
- Etcd: kubeadmapi.Etcd{
- External: &kubeadmapi.ExternalEtcd{
- Endpoints: []string{"https://[2001:abcd:bcda::1]:2379", "https://[2001:abcd:bcda::2]:2379"},
- CAFile: "fuz",
- CertFile: "fiz",
- KeyFile: "faz",
- },
- },
- CertificatesDir: testCertsDir,
- },
- endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
- expected: []string{
- "kube-apiserver",
- "--insecure-port=0",
- "--enable-admission-plugins=NodeRestriction",
- "--service-cluster-ip-range=bar",
- "--service-account-key-file=" + testCertsDir + "/sa.pub",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--tls-cert-file=" + testCertsDir + "/apiserver.crt",
- "--tls-private-key-file=" + testCertsDir + "/apiserver.key",
- "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
- "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
- fmt.Sprintf("--secure-port=%d", 123),
- "--allow-privileged=true",
- "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
- "--enable-bootstrap-token-auth=true",
- "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
- "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--requestheader-allowed-names=front-proxy-client",
- "--authorization-mode=Node,RBAC",
- "--advertise-address=2001:db8::1",
- "--etcd-servers=https://[2001:abcd:bcda::1]:2379,https://[2001:abcd:bcda::2]:2379",
- "--etcd-cafile=fuz",
- "--etcd-certfile=fiz",
- "--etcd-keyfile=faz",
- },
- },
- {
- name: "an insecure etcd",
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
- Etcd: kubeadmapi.Etcd{
- External: &kubeadmapi.ExternalEtcd{
- Endpoints: []string{"http://[::1]:2379", "http://[::1]:2380"},
- },
- },
- CertificatesDir: testCertsDir,
- },
- endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
- expected: []string{
- "kube-apiserver",
- "--insecure-port=0",
- "--enable-admission-plugins=NodeRestriction",
- "--service-cluster-ip-range=bar",
- "--service-account-key-file=" + testCertsDir + "/sa.pub",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--tls-cert-file=" + testCertsDir + "/apiserver.crt",
- "--tls-private-key-file=" + testCertsDir + "/apiserver.key",
- "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
- "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
- fmt.Sprintf("--secure-port=%d", 123),
- "--allow-privileged=true",
- "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
- "--enable-bootstrap-token-auth=true",
- "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
- "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--requestheader-allowed-names=front-proxy-client",
- "--authorization-mode=Node,RBAC",
- "--advertise-address=2001:db8::1",
- "--etcd-servers=http://[::1]:2379,http://[::1]:2380",
- },
- },
- {
- name: "test APIServer.ExtraArgs works as expected",
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
- CertificatesDir: testCertsDir,
- APIServer: kubeadmapi.APIServer{
- ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
- ExtraArgs: map[string]string{
- "service-cluster-ip-range": "baz",
- "advertise-address": "9.9.9.9",
- "audit-policy-file": "/etc/config/audit.yaml",
- "audit-log-path": "/var/log/kubernetes",
- },
- },
- },
- },
- endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
- expected: []string{
- "kube-apiserver",
- "--insecure-port=0",
- "--enable-admission-plugins=NodeRestriction",
- "--service-cluster-ip-range=baz",
- "--service-account-key-file=" + testCertsDir + "/sa.pub",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--tls-cert-file=" + testCertsDir + "/apiserver.crt",
- "--tls-private-key-file=" + testCertsDir + "/apiserver.key",
- "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
- "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
- "--enable-bootstrap-token-auth=true",
- "--secure-port=123",
- "--allow-privileged=true",
- "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
- "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
- "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--requestheader-allowed-names=front-proxy-client",
- "--authorization-mode=Node,RBAC",
- "--advertise-address=9.9.9.9",
- fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
- "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
- "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
- "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
- "--audit-policy-file=/etc/config/audit.yaml",
- "--audit-log-path=/var/log/kubernetes",
- },
- },
- {
- name: "authorization-mode extra-args ABAC",
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
- CertificatesDir: testCertsDir,
- APIServer: kubeadmapi.APIServer{
- ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
- ExtraArgs: map[string]string{
- "authorization-mode": kubeadmconstants.ModeABAC,
- },
- },
- },
- },
- endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
- expected: []string{
- "kube-apiserver",
- "--insecure-port=0",
- "--enable-admission-plugins=NodeRestriction",
- "--service-cluster-ip-range=bar",
