k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap_test.go (about) 1 /* 2 Copyright 2023 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package node 18 19 import ( 20 "context" 21 "testing" 22 23 rbac "k8s.io/api/rbac/v1" 24 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 25 clientset "k8s.io/client-go/kubernetes" 26 clientsetfake "k8s.io/client-go/kubernetes/fake" 27 "k8s.io/kubernetes/cmd/kubeadm/app/constants" 28 ) 29 30 func TestAllowBootstrapTokensToPostCSRs(t *testing.T) { 31 tests := []struct { 32 name string 33 client clientset.Interface 34 }{ 35 { 36 name: "ClusterRoleBindings is empty", 37 client: clientsetfake.NewSimpleClientset(), 38 }, 39 { 40 name: "ClusterRoleBindings already exists", 41 client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{ 42 ObjectMeta: metav1.ObjectMeta{ 43 Name: constants.NodeKubeletBootstrap, 44 }, 45 RoleRef: rbac.RoleRef{ 46 APIGroup: rbac.GroupName, 47 Kind: "ClusterRole", 48 Name: constants.NodeBootstrapperClusterRoleName, 49 }, 50 Subjects: []rbac.Subject{ 51 { 52 Kind: rbac.GroupKind, 53 Name: constants.NodeBootstrapTokenAuthGroup, 54 }, 55 }, 56 }), 57 }, 58 { 59 name: "Create new ClusterRoleBindings", 60 client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{ 61 ObjectMeta: metav1.ObjectMeta{ 62 Name: constants.NodeKubeletBootstrap, 63 }, 64 RoleRef: rbac.RoleRef{ 65 APIGroup: rbac.GroupName, 66 Kind: "ClusterRole", 67 Name: constants.NodeBootstrapperClusterRoleName, 68 }, 69 Subjects: []rbac.Subject{ 70 { 71 Kind: rbac.GroupKind, 72 Name: constants.KubeProxyClusterRoleName, 73 }, 74 }, 75 }), 76 }, 77 } 78 for _, tt := range tests { 79 t.Run(tt.name, func(t *testing.T) { 80 if err := AllowBootstrapTokensToPostCSRs(tt.client); err != nil { 81 t.Errorf("AllowBootstrapTokensToPostCSRs() return error = %v", err) 82 } 83 }) 84 } 85 } 86 87 func TestAutoApproveNodeBootstrapTokens(t *testing.T) { 88 tests := []struct { 89 name string 90 client clientset.Interface 91 }{ 92 { 93 name: "ClusterRoleBindings is empty", 94 client: clientsetfake.NewSimpleClientset(), 95 }, 96 { 97 name: "ClusterRoleBindings already exists", 98 client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{ 99 ObjectMeta: metav1.ObjectMeta{ 100 Name: constants.NodeAutoApproveBootstrapClusterRoleBinding, 101 }, 102 RoleRef: rbac.RoleRef{ 103 APIGroup: rbac.GroupName, 104 Kind: "ClusterRole", 105 Name: constants.CSRAutoApprovalClusterRoleName, 106 }, 107 Subjects: []rbac.Subject{ 108 { 109 Kind: rbac.GroupKind, 110 Name: constants.NodeBootstrapTokenAuthGroup, 111 }, 112 }, 113 }), 114 }, 115 { 116 name: "Create new ClusterRoleBindings", 117 client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{ 118 ObjectMeta: metav1.ObjectMeta{ 119 Name: constants.NodeAutoApproveBootstrapClusterRoleBinding, 120 }, 121 RoleRef: rbac.RoleRef{ 122 APIGroup: rbac.GroupName, 123 Kind: "ClusterRole", 124 Name: constants.NodeSelfCSRAutoApprovalClusterRoleName, 125 }, 126 Subjects: []rbac.Subject{ 127 { 128 Kind: rbac.GroupKind, 129 Name: constants.NodeBootstrapTokenAuthGroup, 130 }, 131 }, 132 }), 133 }, 134 } 135 for _, tt := range tests { 136 t.Run(tt.name, func(t *testing.T) { 137 if err := AutoApproveNodeBootstrapTokens(tt.client); err != nil { 138 t.Errorf("AutoApproveNodeBootstrapTokens() return error = %v", err) 139 } 140 }) 141 } 142 } 143 144 func TestAutoApproveNodeCertificateRotation(t *testing.T) { 145 tests := []struct { 146 name string 147 client clientset.Interface 148 }{ 149 { 150 name: "ClusterRoleBindings is empty", 151 client: clientsetfake.NewSimpleClientset(), 152 }, 153 { 154 name: "ClusterRoleBindings already exists", 155 client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{ 156 ObjectMeta: metav1.ObjectMeta{ 157 Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding, 158 }, 159 RoleRef: rbac.RoleRef{ 160 APIGroup: rbac.GroupName, 