func TestUnprivilegedNewProjectDenied(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI() if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } role, err := clusterAdminClient.ClusterRoles().Get(bootstrappolicy.SelfProvisionerRoleName) if err != nil { t.Fatalf("unexpected error: %v", err) } role.Rules = []authorizationapi.PolicyRule{} if _, err := clusterAdminClient.ClusterRoles().Update(role); err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } valerieClientConfig := *clusterAdminClientConfig valerieClientConfig.Username = "" valerieClientConfig.Password = "" valerieClientConfig.BearerToken = "" valerieClientConfig.CertFile = "" valerieClientConfig.KeyFile = "" valerieClientConfig.CertData = nil valerieClientConfig.KeyData = nil accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!") if err != nil { t.Fatalf("unexpected error: %v", err) } valerieClientConfig.BearerToken = accessToken valerieOpenshiftClient, err := client.New(&valerieClientConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } if err := testutil.WaitForClusterPolicyUpdate(valerieOpenshiftClient, "create", projectapi.Resource("projectrequests"), false); err != nil { t.Fatalf("unexpected error: %v", err) } // confirm that we have access to request the project _, err = valerieOpenshiftClient.ProjectRequests().List(kapi.ListOptions{}) if err == nil { t.Fatalf("expected error: %v", err) } expectedError := `You may not request a new project via this API.` if (err != nil) && (err.Error() != expectedError) { t.Fatalf("expected\n\t%v\ngot\n\t%v", expectedError, err.Error()) } }
func TestTemplateTransformationFromConfig(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminKubeConfig, err := testserver.StartTestMaster() if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } walkJSONFiles("../templates/fixtures", func(name, path string, data []byte) { template, err := runtime.Decode(kapi.Codecs.UniversalDecoder(), data) if err != nil { t.Errorf("%q: unexpected error: %v", path, err) return } config, err := clusterAdminClient.TemplateConfigs("default").Create(template.(*templateapi.Template)) if err != nil { t.Errorf("%q: unexpected error: %v", path, err) return } if len(config.Objects) == 0 { t.Errorf("%q: no items in config object", path) return } t.Logf("tested %q", path) }) }
func TestSimpleImageChangeBuildTriggerFromImageStreamTagCustomWithConfigChange(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) projectAdminClient, _ := setup(t) clusterAdminClient, err := testutil.GetClusterAdminClient(testutil.GetBaseDir() + "/openshift.local.config/master/admin.kubeconfig") if err != nil { t.Fatalf("unexpected error: %v", err) } clusterRoleBindingAccessor := policy.NewClusterRoleBindingAccessor(clusterAdminClient) subjects := []kapi.ObjectReference{ { Kind: authorizationapi.SystemGroupKind, Name: bootstrappolicy.AuthenticatedGroup, }, } options := policy.RoleModificationOptions{ RoleNamespace: testutil.Namespace(), RoleName: bootstrappolicy.BuildStrategyCustomRoleName, RoleBindingAccessor: clusterRoleBindingAccessor, Subjects: subjects, } options.AddRole() if err := testutil.WaitForPolicyUpdate(projectAdminClient, testutil.Namespace(), "create", buildapi.Resource(authorizationapi.CustomBuildResource), true); err != nil { t.Fatal(err) } imageStream := mockImageStream2(tag) imageStreamMapping := mockImageStreamMapping(imageStream.Name, "someimage", tag, "registry:8080/openshift/test-image-trigger:"+tag) strategy := customStrategy("ImageStreamTag", streamName+":"+tag) config := imageChangeBuildConfigWithConfigChange("custom-imagestreamtag", strategy) runTest(t, "SimpleImageChangeBuildTriggerFromImageStreamTagCustom", projectAdminClient, imageStream, imageStreamMapping, config, tag) }