- "--service-account-key-file=" + testCertsDir + "/sa.pub",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--tls-cert-file=" + testCertsDir + "/apiserver.crt",
- "--tls-private-key-file=" + testCertsDir + "/apiserver.key",
- "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
- "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
- "--enable-bootstrap-token-auth=true",
- "--secure-port=123",
- "--allow-privileged=true",
- "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
- "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
- "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--requestheader-allowed-names=front-proxy-client",
- "--authorization-mode=ABAC",
- "--advertise-address=1.2.3.4",
- fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
- "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
- "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
- "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
- },
- },
- {
- name: "insecure-port extra-args",
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
- CertificatesDir: testCertsDir,
- APIServer: kubeadmapi.APIServer{
- ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
- ExtraArgs: map[string]string{
- "insecure-port": "1234",
- },
- },
- },
- },
- endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
- expected: []string{
- "kube-apiserver",
- "--insecure-port=1234",
- "--enable-admission-plugins=NodeRestriction",
- "--service-cluster-ip-range=bar",
- "--service-account-key-file=" + testCertsDir + "/sa.pub",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--tls-cert-file=" + testCertsDir + "/apiserver.crt",
- "--tls-private-key-file=" + testCertsDir + "/apiserver.key",
- "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
- "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
- "--enable-bootstrap-token-auth=true",
- "--secure-port=123",
- "--allow-privileged=true",
- "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
- "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
- "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--requestheader-allowed-names=front-proxy-client",
- "--authorization-mode=Node,RBAC",
- "--advertise-address=1.2.3.4",
- fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
- "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
- "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
- "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
- },
- },
- {
- name: "authorization-mode extra-args Webhook",
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
- CertificatesDir: testCertsDir,
- APIServer: kubeadmapi.APIServer{
- ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
- ExtraArgs: map[string]string{
- "authorization-mode": strings.Join([]string{
- kubeadmconstants.ModeNode,
- kubeadmconstants.ModeRBAC,
- kubeadmconstants.ModeWebhook,
- }, ","),
- },
- },
- },
- },
- endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
- expected: []string{
- "kube-apiserver",
- "--insecure-port=0",
- "--enable-admission-plugins=NodeRestriction",
- "--service-cluster-ip-range=bar",
- "--service-account-key-file=" + testCertsDir + "/sa.pub",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--tls-cert-file=" + testCertsDir + "/apiserver.crt",
- "--tls-private-key-file=" + testCertsDir + "/apiserver.key",
- "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
- "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
- "--enable-bootstrap-token-auth=true",
- "--secure-port=123",
- "--allow-privileged=true",
- "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
- "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
- "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--requestheader-allowed-names=front-proxy-client",
- "--authorization-mode=Node,RBAC,Webhook",
- "--advertise-address=1.2.3.4",
- fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
- "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
- "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
- "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
- },
- },
- }
- for _, rt := range tests {
- t.Run(rt.name, func(t *testing.T) {
- actual := getAPIServerCommand(rt.cfg, rt.endpoint)
- sort.Strings(actual)
- sort.Strings(rt.expected)
- if !reflect.DeepEqual(actual, rt.expected) {
- errorDiffArguments(t, rt.name, actual, rt.expected)
- }
- })
- }
- }
- func errorDiffArguments(t *testing.T, name string, actual, expected []string) {
- expectedShort := removeCommon(expected, actual)
- actualShort := removeCommon(actual, expected)
- t.Errorf(
- "[%s] failed getAPIServerCommand:\nexpected:\n%v\nsaw:\n%v"+
- "\nexpectedShort:\n%v\nsawShort:\n%v\n",
- name, expected, actual,
- expectedShort, actualShort)
- }
- // removeCommon removes common items from left list
- // makes compairing two cmdline (with lots of arguments) easier
- func removeCommon(left, right []string) []string {
- origSet := sets.NewString(left...)
