// ChangeUser changes the user used by the current CLI session.
func (c *CLI) ChangeUser(name string) *CLI {
adminClientConfig, err := testutil.GetClusterAdminClientConfig(c.adminConfigPath)
if err != nil {
FatalErr(err)
}
_, _, clientConfig, err := testutil.GetClientForUser(*adminClientConfig, name)
if err != nil {
FatalErr(err)
}
kubeConfig, err := config.CreateConfig(c.Namespace(), clientConfig)
if err != nil {
FatalErr(err)
}
c.configPath = filepath.Join(c.outputDir, name+".kubeconfig")
err = clientcmd.WriteToFile(*kubeConfig, c.configPath)
if err != nil {
FatalErr(err)
}
c.username = name
e2e.Logf("configPath is now %q", c.configPath)
return c
}
func setupBuildStrategyTest(t *testing.T) (clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
namespace := testutil.Namespace()
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectAdminClient, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addJoe := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, projectAdminClient),
Users: []string{"joe"},
}
if err := addJoe.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectEditorClient, namespace, "create", authorizationapi.DockerBuildResource, true); err != nil {
t.Fatalf(err.Error())
}
// Create builder image stream and tag
imageStream := &imageapi.ImageStream{}
imageStream.Name = "builderimage"
_, err = clusterAdminClient.ImageStreams(testutil.Namespace()).Create(imageStream)
if err != nil {
t.Fatalf("Couldn't create ImageStream: %v", err)
}
// Create image stream mapping
imageStreamMapping := &imageapi.ImageStreamMapping{}
imageStreamMapping.Name = "builderimage"
imageStreamMapping.Tag = "latest"
imageStreamMapping.Image.Name = "image-id"
imageStreamMapping.Image.DockerImageReference = "test/builderimage:latest"
err = clusterAdminClient.ImageStreamMappings(testutil.Namespace()).Create(imageStreamMapping)
if err != nil {
t.Fatalf("Couldn't create ImageStreamMapping: %v", err)
}
return
}
func TestDeployScale(t *testing.T) {
const namespace = "test-deploy-scale"
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "my-test-user")
checkErr(t, err)
osClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "my-test-user")
checkErr(t, err)
config := deploytest.OkDeploymentConfig(0)
config.Spec.Triggers = []deployapi.DeploymentTriggerPolicy{}
config.Spec.Replicas = 1
dc, err := osClient.DeploymentConfigs(namespace).Create(config)
if err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v %#v", err, config)
}
scale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if scale.Spec.Replicas != 1 {
t.Fatalf("Expected scale.spec.replicas=1, got %#v", scale)
}
scaleUpdate := &extensions.Scale{
ObjectMeta: kapi.ObjectMeta{
Name: dc.Name,
Namespace: namespace,
},
Spec: extensions.ScaleSpec{Replicas: 3},
}
updatedScale, err := osClient.DeploymentConfigs(namespace).UpdateScale(scaleUpdate)
if err != nil {
// If this complains about "Scale" not being registered in "v1", check the kind overrides in the API registration in SubresourceGroupVersionKind
t.Fatalf("Couldn't update DeploymentConfig scale to %#v: %v", scaleUpdate, err)
}
if updatedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
persistedScale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if persistedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
}
func setupUserPodNodeConstraintsTest(t *testing.T, pluginConfig *pluginapi.PodNodeConstraintsConfig, user string) (*client.Client, *kclientset.Clientset) {
testutil.RequireEtcd(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("error creating config: %v", err)
}
cfg := map[string]configapi.AdmissionPluginConfig{
"PodNodeConstraints": {
Configuration: pluginConfig,
},
}
masterConfig.AdmissionConfig.PluginConfig = cfg
masterConfig.KubernetesMasterConfig.AdmissionConfig.PluginConfig = cfg
kubeConfigFile, err := testserver.StartConfiguredMaster(masterConfig)
if err != nil {
t.Fatalf("error starting server: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(kubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
userClient, userkubeClientset, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, user)
if err != nil {
t.Fatalf("error getting user/kube client: %v", err)
}
kubeClientset, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting kube client: %v", err)
}
ns := &kapi.Namespace{}
ns.Name = testutil.Namespace()
_, err = kubeClientset.Core().Namespaces().Create(ns)
if err != nil {
t.Fatalf("error creating namespace: %v", err)
}
if err := testserver.WaitForServiceAccounts(kubeClientset, testutil.Namespace(), []string{bootstrappolicy.DefaultServiceAccountName}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addUser := &policy.RoleModificationOptions{
RoleNamespace: ns.Name,
RoleName: bootstrappolicy.AdminRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{user},
}
if err := addUser.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
return userClient, userkubeClientset
}
// CreateNewProject creates a new project using the clusterAdminClient, then gets a token for the adminUser and returns
// back a client for the admin user
func CreateNewProject(clusterAdminClient *client.Client, clientConfig kclient.Config, projectName, adminUser string) (*client.Client, error) {
newProjectOptions := &newproject.NewProjectOptions{
Client: clusterAdminClient,
ProjectName: projectName,
AdminRole: bootstrappolicy.AdminRoleName,
AdminUser: adminUser,
}
if err := newProjectOptions.Run(false); err != nil {
return nil, err
}
client, _, _, err := util.GetClientForUser(clientConfig, adminUser)
return client, err
}
func TestSelfSubjectAccessReviewsNonExistingNamespace(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(valerieClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// ensure that a SAR for a non-exisitng namespace gives a SAR response and not a
// namespace doesn't exist response from admisison.
askCanICreatePodsInNonExistingNamespace := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{Namespace: "foo", Verb: "create", Resource: "pods"},
}
subjectAccessReviewTest{
description: "ensure SAR for non-existing namespace does not leak namespace info",
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("foo"),
localReview: askCanICreatePodsInNonExistingNamespace,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot create pods in project "foo"`,
Namespace: "foo",
},
}.run(t)
}
func testSetupImageSignatureTest(t *testing.T, userName string) (adminClient *client.Client, userClient *client.Client, image *imageapi.Image) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
adminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
image, err = testutil.GetImageFixture("testdata/test-image.json")
if err != nil {
t.Fatalf("failed to read image fixture: %v", err)
}
image, err = adminClient.Images().Create(image)
if err != nil {
t.Fatalf("unexpected error creating image: %v", err)
}
if len(image.Signatures) != 0 {
t.Fatalf("expected empty signatures, not: %s", diff.ObjectDiff(image.Signatures, []imageapi.ImageSignature{}))
}
clusterAdminConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
userClient, _, _, err = testutil.GetClientForUser(*clusterAdminConfig, userName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
return adminClient, userClient, image
}
func testProjectRequestLimitAdmission(t *testing.T, errorPrefix string, clientConfig *kclient.Config, tests map[string]bool) {
for user, expectSuccess := range tests {
oclient, _, _, err := testutil.GetClientForUser(*clientConfig, user)
if err != nil {
t.Fatalf("Error getting client for user %s: %v", user, err)
}
projectRequest := &projectapi.ProjectRequest{}
projectRequest.Name = kapi.SimpleNameGenerator.GenerateName("test-projectreq")
_, err = oclient.ProjectRequests().Create(projectRequest)
if err != nil && expectSuccess {
t.Errorf("%s: unexpected error for user %s: %v", errorPrefix, user, err)
continue
}
if !expectSuccess {
if err == nil {
t.Errorf("%s: did not get expected error for user %s", errorPrefix, user)
continue
}
if !apierrors.IsForbidden(err) {
t.Errorf("%s: did not get an expected forbidden error for user %s. Got: %v", errorPrefix, user, err)
}
}
}
}
func TestPodUpdateSCCEnforcement(t *testing.T) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectName := "hammer-project"