161 Kind: "ClusterRole", 162 Name: constants.NodeSelfCSRAutoApprovalClusterRoleName, 163 }, 164 Subjects: []rbac.Subject{ 165 { 166 Kind: rbac.GroupKind, 167 Name: constants.NodesGroup, 168 }, 169 }, 170 }), 171 }, 172 { 173 name: "Create new ClusterRoleBindings", 174 client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{ 175 ObjectMeta: metav1.ObjectMeta{ 176 Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding, 177 }, 178 RoleRef: rbac.RoleRef{ 179 APIGroup: rbac.GroupName, 180 Kind: "ClusterRole", 181 Name: constants.NodeSelfCSRAutoApprovalClusterRoleName, 182 }, 183 Subjects: []rbac.Subject{ 184 { 185 Kind: rbac.GroupKind, 186 Name: constants.NodeBootstrapTokenAuthGroup, 187 }, 188 }, 189 }), 190 }, 191 } 192 for _, tt := range tests { 193 t.Run(tt.name, func(t *testing.T) { 194 if err := AutoApproveNodeCertificateRotation(tt.client); err != nil { 195 t.Errorf("AutoApproveNodeCertificateRotation() return error = %v", err) 196 } 197 }) 198 } 199 } 200 201 func TestAllowBoostrapTokensToGetNodes(t *testing.T) { 202 tests := []struct { 203 name string 204 client clientset.Interface 205 }{ 206 { 207 name: "RBAC rules are empty", 208 client: clientsetfake.NewSimpleClientset(), 209 }, 210 { 211 name: "RBAC rules already exists", 212 client: newMockRbacClientForTest(t, &rbac.ClusterRole{ 213 ObjectMeta: metav1.ObjectMeta{ 214 Name: constants.GetNodesClusterRoleName, 215 }, 216 Rules: []rbac.PolicyRule{ 217 { 218 Verbs: []string{"get"}, 219 APIGroups: []string{""}, 220 Resources: []string{"nodes"}, 221 }, 222 }, 223 }, &rbac.ClusterRoleBinding{ 224 ObjectMeta: metav1.ObjectMeta{ 225 Name: constants.GetNodesClusterRoleName, 226 }, 227 RoleRef: rbac.RoleRef{ 228 APIGroup: rbac.GroupName, 229 Kind: "ClusterRole", 230 Name: constants.GetNodesClusterRoleName, 231 }, 232 Subjects: []rbac.Subject{ 233 { 234 Kind: rbac.GroupKind, 235 Name: constants.NodeBootstrapTokenAuthGroup, 236 }, 237 }, 238 }), 239 }, 240 { 241 name: "Create new RBAC rules", 242 client: newMockRbacClientForTest(t, &rbac.ClusterRole{ 243 ObjectMeta: metav1.ObjectMeta{ 244 Name: constants.GetNodesClusterRoleName, 245 }, 246 Rules: []rbac.PolicyRule{ 247 { 248 Verbs: []string{"create"}, 249 APIGroups: []string{""}, 250 Resources: []string{"nodes"}, 251 }, 252 }, 253 }, &rbac.ClusterRoleBinding{ 254 ObjectMeta: metav1.ObjectMeta{ 255 Name: constants.GetNodesClusterRoleName, 256 }, 257 RoleRef: rbac.RoleRef{ 258 APIGroup: rbac.GroupName, 259 Kind: "ClusterRole", 260 Name: constants.NodeAutoApproveBootstrapClusterRoleBinding, 261 }, 262 Subjects: []rbac.Subject{ 263 { 264 Kind: rbac.GroupKind, 265 Name: constants.NodeBootstrapTokenAuthGroup, 266 }, 267 }, 268 }), 269 }, 270 } 271 for _, tt := range tests { 272 t.Run(tt.name, func(t *testing.T) { 273 if err := AllowBoostrapTokensToGetNodes(tt.client); err != nil { 274 t.Errorf("AllowBoostrapTokensToGetNodes() return error = %v", err) 275 } 276 }) 277 } 278 } 279 280 func newMockClusterRoleBinddingClientForTest(t *testing.T, clusterRoleBinding *rbac.ClusterRoleBinding) *clientsetfake.Clientset { 281 client := clientsetfake.NewSimpleClientset() 282 _, err := client.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{}) 283 284 if err != nil { 285 t.Fatalf("error creating ClusterRoleBindings: %v", err) 286 } 287 return client 288 } 289 290 func newMockRbacClientForTest(t *testing.T, clusterRole *rbac.ClusterRole, clusterRoleBinding *rbac.ClusterRoleBinding) *clientsetfake.Clientset { 291 client := clientsetfake.NewSimpleClientset() 292 _, err := client.RbacV1().ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{}) 293 if err != nil { 294 t.Fatalf("error creating ClusterRoles: %v", err) 295 } 296 _, err = client.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{}) 297 if err != nil { 298 t.Fatalf("error creating ClusterRoleBindings: %v", err) 299 } 300 return client 301 }