d20cab10b9
Those images that are pulled from Dockerhub will cause pull failures on some test clusters due to Dockerhub rate limiting. Because we already have some images that we use for testing, and because those images are already pre-loaded onto our CI clusters to make the tests faster, use one of those images and always specify PullIfNotPresent to avoid pulling the image again during the integration test.
432 lines
14 KiB
Go
432 lines
14 KiB
Go
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
package integration
|
|
|
|
import (
|
|
"context"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
authenticationv1 "k8s.io/api/authentication/v1"
|
|
certificatesv1 "k8s.io/api/certificates/v1"
|
|
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
|
|
corev1 "k8s.io/api/core/v1"
|
|
"k8s.io/apimachinery/pkg/api/errors"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/client-go/rest"
|
|
"k8s.io/client-go/util/cert"
|
|
"k8s.io/client-go/util/certificate/csr"
|
|
"k8s.io/client-go/util/keyutil"
|
|
|
|
identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
|
|
"go.pinniped.dev/test/testlib"
|
|
)
|
|
|
|
func TestWhoAmI_Kubeadm(t *testing.T) {
|
|
// use the cluster signing key being available as a proxy for this being a kubeadm cluster
|
|
// we should add more robust logic around skipping clusters based on vendor
|
|
_ = testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
defer cancel()
|
|
|
|
whoAmI, err := testlib.NewConciergeClientset(t).IdentityV1alpha1().WhoAmIRequests().
|
|
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
// this user info is based off of the bootstrap cert user created by kubeadm
|
|
require.Equal(t,
|
|
&identityv1alpha1.WhoAmIRequest{
|
|
Status: identityv1alpha1.WhoAmIRequestStatus{
|
|
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
|
|
User: identityv1alpha1.UserInfo{
|
|
Username: "kubernetes-admin",
|
|
Groups: []string{
|
|
"system:masters",
|
|
"system:authenticated",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
whoAmI,
|
|
)
|
|
}
|
|
|
|
func TestWhoAmI_ServiceAccount_Legacy(t *testing.T) {
|
|
_ = testlib.IntegrationEnv(t)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
defer cancel()
|
|
|
|
kubeClient := testlib.NewKubernetesClientset(t).CoreV1()
|
|
|
|
ns, err := kubeClient.Namespaces().Create(ctx, &corev1.Namespace{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
GenerateName: "test-whoami-",
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
t.Cleanup(func() {
|
|
require.NoError(t, kubeClient.Namespaces().Delete(context.Background(), ns.Name, metav1.DeleteOptions{}))
|
|
})
|
|
|
|
sa, err := kubeClient.ServiceAccounts(ns.Name).Create(ctx, &corev1.ServiceAccount{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
GenerateName: "test-whoami-",
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
secret, err := kubeClient.Secrets(ns.Name).Create(ctx, &corev1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
GenerateName: "test-whoami-",
|
|
Annotations: map[string]string{
|
|
corev1.ServiceAccountNameKey: sa.Name,
|
|
},
|
|
},
|
|
Type: corev1.SecretTypeServiceAccountToken,
|
|
}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
|
|
secret, err = kubeClient.Secrets(ns.Name).Get(ctx, secret.Name, metav1.GetOptions{})
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return len(secret.Data[corev1.ServiceAccountTokenKey]) > 0, nil
|
|
}, time.Minute, time.Second)
|
|
|
|
saConfig := testlib.NewAnonymousClientRestConfig(t)
|
|
saConfig.BearerToken = string(secret.Data[corev1.ServiceAccountTokenKey])
|
|
|
|
whoAmI, err := testlib.NewKubeclient(t, saConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
|
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
// legacy service account tokens do not have any extra info
|
|
require.Equal(t,
|
|
&identityv1alpha1.WhoAmIRequest{
|
|
Status: identityv1alpha1.WhoAmIRequestStatus{
|
|
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
|
|
User: identityv1alpha1.UserInfo{
|
|
Username: "system:serviceaccount:" + ns.Name + ":" + sa.Name,
|
|
UID: "", // aggregation drops UID: https://github.com/kubernetes/kubernetes/issues/93699
|
|
Groups: []string{
|
|
"system:serviceaccounts",
|
|
"system:serviceaccounts:" + ns.Name,
|
|
"system:authenticated",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
whoAmI,
|
|
)
|
|
}
|
|
|
|
func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
|
|
env := testlib.IntegrationEnv(t)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
defer cancel()
|
|
|
|
kubeClient := testlib.NewKubernetesClientset(t).CoreV1()
|
|
|
|