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, "harold"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, haroldKubeClient, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testserver.WaitForServiceAccounts(clusterAdminKubeClient, projectName, []string{"default"}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// so cluster-admin can create privileged pods, but harold cannot. This means that harold should not be able
// to update the privileged pods either, even if he lies about its privileged nature
privilegedPod := &kapi.Pod{
ObjectMeta: kapi.ObjectMeta{Name: "unsafe"},
Spec: kapi.PodSpec{
Containers: []kapi.Container{
{Name: "first", Image: "something-innocuous"},
},
SecurityContext: &kapi.PodSecurityContext{
HostPID: true,
},
},
}
if _, err := haroldKubeClient.Pods(projectName).Create(privilegedPod); !kapierror.IsForbidden(err) {
t.Fatalf("missing forbidden: %v", err)
}
actualPod, err := clusterAdminKubeClient.Pods(projectName).Create(privilegedPod)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
actualPod.Spec.Containers[0].Image = "something-nefarious"
if _, err := haroldKubeClient.Pods(projectName).Update(actualPod); !kapierror.IsForbidden(err) {
t.Fatalf("missing forbidden: %v", err)
}
// try to lie about the privileged nature
actualPod.Spec.SecurityContext.HostPID = false
if _, err := haroldKubeClient.Pods(projectName).Update(actualPod); err == nil {
t.Fatalf("missing error: %v", err)
}
}
func TestProjectWatch(t *testing.T) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
bobClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "bob")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
w, err := bobClient.Projects().Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "ns-01", "bob"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
select {
case event := <-w.ResultChan():
if event.Type != watch.Added {
t.Errorf("expected added, got %v", event)
}
project := event.Object.(*projectapi.Project)
if project.Name != "ns-01" {
t.Fatalf("expected %v, got %#v", "ns-01", project)
}
case <-time.After(3 * time.Second):
t.Fatalf("timeout")
}
joeClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "ns-02", "joe")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addBob := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("ns-02", joeClient),
Users: []string{"bob"},
}
if err := addBob.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// wait for the add
for {
select {
case event := <-w.ResultChan():
project := event.Object.(*projectapi.Project)
t.Logf("got %#v %#v", event, project)
if event.Type == watch.Added && project.Name == "ns-02" {
return
}
case <-time.After(3 * time.Second):
t.Fatalf("timeout")
}
}
if err := addBob.RemoveRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// wait for the delete
for {
select {
case event := <-w.ResultChan():
project := event.Object.(*projectapi.Project)
t.Logf("got %#v %#v", event, project)
if event.Type == watch.Deleted && project.Name == "ns-02" {
return
}
case <-time.After(3 * time.Second):
t.Fatalf("timeout")
}
}
// test the "start from beginning watch"
beginningWatch, err := bobClient.Projects().Watch(kapi.ListOptions{ResourceVersion: "0"})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
select {
case event := <-beginningWatch.ResultChan():
if event.Type != watch.Added {
t.Errorf("expected added, got %v", event)
}
project := event.Object.(*projectapi.Project)
if project.Name != "ns-01" {
t.Fatalf("expected %v, got %#v", "ns-01", project)
}
case <-time.After(3 * time.Second):
t.Fatalf("timeout")
}
fromNowWatch, err := bobClient.Projects().Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
select {
case event := <-fromNowWatch.ResultChan():
t.Fatalf("unexpected event %v", event)
case <-time.After(3 * time.Second):
}
}
func runStorageTest(t *testing.T, ns string, autoscalingVersion, batchVersion, extensionsVersion unversioned.GroupVersion) {
etcdServer := testutil.RequireEtcd(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
keys := etcd.NewKeysAPI(etcdServer.Client)
getGVKFromEtcd := func(prefix, name string) (*unversioned.GroupVersionKind, error) {
key := path.Join(masterConfig.EtcdStorageConfig.KubernetesStoragePrefix, prefix, ns, name)
resp, err := keys.Get(context.TODO(), key, nil)
if err != nil {
return nil, err
}
_, gvk, err := runtime.UnstructuredJSONScheme.Decode([]byte(resp.Node.Value), nil, nil)
return gvk, err
}
// TODO: Set storage versions for API groups
// masterConfig.EtcdStorageConfig.StorageVersions[autoscaling.GroupName] = autoscalingVersion.String()
// masterConfig.EtcdStorageConfig.StorageVersions[batch.GroupName] = batchVersion.String()
// masterConfig.EtcdStorageConfig.StorageVersions[extensions.GroupName] = extensionsVersion.String()
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// create the containing project
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, ns, "admin"); err != nil {
t.Fatalf("unexpected error creating the project: %v", err)
}
projectAdminClient, projectAdminKubeClient, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "admin")
if err != nil {
t.Fatalf("unexpected error getting project admin client: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectAdminClient, ns, "get", extensions.Resource("horizontalpodautoscalers"), true); err != nil {
t.Fatalf("unexpected error waiting for policy update: %v", err)
}
jobTestcases := map[string]struct {
creator kclient.JobInterface
}{
"batch": {creator: projectAdminKubeClient.Batch().Jobs(ns)},
}
for name, testcase := range jobTestcases {
job := batch.Job{
ObjectMeta: kapi.ObjectMeta{Name: name + "-job"},
Spec: batch.JobSpec{
Template: kapi.PodTemplateSpec{
Spec: kapi.PodSpec{
RestartPolicy: kapi.RestartPolicyNever,
Containers: []kapi.Container{{Name: "containername", Image: "containerimage"}},
},
},
},
}
// Create a Job
if _, err := testcase.creator.Create(&job); err != nil {
t.Fatalf("%s: unexpected error creating Job: %v", name, err)
}
// Ensure it is persisted correctly
if gvk, err := getGVKFromEtcd("jobs", job.Name); err != nil {
t.Fatalf("%s: unexpected error reading Job: %v", name, err)
} else if *gvk != batchVersion.WithKind("Job") {
t.Fatalf("%s: expected api version %s in etcd, got %s reading Job", name, batchVersion, gvk)
}
// Ensure it is accessible from both APIs
if _, err := projectAdminKubeClient.Batch().Jobs(ns).Get(job.Name); err != nil {
t.Errorf("%s: Error reading Job from the batch client: %#v", name, err)
}
if _, err := projectAdminKubeClient.Extensions().Jobs(ns).Get(job.Name); err != nil {
t.Errorf("%s: Error reading Job from the extensions client: %#v", name, err)
}
}
hpaTestcases := map[string]struct {
creator kclient.HorizontalPodAutoscalerInterface
}{
"autoscaling": {creator: projectAdminKubeClient.Autoscaling().HorizontalPodAutoscalers(ns)},
"extensions": {creator: projectAdminKubeClient.Extensions().HorizontalPodAutoscalers(ns)},
}
for name, testcase := range hpaTestcases {
hpa := extensions.HorizontalPodAutoscaler{
ObjectMeta: kapi.ObjectMeta{Name: name + "-hpa"},
Spec: extensions.HorizontalPodAutoscalerSpec{
MaxReplicas: 1,
ScaleRef: extensions.SubresourceReference{Kind: "ReplicationController", Name: "myrc", Subresource: "scale"},
},
}
// Create an HPA
if _, err := testcase.creator.Create(&hpa); err != nil {
t.Fatalf("%s: unexpected error creating HPA: %v", name, err)
}
// Make sure it is persisted correctly
if gvk, err := getGVKFromEtcd("horizontalpodautoscalers", hpa.Name); err != nil {
t.Fatalf("%s: unexpected error reading HPA: %v", name, err)
} else if *gvk != autoscalingVersion.WithKind("HorizontalPodAutoscaler") {
t.Fatalf("%s: expected api version %s in etcd, got %s reading HPA", name, autoscalingVersion, gvk)
}
// Make sure it is available from both APIs
if _, err := projectAdminKubeClient.Autoscaling().HorizontalPodAutoscalers(ns).Get(hpa.Name); err != nil {
t.Errorf("%s: Error reading HPA.autoscaling from the autoscaling/v1 API: %#v", name, err)
}
if _, err := projectAdminKubeClient.Extensions().HorizontalPodAutoscalers(ns).Get(hpa.Name); err != nil {
t.Errorf("%s: Error reading HPA.extensions from the extensions/v1beta1 API: %#v", name, err)
}
}
}
func TestExtensionsAPIDisabled(t *testing.T) {
const projName = "ext-disabled-proj"
testutil.RequireEtcd(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Disable all extensions API versions
masterConfig.KubernetesMasterConfig.DisabledAPIGroupVersions = map[string][]string{"extensions": {"*"}, "autoscaling": {"*"}, "batch": {"*"}}
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// create the containing project
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projName, "admin"); err != nil {
