k8s.io/kubernetes@v1.29.3/test/cmd/authorization.sh (about)

     1  #!/usr/bin/env bash
     2  
     3  # Copyright 2018 The Kubernetes Authors.
     4  #
     5  # Licensed under the Apache License, Version 2.0 (the "License");
     6  # you may not use this file except in compliance with the License.
     7  # You may obtain a copy of the License at
     8  #
     9  #     http://www.apache.org/licenses/LICENSE-2.0
    10  #
    11  # Unless required by applicable law or agreed to in writing, software
    12  # distributed under the License is distributed on an "AS IS" BASIS,
    13  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  # See the License for the specific language governing permissions and
    15  # limitations under the License.
    16  
    17  set -o errexit
    18  set -o nounset
    19  set -o pipefail
    20  
    21  run_authorization_tests() {
    22    set -o nounset
    23    set -o errexit
    24  
    25    kube::log::status "Testing authorization"
    26  
    27    # check remote authorization endpoint, kubectl doesn't actually display the returned object so this isn't super useful
    28    # but it proves that works
    29    kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1.json --validate=false
    30  
    31    SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
    32    curl -kfsS -H "Content-Type:" -H 'Authorization: Bearer admin-token' "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1/subjectaccessreviews" -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}"
    33    if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then
    34      kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
    35    else
    36      kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" does not return as expected: $(cat "${SAR_RESULT_FILE}")"
    37      exit 1
    38    fi
    39    rm "${SAR_RESULT_FILE}"
    40  
    41    set +o nounset
    42    set +o errexit
    43  }
    44  
    45  run_impersonation_tests() {
    46    set -o nounset
    47    set -o errexit
    48  
    49    kube::log::status "Testing impersonation"
    50  
    51    output_message=$(! kubectl get pods "${kube_flags_with_token[@]:?}" --as-group=foo 2>&1)
    52    kube::test::if_has_string "${output_message}" 'without impersonating a user'
    53  
    54    output_message=$(! kubectl get pods "${kube_flags_with_token[@]:?}" --as-uid=abc123 2>&1)
    55    kube::test::if_has_string "${output_message}" 'without impersonating a user'
    56  
    57    if kube::test::if_supports_resource "${csr:?}" ; then
    58      # --as
    59      kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1
    60      kube::test::get_object_assert 'csr/foo' '{{.spec.username}}' 'user1'
    61      kube::test::get_object_assert 'csr/foo' '{{range .spec.groups}}{{.}}{{end}}' 'system:authenticated'
    62      kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"
    63  
    64      # --as-group
    65      kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1 --as-group=group2 --as-group=group1 --as-group=,,,chameleon
    66      kube::test::get_object_assert 'csr/foo' '{{len .spec.groups}}' '4'
    67      kube::test::get_object_assert 'csr/foo' '{{range .spec.groups}}{{.}} {{end}}' 'group2 group1 ,,,chameleon system:authenticated '
    68      kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"
    69  
    70      # --as-uid
    71      kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1 --as-uid=abc123
    72      kube::test::get_object_assert 'csr/foo' '{{.spec.username}}' 'user1'
    73      kube::test::get_object_assert 'csr/foo' '{{.spec.uid}}' 'abc123'
    74      kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"
    75  
    76    fi
    77  
    78    set +o nounset
    79    set +o errexit
    80  }