github.com/jlmeeker/kismatic@v1.10.1-0.20180612190640-57f9005a1f1a/integration-tests/rbac.go (about)

     1  package integration_tests
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  	"time"
     7  )
     8  
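// verifyRBAC checks that the cluster enforces RBAC: it mints a client
// certificate for a test user ("jane") with the cluster CA, applies the
// pod-reader policy from test-resources, and confirms that jane can list pods
// but is refused when listing nodes.
//
// Signing jane's certificate requires the cluster CA private key, which is
// copied to the master for the duration of the test. Anyone who can read that
// key can mint arbitrary (including cluster-admin) client credentials, so the
// key and every other artifact are removed before returning, whether or not
// the checks passed. Returns the first setup/verification error; if the checks
// passed but cleanup failed, the cleanup error is returned so a leaked CA key
// is never silently ignored.
func verifyRBAC(master NodeDeets, sshKey string) error {
	runErr := runRBACChecks(master, sshKey)
	cleanupErr := cleanupRBACArtifacts(master, sshKey)
	if runErr != nil {
		return runErr
	}
	return cleanupErr
}

// runRBACChecks copies the fixtures and CA key to the master, creates jane's
// credentials and runs the allow/deny checks. It does no cleanup of its own so
// that the caller can always clean up, even when this fails midway.
func runRBACChecks(master NodeDeets, sshKey string) error {
	// copy rbac policy over to master node
	if err := copyFileToRemote("test-resources/rbac/pod-reader.yaml", "/tmp/pod-reader.yaml", master, sshKey, 10*time.Second); err != nil {
		return err
	}
	// we need the CA key to generate a new user cert
	if err := copyFileToRemote("generated/keys/ca-key.pem", "/tmp/ca-key.pem", master, sshKey, 10*time.Second); err != nil {
		return err
	}
	commands := []string{
		// The mode copyFileToRemote gives the remote file is not known here,
		// so restrict the CA key explicitly while it sits in /tmp.
		"sudo chmod 0600 /tmp/ca-key.pem",
		// create the RBAC policy
		"sudo kubectl --kubeconfig /root/.kube/config create -f /tmp/pod-reader.yaml",
		// generate a private key for jane
		"sudo openssl genrsa -out /tmp/jane-key.pem 2048",
		// generate a CSR for jane; O= becomes jane's group for RBAC purposes
		"sudo openssl req -new -key /tmp/jane-key.pem -out /tmp/jane-csr.pem -subj \"/CN=jane/O=some-group\"",
		// sign jane's certificate with the cluster CA. The serial file is kept
		// in /tmp so signing does not drop a ca.srl next to /etc/kubernetes/ca.pem.
		"sudo openssl x509 -req -in /tmp/jane-csr.pem -CA /etc/kubernetes/ca.pem -CAkey /tmp/ca-key.pem -CAcreateserial -CAserial /tmp/jane-ca.srl -out /tmp/jane.pem -days 10",
		// configure new user in kubeconfig
		"sudo kubectl --kubeconfig /root/.kube/config config set-credentials jane --client-certificate=/tmp/jane.pem --client-key=/tmp/jane-key.pem",
	}
	if err := runViaSSH(commands, []NodeDeets{master}, sshKey, 30*time.Second); err != nil {
		return err
	}
	// Allowed by the policy: listing pods as jane must succeed.
	if err := runViaSSH([]string{"sudo kubectl --kubeconfig /root/.kube/config get pods --user=jane"}, []NodeDeets{master}, sshKey, 30*time.Second); err != nil {
		return fmt.Errorf("failed to get pods as jane: %v", err)
	}
	// Denied by the policy: listing nodes as jane must be refused. The command
	// is expected to exit non-zero, so its error is deliberately ignored and
	// the output is inspected instead: a "Forbidden" response proves the
	// request was authenticated as jane and then rejected by RBAC. Anything
	// else (success, "Unauthorized", a transport failure) is a test failure.
	out, _ := executeCmd("sudo kubectl --kubeconfig /root/.kube/config get nodes --user=jane", master.PublicIP, master.SSHUser, sshKey)
	if !strings.Contains(out, "Forbidden") {
		return fmt.Errorf("expected a forbidden response from the server, but output did not indicate this. Output was: %s", out)
	}
	return nil
}

// cleanupRBACArtifacts removes the CA private key, jane's key/CSR/certificate,
// the serial file and the policy fixture from the master, and drops the jane
// entry from the root kubeconfig so it does not reference deleted files. The
// rm runs first: it is the security-relevant step and must not be skipped
// because an earlier command failed (e.g. set-credentials never ran). The
// RBAC objects created from pod-reader.yaml are intentionally left in place,
// as the original test did not remove them and later tests may rely on them.
func cleanupRBACArtifacts(master NodeDeets, sshKey string) error {
	commands := []string{
		"sudo rm -f /tmp/ca-key.pem /tmp/jane-key.pem /tmp/jane-csr.pem /tmp/jane.pem /tmp/jane-ca.srl /tmp/pod-reader.yaml",
		"sudo kubectl --kubeconfig /root/.kube/config config unset users.jane",
	}
	if err := runViaSSH(commands, []NodeDeets{master}, sshKey, 30*time.Second); err != nil {
		return fmt.Errorf("failed to clean up RBAC test artifacts (including the CA key) on %s: %v", master.PublicIP, err)
	}
	return nil
}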