t.Fatalf("unexpected error creating the project: %v", err)
}
projectAdminClient, projectAdminKubeClient, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "admin")
if err != nil {
t.Fatalf("unexpected error getting project admin client: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectAdminClient, projName, "get", expapi.Resource("horizontalpodautoscalers"), true); err != nil {
t.Fatalf("unexpected error waiting for policy update: %v", err)
}
// make sure extensions API objects cannot be listed or created
if _, err := projectAdminKubeClient.Extensions().HorizontalPodAutoscalers(projName).List(kapi.ListOptions{}); !errors.IsNotFound(err) {
t.Fatalf("expected NotFound error listing HPA, got %v", err)
}
if _, err := projectAdminKubeClient.Extensions().HorizontalPodAutoscalers(projName).Create(&expapi.HorizontalPodAutoscaler{}); !errors.IsNotFound(err) {
t.Fatalf("expected NotFound error creating HPA, got %v", err)
}
if _, err := projectAdminKubeClient.Extensions().Jobs(projName).List(kapi.ListOptions{}); !errors.IsNotFound(err) {
t.Fatalf("expected NotFound error listing jobs, got %v", err)
}
if _, err := projectAdminKubeClient.Extensions().Jobs(projName).Create(&batch.Job{}); !errors.IsNotFound(err) {
t.Fatalf("expected NotFound error creating job, got %v", err)
}
// Delete the containing project
if err := testutil.DeleteAndWaitForNamespaceTermination(clusterAdminKubeClient, projName); err != nil {
t.Fatalf("unexpected error: %#v", err)
}
}
func TestExtensionsAPIDisabledAutoscaleBatchEnabled(t *testing.T) {
const projName = "ext-disabled-batch-enabled-proj"
testutil.RequireEtcd(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Disable all extensions API versions
// Leave autoscaling/batch APIs enabled
masterConfig.KubernetesMasterConfig.DisabledAPIGroupVersions = map[string][]string{"extensions": {"*"}}
clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// create the containing project
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projName, "admin"); err != nil {
t.Fatalf("unexpected error creating the project: %v", err)
}
projectAdminClient, projectAdminKubeClient, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "admin")
if err != nil {
t.Fatalf("unexpected error getting project admin client: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectAdminClient, projName, "get", expapi.Resource("horizontalpodautoscalers"), true); err != nil {
t.Fatalf("unexpected error waiting for policy update: %v", err)
}
validHPA := &expapi.HorizontalPodAutoscaler{
ObjectMeta: kapi.ObjectMeta{Name: "myjob"},
Spec: expapi.HorizontalPodAutoscalerSpec{
ScaleRef: expapi.SubresourceReference{Name: "foo", Kind: "ReplicationController", Subresource: "scale"},
MaxReplicas: 1,
},
}
validJob := &batch.Job{
ObjectMeta: kapi.ObjectMeta{Name: "myjob"},
Spec: batch.JobSpec{
Template: kapi.PodTemplateSpec{
Spec: kapi.PodSpec{
Containers: []kapi.Container{{Name: "mycontainer", Image: "myimage"}},
RestartPolicy: kapi.RestartPolicyNever,
},
},
},
}
// make sure extensions API objects cannot be listed or created
if _, err := projectAdminKubeClient.Extensions().HorizontalPodAutoscalers(projName).List(kapi.ListOptions{}); !errors.IsNotFound(err) {
t.Fatalf("expected NotFound error listing HPA, got %v", err)
}
if _, err := projectAdminKubeClient.Extensions().HorizontalPodAutoscalers(projName).Create(validHPA); !errors.IsNotFound(err) {
t.Fatalf("expected NotFound error creating HPA, got %v", err)
}
if _, err := projectAdminKubeClient.Extensions().Jobs(projName).List(kapi.ListOptions{}); !errors.IsNotFound(err) {
t.Fatalf("expected NotFound error listing jobs, got %v", err)
}
if _, err := projectAdminKubeClient.Extensions().Jobs(projName).Create(validJob); !errors.IsNotFound(err) {
t.Fatalf("expected NotFound error creating job, got %v", err)
}
// make sure autoscaling and batch API objects can be listed and created
if _, err := projectAdminKubeClient.Autoscaling().HorizontalPodAutoscalers(projName).List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %#v", err)
}
if _, err := projectAdminKubeClient.Autoscaling().HorizontalPodAutoscalers(projName).Create(validHPA); err != nil {
t.Fatalf("unexpected error: %#v", err)
}
if _, err := projectAdminKubeClient.Batch().Jobs(projName).List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %#v", err)
}
if _, err := projectAdminKubeClient.Batch().Jobs(projName).Create(validJob); err != nil {
t.Fatalf("unexpected error: %#v", err)
}
// Delete the containing project
if err := testutil.DeleteAndWaitForNamespaceTermination(clusterAdminKubeClient, projName); err != nil {
t.Fatalf("unexpected error: %#v", err)
}
// recreate the containing project
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projName, "admin"); err != nil {
t.Fatalf("unexpected error creating the project: %v", err)
}
projectAdminClient, projectAdminKubeClient, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "admin")
if err != nil {
t.Fatalf("unexpected error getting project admin client: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectAdminClient, projName, "get", expapi.Resource("horizontalpodautoscalers"), true); err != nil {
t.Fatalf("unexpected error waiting for policy update: %v", err)
}
// make sure the created objects got cleaned up by namespace deletion
if hpas, err := projectAdminKubeClient.Autoscaling().HorizontalPodAutoscalers(projName).List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %#v", err)
} else if len(hpas.Items) > 0 {
t.Fatalf("expected 0 HPA objects, got %#v", hpas.Items)
}
if jobs, err := projectAdminKubeClient.Batch().Jobs(projName).List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %#v", err)
} else if len(jobs.Items) > 0 {
t.Fatalf("expected 0 Job objects, got %#v", jobs.Items)
}
}
func TestTriggers_manual(t *testing.T) {
const namespace = "test-triggers-manual"
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "my-test-user")
checkErr(t, err)
osClient, kubeClient, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "my-test-user")
checkErr(t, err)
config := deploytest.OkDeploymentConfig(0)
config.Namespace = namespace
config.Spec.Triggers = []deployapi.DeploymentTriggerPolicy{
{
Type: deployapi.DeploymentTriggerManual,
},
}
dc, err := osClient.DeploymentConfigs(namespace).Create(config)
if err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v %#v", err, config)
}
rcWatch, err := kubeClient.ReplicationControllers(namespace).Watch(labels.Everything(), fields.Everything(), dc.ResourceVersion)
if err != nil {
t.Fatalf("Couldn't subscribe to Deployments: %v", err)
}
defer rcWatch.Stop()
retryErr := kclient.RetryOnConflict(wait.Backoff{Steps: maxUpdateRetries}, func() error {
config, err := osClient.DeploymentConfigs(namespace).Generate(config.Name)
if err != nil {
return err
}
if config.Status.LatestVersion != 1 {
t.Fatalf("Generated deployment should have version 1: %#v", config)
}
t.Logf("config(1): %#v", config)
updatedConfig, err := osClient.DeploymentConfigs(namespace).Update(config)
if err != nil {
return err
}
t.Logf("config(2): %#v", updatedConfig)
return nil
})
if retryErr != nil {
t.Fatal(err)
}
event := <-rcWatch.ResultChan()
if e, a := watchapi.Added, event.Type; e != a {
t.Fatalf("expected watch event type %s, got %s", e, a)
}
deployment := event.Object.(*kapi.ReplicationController)
if e, a := config.Name, deployutil.DeploymentConfigNameFor(deployment); e != a {
t.Fatalf("Expected deployment annotated with deploymentConfig '%s', got '%s'", e, a)
}
if e, a := 1, deployutil.DeploymentVersionFor(deployment); e != a {
t.Fatalf("Deployment annotation version does not match: %#v", deployment)
}
}
func TestBasicUserBasedGroupManipulation(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// make sure we don't get back system groups
firstValerie, err := clusterAdminClient.Users().Get("valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if len(firstValerie.Groups) != 0 {
t.Errorf("unexpected groups: %v", firstValerie.Groups)
}
// make sure that user/~ returns groups for unbacked users
expectedClusterAdminGroups := []string{"system:cluster-admins"}
clusterAdminUser, err := clusterAdminClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !reflect.DeepEqual(clusterAdminUser.Groups, expectedClusterAdminGroups) {
t.Errorf("expected %v, got %v", clusterAdminUser.Groups, expectedClusterAdminGroups)
}
valerieGroups := []string{"theGroup"}
firstValerie.Groups = append(firstValerie.Groups, valerieGroups...)