func TestGroupCommands(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI() if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } newGroup := &groupscmd.NewGroupOptions{ GroupClient: clusterAdminClient.Groups(), Group: "group1", Users: []string{"first", "second", "third", "first"}, Printer: func(runtime.Object, io.Writer) error { return nil }, } if err := newGroup.AddGroup(); err != nil { t.Fatalf("unexpected error: %v", err) } group1, err := clusterAdminClient.Groups().Get("group1") if err != nil { t.Fatalf("unexpected error: %v", err) } if e, a := []string{"first", "second", "third"}, group1.Users; !reflect.DeepEqual(e, a) { t.Errorf("expected %v, actual %v", e, a) } modifyUsers := &groupscmd.GroupModificationOptions{ GroupClient: clusterAdminClient.Groups(), Group: "group1", Users: []string{"second", "fourth", "fifth"}, } if err := modifyUsers.AddUsers(); err != nil { t.Fatalf("unexpected error: %v", err) } group1, err = clusterAdminClient.Groups().Get("group1") if err != nil { t.Fatalf("unexpected error: %v", err) } if e, a := []string{"first", "second", "third", "fourth", "fifth"}, group1.Users; !reflect.DeepEqual(e, a) { t.Errorf("expected %v, actual %v", e, a) } if err := modifyUsers.RemoveUsers(); err != nil { t.Fatalf("unexpected error: %v", err) } group1, err = clusterAdminClient.Groups().Get("group1") if err != nil { t.Fatalf("unexpected error: %v", err) } if e, a := []string{"first", "third"}, group1.Users; !reflect.DeepEqual(e, a) { t.Errorf("expected %v, actual %v", e, a) } }
func TestLeaderLeaseSwapWhileWaiting(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) client := testutil.NewEtcdClient() key := "/random/key" if _, err := client.Create(key, "holder", 10); err != nil { t.Fatal(err) } go func() { time.Sleep(time.Second) if _, err := client.Set(key, "other", 10); err != nil { t.Fatal(err) } glog.Infof("Changed key ownership") }() lease := leaderlease.NewEtcd(client, key, "other", 10) ch := make(chan error, 1) go lease.AcquireAndHold(ch) <-ch glog.Infof("Lease acquired") lease.Release() if err, ok := <-ch; err == nil || !ok || !strings.Contains(err.Error(), "the lease has been lost") { t.Errorf("Expected error and open channel when lease was swapped: %v %t", err, ok) } <-ch glog.Infof("Lease gone") }
func TestAutomaticCreationOfPullSecrets(t *testing.T) { saNamespace := api.NamespaceDefault saName := serviceaccountadmission.DefaultServiceAccountName testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminConfig, err := testserver.StartTestMaster() if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } // Get a service account token saToken, err := waitForServiceAccountToken(clusterAdminKubeClient, saNamespace, saName, 20, time.Second) if err != nil { t.Errorf("unexpected error: %v", err) } if len(saToken) == 0 { t.Errorf("token was not created") } // Get the matching dockercfg secret saPullSecret, err := waitForServiceAccountPullSecret(clusterAdminKubeClient, saNamespace, saName, 20, time.Second) if err != nil { t.Errorf("unexpected error: %v", err) } if len(saPullSecret) == 0 { t.Errorf("pull secret was not created") } }
func TestAccessOriginWebConsole(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) masterOptions, err := testserver.DefaultMasterOptions() if err != nil { t.Fatalf("unexpected error: %v", err) } if _, err = testserver.StartConfiguredMaster(masterOptions); err != nil { t.Fatalf("unexpected error: %v", err) } for endpoint, exp := range map[string]struct { statusCode int location string }{ "": {http.StatusFound, masterOptions.AssetConfig.PublicURL}, "healthz": {http.StatusOK, ""}, "login": {http.StatusOK, ""}, "oauth/token/request": {http.StatusFound, masterOptions.AssetConfig.MasterPublicURL + "/oauth/authorize"}, "console": {http.StatusMovedPermanently, "/console/"}, "console/": {http.StatusOK, ""}, "console/java": {http.StatusOK, ""}, } { url := masterOptions.AssetConfig.MasterPublicURL + "/" + endpoint tryAccessURL(t, url, exp.statusCode, exp.location, nil) } }
func TestLeaderLeaseSwapWhileWaiting(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) c, err := testutil.MakeNewEtcdClient() if err != nil { t.Fatal(err) } client := etcdclient.NewKeysAPI(c) key := "/random/key" if _, err := client.Set(context.Background(), key, "holder", &etcdclient.SetOptions{TTL: 10 * time.Second, PrevExist: etcdclient.PrevNoExist}); err != nil { t.Fatal(err) } go func() { time.Sleep(time.Second) if _, err := client.Set(context.Background(), key, "other", &etcdclient.SetOptions{TTL: 10 * time.Second}); err != nil { t.Fatal(err) } glog.Infof("Changed key ownership") }() lease := leaderlease.NewEtcd(c, key, "other", 10) ch := make(chan error, 1) go lease.AcquireAndHold(ch) <-ch glog.Infof("Lease acquired") lease.Release() if err, ok := <-ch; err == nil || !ok || !strings.Contains(err.Error(), "the lease has been lost") { t.Errorf("Expected error and open channel when lease was swapped: %v %t", err, ok) } <-ch glog.Infof("Lease gone") }