- origSet.Delete(right...)
- return origSet.List()
- }
- func TestGetControllerManagerCommand(t *testing.T) {
- var tests = []struct {
- name string
- cfg *kubeadmapi.ClusterConfiguration
- expected []string
- }{
- {
- name: "custom cluster name for " + cpVersion,
- cfg: &kubeadmapi.ClusterConfiguration{
- KubernetesVersion: cpVersion,
- CertificatesDir: testCertsDir,
- ClusterName: "some-other-cluster-name",
- },
- expected: []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + testCertsDir + "/ca.crt",
- "--service-account-private-key-file=" + testCertsDir + "/sa.key",
- "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
- "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--cluster-name=some-other-cluster-name",
- },
- },
- {
- name: "custom certs dir for " + cpVersion,
- cfg: &kubeadmapi.ClusterConfiguration{
- CertificatesDir: testCertsDir,
- KubernetesVersion: cpVersion,
- },
- expected: []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + testCertsDir + "/ca.crt",
- "--service-account-private-key-file=" + testCertsDir + "/sa.key",
- "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
- "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- },
- },
- {
- name: "custom cluster-cidr for " + cpVersion,
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{PodSubnet: "10.0.1.15/16"},
- CertificatesDir: testCertsDir,
- KubernetesVersion: cpVersion,
- },
- expected: []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + testCertsDir + "/ca.crt",
- "--service-account-private-key-file=" + testCertsDir + "/sa.key",
- "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
- "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--allocate-node-cidrs=true",
- "--cluster-cidr=10.0.1.15/16",
- "--node-cidr-mask-size=24",
- },
- },
- {
- name: "custom service-cluster-ip-range for " + cpVersion,
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{
- PodSubnet: "10.0.1.15/16",
- ServiceSubnet: "172.20.0.0/24"},
- CertificatesDir: testCertsDir,
- KubernetesVersion: cpVersion,
- },
- expected: []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + testCertsDir + "/ca.crt",
- "--service-account-private-key-file=" + testCertsDir + "/sa.key",
- "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
- "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--allocate-node-cidrs=true",
- "--cluster-cidr=10.0.1.15/16",
- "--node-cidr-mask-size=24",
- "--service-cluster-ip-range=172.20.0.0/24",
- },
- },
- {
- name: "custom extra-args for " + cpVersion,
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{PodSubnet: "10.0.1.15/16"},
- ControllerManager: kubeadmapi.ControlPlaneComponent{
- ExtraArgs: map[string]string{"node-cidr-mask-size": "20"},
- },
- CertificatesDir: testCertsDir,
- KubernetesVersion: cpVersion,
- },
- expected: []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + testCertsDir + "/ca.crt",
- "--service-account-private-key-file=" + testCertsDir + "/sa.key",
- "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
- "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--allocate-node-cidrs=true",
- "--cluster-cidr=10.0.1.15/16",
- "--node-cidr-mask-size=20",
- },
- },
- {
- name: "custom IPv6 networking for " + cpVersion,
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{
- PodSubnet: "2001:db8::/64",
- ServiceSubnet: "fd03::/112",
- },
- CertificatesDir: testCertsDir,
- KubernetesVersion: cpVersion,
- },
- expected: []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + testCertsDir + "/ca.crt",