_, err = clusterAdminClient.Users().Update(firstValerie)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// make sure that user/~ doesn't get back system groups when it merges
secondValerie, err := valerieOpenshiftClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !reflect.DeepEqual(secondValerie.Groups, valerieGroups) {
t.Errorf("expected %v, got %v", secondValerie.Groups, valerieGroups)
}
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err == nil {
t.Fatalf("expected error")
}
emptyProject := &projectapi.Project{}
emptyProject.Name = "empty"
_, err = clusterAdminClient.Projects().Create(emptyProject)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
roleBinding := &authorizationapi.RoleBinding{}
roleBinding.Name = "admins"
roleBinding.RoleRef.Name = "admin"
roleBinding.Subjects = authorizationapi.BuildSubjects([]string{}, valerieGroups, uservalidation.ValidateUserName, uservalidation.ValidateGroupName)
_, err = clusterAdminClient.RoleBindings("empty").Create(roleBinding)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(valerieOpenshiftClient, "empty", "get", kapi.Resource("pods"), true); err != nil {
t.Error(err)
}
// make sure that user groups are respected for policy
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
}
func TestAuthorizationResolution(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err = clusterAdminClient.ClusterRoles().Delete(bootstrappolicy.ViewRoleName); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// try to add Valerie to a non-existent role
if err := addValerie.AddRole(); !kapierror.IsNotFound(err) {
t.Fatalf("unexpected error: %v", err)
}
roleWithGroup := &authorizationapi.ClusterRole{}
roleWithGroup.Name = "with-group"
roleWithGroup.Rules = append(roleWithGroup.Rules, authorizationapi.PolicyRule{
Verbs: sets.NewString("list"),
Resources: sets.NewString(authorizationapi.BuildGroupName),
})
if _, err := clusterAdminClient.ClusterRoles().Create(roleWithGroup); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addBuildLister := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: "with-group",
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"build-lister"},
}
if err := addBuildLister.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
buildListerClient, _, _, err := testutil.GetClientForUser(*clusterAdminConfig, "build-lister")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := buildListerClient.Builds(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := buildListerClient.DeploymentConfigs(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden, got %v", err)
}
}
func TestAuthorizationSubjectAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
dannyClient, err := testutil.GetClientForUser(*clusterAdminClientConfig, "danny")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
addDanny := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("default", clusterAdminClient),
Users: []string{"danny"},
}
if err := addDanny.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
askCanDannyGetProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "get", Resource: "projects"}
subjectAccessReviewTest{
description: "cluster admin told danny can get project default",
clientInterface: clusterAdminClient.SubjectAccessReviews("default"),
review: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in default",
Namespace: "default",
},
}.run(t)
subjectAccessReviewTest{
description: "cluster admin told danny cannot get projects cluster-wide",
clientInterface: clusterAdminClient.ClusterSubjectAccessReviews(),
review: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot get projects at the cluster scope`,
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "as danny, can I make cluster subject access reviews",
clientInterface: dannyClient.ClusterSubjectAccessReviews(),
review: askCanDannyGetProject,
err: `User "danny" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
askCanValerieGetProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "get", Resource: "projects"}
subjectAccessReviewTest{
description: "harold told valerie can get project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
subjectAccessReviewTest{
description: "mark told valerie cannot get project mallet-project",
clientInterface: markClient.SubjectAccessReviews("mallet-project"),
review: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot get projects in project "mallet-project"`,
Namespace: "mallet-project",
},
}.run(t)
askCanEdgarDeletePods := &authorizationapi.SubjectAccessReview{User: "******", Verb: "delete", Resource: "pods"}
subjectAccessReviewTest{
description: "mark told edgar can delete pods in mallet-project",
clientInterface: markClient.SubjectAccessReviews("mallet-project"),
review: askCanEdgarDeletePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in mallet-project",
Namespace: "mallet-project",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run subject access review in project mallet-project",
clientInterface: haroldClient.SubjectAccessReviews("mallet-project"),
review: askCanEdgarDeletePods,
err: `User "harold" cannot create subjectaccessreviews in project "mallet-project"`,
}.run(t)
askCanHaroldUpdateProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "update", Resource: "projects"}
subjectAccessReviewTest{
description: "harold told harold can update project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanHaroldUpdateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanClusterAdminsCreateProject := &authorizationapi.SubjectAccessReview{Groups: util.NewStringSet("system:cluster-admins"), Verb: "create", Resource: "projects"}
subjectAccessReviewTest{
description: "cluster admin told cluster admins can create projects",
clientInterface: clusterAdminClient.ClusterSubjectAccessReviews(),
review: askCanClusterAdminsCreateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by cluster rule:",
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run cluster subject access review",
clientInterface: haroldClient.ClusterSubjectAccessReviews(),
review: askCanClusterAdminsCreateProject,
err: `User "harold" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
askCanICreatePods := &authorizationapi.SubjectAccessReview{Verb: "create", Resource: "pods"}
subjectAccessReviewTest{
description: "harold told he can create pods in project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanICreatePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanICreatePolicyBindings := &authorizationapi.SubjectAccessReview{Verb: "create", Resource: "policybindings"}
subjectAccessReviewTest{
description: "harold told he can create policybindings in project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "harold" cannot create policybindings in project "hammer-project"`,
Namespace: "hammer-project",
},
}.run(t)
}
func TestEndpointAdmission(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("error creating config: %v", err)
}
masterConfig.KubernetesMasterConfig.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{
"RestrictedEndpointsAdmission": {
Configuration: &configapi.DefaultAdmissionConfig{},
},
}
masterConfig.NetworkConfig.ClusterNetworkCIDR = clusterNetworkCIDR
masterConfig.NetworkConfig.ServiceNetworkCIDR = serviceNetworkCIDR
kubeConfigFile, err := testserver.StartConfiguredMaster(masterConfig)
if err != nil {
t.Fatalf("error starting server: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting kube client: %v", err)
}
clusterAdminOSClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client: %v", err)
}
clientConfig, err := testutil.GetClusterAdminClientConfig(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client config: %v", err)
}
// Cluster admin
testOne(t, clusterAdminKubeClient, "default", "cluster", true)
testOne(t, clusterAdminKubeClient, "default", "service", true)
testOne(t, clusterAdminKubeClient, "default", "external", true)
// Endpoint controller service account
_, serviceAccountClient, _, err := testutil.GetClientForServiceAccount(clusterAdminKubeClient, *clientConfig, bootstrappolicy.DefaultOpenShiftInfraNamespace, bootstrappolicy.InfraEndpointControllerServiceAccountName)
if err != nil {
t.Fatalf("error getting endpoint controller service account: %v", err)
}
testOne(t, serviceAccountClient, "default", "cluster", true)
testOne(t, serviceAccountClient, "default", "service", true)
testOne(t, serviceAccountClient, "default", "external", true)
// Project admin
_, err = testserver.CreateNewProject(clusterAdminOSClient, *clientConfig, "myproject", "myadmin")
if err != nil {
t.Fatalf("error creating project: %v", err)
}
_, projectAdminClient, _, err := testutil.GetClientForUser(*clientConfig, "myadmin")
if err != nil {
t.Fatalf("error getting project admin client: %v", err)
}
testOne(t, projectAdminClient, "myproject", "cluster", false)
testOne(t, projectAdminClient, "myproject", "service", false)
testOne(t, projectAdminClient, "myproject", "external", true)
// User without restricted endpoint permission can't modify IPs but can still do other modifications
ep := testOne(t, clusterAdminKubeClient, "myproject", "cluster", true)
ep.Annotations = map[string]string{"foo": "bar"}
ep, err = projectAdminClient.Endpoints("myproject").Update(ep)
if err != nil {
t.Fatalf("unexpected error updating endpoint annotation: %v", err)
}
ep.Subsets[0].Addresses[0].IP = exampleAddresses["service"]
ep, err = projectAdminClient.Endpoints("myproject").Update(ep)
if err == nil {
t.Fatalf("unexpected success modifying endpoint")
}
}
func TestInvalidRoleRefs(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
bobClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "bob")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
aliceClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "alice")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "foo", "bob"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "bar", "alice"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
roleName := "missing-role"
if _, err := clusterAdminClient.ClusterRoles().Create(&authorizationapi.ClusterRole{ObjectMeta: kapi.ObjectMeta{Name: roleName}}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