func TestClusterResourceOverridePluginWithNoLimits(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) config := &overrideapi.ClusterResourceOverrideConfig{ LimitCPUToMemoryPercent: 100, CPURequestToLimitPercent: 50, MemoryRequestToLimitPercent: 50, } kubeClientset := setupClusterResourceOverrideTest(t, config) podHandler := kubeClientset.Core().Pods(testutil.Namespace()) // test with no limits object present podCreated, err := podHandler.Create(testClusterResourceOverridePod("limitless", "2Gi", "1")) if err != nil { t.Fatal(err) } if memory := podCreated.Spec.Containers[0].Resources.Requests.Memory(); memory.Cmp(resource.MustParse("1Gi")) != 0 { t.Errorf("limitlesspod: Memory did not match expected 1Gi: %#v", memory) } if cpu := podCreated.Spec.Containers[0].Resources.Limits.Cpu(); cpu.Cmp(resource.MustParse("2")) != 0 { t.Errorf("limitlesspod: CPU limit did not match expected 2 core: %#v", cpu) } if cpu := podCreated.Spec.Containers[0].Resources.Requests.Cpu(); cpu.Cmp(resource.MustParse("1")) != 0 { t.Errorf("limitlesspod: CPU req did not match expected 1 core: %#v", cpu) } }
func TestImageStreamList(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminKubeConfig, err := testserver.StartTestMaster() if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig) if err != nil { t.Errorf("unexpected error: %v", err) } err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace()) if err != nil { t.Errorf("unexpected error: %v", err) } builds, err := clusterAdminClient.ImageStreams(testutil.Namespace()).List(kapi.ListOptions{}) if err != nil { t.Fatalf("Unexpected error %v", err) } if len(builds.Items) != 0 { t.Errorf("Expected no builds, got %#v", builds.Items) } }
func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI() if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig) if err != nil { t.Errorf("unexpected error: %v", err) } valerieClientConfig := *clusterAdminClientConfig valerieClientConfig.Username = "" valerieClientConfig.Password = "" valerieClientConfig.BearerToken = "" valerieClientConfig.CertFile = "" valerieClientConfig.KeyFile = "" valerieClientConfig.CertData = nil valerieClientConfig.KeyData = nil accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!") if err != nil { t.Fatalf("unexpected error: %v", err) } valerieClientConfig.BearerToken = accessToken valerieOpenshiftClient, err := client.New(&valerieClientConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } // can I get a subjectaccessreview on myself even if I have no rights to do it generally askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{ Action: authorizationapi.Action{Verb: "create", Resource: "policybindings"}, } subjectAccessReviewTest{ localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"), localReview: askCanICreatePolicyBindings, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: false, Reason: `User "valerie" cannot create policybindings in project "openshift"`, Namespace: "openshift", }, }.run(t) // I shouldn't be allowed to ask whether someone else can perform an action askCanClusterAdminsCreateProject := &authorizationapi.LocalSubjectAccessReview{ Groups: sets.NewString("system:cluster-admins"), Action: authorizationapi.Action{Verb: "create", Resource: "projects"}, } subjectAccessReviewTest{ localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"), localReview: askCanClusterAdminsCreateProject, err: `User "valerie" cannot create localsubjectaccessreviews in project "openshift"`, }.run(t) }
func TestPodNodeConstraintsAdmissionPluginSetNodeSelectorNonAdmin(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) config := &pluginapi.PodNodeConstraintsConfig{ NodeSelectorLabelBlacklist: []string{"hostname"}, } oclient, kclientset := setupUserPodNodeConstraintsTest(t, config, "derples") testPodNodeConstraintsObjectCreationWithPodTemplate(t, "set node selector, regular user", kclientset, oclient, "", map[string]string{"hostname": "foo"}, true) }
