...

Source file src/k8s.io/kubernetes/test/e2e_kubeadm/admin_test.go

Documentation: k8s.io/kubernetes/test/e2e_kubeadm 

     1  /*
     2  Copyright 2023 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package kubeadm
    18  
    19  import (
    20  	"context"
    21  
    22  	"github.com/onsi/ginkgo/v2"
    23  
    24  	rbacv1 "k8s.io/api/rbac/v1"
    25  	"k8s.io/apimachinery/pkg/util/version"
    26  	admissionapi "k8s.io/pod-security-admission/api"
    27  
    28  	"k8s.io/kubernetes/test/e2e/framework"
    29  	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
    30  )
    31  
    32  const (
    33  	kubeadmClusterAdminsGroupAndCRB = "kubeadm:cluster-admins"
    34  	clusterAdminClusterRole         = "cluster-admin"
    35  )
    36  
    37  // Define a container for all the tests aimed at verifying that administrators
    38  // have "cluster-admin" level of access.
    39  var _ = Describe("admin", func() {
    40  
    41  	// Get an instance of the k8s test framework
    42  	f := framework.NewDefaultFramework("admin")
    43  	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
    44  
    45  	// Tests in this container are not expected to create new objects in the cluster
    46  	// so we are disabling the creation of a namespace in order to get a faster execution
    47  	f.SkipNamespaceCreation = true
    48  
    49  	ginkgo.It("kubeadm:cluster-admins CRB must exist and be binding the cluster-admin ClusterRole"+
    50  		" to the kubeadm:cluster-admins Group", func(ctx context.Context) {
    51  
    52  		// Use the ClusterConfiguration.kubernetesVersion to decide whether to look for the CRB.
    53  		// It was added in kubeadm v1.29-pre, but kubeadm supports a maximum skew of N-1
    54  		// with the control plane, so this is fine as long as kubernetesVersion matches
    55  		// the kubeadm version. Otherwise this test is skipped.
    56  		m := getClusterConfiguration(f.ClientSet)
    57  		const verKey = "kubernetesVersion"
    58  		verInterface, exists := m[verKey]
    59  		if !exists {
    60  			framework.Failf("the kubeadm ConfigMap %s is missing a %s key in %s",
    61  				kubeadmConfigName,
    62  				verKey,
    63  				kubeadmConfigClusterConfigurationConfigMapKey)
    64  		}
    65  
    66  		// Parse the version string
    67  		verStr, ok := verInterface.(string)
    68  		if !ok {
    69  			framework.Failf("cannot cast %s to string", verKey)
    70  		}
    71  		ver, err := version.ParseSemantic(verStr)
    72  		if err != nil {
    73  			framework.Failf("could not parse the %s key: %v", verKey, err)
    74  		}
    75  
    76  		// If the version is older than the version when this feature was added, skip this test
    77  		minVer := version.MustParseSemantic("v1.29.0-alpha.2.188+05076de57fc49f")
    78  		if !ver.AtLeast(minVer) {
    79  			e2eskipper.Skipf("Skipping because version %s is older than the minimum version %s",
    80  				ver,
    81  				minVer)
    82  		}
    83  
    84  		// Expect the CRB to exist
    85  		ExpectClusterRoleBindingWithSubjectAndRole(f.ClientSet,
    86  			kubeadmClusterAdminsGroupAndCRB,
    87  			rbacv1.GroupKind, kubeadmClusterAdminsGroupAndCRB,
    88  			clusterAdminClusterRole,
    89  		)
    90  	})
    91  })
    92  

View as plain text