This repository was archived by the owner on May 17, 2024. It is now read-only.

Commit 3e2c947

committed
Adds logs to e2e test output + updates impersonation tests for better
coverage Signed-off-by: JoshVanL <[email protected]>
1 parent 8e0b061 commit 3e2c947


2 files changed

+79
-7
lines changed


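--- a/test/e2e/framework/framework.go
+++ b/test/e2e/framework/framework.go
@@ -91,8 +91,14 @@ func (f *Framework) BeforeEach() {
 
 // AfterEach deletes the namespace, after reading its events.
 func (f *Framework) AfterEach() {
+// Output logs from proxy of test case.
+err := f.Helper().Kubectl(f.Namespace.Name).Run("logs", "-lapp=kube-oidc-proxy-e2e")
+if err != nil {
+By("Failed to gather logs from kube-oidc-proxy: " + err.Error())
+}
+
 By("Deleting kube-oidc-proxy deployment")
-err := f.Helper().DeleteProxy(f.Namespace.Name)
+err = f.Helper().DeleteProxy(f.Namespace.Name)
 Expect(err).NotTo(HaveOccurred())
 
 By("Deleting mock OIDC issuer")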
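Review bot: `kubectl logs` with a label selector returns only the last 10 lines per pod unless `--tail` is given, so the log dump added at the top of AfterEach will usually miss the part of the proxy log that explains a failure. Assuming the Kubectl helper passes its arguments through unchanged, `Run("logs", "-lapp=kube-oidc-proxy-e2e", "--tail=-1")` captures the full log. The dump also runs for passing tests and ends up in the CI output, so it is worth confirming that the proxy does not log token or header values at the verbosity the e2e deployment uses. AfterEach's body continues outside the hunk.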

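--- a/test/e2e/suite/cases/impersonation/impersonation.go
+++ b/test/e2e/suite/cases/impersonation/impersonation.go
@@ -8,6 +8,7 @@ import (
 . "github.com/onsi/ginkgo"
 . "github.com/onsi/gomega"
 
+rbacv1 "k8s.io/api/rbac/v1"
 k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
@@ -67,13 +68,78 @@ var _ = framework.CasesDescribe("Impersonation", func() {
 By("Enabling the disabling of impersonation")
 f.DeployProxyWith(nil, "--disable-impersonation")
 
-// Should return an Unauthorized response from Kubernetes as it does not
-// trust the OIDC token we have presented however it has been authenticated
-// by kube-oidc-proxy.
-_, err := f.NewProxyClient().CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
-if !k8sErrors.IsUnauthorized(err) {
-Expect(err).NotTo(HaveOccurred())
+By("Creating ClusterRole for system:anonymous to impersonate")
+roleImpersonate, err := f.Helper().KubeClient.RbacV1().ClusterRoles().Create(&rbacv1.ClusterRole{
+ObjectMeta: metav1.ObjectMeta{
+GenerateName: fmt.Sprintf("test-user-role-impersonate-"),
+},
+Rules: []rbacv1.PolicyRule{
+{APIGroups: []string{""}, Resources: []string{"users"}, Verbs: []string{"impersonate"}},
+},
+})
+Expect(err).NotTo(HaveOccurred())
+
+By("Creating Role for user foo to list Pods")
+rolePods, err := f.Helper().KubeClient.RbacV1().Roles(f.Namespace.Name).Create(&rbacv1.Role{
+ObjectMeta: metav1.ObjectMeta{
+GenerateName: fmt.Sprintf("test-user-role-pods-"),
+},
+Rules: []rbacv1.PolicyRule{
+{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list"}},
+},
+})
+Expect(err).NotTo(HaveOccurred())
+
+By("Creating ClusterRoleBinding for user system:anonymous")
+rolebindingImpersonate, err := f.Helper().KubeClient.RbacV1().ClusterRoleBindings().Create(
+&rbacv1.ClusterRoleBinding{
+ObjectMeta: metav1.ObjectMeta{
+GenerateName: "test-user-binding-system-anonymous",
+},
+Subjects: []rbacv1.Subject{{Name: "system:anonymous", Kind: "User"}},
+RoleRef: rbacv1.RoleRef{Name: roleImpersonate.Name, Kind: "ClusterRole"},
+})
+Expect(err).NotTo(HaveOccurred())
+
+By("Creating RoleBinding for user [email protected]")
+rolebindingPods, err := f.Helper().KubeClient.RbacV1().RoleBindings(f.Namespace.Name).Create(
+&rbacv1.RoleBinding{
+ObjectMeta: metav1.ObjectMeta{
+GenerateName: "test-user-binding-user-foo-example-com",
+},
+Subjects: []rbacv1.Subject{{Name: "[email protected]", Kind: "User"}},
+RoleRef: rbacv1.RoleRef{Name: rolePods.Name, Kind: "Role"},
+})
+Expect(err).NotTo(HaveOccurred())
+
+// build client with impersonation
+config := f.NewProxyRestConfig()
+config.Impersonate = rest.ImpersonationConfig{
+UserName: "[email protected]",
 }
+client, err := kubernetes.NewForConfig(config)
+Expect(err).NotTo(HaveOccurred())
+
+// Should not error since we have authorized system:anonymous to
+// impersonate and [email protected] to list pods
+_, err = client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+Expect(err).NotTo(HaveOccurred())
+
+By("Deleting RoleBinding for user [email protected]")
+err = f.Helper().KubeClient.RbacV1().RoleBindings(f.Namespace.Name).Delete(rolebindingPods.Name, nil)
+Expect(err).NotTo(HaveOccurred())
+
+By("Deleting Role for list Pods")
+err = f.Helper().KubeClient.RbacV1().Roles(f.Namespace.Name).Delete(rolePods.Name, nil)
+Expect(err).NotTo(HaveOccurred())
+
+By("Deleting ClusterRoleBinding for user system:anonymous")
+err = f.Helper().KubeClient.RbacV1().ClusterRoleBindings().Delete(rolebindingImpersonate.Name, nil)
+Expect(err).NotTo(HaveOccurred())
+
+By("Deleting ClusterRole for Impersonate")
+err = f.Helper().KubeClient.RbacV1().ClusterRoles().Delete(roleImpersonate.Name, nil)
+Expect(err).NotTo(HaveOccurred())
 })
 })
 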
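Review bot: The ClusterRole and ClusterRoleBinding that let `system:anonymous` impersonate users are deleted only by the straight-line calls at the end of the test, so any earlier `Expect` failure (for example on the pod `List`) skips the cleanup and leaves the grant on the cluster. Both objects are cluster-scoped, so deleting the test namespace afterwards would not remove them. Registering each delete with `defer` directly after its create keeps the grant from outliving the test. The rule also has no `ResourceNames`, so it covers every user rather than only the one the test impersonates; adding `ResourceNames` with that single user name narrows it. The enclosing test function starts outside the hunk.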