func TestStorageVersionsUnified(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) runStorageTest(t, "unified", extensions_v1beta1.SchemeGroupVersion, extensions_v1beta1.SchemeGroupVersion, extensions_v1beta1.SchemeGroupVersion, ) }
func TestPodNodeConstraintsAdmissionPluginSetNodeSelectorClusterAdmin(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) config := &pluginapi.PodNodeConstraintsConfig{ NodeSelectorLabelBlacklist: []string{"hostname"}, } oclient, kclientset := setupClusterAdminPodNodeConstraintsTest(t, config) testPodNodeConstraintsObjectCreationWithPodTemplate(t, "set node selector, cluster admin", kclientset, oclient, "", map[string]string{"hostname": "foo"}, false) }
func TestWebhookGitHubPing(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminKubeConfig, err := testserver.StartTestMaster() if err != nil { t.Fatalf("unable to start master: %v", err) } kubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig) if err != nil { t.Fatalf("unable to get kubeClient: %v", err) } osClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig) if err != nil { t.Fatalf("unable to get osClient: %v", err) } kubeClient.Core().Namespaces().Create(&kapi.Namespace{ ObjectMeta: kapi.ObjectMeta{Name: testutil.Namespace()}, }) // create buildconfig buildConfig := mockBuildConfigImageParms("originalimage", "imagestream", "validtag") if _, err := osClient.BuildConfigs(testutil.Namespace()).Create(buildConfig); err != nil { t.Fatalf("Unexpected error: %v", err) } watch, err := osClient.Builds(testutil.Namespace()).Watch(kapi.ListOptions{}) if err != nil { t.Fatalf("Couldn't subscribe to builds: %v", err) } defer watch.Stop() for _, s := range []string{ "/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret101/github", "/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret100/github", "/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret102/github", } { // trigger build event sending push notification clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } postFile(osClient.RESTClient.Client, "ping", "pingevent.json", clusterAdminClientConfig.Host+s, http.StatusOK, t) // TODO: improve negative testing timer := time.NewTimer(time.Second / 2) select { case <-timer.C: // nothing should happen case event := <-watch.ResultChan(): build := event.Object.(*buildapi.Build) t.Fatalf("Unexpected build created: %#v", build) } } }
func TestBootstrapPolicyAuthenticatedUsersAgainstOpenshiftNamespace(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI() if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig) if err != nil { t.Errorf("unexpected error: %v", err) } valerieClientConfig := *clusterAdminClientConfig valerieClientConfig.Username = "" valerieClientConfig.Password = "" valerieClientConfig.BearerToken = "" valerieClientConfig.CertFile = "" valerieClientConfig.KeyFile = "" valerieClientConfig.CertData = nil valerieClientConfig.KeyData = nil accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!") if err != nil { t.Fatalf("unexpected error: %v", err) } valerieClientConfig.BearerToken = accessToken valerieOpenshiftClient, err := client.New(&valerieClientConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } openshiftSharedResourcesNamespace := "openshift" if _, err := valerieOpenshiftClient.Templates(openshiftSharedResourcesNamespace).List(kapi.ListOptions{}); err != nil { t.Errorf("unexpected error: %v", err) } if _, err := valerieOpenshiftClient.Templates(kapi.NamespaceDefault).List(kapi.ListOptions{}); err == nil || !kapierror.IsForbidden(err) { t.Errorf("unexpected error: %v", err) } if _, err := valerieOpenshiftClient.ImageStreams(openshiftSharedResourcesNamespace).List(kapi.ListOptions{}); err != nil { t.Errorf("unexpected error: %v", err) } if _, err := valerieOpenshiftClient.ImageStreams(kapi.NamespaceDefault).List(kapi.ListOptions{}); err == nil || !kapierror.IsForbidden(err) { t.Errorf("unexpected error: %v", err) } if _, err := valerieOpenshiftClient.ImageStreamTags(openshiftSharedResourcesNamespace).Get("name", "tag"); !kapierror.IsNotFound(err) { t.Errorf("unexpected error: %v", err) } if _, err := valerieOpenshiftClient.ImageStreamTags(kapi.NamespaceDefault).Get("name", "tag"); err == nil || !kapierror.IsForbidden(err) { t.Errorf("unexpected error: %v", err) } }
