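#!/usr/bin/env bash

# Copyright 2018 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o nounset
set -o pipefail

#######################################
# Exercise the authorization API: creates a SubjectAccessReview through
# kubectl, then POSTs the same fixture straight at the apiserver and checks
# that the returned review reports the request as allowed.
# Globals:
#   KUBE_TEMP (read) - scratch directory for the raw API response
#   SECURE_API_PORT (read) - HTTPS port of the apiserver on localhost
# Arguments:
#   none
# Outputs:
#   status lines via kube::log::status; exits 1 if the review is not allowed
#######################################
run_authorization_tests() {
  # Strict mode is switched on per test function and restored before returning.
  set -o nounset
  set -o errexit

  kube::log::status "Testing authorization"

  # check remote authorization endpoint, kubectl doesn't actually display the returned object so this isn't super useful
  # but it proves that works
  kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1.json --validate=false

  # Call the endpoint directly so the response body can be inspected.
  #   -k: skips certificate verification; presumably the localhost test apiserver
  #       serves a self-signed certificate (TODO confirm) - not acceptable
  #       against anything but this local test endpoint.
  #   -f: a 4xx/5xx (e.g. a rejected bearer token) becomes a non-zero exit,
  #       which aborts the test under errexit instead of leaving an error body
  #       in the result file.
  #   -H "Content-Type:": removes curl's default form-encoded type for -d so
  #       the JSON fixture is sent unchanged.
  #   "admin-token": presumably the static token the test harness configures
  #       for the admin user - verify against the harness setup.
  local SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
  curl -kfsS -H "Content-Type:" -H 'Authorization: Bearer admin-token' \
    "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1/subjectaccessreviews" \
    -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}"
  # Accept both pretty-printed ("allowed": true) and compact ("allowed":true)
  # JSON so the check does not depend on the server's output formatting.
  if grep -Eq '"allowed": ?true' "${SAR_RESULT_FILE}"; then
    kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
  else
    kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" does not return as expected: $(cat "${SAR_RESULT_FILE}")"
    exit 1
  fi
  rm "${SAR_RESULT_FILE}"

  set +o nounset
  set +o errexit
}

#######################################
# Exercise kubectl impersonation flags (--as, --as-group, --as-uid): group and
# uid impersonation must be rejected unless a user is impersonated as well,
# and when accepted the impersonated identity must show up on the created CSR.
# Globals:
#   kube_flags_with_token (read) - kubectl flags carrying the token
#       credential; the :? expansion aborts if the array is unset or empty
#   csr (read) - resource name passed to kube::test::if_supports_resource
#   output_message (written) - captured kubectl output for the negative checks
# Arguments:
#   none
# Outputs:
#   status lines via kube::log::status; the kube::test assertion helpers
#   report mismatches
#######################################
run_impersonation_tests() {
  # Strict mode is switched on per test function and restored before returning.
  set -o nounset
  set -o errexit

  kube::log::status "Testing impersonation"

  # --as-group / --as-uid without --as must be refused. The leading '!' inside
  # the substitution turns the expected non-zero exit into success, so the
  # test only aborts (via errexit) if kubectl unexpectedly succeeds.
  output_message=$(! kubectl get pods "${kube_flags_with_token[@]:?}" --as-group=foo 2>&1)
  kube::test::if_has_string "${output_message}" 'without impersonating a user'

  output_message=$(! kubectl get pods "${kube_flags_with_token[@]:?}" --as-uid=abc123 2>&1)
  kube::test::if_has_string "${output_message}" 'without impersonating a user'

  if kube::test::if_supports_resource "${csr:?}" ; then
    # --as: the CSR records the impersonated user; system:authenticated shows
    # up in .spec.groups without having been requested on the command line.
    kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1
    kube::test::get_object_assert 'csr/foo' '{{.spec.username}}' 'user1'
    kube::test::get_object_assert 'csr/foo' '{{range .spec.groups}}{{.}}{{end}}' 'system:authenticated'
    kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"

    # --as-group: each repeated flag is kept, in order; a value containing
    # commas (",,,chameleon") is stored as a single literal group rather than
    # being split, and system:authenticated is appended (3 requested + 1 = 4).
    kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1 --as-group=group2 --as-group=group1 --as-group=,,,chameleon
    kube::test::get_object_assert 'csr/foo' '{{len .spec.groups}}' '4'
    kube::test::get_object_assert 'csr/foo' '{{range .spec.groups}}{{.}} {{end}}' 'group2 group1 ,,,chameleon system:authenticated '
    kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"

    # --as-uid: the impersonated uid is recorded alongside the user.
    kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1 --as-uid=abc123
    kube::test::get_object_assert 'csr/foo' '{{.spec.username}}' 'user1'
    kube::test::get_object_assert 'csr/foo' '{{.spec.uid}}' 'abc123'
    kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"

  fi

  set +o nounset
  set +o errexit
}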