ns, err := kubeClient.Namespaces().Create(ctx, &corev1.Namespace{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
GenerateName: "test-whoami-",
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
t.Cleanup(func() {
|
|
require.NoError(t, kubeClient.Namespaces().Delete(context.Background(), ns.Name, metav1.DeleteOptions{}))
|
|
})
|
|
|
|
sa, err := kubeClient.ServiceAccounts(ns.Name).Create(ctx, &corev1.ServiceAccount{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
GenerateName: "test-whoami-",
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
_, tokenRequestProbeErr := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{}, metav1.CreateOptions{})
|
|
if errors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" {
|
|
return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
|
|
}
|
|
|
|
pod := testlib.CreatePod(ctx, t, "whoami", ns.Name,
|
|
corev1.PodSpec{
|
|
Containers: []corev1.Container{
|
|
{
|
|
Name: "sleeper",
|
|
Image: env.ShellContainerImage,
|
|
ImagePullPolicy: corev1.PullIfNotPresent,
|
|
Command: []string{"sh", "-c", "sleep 3600"},
|
|
},
|
|
},
|
|
ServiceAccountName: sa.Name,
|
|
})
|
|
|
|
tokenRequestBadAudience, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
|
|
Spec: authenticationv1.TokenRequestSpec{
|
|
Audiences: []string{"should-fail-because-wrong-audience"}, // anything that is not an API server audience
|
|
BoundObjectRef: &authenticationv1.BoundObjectReference{
|
|
Kind: "Pod",
|
|
APIVersion: "",
|
|
Name: pod.Name,
|
|
UID: pod.UID,
|
|
},
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
saBadAudConfig := testlib.NewAnonymousClientRestConfig(t)
|
|
saBadAudConfig.BearerToken = tokenRequestBadAudience.Status.Token
|
|
|
|
_, badAudErr := testlib.NewKubeclient(t, saBadAudConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
|
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
|
require.True(t, errors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
|
|
|
|
tokenRequest, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
|
|
Spec: authenticationv1.TokenRequestSpec{
|
|
Audiences: []string{},
|
|
BoundObjectRef: &authenticationv1.BoundObjectReference{
|
|
Kind: "Pod",
|
|
APIVersion: "",
|
|
Name: pod.Name,
|
|
UID: pod.UID,
|
|
},
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
saTokenReqConfig := testlib.NewAnonymousClientRestConfig(t)
|
|
saTokenReqConfig.BearerToken = tokenRequest.Status.Token
|
|
|
|
whoAmITokenReq, err := testlib.NewKubeclient(t, saTokenReqConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
|
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
// new service account tokens include the pod info in the extra fields
|
|
require.Equal(t,
|
|
&identityv1alpha1.WhoAmIRequest{
|
|
Status: identityv1alpha1.WhoAmIRequestStatus{
|
|
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
|
|
User: identityv1alpha1.UserInfo{
|
|
Username: "system:serviceaccount:" + ns.Name + ":" + sa.Name,
|
|
UID: "", // aggregation drops UID: https://github.com/kubernetes/kubernetes/issues/93699
|
|
Groups: []string{
|
|
"system:serviceaccounts",
|
|
"system:serviceaccounts:" + ns.Name,
|
|
"system:authenticated",
|
|
},
|
|
Extra: map[string]identityv1alpha1.ExtraValue{
|
|
"authentication.kubernetes.io/pod-name": {pod.Name},
|
|
"authentication.kubernetes.io/pod-uid": {string(pod.UID)},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
whoAmITokenReq,
|
|
)
|
|
}
|
|
|
|
func TestWhoAmI_CSR(t *testing.T) {
|
|
// use the cluster signing key being available as a proxy for this not being an EKS cluster
|
|
// we should add more robust logic around skipping clusters based on vendor
|
|
_ = testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
defer cancel()
|
|
|
|
kubeClient := testlib.NewKubernetesClientset(t)
|
|
|
|
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
require.NoError(t, err)
|
|
|
|
der, err := x509.MarshalECPrivateKey(privateKey)
|
|
require.NoError(t, err)
|
|
|
|
keyPEM := pem.EncodeToMemory(&pem.Block{Type: keyutil.ECPrivateKeyBlockType, Bytes: der})
|
|
|
|
csrPEM, err := cert.MakeCSR(privateKey, &pkix.Name{
|
|
CommonName: "panda-man",
|
|
Organization: []string{"living-the-dream", "need-more-sleep"},
|
|
}, nil, nil)
|
|
require.NoError(t, err)
|
|
|
|
csrName, csrUID, err := csr.RequestCertificate(
|
|
kubeClient,
|
|
csrPEM,
|
|
"",
|
|
certificatesv1.KubeAPIServerClientSignerName,
|
|
nil,
|
|
[]certificatesv1.KeyUsage{certificatesv1.UsageClientAuth},
|
|
privateKey,
|
|
)
|
|
require.NoError(t, err)
|
|
|
|
t.Cleanup(func() {
|
|
require.NoError(t, kubeClient.CertificatesV1beta1().CertificateSigningRequests().