func TestSimpleImageChangeBuildTriggerFromImageStreamTagDockerWithConfigChange(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) projectAdminClient, _ := setup(t) imageStream := mockImageStream2(tag) imageStreamMapping := mockImageStreamMapping(imageStream.Name, "someimage", tag, "registry:8080/openshift/test-image-trigger:"+tag) strategy := dockerStrategy("ImageStreamTag", streamName+":"+tag) config := imageChangeBuildConfigWithConfigChange("docker-imagestreamtag", strategy) runTest(t, "SimpleImageChangeBuildTriggerFromImageStreamTagDocker", projectAdminClient, imageStream, imageStreamMapping, config, tag) }
func TestRootRedirect(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) masterConfig, _, err := testserver.StartTestMasterAPI() if err != nil { t.Fatalf("unexpected error: %v", err) } transport := knet.SetTransportDefaults(&http.Transport{ TLSClientConfig: &tls.Config{ InsecureSkipVerify: true, }, }) req, err := http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL, nil) req.Header.Set("Accept", "*/*") resp, err := transport.RoundTrip(req) if err != nil { t.Fatalf("Unexpected error: %v", err) } if resp.StatusCode != http.StatusOK { t.Fatalf("Expected %d, got %d", http.StatusOK, resp.StatusCode) } if resp.Header.Get("Content-Type") != "application/json" { t.Fatalf("Expected %s, got %s", "application/json", resp.Header.Get("Content-Type")) } type result struct { Paths []string } body, err := ioutil.ReadAll(resp.Body) if err != nil { t.Fatalf("Unexpected error reading the body: %v", err) } var got result json.Unmarshal(body, &got) sort.Strings(got.Paths) if !reflect.DeepEqual(got.Paths, expectedIndex) { t.Fatalf("Unexpected index: got=%v, expected=%v", got, expectedIndex) } req, err = http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL, nil) req.Header.Set("Accept", "text/html") resp, err = transport.RoundTrip(req) if err != nil { t.Errorf("Unexpected error: %v", err) } if resp.StatusCode != http.StatusFound { t.Errorf("Expected %d, got %d", http.StatusFound, resp.StatusCode) } if resp.Header.Get("Location") != masterConfig.AssetConfig.PublicURL { t.Errorf("Expected %s, got %s", masterConfig.AssetConfig.PublicURL, resp.Header.Get("Location")) } // TODO add a test for when asset config is nil, the redirect should not occur in this case even when // accept header contains text/html }
func TestClusterResourceOverridePluginWithLimits(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) config := &overrideapi.ClusterResourceOverrideConfig{ LimitCPUToMemoryPercent: 100, CPURequestToLimitPercent: 50, MemoryRequestToLimitPercent: 50, } kubeClientset := setupClusterResourceOverrideTest(t, config) podHandler := kubeClientset.Core().Pods(testutil.Namespace()) limitHandler := kubeClientset.Core().LimitRanges(testutil.Namespace()) // test with limits object with defaults; // I wanted to test with a limits object without defaults to see limits forbid an empty resource spec, // but found that if defaults aren't set in the limit object, something still fills them in. // note: defaults are only used when quantities are *missing*, not when they are 0 limitItem := kapi.LimitRangeItem{ Type: kapi.LimitTypeContainer, Max: testResourceList("2Gi", "2"), Min: testResourceList("128Mi", "200m"), Default: testResourceList("512Mi", "500m"), // note: auto-filled from max if we set that; DefaultRequest: testResourceList("128Mi", "200m"), // filled from max if set, or min if that is set MaxLimitRequestRatio: kapi.ResourceList{}, } limit := &kapi.LimitRange{ ObjectMeta: kapi.ObjectMeta{Name: "limit"}, Spec: kapi.LimitRangeSpec{Limits: []kapi.LimitRangeItem{limitItem}}, } _, err := limitHandler.Create(limit) if err != nil { t.Fatal(err) } podCreated, err := podHandler.Create(testClusterResourceOverridePod("limit-with-default", "", "1")) if err != nil { t.Fatal(err) } if memory := podCreated.Spec.Containers[0].Resources.Limits.Memory(); memory.Cmp(resource.MustParse("512Mi")) != 0 { t.Errorf("limit-with-default: Memory