- "--service-account-private-key-file=" + testCertsDir + "/sa.key",
- "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
- "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--allocate-node-cidrs=true",
- "--cluster-cidr=2001:db8::/64",
- "--node-cidr-mask-size=80",
- "--service-cluster-ip-range=fd03::/112",
- },
- },
- {
- name: "dual-stack networking for " + cpVersion,
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{
- PodSubnet: "2001:db8::/64,10.1.0.0/16",
- ServiceSubnet: "fd03::/112,192.168.0.0/16",
- },
- CertificatesDir: testCertsDir,
- KubernetesVersion: cpVersion,
- FeatureGates: map[string]bool{string(features.IPv6DualStack): true},
- },
- expected: []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + testCertsDir + "/ca.crt",
- "--service-account-private-key-file=" + testCertsDir + "/sa.key",
- "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
- "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--feature-gates=IPv6DualStack=true",
- "--allocate-node-cidrs=true",
- "--cluster-cidr=2001:db8::/64,10.1.0.0/16",
- "--node-cidr-mask-size-ipv4=24",
- "--node-cidr-mask-size-ipv6=80",
- "--service-cluster-ip-range=fd03::/112,192.168.0.0/16",
- },
- },
- {
- name: "dual-stack networking custom extra-args for " + cpVersion,
- cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{PodSubnet: "10.0.1.15/16,2001:db8::/64"},
- ControllerManager: kubeadmapi.ControlPlaneComponent{
- ExtraArgs: map[string]string{"node-cidr-mask-size-ipv4": "20", "node-cidr-mask-size-ipv6": "96"},
- },
- CertificatesDir: testCertsDir,
- KubernetesVersion: cpVersion,
- FeatureGates: map[string]bool{string(features.IPv6DualStack): true},
- },
- expected: []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + testCertsDir + "/ca.crt",
- "--service-account-private-key-file=" + testCertsDir + "/sa.key",
- "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
- "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + testCertsDir + "/ca.crt",
- "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
- "--feature-gates=IPv6DualStack=true",
- "--allocate-node-cidrs=true",
- "--cluster-cidr=10.0.1.15/16,2001:db8::/64",
- "--node-cidr-mask-size-ipv4=20",
- "--node-cidr-mask-size-ipv6=96",
- },
- },
- }
- for _, rt := range tests {
- t.Run(rt.name, func(t *testing.T) {
- actual := getControllerManagerCommand(rt.cfg)
- sort.Strings(actual)
- sort.Strings(rt.expected)
- if !reflect.DeepEqual(actual, rt.expected) {
- errorDiffArguments(t, rt.name, actual, rt.expected)
- }
- })
- }
- }
- func TestCalcNodeCidrSize(t *testing.T) {
- tests := []struct {
- name string
- podSubnet string
- expectedPrefix string
- expectedIPv6 bool
- }{
- {
- name: "Malformed pod subnet",
- podSubnet: "10.10.10/160",
- expectedPrefix: "24",
- expectedIPv6: false,
- },
- {
- name: "V4: Always uses 24",
- podSubnet: "10.10.10.10/16",
- expectedPrefix: "24",
- expectedIPv6: false,
- },
- {
- name: "V6: Use pod subnet size, when not enough space",
- podSubnet: "2001:db8::/128",
- expectedPrefix: "128",
- expectedIPv6: true,
- },
- {
- name: "V6: Use pod subnet size, when not enough space",
- podSubnet: "2001:db8::/113",
- expectedPrefix: "113",
- expectedIPv6: true,
- },
- {
- name: "V6: Special case with 256 nodes",
- podSubnet: "2001:db8::/112",
- expectedPrefix: "120",
- expectedIPv6: true,
- },
- {
- name: "V6: Using /120 for node CIDR",
- podSubnet: "2001:db8::/104",
- expectedPrefix: "120",
- expectedIPv6: true,
- },
- {
- name: "V6: Using /112 for node CIDR",
