
Commit b022703

Wei WengWei Weng
authored andcommitted
remove some test because validating webhooks are on by default
Signed-off-by: Wei Weng <[email protected]>
1 parent ba9a2b4 commit b022703


2 files changed

+0
-307
lines changed


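--- a/test/e2e/fleet_guard_rail_test.go
+++ b/test/e2e/fleet_guard_rail_test.go
@@ -32,7 +32,6 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
 utilrand "k8s.io/apimachinery/pkg/util/rand"
-"k8s.io/utils/ptr"
 
 clusterv1beta1 "github.com/kubefleet-dev/kubefleet/apis/cluster/v1beta1"
 placementv1beta1 "github.com/kubefleet-dev/kubefleet/apis/placement/v1beta1"
@@ -916,247 +915,6 @@ var _ = Describe("fleet guard rail networking E2Es", Serial, Ordered, func() {
 })
 })
 
-var _ = Describe("fleet guard rail for pods and replicasets in fleet/kube namespaces", Serial, Ordered, func() {
-var (
-podGVK = metav1.GroupVersionKind{Group: corev1.SchemeGroupVersion.Group, Version: corev1.SchemeGroupVersion.Version, Kind: "Pod"}
-replicaSetGVK = metav1.GroupVersionKind{Group: appsv1.SchemeGroupVersion.Group, Version: appsv1.SchemeGroupVersion.Version, Kind: "ReplicaSet"}
-)
-
-Context("deny pod operations in fleet-system namespace", func() {
-It("should deny CREATE operation on pod in fleet-system namespace for user not in system:masters", func() {
-pod := corev1.Pod{
-ObjectMeta: metav1.ObjectMeta{
-Name: "test-pod",
-Namespace: "fleet-system",
-},
-Spec: corev1.PodSpec{
-Containers: []corev1.Container{
-{
-Name: "test-container",
-Image: "nginx:latest",
-},
-},
-},
-}
-Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, &pod), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &podGVK, "", types.NamespacedName{Name: pod.Name, Namespace: pod.Namespace}))).Should(Succeed())
-})
-
-It("should deny UPDATE operation on pod in fleet-system namespace for user not in system:masters", func() {
-// First create a pod as admin
-pod := corev1.Pod{
-ObjectMeta: metav1.ObjectMeta{
-Name: "test-pod-update",
-Namespace: "fleet-system",
-},
-Spec: corev1.PodSpec{
-Containers: []corev1.Container{
-{
-Name: "test-container",
-Image: "nginx:latest",
-},
-},
-},
-}
-Expect(hubClient.Create(ctx, &pod)).Should(Succeed())
-
-// Try to update as non-admin
-Eventually(func(g Gomega) error {
-var p corev1.Pod
-err := hubClient.Get(ctx, types.NamespacedName{Name: pod.Name, Namespace: pod.Namespace}, &p)
-if err != nil {
-return err
-}
-p.Labels = map[string]string{testKey: testValue}
-err = impersonateHubClient.Update(ctx, &p)
-if k8sErrors.IsConflict(err) {
-return err
-}
-return checkIfStatusErrorWithMessage(err, fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Update, &podGVK, "", types.NamespacedName{Name: p.Name, Namespace: p.Namespace}))
-}, eventuallyDuration, eventuallyInterval).Should(Succeed())
-
-// Cleanup
-Expect(hubClient.Delete(ctx, &pod)).Should(Succeed())
-})
-})
-
-Context("deny replicaset operations in fleet-member namespace", func() {
-var (
-mcName string
-imcNamespace string
-)
-
-BeforeAll(func() {
-mcName = fmt.Sprintf(mcNameTemplate, GinkgoParallelProcess())
-imcNamespace = fmt.Sprintf(utils.NamespaceNameFormat, mcName)
-createMemberCluster(mcName, testIdentity, nil, map[string]string{fleetClusterResourceIDAnnotationKey: clusterID1})
-checkInternalMemberClusterExists(mcName, imcNamespace)
-})
-
-AfterAll(func() {
-ensureMemberClusterAndRelatedResourcesDeletion(mcName)
-})
-
-It("should deny CREATE operation on replicaset in fleet-member namespace for user not in MC identity", func() {
-rs := appsv1.ReplicaSet{
-ObjectMeta: metav1.ObjectMeta{
-Name: "test-replicaset",
-Namespace: imcNamespace,
-},
-Spec: appsv1.ReplicaSetSpec{
-Replicas: ptr.To(int32(1)),
-Selector: &metav1.LabelSelector{
-MatchLabels: map[string]string{"app": "test"},
-},
-Template: corev1.PodTemplateSpec{
-ObjectMeta: metav1.ObjectMeta{
-Labels: map[string]string{"app": "test"},
-},
-Spec: corev1.PodSpec{
-Containers: []corev1.Container{
-{
-Name: "test-container",
-Image: "nginx:latest",
-},
-},
-},
-},
-},
-}
-Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, &rs), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &replicaSetGVK, "", types.NamespacedName{Name: rs.Name, Namespace: rs.Namespace}))).Should(Succeed())
-})
-
-It("should deny UPDATE operation on replicaset in fleet-member namespace for user not in MC identity", func() {
-// First create a replicaset as admin
-rs := appsv1.ReplicaSet{
-ObjectMeta: metav1.ObjectMeta{
-Name: "test-replicaset-update",
-Namespace: imcNamespace,
-},
-Spec: appsv1.ReplicaSetSpec{
-Replicas: ptr.To(int32(1)),
-Selector: &metav1.LabelSelector{
-MatchLabels: map[string]string{"app": "test"},
-},
-Template: corev1.PodTemplateSpec{
-ObjectMeta: metav1.ObjectMeta{
-Labels: map[string]string{"app": "test"},
-},
-Spec: corev1.PodSpec{
-Containers: []corev1.Container{
-{
-Name: "test-container",
-Image: "nginx:latest",
-},
-},
-},
-},
-},
-}
-Expect(hubClient.Create(ctx, &rs)).Should(Succeed())
-
-// Try to update as non-admin
-Eventually(func(g Gomega) error {
-var r appsv1.ReplicaSet
-err := hubClient.Get(ctx, types.NamespacedName{Name: rs.Name, Namespace: rs.Namespace}, &r)
-if err != nil {
-return err
-}
-r.Labels = map[string]string{testKey: testValue}
-err = impersonateHubClient.Update(ctx, &r)
-if k8sErrors.IsConflict(err) {
-return err
-}
-return checkIfStatusErrorWithMessage(err, fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Update, &replicaSetGVK, "", types.NamespacedName{Name: r.Name, Namespace: r.Namespace}))
-}, eventuallyDuration, eventuallyInterval).Should(Succeed())
-
-// Cleanup
-Expect(hubClient.Delete(ctx, &rs)).Should(Succeed())
-})
-
-It("should deny DELETE operation on pod in fleet-member namespace for user not in MC identity", func() {
-// First create a pod as admin
-pod := corev1.Pod{
-ObjectMeta: metav1.ObjectMeta{
-Name: "test-pod-delete",
-Namespace: imcNamespace,
-},
-Spec: corev1.PodSpec{
-Containers: []corev1.Container{
-{
-Name: "test-container",
-Image: "nginx:latest",
-},
-},
-},
-}
-Expect(hubClient.Create(ctx, &pod)).Should(Succeed())
-
-// Try to delete as non-admin
-Eventually(func() error {
-var p corev1.Pod
-err := hubClient.Get(ctx, types.NamespacedName{Name: pod.Name, Namespace: pod.Namespace}, &p)
-if err != nil {
-return err
-}
-err = impersonateHubClient.Delete(ctx, &p)
-return checkIfStatusErrorWithMessage(err, fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Delete, &podGVK, "", types.NamespacedName{Name: p.Name, Namespace: p.Namespace}))
-}, eventuallyDuration, eventuallyInterval).Should(Succeed())
-
-// Cleanup by admin
-Expect(hubClient.Delete(ctx, &pod)).Should(Succeed())
-})
-})
-
-Context("deny pod/replicaset operations in kube-system namespace", func() {
-It("should deny CREATE operation on pod in kube-system namespace for user not in system:masters", func() {
-pod := corev1.Pod{
-ObjectMeta: metav1.ObjectMeta{
-Name: "test-pod-kube",
-Namespace: "kube-system",
-},
-Spec: corev1.PodSpec{
-Containers: []corev1.Container{
-{
-Name: "test-container",
-Image: "nginx:latest",
-},
-},
-},
-}
-Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, &pod), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &podGVK, "", types.NamespacedName{Name: pod.Name, Namespace: pod.Namespace}))).Should(Succeed())
-})
-
-It("should deny CREATE operation on replicaset in kube-system namespace for user not in system:masters", func() {
-rs := appsv1.ReplicaSet{
-ObjectMeta: metav1.ObjectMeta{
-Name: "test-replicaset-kube",
-Namespace: "kube-system",
-},
-Spec: appsv1.ReplicaSetSpec{
-Replicas: ptr.To(int32(1)),
-Selector: &metav1.LabelSelector{
-MatchLabels: map[string]string{"app": "test"},
-},
-Template: corev1.PodTemplateSpec{
-ObjectMeta: metav1.ObjectMeta{
-Labels: map[string]string{"app": "test"},
-},
-Spec: corev1.PodSpec{
-Containers: []corev1.Container{
-{
-Name: "test-container",
-Image: "nginx:latest",
-},
-},
-},
-},
-},
-}
-Expect(checkIfStatusErrorWithMessage(impersonateHubClient.Create(ctx, &rs), fmt.Sprintf(validation.ResourceDeniedFormat, testUser, utils.GenerateGroupString(testGroups), admissionv1.Create, &replicaSetGVK, "", types.NamespacedName{Name: rs.Name, Namespace: rs.Namespace}))).Should(Succeed())
-})
-})
-})
-
 var _ = Describe("fleet guard rail restrict internal fleet resources from being created in fleet/kube pre-fixed namespaces", Serial, Ordered, func() {
 Context("deny request to CREATE IMC in fleet-system namespace", func() {
 It("should deny CREATE operation on internal member cluster resource in fleet-system namespace for invalid user", func() {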

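--- a/test/e2e/resource_placement_hub_workload_test.go
+++ b/test/e2e/resource_placement_hub_workload_test.go
@@ -211,70 +211,5 @@ var _ = Describe("placing workloads using a RP with PickAll policy", Label("reso
 }
 })
 
-It("should verify deployment pods are created on hub cluster", func() {
-By("checking that deployment pods exist on hub cluster")
-Eventually(func() error {
-var deployed appsv1.Deployment
-if err := hubClient.Get(ctx, types.NamespacedName{
-Name: testDeployment.Name,
-Namespace: testDeployment.Namespace,
-}, &deployed); err != nil {
-return err
-}
-// Verify deployment is ready on hub
-if deployed.Status.ReadyReplicas != *deployed.Spec.Replicas {
-return fmt.Errorf("hub deployment not ready: %d/%d replicas ready", deployed.Status.ReadyReplicas, *deployed.Spec.Replicas)
-}
-if deployed.Status.UpdatedReplicas != *deployed.Spec.Replicas {
-return fmt.Errorf("hub deployment not updated: %d/%d replicas updated", deployed.Status.UpdatedReplicas, *deployed.Spec.Replicas)
-}
-return nil
-}, workloadEventuallyDuration, eventuallyInterval).Should(Succeed(),
-"Deployment should be ready on hub cluster")
-})
-
-It("should verify daemonset pods are created on hub cluster", func() {
-By("checking that daemonset pods exist on hub cluster")
-Eventually(func() error {
-var deployed appsv1.DaemonSet
-if err := hubClient.Get(ctx, types.NamespacedName{
-Name: testDaemonSet.Name,
-Namespace: testDaemonSet.Namespace,
-}, &deployed); err != nil {
-return err
-}
-// Verify daemonset is ready on hub
-if deployed.Status.NumberAvailable != deployed.Status.DesiredNumberScheduled {
-return fmt.Errorf("hub daemonset not ready: %d/%d pods available", deployed.Status.NumberAvailable, deployed.Status.DesiredNumberScheduled)
-}
-if deployed.Status.CurrentNumberScheduled != deployed.Status.UpdatedNumberScheduled {
-return fmt.Errorf("hub daemonset not updated: %d/%d pods updated", deployed.Status.UpdatedNumberScheduled, deployed.Status.CurrentNumberScheduled)
-}
-return nil
-}, workloadEventuallyDuration, eventuallyInterval).Should(Succeed(),
-"DaemonSet should be ready on hub cluster")
-})
-
-It("should verify statefulset pods are created on hub cluster", func() {
-By("checking that statefulset pods exist on hub cluster")
-Eventually(func() error {
-var deployed appsv1.StatefulSet
-if err := hubClient.Get(ctx, types.NamespacedName{
-Name: testStatefulSet.Name,
-Namespace: testStatefulSet.Namespace,
-}, &deployed); err != nil {
-return err
-}
-// Verify statefulset is ready on hub
-if deployed.Status.ReadyReplicas != *deployed.Spec.Replicas {
-return fmt.Errorf("hub statefulset not ready: %d/%d replicas ready", deployed.Status.ReadyReplicas, *deployed.Spec.Replicas)
-}
-if deployed.Status.CurrentReplicas != deployed.Status.UpdatedReplicas {
-return fmt.Errorf("hub statefulset not updated: %d/%d replicas updated", deployed.Status.UpdatedReplicas, deployed.Status.CurrentReplicas)
-}
-return nil
-}, workloadEventuallyDuration, eventuallyInterval).Should(Succeed(),
-"StatefulSet should be ready on hub cluster")
-})
 })
 })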