|
|
Delete(context.Background(), csrName, metav1.DeleteOptions{}))
|
|
})
|
|
|
|
// this is a blind update with no resource version checks, which is only safe during tests
|
|
// use the beta CSR API to support older clusters
|
|
_, err = kubeClient.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(ctx, &certificatesv1beta1.CertificateSigningRequest{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: csrName,
|
|
},
|
|
Status: certificatesv1beta1.CertificateSigningRequestStatus{
|
|
Conditions: []certificatesv1beta1.CertificateSigningRequestCondition{
|
|
{
|
|
Type: certificatesv1beta1.CertificateApproved,
|
|
Status: corev1.ConditionTrue,
|
|
Reason: "WhoAmICSRTest",
|
|
},
|
|
},
|
|
},
|
|
}, metav1.UpdateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
crtPEM, err := csr.WaitForCertificate(ctx, kubeClient, csrName, csrUID)
|
|
require.NoError(t, err)
|
|
|
|
csrConfig := testlib.NewAnonymousClientRestConfig(t)
|
|
csrConfig.CertData = crtPEM
|
|
csrConfig.KeyData = keyPEM
|
|
|
|
whoAmI, err := testlib.NewKubeclient(t, csrConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
|
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t,
|
|
&identityv1alpha1.WhoAmIRequest{
|
|
Status: identityv1alpha1.WhoAmIRequestStatus{
|
|
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
|
|
User: identityv1alpha1.UserInfo{
|
|
Username: "panda-man",
|
|
Groups: []string{
|
|
"need-more-sleep",
|
|
"living-the-dream",
|
|
"system:authenticated",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
whoAmI,
|
|
)
|
|
}
|
|
|
|
func TestWhoAmI_Anonymous(t *testing.T) {
|
|
_ = testlib.IntegrationEnv(t).WithCapability(testlib.AnonymousAuthenticationSupported)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
defer cancel()
|
|
|
|
anonymousConfig := testlib.NewAnonymousClientRestConfig(t)
|
|
|
|
whoAmI, err := testlib.NewKubeclient(t, anonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
|
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
// this also asserts that all users, even unauthenticated ones, can call this API when anonymous is enabled
|
|
require.Equal(t,
|
|
&identityv1alpha1.WhoAmIRequest{
|
|
Status: identityv1alpha1.WhoAmIRequestStatus{
|
|
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
|
|
User: identityv1alpha1.UserInfo{
|
|
Username: "system:anonymous",
|
|
Groups: []string{
|
|
"system:unauthenticated",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
whoAmI,
|
|
)
|
|
}
|
|
|
|
func TestWhoAmI_ImpersonateDirectly(t *testing.T) {
|
|
_ = testlib.IntegrationEnv(t)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
defer cancel()
|
|
|
|
impersonationConfig := testlib.NewClientConfig(t)
|
|
impersonationConfig.Impersonate = rest.ImpersonationConfig{
|
|
UserName: "solaire",
|
|
// need to impersonate system:authenticated directly to support older clusters otherwise we will get RBAC errors below
|
|
Groups: []string{"astora", "lordran", "system:authenticated"},
|
|
Extra: map[string][]string{
|
|
"covenant": {"warrior-of-sunlight"},
|
|
"loves": {"sun", "co-op"},
|
|
},
|
|
}
|
|
|
|
whoAmI, err := testlib.NewKubeclient(t, impersonationConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
|
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t,
|
|
&identityv1alpha1.WhoAmIRequest{
|
|
Status: identityv1alpha1.WhoAmIRequestStatus{
|
|
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
|
|
User: identityv1alpha1.UserInfo{
|
|
Username: "solaire",
|
|
UID: "", // no way to impersonate UID: https://github.com/kubernetes/kubernetes/issues/93699
|
|
Groups: []string{
|
|
"astora",
|
|
"lordran",
|
|
"system:authenticated", // impersonation will add this implicitly but only in newer clusters
|
|
},
|
|
Extra: map[string]identityv1alpha1.ExtraValue{
|
|
"covenant": {"warrior-of-sunlight"},
|
|
"loves": {"sun", "co-op"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
whoAmI,
|
|
)
|
|
|
|
impersonationAnonymousConfig := testlib.NewClientConfig(t)
|
|
impersonationAnonymousConfig.Impersonate.UserName = "system:anonymous"
|
|
// need to impersonate system:unauthenticated directly to support older clusters otherwise we will get RBAC errors below
|
|
impersonationAnonymousConfig.Impersonate.Groups = []string{"system:unauthenticated"}
|
|
|
|
whoAmIAnonymous, err := testlib.NewKubeclient(t, impersonationAnonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
|
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t,
|
|
&identityv1alpha1.WhoAmIRequest{
|
|
Status: identityv1alpha1.WhoAmIRequestStatus{
|
|
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
|
|
User: identityv1alpha1.UserInfo{
|
|
Username: "system:anonymous",
|
|
Groups: []string{
|
|
"system:unauthenticated", // impersonation will add this implicitly but only in newer clusters
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
whoAmIAnonymous,
|
|
)
|
|
}
|