modifyRole := &policy.RoleModificationOptions{RoleName: roleName, Users: []string{"someuser"}}
// mess up rolebindings in "foo"
modifyRole.RoleBindingAccessor = policy.NewLocalRoleBindingAccessor("foo", clusterAdminClient)
if err := modifyRole.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// mess up rolebindings in "bar"
modifyRole.RoleBindingAccessor = policy.NewLocalRoleBindingAccessor("bar", clusterAdminClient)
if err := modifyRole.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// mess up clusterrolebindings
modifyRole.RoleBindingAccessor = policy.NewClusterRoleBindingAccessor(clusterAdminClient)
if err := modifyRole.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Orphan the rolebindings by deleting the role
if err := clusterAdminClient.ClusterRoles().Delete(roleName); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// wait for evaluation errors to show up in both namespaces and at cluster scope
if err := wait.PollImmediate(100*time.Millisecond, 10*time.Second, func() (bool, error) {
review := &authorizationapi.ResourceAccessReview{Action: authorizationapi.Action{Verb: "get", Resource: "pods"}}
review.Action.Namespace = "foo"
if resp, err := clusterAdminClient.ResourceAccessReviews().Create(review); err != nil || resp.EvaluationError == "" {
return false, err
}
review.Action.Namespace = "bar"
if resp, err := clusterAdminClient.ResourceAccessReviews().Create(review); err != nil || resp.EvaluationError == "" {
return false, err
}
review.Action.Namespace = ""
if resp, err := clusterAdminClient.ResourceAccessReviews().Create(review); err != nil || resp.EvaluationError == "" {
return false, err
}
return true, nil
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Make sure bob still sees his project (and only his project)
if projects, err := bobClient.Projects().List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %v", err)
} else if hasErr := hasExactlyTheseProjects(projects, sets.NewString("foo")); hasErr != nil {
t.Error(hasErr)
}
// Make sure alice still sees her project (and only her project)
if projects, err := aliceClient.Projects().List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %v", err)
} else if hasErr := hasExactlyTheseProjects(projects, sets.NewString("bar")); hasErr != nil {
t.Error(hasErr)
}
// Make sure cluster admin still sees all projects
if projects, err := clusterAdminClient.Projects().List(kapi.ListOptions{}); err != nil {
t.Fatalf("unexpected error: %v", err)
} else {
projectNames := sets.NewString()
for _, project := range projects.Items {
projectNames.Insert(project.Name)
}
if !projectNames.HasAll("foo", "bar", "openshift-infra", "openshift", "default") {
t.Errorf("Expected projects foo and bar, got %v", projectNames.List())
}
}
}
func TestScopedProjectAccess(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
fullBobClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "bob")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
oneTwoBobClient, _, _, err := testutil.GetScopedClientForUser(clusterAdminClient, *clusterAdminClientConfig, "bob", []string{
scope.UserListScopedProjects,
scope.ClusterRoleIndicator + "view:one",
scope.ClusterRoleIndicator + "view:two",
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
twoThreeBobClient, _, _, err := testutil.GetScopedClientForUser(clusterAdminClient, *clusterAdminClientConfig, "bob", []string{
scope.UserListScopedProjects,
scope.ClusterRoleIndicator + "view:two",
scope.ClusterRoleIndicator + "view:three",
})
allBobClient, _, _, err := testutil.GetScopedClientForUser(clusterAdminClient, *clusterAdminClientConfig, "bob", []string{
scope.UserListScopedProjects,
scope.ClusterRoleIndicator + "view:*",
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
oneTwoWatch, err := oneTwoBobClient.Projects().Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
twoThreeWatch, err := twoThreeBobClient.Projects().Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
allWatch, err := allBobClient.Projects().Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "one", "bob"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForOnlyAdd("one", allWatch, t)
waitForOnlyAdd("one", oneTwoWatch, t)
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "two", "bob"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForOnlyAdd("two", allWatch, t)
waitForOnlyAdd("two", oneTwoWatch, t)
waitForOnlyAdd("two", twoThreeWatch, t)
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "three", "bob"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForOnlyAdd("three", allWatch, t)
waitForOnlyAdd("three", twoThreeWatch, t)
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "four", "bob"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForOnlyAdd("four", allWatch, t)
oneTwoProjects, err := oneTwoBobClient.Projects().List(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := hasExactlyTheseProjects(oneTwoProjects, sets.NewString("one", "two")); err != nil {
t.Error(err)
}
twoThreeProjects, err := twoThreeBobClient.Projects().List(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := hasExactlyTheseProjects(twoThreeProjects, sets.NewString("two", "three")); err != nil {
t.Error(err)
}
allProjects, err := allBobClient.Projects().List(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := hasExactlyTheseProjects(allProjects, sets.NewString("one", "two", "three", "four")); err != nil {
t.Error(err)
}
if err := fullBobClient.Projects().Delete("four"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForOnlyDelete("four", allWatch, t)
if err := fullBobClient.Projects().Delete("three"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForOnlyDelete("three", allWatch, t)
waitForOnlyDelete("three", twoThreeWatch, t)
if err := fullBobClient.Projects().Delete("two"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForOnlyDelete("two", allWatch, t)
waitForOnlyDelete("two", oneTwoWatch, t)
waitForOnlyDelete("two", twoThreeWatch, t)
if err := fullBobClient.Projects().Delete("one"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForOnlyDelete("one", allWatch, t)
waitForOnlyDelete("one", oneTwoWatch, t)
}
func TestProjectWatch(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
bobClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "bob")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
w, err := bobClient.Projects().Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "ns-01", "bob"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForAdd("ns-01", w, t)
// TEST FOR ADD/REMOVE ACCESS
joeClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "ns-02", "joe")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addBob := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("ns-02", joeClient),
Users: []string{"bob"},
}
if err := addBob.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForAdd("ns-02", w, t)
if err := addBob.RemoveRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForDelete("ns-02", w, t)
// TEST FOR DELETE PROJECT
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "ns-03", "bob"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForAdd("ns-03", w, t)
if err := bobClient.Projects().Delete("ns-03"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// wait for the delete
waitForDelete("ns-03", w, t)
// test the "start from beginning watch"
beginningWatch, err := bobClient.Projects().Watch(kapi.ListOptions{ResourceVersion: "0"})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForAdd("ns-01", beginningWatch, t)
fromNowWatch, err := bobClient.Projects().Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
select {
case event := <-fromNowWatch.ResultChan():
t.Fatalf("unexpected event %v", event)
case <-time.After(3 * time.Second):
}
}
func TestExtensionsAPIDeletion(t *testing.T) {
const projName = "ext-deletion-proj"
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// create the containing project
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projName, "admin"); err != nil {
t.Fatalf("unexpected error creating the project: %v", err)
}
projectAdminClient, projectAdminKubeClient, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "admin")
if err != nil {
t.Fatalf("unexpected error getting project admin client: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectAdminClient, projName, "get", expapi.Resource("horizontalpodautoscalers"), true); err != nil {
t.Fatalf("unexpected error waiting for policy update: %v", err)
}
// create the extensions resources as the project admin
percent := int32(10)
hpa := autoscaling.HorizontalPodAutoscaler{
ObjectMeta: kapi.ObjectMeta{Name: "test-hpa"},
Spec: autoscaling.HorizontalPodAutoscalerSpec{
ScaleTargetRef: autoscaling.CrossVersionObjectReference{Kind: "DeploymentConfig", Name: "frontend", APIVersion: "v1"},
MaxReplicas: 10,
TargetCPUUtilizationPercentage: &percent,
},
}
if _, err := projectAdminKubeClient.Autoscaling().HorizontalPodAutoscalers(projName).Create(&hpa); err != nil {
t.Fatalf("unexpected error creating the HPA object: %v", err)
}
job := batch.Job{
ObjectMeta: kapi.ObjectMeta{Name: "test-job"},
Spec: batch.JobSpec{
Template: kapi.PodTemplateSpec{
ObjectMeta: kapi.ObjectMeta{Labels: map[string]string{"foo": "bar"}},
Spec: kapi.PodSpec{
Containers: []kapi.Container{{Name: "baz", Image: "run"}},
RestartPolicy: kapi.RestartPolicyOnFailure,
},
},
},
}
if _, err := projectAdminKubeClient.Extensions().Jobs(projName).Create(&job); err != nil {
t.Fatalf("unexpected error creating the job object: %v", err)
}
if err := clusterAdminClient.Projects().Delete(projName); err != nil {
t.Fatalf("unexpected error deleting the project: %v", err)
}
err = wait.PollImmediate(1*time.Second, 30*time.Second, func() (bool, error) {
_, err := clusterAdminKubeClient.Namespaces().Get(projName)
if errors.IsNotFound(err) {
return true, nil
}
return false, err
})
if err != nil {
t.Fatalf("unexpected error while waiting for project to delete: %v", err)
}
if _, err := clusterAdminKubeClient.Autoscaling().HorizontalPodAutoscalers(projName).Get(hpa.Name); err == nil {
t.Fatalf("HPA object was still present after project was deleted!")
