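package integration_tests

import (
	"fmt"
	"strings"
	"time"
)

// verifyRBAC checks that RBAC is enforced on the cluster reachable via master.
// It installs the pod-reader policy from test-resources/rbac, mints a client
// certificate for a user "jane" (CN=jane, O=some-group) signed by the cluster
// CA, registers those credentials in root's kubeconfig, and then confirms that
// jane can list pods but receives a "Forbidden" response when listing nodes.
//
// Signing jane's certificate requires the cluster CA private key, which is
// copied to /tmp on the master for the duration of the check. That copy is
// removed again (best effort) before the function returns, whether or not the
// check succeeded, so the CA key does not linger on the node. jane's own key
// and certificate stay in /tmp because the kubeconfig entry references them.
//
// Returns a non-nil error naming the first step that failed.
func verifyRBAC(master NodeDeets, sshKey string) error {
	const (
		kubectl  = "sudo kubectl --kubeconfig /root/.kube/config"
		policy   = "/tmp/pod-reader.yaml"
		caKey    = "/tmp/ca-key.pem"
		janeKey  = "/tmp/jane-key.pem"
		janeCSR  = "/tmp/jane-csr.pem"
		janeCert = "/tmp/jane.pem"
	)
	nodes := []NodeDeets{master}

	// Whatever happens below, do not leave the CA private key on the master.
	// Best effort only: a cleanup failure must not mask the outcome of the
	// actual RBAC check, so the error is deliberately discarded.
	defer func() {
		_ = runViaSSH([]string{"sudo rm -f " + caKey}, nodes, sshKey, 10*time.Second)
	}()

	// copy rbac policy over to master node
	if err := copyFileToRemote("test-resources/rbac/pod-reader.yaml", policy, master, sshKey, 10*time.Second); err != nil {
		return fmt.Errorf("copying rbac policy to master: %v", err)
	}
	// we need the CA key to generate a new user cert
	if err := copyFileToRemote("generated/keys/ca-key.pem", caKey, master, sshKey, 10*time.Second); err != nil {
		return fmt.Errorf("copying CA key to master: %v", err)
	}
	// create using kubectl
	commands := []string{
		// create the RBAC policy
		kubectl + " create -f " + policy,
		// generate a private key for jane
		"sudo openssl genrsa -out " + janeKey + " 2048",
		// generate a CSR for jane
		"sudo openssl req -new -key " + janeKey + " -out " + janeCSR + " -subj \"/CN=jane/O=some-group\"",
		// generate a short-lived (10 day) certificate for jane, signed by the cluster CA
		"sudo openssl x509 -req -in " + janeCSR + " -CA /etc/kubernetes/ca.pem -CAkey " + caKey + " -CAcreateserial -out " + janeCert + " -days 10",
		// configure new user in kubeconfig
		kubectl + " config set-credentials jane --client-certificate=" + janeCert + " --client-key=" + janeKey,
	}
	if err := runViaSSH(commands, nodes, sshKey, 30*time.Second); err != nil {
		return fmt.Errorf("creating rbac policy and credentials for jane: %v", err)
	}
	// Using kubectl to get pods should succeed
	if err := runViaSSH([]string{kubectl + " get pods --user=jane"}, nodes, sshKey, 30*time.Second); err != nil {
		return fmt.Errorf("failed to get pods as jane: %v", err)
	}
	// This command is expected to fail, so we ignore the error.
	// We expect the output to contain the string "Forbidden"
	out, _ := executeCmd(kubectl+" get nodes --user=jane", master.PublicIP, master.SSHUser, sshKey)
	if !strings.Contains(out, "Forbidden") {
		return fmt.Errorf("expected a forbidden response from the server, but output did not indicate this. Output was: %s", out)
	}
	return nil
}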