- podSubnet: "2001:db8::/103",
- expectedPrefix: "112",
- expectedIPv6: true,
- },
- {
- name: "V6: Using /112 for node CIDR",
- podSubnet: "2001:db8::/96",
- expectedPrefix: "112",
- expectedIPv6: true,
- },
- {
- name: "V6: Using /104 for node CIDR",
- podSubnet: "2001:db8::/95",
- expectedPrefix: "104",
- expectedIPv6: true,
- },
- {
- name: "V6: For /64 pod net, use /80",
- podSubnet: "2001:db8::/64",
- expectedPrefix: "80",
- expectedIPv6: true,
- },
- {
- name: "V6: For /48 pod net, use /64",
- podSubnet: "2001:db8::/48",
- expectedPrefix: "64",
- expectedIPv6: true,
- },
- {
- name: "V6: For /32 pod net, use /48",
- podSubnet: "2001:db8::/32",
- expectedPrefix: "48",
- expectedIPv6: true,
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- actualPrefix, actualIPv6 := calcNodeCidrSize(test.podSubnet)
- if actualPrefix != test.expectedPrefix {
- t.Errorf("Case [%s]\nCalc of node CIDR size for pod subnet %q failed: Expected %q, saw %q",
- test.name, test.podSubnet, test.expectedPrefix, actualPrefix)
- }
- if actualIPv6 != test.expectedIPv6 {
- t.Errorf("Case [%s]\nCalc of node CIDR size for pod subnet %q failed: Expected isIPv6=%v, saw isIPv6=%v",
- test.name, test.podSubnet, test.expectedIPv6, actualIPv6)
- }
- })
- }
- }
- func TestGetControllerManagerCommandExternalCA(t *testing.T) {
- tests := []struct {
- name string
- cfg *kubeadmapi.InitConfiguration
- caKeyPresent bool
- expectedArgFunc func(dir string) []string
- }{
- {
- name: "caKeyPresent-false for " + cpVersion,
- cfg: &kubeadmapi.InitConfiguration{
- LocalAPIEndpoint: kubeadmapi.APIEndpoint{AdvertiseAddress: "1.2.3.4"},
- ClusterConfiguration: kubeadmapi.ClusterConfiguration{
- KubernetesVersion: cpVersion,
- Networking: kubeadmapi.Networking{ServiceSubnet: "10.96.0.0/12", DNSDomain: "cluster.local"},
- },
- },
- caKeyPresent: false,
- expectedArgFunc: func(tmpdir string) []string {
- return []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + tmpdir + "/ca.crt",
- "--service-account-private-key-file=" + tmpdir + "/sa.key",
- "--cluster-signing-cert-file=",
- "--cluster-signing-key-file=",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + tmpdir + "/ca.crt",
- "--requestheader-client-ca-file=" + tmpdir + "/front-proxy-ca.crt",
- }
- },
- },
- {
- name: "caKeyPresent true for " + cpVersion,
- cfg: &kubeadmapi.InitConfiguration{
- LocalAPIEndpoint: kubeadmapi.APIEndpoint{AdvertiseAddress: "1.2.3.4"},
- ClusterConfiguration: kubeadmapi.ClusterConfiguration{
- KubernetesVersion: cpVersion,
- Networking: kubeadmapi.Networking{ServiceSubnet: "10.96.0.0/12", DNSDomain: "cluster.local"},
- },
- },
- caKeyPresent: true,
- expectedArgFunc: func(tmpdir string) []string {
- return []string{
- "kube-controller-manager",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--root-ca-file=" + tmpdir + "/ca.crt",
- "--service-account-private-key-file=" + tmpdir + "/sa.key",
- "--cluster-signing-cert-file=" + tmpdir + "/ca.crt",
- "--cluster-signing-key-file=" + tmpdir + "/ca.key",
- "--use-service-account-credentials=true",
- "--controllers=*,bootstrapsigner,tokencleaner",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
- "--client-ca-file=" + tmpdir + "/ca.crt",
- "--requestheader-client-ca-file=" + tmpdir + "/front-proxy-ca.crt",
- }
- },
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- // Create temp folder for the test case
- tmpdir := testutil.SetupTempDir(t)
- defer os.RemoveAll(tmpdir)
- test.cfg.CertificatesDir = tmpdir