} else if !errors.IsNotFound(err) {
t.Fatalf("Error trying to get deleted HPA object (not a not-found error): %v", err)
}
if _, err := clusterAdminKubeClient.Extensions().Jobs(projName).Get(job.Name); err == nil {
t.Fatalf("Job object was still present after project was deleted!")
} else if !errors.IsNotFound(err) {
t.Fatalf("Error trying to get deleted Job object (not a not-found error): %v", err)
}
}
func TestAuthorizationSubjectAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
dannyClient, _, dannyConfig, err := testutil.GetClientForUser(*clusterAdminClientConfig, "danny")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
addDanny := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("default", clusterAdminClient),
Users: []string{"danny"},
}
if err := addDanny.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
askCanDannyGetProject := &authorizationapi.SubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
}
subjectAccessReviewTest{
description: "cluster admin told danny can get project default",
localInterface: clusterAdminClient.LocalSubjectAccessReviews("default"),
localReview: &authorizationapi.LocalSubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in default",
Namespace: "default",
},
}.run(t)
subjectAccessReviewTest{
description: "cluster admin told danny cannot get projects cluster-wide",
clusterInterface: clusterAdminClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot get projects at the cluster scope`,
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "as danny, can I make cluster subject access reviews",
clusterInterface: dannyClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
err: `User "danny" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
askCanValerieGetProject := &authorizationapi.LocalSubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
}
subjectAccessReviewTest{
description: "harold told valerie can get project hammer-project",
localInterface: haroldClient.LocalSubjectAccessReviews("hammer-project"),
localReview: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
subjectAccessReviewTest{
description: "mark told valerie cannot get project mallet-project",
localInterface: markClient.LocalSubjectAccessReviews("mallet-project"),
localReview: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot get projects in project "mallet-project"`,
Namespace: "mallet-project",
},
}.run(t)
askCanEdgarDeletePods := &authorizationapi.LocalSubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "delete", Resource: "pods"},
}
subjectAccessReviewTest{
description: "mark told edgar can delete pods in mallet-project",
localInterface: markClient.LocalSubjectAccessReviews("mallet-project"),
localReview: askCanEdgarDeletePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in mallet-project",
Namespace: "mallet-project",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run subject access review in project mallet-project",
localInterface: haroldClient.LocalSubjectAccessReviews("mallet-project"),
localReview: askCanEdgarDeletePods,
err: `User "harold" cannot create localsubjectaccessreviews in project "mallet-project"`,
}.run(t)
askCanHaroldUpdateProject := &authorizationapi.LocalSubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "update", Resource: "projects"},
}
subjectAccessReviewTest{
description: "harold told harold can update project hammer-project",
localInterface: haroldClient.LocalSubjectAccessReviews("hammer-project"),
localReview: askCanHaroldUpdateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanClusterAdminsCreateProject := &authorizationapi.SubjectAccessReview{
Groups: sets.NewString("system:cluster-admins"),
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "projects"},
}
subjectAccessReviewTest{
description: "cluster admin told cluster admins can create projects",
clusterInterface: clusterAdminClient.SubjectAccessReviews(),
clusterReview: askCanClusterAdminsCreateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by cluster rule",
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run cluster subject access review",
clusterInterface: haroldClient.SubjectAccessReviews(),
clusterReview: askCanClusterAdminsCreateProject,
err: `User "harold" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
askCanICreatePods := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "pods"},
}
subjectAccessReviewTest{
description: "harold told he can create pods in project hammer-project",
localInterface: haroldClient.LocalSubjectAccessReviews("hammer-project"),
localReview: askCanICreatePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "policybindings"},
}
subjectAccessReviewTest{
description: "harold told he can create policybindings in project hammer-project",
localInterface: haroldClient.LocalSubjectAccessReviews("hammer-project"),
localReview: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "harold" cannot create policybindings in project "hammer-project"`,
Namespace: "hammer-project",
},
}.run(t)
// impersonate SAR tests
// impersonated empty token SAR shouldn't be allowed at all
// impersonated danny token SAR shouldn't be allowed to see pods in hammer or in cluster
// impersonated danny token SAR should be allowed to see pods in default
// we need a token client for overriding
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
otherAdminClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "other-admin")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
addOtherAdmin := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ClusterAdminRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"other-admin"},
}
if err := addOtherAdmin.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
subjectAccessReviewTest{
description: "empty token impersonate can't see pods in namespace",
localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("hammer-project", ""),
localReview: &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
err: `impersonating token may not be empty`,
}.run(t)
subjectAccessReviewTest{
description: "empty token impersonate can't see pods in cluster",
clusterInterface: otherAdminClient.ImpersonateSubjectAccessReviews(""),
clusterReview: &authorizationapi.SubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
err: `impersonating token may not be empty`,
}.run(t)
subjectAccessReviewTest{
description: "danny impersonate can't see pods in hammer namespace",
localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("hammer-project", dannyConfig.BearerToken),
localReview: &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot list pods in project "hammer-project"`,
Namespace: "hammer-project",
},
}.run(t)
subjectAccessReviewTest{
description: "danny impersonate can't see pods in cluster",
clusterInterface: otherAdminClient.ImpersonateSubjectAccessReviews(dannyConfig.BearerToken),
clusterReview: &authorizationapi.SubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot list all pods in the cluster`,
},
}.run(t)
subjectAccessReviewTest{
description: "danny impersonate can see pods in default",
localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("default", dannyConfig.BearerToken),
localReview: &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: `allowed by rule in default`,
Namespace: "default",
},
}.run(t)
}
func TestBasicGroupManipulation(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
theGroup := &userapi.Group{}
theGroup.Name = "thegroup"
theGroup.Users = append(theGroup.Users, "valerie", "victor")
_, err = clusterAdminClient.Groups().Create(theGroup)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err == nil {
t.Fatalf("expected error")
}
emptyProject := &projectapi.Project{}
emptyProject.Name = "empty"
_, err = clusterAdminClient.Projects().Create(emptyProject)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
roleBinding := &authorizationapi.RoleBinding{}
roleBinding.Name = "admins"
roleBinding.RoleRef.Name = "admin"
roleBinding.Groups = util.NewStringSet(theGroup.Name)
_, err = clusterAdminClient.RoleBindings("empty").Create(roleBinding)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(valerieOpenshiftClient, "empty", "get", "pods", true); err != nil {
t.Error(err)
}
// make sure that user groups are respected for policy
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
victorOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "victor")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = victorOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
func TestDeployScale(t *testing.T) {
const namespace = "test-deploy-scale"
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "my-test-user")
checkErr(t, err)
osClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "my-test-user")
checkErr(t, err)
config := deploytest.OkDeploymentConfig(0)
config.Spec.Triggers = []deployapi.DeploymentTriggerPolicy{}
config.Spec.Replicas = 1
dc, err := osClient.DeploymentConfigs(namespace).Create(config)
if err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v %#v", err, config)
}
condition := func() (bool, error) {
config, err := osClient.DeploymentConfigs(namespace).Get(dc.Name)
if err != nil {
return false, nil
}
return deployutil.HasSynced(config), nil
}
if err := wait.PollImmediate(500*time.Millisecond, 10*time.Second, condition); err != nil {
t.Fatalf("Deployment config never synced: %v", err)
}
scale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if scale.Spec.Replicas != 1 {
t.Fatalf("Expected scale.spec.replicas=1, got %#v", scale)
}
scaleUpdate := deployapi.ScaleFromConfig(dc)
scaleUpdate.Spec.Replicas = 3
updatedScale, err := osClient.DeploymentConfigs(namespace).UpdateScale(scaleUpdate)
if err != nil {
// If this complains about "Scale" not being registered in "v1", check the kind overrides in the API registration in SubresourceGroupVersionKind
t.Fatalf("Couldn't update DeploymentConfig scale to %#v: %v", scaleUpdate, err)
}
if updatedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
persistedScale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if persistedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
}
func setupBuildStrategyTest(t *testing.T, includeControllers bool) (clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
testutil.RequireEtcd(t)
namespace := testutil.Namespace()
var clusterAdminKubeConfig string
var err error
if includeControllers {
_, clusterAdminKubeConfig, err = testserver.StartTestMaster()
} else {
_, clusterAdminKubeConfig, err = testserver.StartTestMasterAPI()
}
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectAdminClient, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addJoe := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, projectAdminClient),
Users: []string{"joe"},
}
if err := addJoe.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectEditorClient, namespace, "create", buildapi.Resource(authorizationapi.DockerBuildResource), true); err != nil {
t.Fatalf(err.Error())
}
// we need a template that doesn't create service accounts or rolebindings so editors can create
// pipeline buildconfig's successfully, so we're not using the standard jenkins template.
