Fix integration tests to pass with Kube 1.27/1.28 pre-release builds
Fix test failures that occurred in the k8s-main integration test CI job when using Kube 1.27 and 1.28 pre-release builds.
parent
64263fdb0a
commit
7cd16b179c
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package integration
|
package integration
|
||||||
@ -458,10 +458,19 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr
|
|||||||
}
|
}
|
||||||
require.NotNilf(t, actualResourceList, "could not find groupVersion %s", groupVersion)
|
require.NotNilf(t, actualResourceList, "could not find groupVersion %s", groupVersion)
|
||||||
|
|
||||||
|
for i := range actualResourceList.APIResources {
|
||||||
// Because its hard to predict the storage version hash (e.g. "t/+v41y+3e4="), we just don't
|
// Because its hard to predict the storage version hash (e.g. "t/+v41y+3e4="), we just don't
|
||||||
// worry about comparing that field.
|
// worry about comparing that field.
|
||||||
for i := range actualResourceList.APIResources {
|
|
||||||
actualResourceList.APIResources[i].StorageVersionHash = ""
|
actualResourceList.APIResources[i].StorageVersionHash = ""
|
||||||
|
|
||||||
|
// These fields were empty for a long time but started to be non-empty at some Kubernetes version.
|
||||||
|
// The filled-in fields were first noticed when CI tested against a 1.27 pre-release.
|
||||||
|
// To make this test pass on all versions of Kube, just ignore these fields for now.
|
||||||
|
actualResourceList.APIResources[i].Group = ""
|
||||||
|
actualResourceList.APIResources[i].Version = ""
|
||||||
|
if strings.HasSuffix(actualResourceList.APIResources[i].Name, "/status") {
|
||||||
|
actualResourceList.APIResources[i].SingularName = ""
|
||||||
|
}
|
||||||
}
|
}
|
||||||
require.ElementsMatch(t, expectedResources, actualResourceList.APIResources, "unexpected API resources")
|
require.ElementsMatch(t, expectedResources, actualResourceList.APIResources, "unexpected API resources")
|
||||||
}
|
}
|
||||||
|
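Review bot: Blanking `Group` and `Version` on every entry in the new loop of TestGetAPIResourceList means the test can no longer catch a server that advertises the wrong group or version for a resource; it only needs to tolerate older servers that leave those fields empty. Before clearing, the loop could check that a non-empty value matches what is expected for the group/version under test, e.g. `if g := actualResourceList.APIResources[i].Group; g != "" { require.Equal(t, <expected group>, g) }`, with the same shape for `Version`. The `SingularName` reset for `/status` entries could be bounded the same way instead of accepting any value. The function body starts and ends outside the hunk, so the variables holding the expected group and version are not visible here and `<expected group>` is a placeholder.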
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package integration
|
package integration
|
||||||
@ -47,9 +47,6 @@ func TestServiceAccountPermissions(t *testing.T) {
|
|||||||
// the impersonation proxy SA has the same permissions for all checks because it should only be authorized via cluster role bindings
|
// the impersonation proxy SA has the same permissions for all checks because it should only be authorized via cluster role bindings
|
||||||
|
|
||||||
expectedResourceRules := []authorizationv1.ResourceRule{
|
expectedResourceRules := []authorizationv1.ResourceRule{
|
||||||
// system:basic-user is bound to system:authenticated by default
|
|
||||||
{Verbs: []string{"create"}, APIGroups: []string{"authorization.k8s.io"}, Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"}},
|
|
||||||
|
|
||||||
// the expected impersonation permissions
|
// the expected impersonation permissions
|
||||||
{Verbs: []string{"impersonate"}, APIGroups: []string{""}, Resources: []string{"users", "groups", "serviceaccounts"}},
|
{Verbs: []string{"impersonate"}, APIGroups: []string{""}, Resources: []string{"users", "groups", "serviceaccounts"}},
|
||||||
{Verbs: []string{"impersonate"}, APIGroups: []string{"authentication.k8s.io"}, Resources: []string{"*"}},
|
{Verbs: []string{"impersonate"}, APIGroups: []string{"authentication.k8s.io"}, Resources: []string{"*"}},
|
||||||
@ -59,6 +56,23 @@ func TestServiceAccountPermissions(t *testing.T) {
|
|||||||
{Verbs: []string{"create", "list"}, APIGroups: []string{"identity.concierge." + env.APIGroupSuffix}, Resources: []string{"whoamirequests"}},
|
{Verbs: []string{"create", "list"}, APIGroups: []string{"identity.concierge." + env.APIGroupSuffix}, Resources: []string{"whoamirequests"}},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// system:basic-user is bound to system:authenticated by default, so the SA gets these permissions too.
|
||||||
|
// See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles.
|
||||||
|
// Note that this list previously only included "selfsubjectaccessreviews" and "selfsubjectrulesreviews",
|
||||||
|
// but later was updated in Kubernetes to also include "selfsubjectreviews".
|
||||||
|
// Rather than explicitly listing them all as expectations, dynamically append them here, so this test
|
||||||
|
// can pass against all versions of Kubernetes.
|
||||||
|
basicUserClusterRole, err := testlib.NewKubernetesClientset(t).RbacV1().ClusterRoles().Get(ctx, "system:basic-user", metav1.GetOptions{})
|
||||||
|
require.NoError(t, err)
|
||||||
|
for _, policyRule := range basicUserClusterRole.Rules {
|
||||||
|
expectedResourceRules = append(expectedResourceRules, authorizationv1.ResourceRule{
|
||||||
|
Verbs: policyRule.Verbs,
|
||||||
|
APIGroups: policyRule.APIGroups,
|
||||||
|
Resources: policyRule.Resources,
|
||||||
|
ResourceNames: policyRule.ResourceNames,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
if otherPinnipedGroupSuffix := getOtherPinnipedGroupSuffix(t); len(otherPinnipedGroupSuffix) > 0 {
|
if otherPinnipedGroupSuffix := getOtherPinnipedGroupSuffix(t); len(otherPinnipedGroupSuffix) > 0 {
|
||||||
expectedResourceRules = append(expectedResourceRules,
|
expectedResourceRules = append(expectedResourceRules,
|
||||||
// we bind these to system:authenticated in the other instance of pinniped
|
// we bind these to system:authenticated in the other instance of pinniped
|
||||||
|
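Review bot: The loop over `basicUserClusterRole.Rules` in TestServiceAccountPermissions copies whatever the live cluster returns into `expectedResourceRules`, so the expectation is no longer an independent allow-list: if `system:basic-user` on the test cluster has been broadened, the extra permissions are accepted for every service account checked here. Because this test exists to pin least privilege, the derived rules should be bounded inside the loop, for example with `require.Equal(t, []string{"create"}, policyRule.Verbs)` plus a check that each entry in `policyRule.Resources` is one of the self-subject review resources named in the comment. Separately, a rule that carries only `NonResourceURLs` would be appended as an empty `ResourceRule` and fail the match for an unrelated reason; `if len(policyRule.NonResourceURLs) > 0 { continue }` at the top of the loop avoids that. The function body starts and ends outside the visible hunks.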