limit did not match default 512Mi: %v", memory) } if memory := podCreated.Spec.Containers[0].Resources.Requests.Memory(); memory.Cmp(resource.MustParse("256Mi")) != 0 { t.Errorf("limit-with-default: Memory req did not match expected 256Mi: %v", memory) } if cpu := podCreated.Spec.Containers[0].Resources.Limits.Cpu(); cpu.Cmp(resource.MustParse("500m")) != 0 { t.Errorf("limit-with-default: CPU limit did not match expected 500 mcore: %v", cpu) } if cpu := podCreated.Spec.Containers[0].Resources.Requests.Cpu(); cpu.Cmp(resource.MustParse("250m")) != 0 { t.Errorf("limit-with-default: CPU req did not match expected 250 mcore: %v", cpu) } // set it up so that the overrides create resources that fail validation _, err = podHandler.Create(testClusterResourceOverridePod("limit-with-default-fail", "128Mi", "1")) if err == nil { t.Errorf("limit-with-default-fail: expected to be forbidden") } else if !apierrors.IsForbidden(err) { t.Errorf("limit-with-default-fail: unexpected error: %v", err) } }
func TestBasicFunctionalityWithAudit(t *testing.T) { kubeClient, _ := setupAuditTest(t) defer testutil.DumpEtcdOnFailure(t) if _, err := kubeClient.Core().Pods(kapi.NamespaceDefault).Watch(kapi.ListOptions{}); err != nil { t.Errorf("Unexpected error watching pods: %v", err) } // TOOD: test oc debug, exec, rsh, port-forward }
func TestBuildOverrideForcePull(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) oclient, kclientset := setupBuildOverridesAdmissionTest(t, &overridesapi.BuildOverridesConfig{ ForcePull: true, }) build, _ := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild()) if !build.Spec.Strategy.DockerStrategy.ForcePull { t.Errorf("ForcePull was not set on resulting build") } }
func TestPolicyBasedRestrictionOfBuildConfigCreateAndInstantiateByStrategy(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) clusterAdminClient, projectAdminClient, projectEditorClient := setupBuildStrategyTest(t, true) clients := map[string]*client.Client{"admin": projectAdminClient, "editor": projectEditorClient} buildConfigs := map[string]*buildapi.BuildConfig{} // by default admins and editors can create all type of buildconfigs for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { var err error if buildConfigs[string(strategy)+clientType], err = createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy); err != nil { t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err) } } } // by default admins and editors can instantiate build configs for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := instantiateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); err != nil { t.Errorf("unexpected instantiate error for strategy %s and client %s: %v", strategy, clientType, err) } } } removeBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient) // make sure buildconfigs are rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } // make sure buildconfig updates are rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := updateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } // make sure instantiate is rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := instantiateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } }
func TestBuildDefaultAnnotations(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) annotations := map[string]string{"KEY": "VALUE"} oclient, kclientset := setupBuildDefaultsAdmissionTest(t, &defaultsapi.BuildDefaultsConfig{ Annotations: annotations, }) _, pod := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild()) if actual := pod.Annotations; strings.Compare(actual["KEY"], annotations["KEY"]) != 0 { t.Errorf("Resulting pod did not get expected annotations: actual: %v, expected: %v", actual["KEY"], annotations["KEY"]) } }
func TestBuildDefaultGitHTTPSProxy(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) httpsProxy := "https://my.test.proxy:12345" oclient, kclientset := setupBuildDefaultsAdmissionTest(t, &defaultsapi.BuildDefaultsConfig{ GitHTTPSProxy: httpsProxy, }) build, _ := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild()) if actual := build.Spec.Source.Git.HTTPSProxy; actual == nil || *actual != httpsProxy { t.Errorf("Resulting build did not get expected HTTPS proxy: %v", actual) } }