// but we do need a template that creates a service named jenkins.
template, err := testutil.GetTemplateFixture("../../examples/jenkins/master-slave/jenkins-master-template.json")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// pipeline defaults expect to find a template named jenkins-ephemeral
// in the openshift namespace.
template.Name = "jenkins-ephemeral"
template.Namespace = "openshift"
_, err = clusterAdminClient.Templates("openshift").Create(template)
if err != nil {
t.Fatalf("Couldn't create jenkins template: %v", err)
}
return
}
func TestBasicGroupManipulation(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
theGroup := &userapi.Group{}
theGroup.Name = "thegroup"
theGroup.Users = append(theGroup.Users, "valerie", "victor")
_, err = clusterAdminClient.Groups().Create(theGroup)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err == nil {
t.Fatalf("expected error")
}
emptyProject := &projectapi.Project{}
emptyProject.Name = "empty"
_, err = clusterAdminClient.Projects().Create(emptyProject)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
roleBinding := &authorizationapi.RoleBinding{}
roleBinding.Name = "admins"
roleBinding.RoleRef.Name = "admin"
roleBinding.Subjects = authorizationapi.BuildSubjects([]string{}, []string{theGroup.Name}, uservalidation.ValidateUserName, uservalidation.ValidateGroupName)
_, err = clusterAdminClient.RoleBindings("empty").Create(roleBinding)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(valerieOpenshiftClient, "empty", "get", kapi.Resource("pods"), true); err != nil {
t.Error(err)
}
// make sure that user groups are respected for policy
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
victorOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "victor")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = victorOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
func TestExtensionsAPIDeletion(t *testing.T) {
const projName = "ext-deletion-proj"
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// create the containing project
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projName, "admin"); err != nil {
t.Fatalf("unexpected error creating the project: %v", err)
}
projectAdminClient, projectAdminKubeClient, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "admin")
if err != nil {
t.Fatalf("unexpected error getting project admin client: %v", err)
}
// TODO: switch to checking "list","horizontalpodautoscalers" once SAR supports API groups
if err := testutil.WaitForPolicyUpdate(projectAdminClient, projName, "get", "pods", true); err != nil {
t.Fatalf("unexpected error waiting for policy update: %v", err)
}
// create the extensions resources as the project admin
hpa := expapi.HorizontalPodAutoscaler{
ObjectMeta: kapi.ObjectMeta{Name: "test-hpa"},
Spec: expapi.HorizontalPodAutoscalerSpec{
ScaleRef: expapi.SubresourceReference{Kind: "DeploymentConfig", Name: "frontend", APIVersion: "v1", Subresource: "scale"},
MaxReplicas: 10,
CPUUtilization: &expapi.CPUTargetUtilization{TargetPercentage: 10},
},
}
if _, err := projectAdminKubeClient.Extensions().HorizontalPodAutoscalers(projName).Create(&hpa); err != nil {
t.Fatalf("unexpected error creating the HPA object: %v", err)
}
job := expapi.Job{
ObjectMeta: kapi.ObjectMeta{Name: "test-job"},
Spec: expapi.JobSpec{
Selector: &unversioned.LabelSelector{MatchLabels: map[string]string{"foo": "bar"}},
Template: kapi.PodTemplateSpec{
ObjectMeta: kapi.ObjectMeta{Labels: map[string]string{"foo": "bar"}},
Spec: kapi.PodSpec{
Containers: []kapi.Container{{Name: "baz", Image: "run"}},
RestartPolicy: kapi.RestartPolicyOnFailure,
},
},
},
}
if _, err := projectAdminKubeClient.Extensions().Jobs(projName).Create(&job); err != nil {
t.Fatalf("unexpected error creating the job object: %v", err)
}
if err := clusterAdminClient.Projects().Delete(projName); err != nil {
t.Fatalf("unexpected error deleting the project: %v", err)
}
err = wait.PollImmediate(1*time.Second, 30*time.Second, func() (bool, error) {
_, err := clusterAdminKubeClient.Namespaces().Get(projName)
if errors.IsNotFound(err) {
return true, nil
}
return false, err
})
if err != nil {
t.Fatalf("unexpected error while waiting for project to delete: %v", err)
}
if _, err := clusterAdminKubeClient.Extensions().HorizontalPodAutoscalers(projName).Get(hpa.Name); err == nil {
t.Fatalf("HPA object was still present after project was deleted!")
} else if !errors.IsNotFound(err) {
t.Fatalf("Error trying to get deleted HPA object (not a not-found error): %v", err)
}
if _, err := clusterAdminKubeClient.Extensions().Jobs(projName).Get(job.Name); err == nil {
t.Fatalf("Job object was still present after project was deleted!")