- if err := certs.CreatePKIAssets(test.cfg); err != nil {
- t.Errorf("failed creating pki assets: %v", err)
- }
- // delete ca.key and front-proxy-ca.key if test.caKeyPresent is false
- if !test.caKeyPresent {
- if err := os.Remove(filepath.Join(test.cfg.CertificatesDir, kubeadmconstants.CAKeyName)); err != nil {
- t.Errorf("failed removing %s: %v", kubeadmconstants.CAKeyName, err)
- }
- if err := os.Remove(filepath.Join(test.cfg.CertificatesDir, kubeadmconstants.FrontProxyCAKeyName)); err != nil {
- t.Errorf("failed removing %s: %v", kubeadmconstants.FrontProxyCAKeyName, err)
- }
- }
- actual := getControllerManagerCommand(&test.cfg.ClusterConfiguration)
- expected := test.expectedArgFunc(tmpdir)
- sort.Strings(actual)
- sort.Strings(expected)
- if !reflect.DeepEqual(actual, expected) {
- errorDiffArguments(t, test.name, actual, expected)
- }
- })
- }
- }
- func TestGetSchedulerCommand(t *testing.T) {
- var tests = []struct {
- name string
- cfg *kubeadmapi.ClusterConfiguration
- expected []string
- }{
- {
- name: "scheduler defaults",
- cfg: &kubeadmapi.ClusterConfiguration{},
- expected: []string{
- "kube-scheduler",
- "--bind-address=127.0.0.1",
- "--leader-elect=true",
- "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
- "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
- "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
- },
- },
- }
- for _, rt := range tests {
- t.Run(rt.name, func(t *testing.T) {
- actual := getSchedulerCommand(rt.cfg)
- sort.Strings(actual)
- sort.Strings(rt.expected)
- if !reflect.DeepEqual(actual, rt.expected) {
- errorDiffArguments(t, rt.name, actual, rt.expected)
- }
- })
- }
- }
- func TestGetAuthzModes(t *testing.T) {
- var tests = []struct {
- name string
- authMode []string
- expected string
- }{
- {
- name: "default if empty",
- authMode: []string{},
- expected: "Node,RBAC",
- },
- {
- name: "default non empty",
- authMode: []string{kubeadmconstants.ModeNode, kubeadmconstants.ModeRBAC},
- expected: "Node,RBAC",
- },
- {
- name: "single unspecified returning default",
- authMode: []string{"FooAuthzMode"},
- expected: "Node,RBAC",
- },
- {
- name: "multiple ignored",
- authMode: []string{kubeadmconstants.ModeNode, "foo", kubeadmconstants.ModeRBAC, "bar"},
- expected: "Node,RBAC",
- },
- {
- name: "single mode",
- authMode: []string{kubeadmconstants.ModeAlwaysDeny},
- expected: "AlwaysDeny",
- },
- {
- name: "multiple special order",
- authMode: []string{kubeadmconstants.ModeNode, kubeadmconstants.ModeWebhook, kubeadmconstants.ModeRBAC, kubeadmconstants.ModeABAC},
- expected: "Node,Webhook,RBAC,ABAC",
- },
- }
- for _, rt := range tests {
- t.Run(rt.name, func(t *testing.T) {
- actual := getAuthzModes(strings.Join(rt.authMode, ","))
- if actual != rt.expected {
- t.Errorf("failed getAuthzModes:\nexpected:\n%v\nsaw:\n%v", rt.expected, actual)
- }
- })
- }
- }
- func TestIsValidAuthzMode(t *testing.T) {
- var tests = []struct {
- mode string
- valid bool
- }{
- {
- mode: "Node",
- valid: true,
- },
- {
- mode: "RBAC",
- valid: true,
- },
- {
- mode: "ABAC",
- valid: true,
- },
- {
- mode: "AlwaysAllow",
- valid: true,
- },
- {
- mode: "Webhook",
- valid: true,
- },
- {
- mode: "AlwaysDeny",
- valid: true,
- },
- {
- mode: "Foo",
- valid: false,
- },
- }
- for _, rt := range tests {
- t.Run(rt.mode, func(t *testing.T) {
- isValid := isValidAuthzMode(rt.mode)
- if isValid != rt.valid {
- t.Errorf("failed isValidAuthzMode:\nexpected:\n%v\nsaw:\n%v", rt.valid, isValid)
- }
- })
- }
- }
|