func TestBuildDefaultNodeSelectors(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) selectors := map[string]string{"KEY": "VALUE"} oclient, kclientset := setupBuildDefaultsAdmissionTest(t, &defaultsapi.BuildDefaultsConfig{ NodeSelector: selectors, }) _, pod := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild()) if actual := pod.Spec.NodeSelector; !reflect.DeepEqual(selectors, actual) { t.Errorf("Resulting pod did not get expected nodeselectors: %v", actual) } }
func TestBuildDefaultLabels(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) labels := []buildapi.ImageLabel{{Name: "KEY", Value: "VALUE"}} oclient, kclientset := setupBuildDefaultsAdmissionTest(t, &defaultsapi.BuildDefaultsConfig{ ImageLabels: labels, }) build, _ := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild()) if actual := build.Spec.Output.ImageLabels; !reflect.DeepEqual(labels, actual) { t.Errorf("Resulting build did not get expected labels: %v", actual) } }
func TestAuthorizationRestrictedAccessForProjectAdmins(t *testing.T) { testutil.RequireEtcd(t) defer testutil.DumpEtcdOnFailure(t) _, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI() if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig) if err != nil { t.Fatalf("unexpected error: %v", err) } haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold") if err != nil { t.Fatalf("unexpected error: %v", err) } markClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark") if err != nil { t.Fatalf("unexpected error: %v", err) } _, err = haroldClient.DeploymentConfigs("hammer-project").List(kapi.ListOptions{}) if err != nil { t.Fatalf("unexpected error: %v", err) } _, err = markClient.DeploymentConfigs("hammer-project").List(kapi.ListOptions{}) if (err == nil) || !kapierror.IsForbidden(err) { t.Fatalf("unexpected error: %v", err) } // projects are a special case where a get of a project actually sets a namespace. Make sure that // the namespace is properly special cased and set for authorization rules _, err = haroldClient.Projects().Get("hammer-project") if err != nil { t.Fatalf("unexpected error: %v", err) } _, err = markClient.Projects().Get("hammer-project") if (err == nil) || !kapierror.IsForbidden(err) { t.Fatalf("unexpected error: %v", err) } // wait for the project authorization cache to catch the change. It is on a one second period waitForProject(t, haroldClient, "hammer-project", 1*time.Second, 10) waitForProject(t, markClient, "mallet-project", 1*time.Second, 10) }
// TestRouterReloadSuppressionOnSync validates that the router will // not be reloaded until all events from the initial sync have been // processed. Reload should similarly suppressed on subsequent // resyncs. func TestRouterReloadSuppressionOnSync(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) stressRouter( t, // Allow the test to be configured to enable experimentation // without a costly (~60s+) go build. cmdutil.EnvInt("OS_TEST_NAMESPACE_COUNT", 1, 1), cmdutil.EnvInt("OS_TEST_ROUTES_PER_NAMESPACE", 10, 10), cmdutil.EnvInt("OS_TEST_ROUTER_COUNT", 1, 1), cmdutil.EnvInt("OS_TEST_MAX_ROUTER_DELAY", 10, 10), ) }
func TestRunOnceDurationAdmissionPlugin(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) var secs int64 = 3600 config := &pluginapi.RunOnceDurationConfig{ ActiveDeadlineSecondsLimit: &secs, } kclient := setupRunOnceDurationTest(t, config, nil) testPodDuration(t, "global, no duration", kclient, testRunOnceDurationPod(0), 3600) testPodDuration(t, "global, larger duration", kclient, testRunOnceDurationPod(7200), 3600) testPodDuration(t, "global, smaller duration", kclient, testRunOnceDurationPod(100), 100) }
func TestBuildOverrideForcePullCustomStrategy(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) oclient, kclientset := setupBuildOverridesAdmissionTest(t, &overridesapi.BuildOverridesConfig{ ForcePull: true, }) build, pod := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestCustomBuild()) if pod.Spec.Containers[0].ImagePullPolicy != kapi.PullAlways { t.Errorf("Pod ImagePullPolicy is not PullAlways") } if !build.Spec.Strategy.CustomStrategy.ForcePull { t.Errorf("ForcePull was not set on resulting build") } }