} else if !errors.IsNotFound(err) {
t.Fatalf("Error trying to get deleted Job object (not a not-found error): %v", err)
}
}
func TestNodeAuth(t *testing.T) {
// Server config
masterConfig, nodeConfig, adminKubeConfigFile, err := testserver.StartTestAllInOne()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Cluster admin clients and client configs
adminClient, err := testutil.GetClusterAdminKubeClient(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
originAdminClient, err := testutil.GetClusterAdminClient(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
adminConfig, err := testutil.GetClusterAdminClientConfig(adminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Client configs for lesser users
masterKubeletClientConfig := configapi.GetKubeletClientConfig(*masterConfig)
anonymousConfig := clientcmd.AnonymousClientConfig(*adminConfig)
badTokenConfig := clientcmd.AnonymousClientConfig(*adminConfig)
badTokenConfig.BearerToken = "bad-token"
bobClient, _, bobConfig, err := testutil.GetClientForUser(*adminConfig, "bob")
_, _, aliceConfig, err := testutil.GetClientForUser(*adminConfig, "alice")
sa1Client, _, sa1Config, err := testutil.GetClientForServiceAccount(adminClient, *adminConfig, "default", "sa1")
_, _, sa2Config, err := testutil.GetClientForServiceAccount(adminClient, *adminConfig, "default", "sa2")
// Grant Bob system:node-reader, which should let them read metrics and stats
addBob := &policy.RoleModificationOptions{
RoleName: bootstrappolicy.NodeReaderRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(originAdminClient),
Subjects: []kapi.ObjectReference{{Kind: "User", Name: "bob"}},
}
if err := addBob.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Grant sa1 system:cluster-reader, which should let them read metrics and stats
addSA1 := &policy.RoleModificationOptions{
RoleName: bootstrappolicy.ClusterReaderRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(originAdminClient),
Subjects: []kapi.ObjectReference{{Kind: "ServiceAccount", Namespace: "default", Name: "sa1"}},
}
if err := addSA1.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Wait for policy cache
if err := testutil.WaitForClusterPolicyUpdate(bobClient, "get", "nodes/metrics", true); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForClusterPolicyUpdate(sa1Client, "get", "nodes/metrics", true); err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, nodePort, err := net.SplitHostPort(nodeConfig.ServingInfo.BindAddress)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
nodePortInt, err := strconv.ParseInt(nodePort, 0, 0)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
nodeTLS := configapi.UseTLS(nodeConfig.ServingInfo)
kubeletClientConfig := func(config *kclient.Config) *kubeletclient.KubeletClientConfig {
return &kubeletclient.KubeletClientConfig{
Port: uint(nodePortInt),
EnableHttps: nodeTLS,
TLSClientConfig: config.TLSClientConfig,
BearerToken: config.BearerToken,
}
}
testCases := map[string]struct {
KubeletClientConfig *kubeletclient.KubeletClientConfig
Forbidden bool
NodeViewer bool
NodeAdmin bool
}{
"bad token": {
KubeletClientConfig: kubeletClientConfig(&badTokenConfig),
},
"anonymous": {
KubeletClientConfig: kubeletClientConfig(&anonymousConfig),
Forbidden: true,
},
"cluster admin": {
KubeletClientConfig: kubeletClientConfig(adminConfig),
NodeAdmin: true,
},
"master kubelet client": {
KubeletClientConfig: masterKubeletClientConfig,
NodeAdmin: true,
},
"bob": {
KubeletClientConfig: kubeletClientConfig(bobConfig),
NodeViewer: true,
},
"alice": {
KubeletClientConfig: kubeletClientConfig(aliceConfig),
Forbidden: true,
},
"sa1": {
KubeletClientConfig: kubeletClientConfig(sa1Config),
NodeViewer: true,
},
"sa2": {
KubeletClientConfig: kubeletClientConfig(sa2Config),
Forbidden: true,
},
}
for k, tc := range testCases {
var (
// expected result for requests a viewer should be able to make
viewResult int
// expected result for requests an admin should be able to make (that can actually complete with a 200 in our tests)
adminResultOK int
// expected result for requests an admin should be able to make (that return a 404 in this test if the authn/authz layer is completed)
adminResultMissing int
)
switch {
case tc.NodeAdmin:
viewResult = http.StatusOK
adminResultOK = http.StatusOK
adminResultMissing = http.StatusNotFound
case tc.NodeViewer:
viewResult = http.StatusOK
adminResultOK = http.StatusForbidden
adminResultMissing = http.StatusForbidden
case tc.Forbidden:
viewResult = http.StatusForbidden
adminResultOK = http.StatusForbidden
adminResultMissing = http.StatusForbidden
default:
viewResult = http.StatusUnauthorized
adminResultOK = http.StatusUnauthorized
adminResultMissing = http.StatusUnauthorized
}
requests := []testRequest{
// Responses to invalid paths are the same for all users
{"GET", "/", http.StatusNotFound},
{"GET", "/stats", http.StatusMovedPermanently}, // ServeMux redirects to the directory
{"GET", "/logs", http.StatusMovedPermanently}, // ServeMux redirects to the directory
{"GET", "/invalid", http.StatusNotFound},
// viewer requests
{"GET", "/metrics", viewResult},
{"GET", "/stats/", viewResult},
{"POST", "/stats/", viewResult}, // stats requests can be POSTs which contain query options
// successful admin requests
{"GET", "/healthz", adminResultOK},
{"GET", "/pods", adminResultOK},
{"GET", "/logs/", adminResultOK},
// not found admin requests
{"GET", "/containerLogs/mynamespace/mypod/mycontainer", adminResultMissing},
{"POST", "/exec/mynamespace/mypod/mycontainer", adminResultMissing},
{"POST", "/run/mynamespace/mypod/mycontainer", adminResultMissing},
{"POST", "/attach/mynamespace/mypod/mycontainer", adminResultMissing},
{"POST", "/portForward/mynamespace/mypod/mycontainer", adminResultMissing},
// GET is supported in origin on /exec and /attach for backwards compatibility
// make sure node admin permissions are required
{"GET", "/exec/mynamespace/mypod/mycontainer", adminResultMissing},
{"GET", "/attach/mynamespace/mypod/mycontainer", adminResultMissing},
}
rt, err := kubeletclient.MakeTransport(tc.KubeletClientConfig)
if err != nil {
t.Errorf("%s: unexpected error: %v", k, err)
continue
}
for _, r := range requests {
req, err := http.NewRequest(r.Method, "https://"+nodeConfig.NodeName+":10250"+r.Path, nil)
if err != nil {
t.Errorf("%s: %s: unexpected error: %v", k, r.Path, err)
continue
}
resp, err := rt.RoundTrip(req)
if err != nil {
t.Errorf("%s: %s: unexpected error: %v", k, r.Path, err)
continue
}
resp.Body.Close()
if resp.StatusCode != r.Result {
t.Errorf("%s: %s: expected %d, got %d", k, r.Path, r.Result, resp.StatusCode)
continue
}
}
}
}
func TestTriggers_configChange(t *testing.T) {
const namespace = "test-triggers-configchange"
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "my-test-user")
checkErr(t, err)
osClient, kubeClient, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "my-test-user")
checkErr(t, err)
config := deploytest.OkDeploymentConfig(0)
config.Namespace = namespace
config.Spec.Triggers[0] = deploytest.OkConfigChangeTrigger()
rcWatch, err := kubeClient.ReplicationControllers(namespace).Watch(labels.Everything(), fields.Everything(), "0")
if err != nil {
t.Fatalf("Couldn't subscribe to Deployments %v", err)
}
defer rcWatch.Stop()
// submit the initial deployment config
if _, err := osClient.DeploymentConfigs(namespace).Create(config); err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v", err)
}
// verify the initial deployment exists
event := <-rcWatch.ResultChan()
if e, a := watchapi.Added, event.Type; e != a {
t.Fatalf("expected watch event type %s, got %s", e, a)
}
deployment := event.Object.(*kapi.ReplicationController)
if e, a := config.Name, deployutil.DeploymentConfigNameFor(deployment); e != a {
t.Fatalf("Expected deployment annotated with deploymentConfig '%s', got '%s'", e, a)
}
assertEnvVarEquals("ENV1", "VAL1", deployment, t)
retryErr := kclient.RetryOnConflict(wait.Backoff{Steps: maxUpdateRetries}, func() error {
// submit a new config with an updated environment variable
config, err := osClient.DeploymentConfigs(namespace).Generate(config.Name)
if err != nil {
return err
}
config.Spec.Template.Spec.Containers[0].Env[0].Value = "UPDATED"
// before we update the config, we need to update the state of the existing deployment
// this is required to be done manually since the deployment and deployer pod controllers are not run in this test
// get this live or conflicts will never end up resolved
liveDeployment, err := kubeClient.ReplicationControllers(deployment.Namespace).Get(deployment.Name)
if err != nil {
return err
}
liveDeployment.Annotations[deployapi.DeploymentStatusAnnotation] = string(deployapi.DeploymentStatusComplete)
// update the deployment
if _, err := kubeClient.ReplicationControllers(namespace).Update(liveDeployment); err != nil {
return err
}
event = <-rcWatch.ResultChan()
if e, a := watchapi.Modified, event.Type; e != a {
t.Fatalf("expected watch event type %s, got %s", e, a)
}
if _, err := osClient.DeploymentConfigs(namespace).Update(config); err != nil {
return err
}
return nil
})
if retryErr != nil {
t.Fatal(retryErr)
}
var newDeployment *kapi.ReplicationController
for {
event = <-rcWatch.ResultChan()
if event.Type != watchapi.Added {
// Discard modifications which could be applied to the original RC, etc.
continue
}
newDeployment = event.Object.(*kapi.ReplicationController)
break
}
assertEnvVarEquals("ENV1", "UPDATED", newDeployment, t)
if newDeployment.Name == deployment.Name {
t.Fatalf("expected new deployment; old=%s, new=%s", deployment.Name, newDeployment.Name)
}
}