Merge pull request kubernetes#75641 from fabriziopandini/e2e-kubeadm-new-test

E2e kubeadm new test

Author: k8s-ci-robot

test/e2e_kubeadm/BUILD

@@ -12,8 +12,13 @@ go_test(
         "bootstrap_token_test.go",
         "cluster_info_test.go",
         "controlplane_nodes_test.go",
+        "dns_addon_test.go",
         "e2e_kubeadm_suite_test.go",
+        "kubeadm_certs_test.go",
         "kubeadm_config_test.go",
+        "kubelet_config_test.go",
+        "nodes_test.go",
+        "proxy_addon_test.go",
     ],
     out = "e2e_kubeadm.test",
     embed = [":go_default_library"],
@@ -24,6 +29,7 @@ go_test(
         "//staging/src/k8s.io/api/rbac/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/version:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
         "//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
         "//test/e2e/framework:go_default_library",
@@ -63,6 +69,7 @@ go_library(
     importpath = "k8s.io/kubernetes/test/e2e_kubeadm",
     visibility = ["//visibility:public"],
     deps = [
+        "//staging/src/k8s.io/api/apps/v1:go_default_library",
         "//staging/src/k8s.io/api/authorization/v1:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/api/rbac/v1:go_default_library",

test/e2e_kubeadm/const.go

@@ -21,6 +21,4 @@ const (
 	kubeSystemNamespace = "kube-system"
 
 	anonymousUser = "system:anonymous"
-
-	nodesGroup = "system:nodes"
 )

test/e2e_kubeadm/dns_addon_test.go

@@ -0,0 +1,150 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e_kubeadm
+
+import (
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	dnsService = "kube-dns"
+
+	coreDNSServiceAccountName = "coredns"
+	coreDNSConfigMap          = "coredns"
+	coreDNSConfigMapKey       = "Corefile"
+	coreDNSRoleName           = "system:coredns"
+	coreDNSRoleBindingName    = coreDNSRoleName
+	coreDNSDeploymentName     = "coredns"
+
+	kubeDNSServiceAccountName = "kube-dns"
+	kubeDNSDeploymentName     = "kube-dns"
+)
+
+var (
+	dnsType = ""
+)
+
+// Define container for all the test specification aimed at verifying
+// that kubeadm configures the dns as expected
+var _ = KubeadmDescribe("DNS addon", func() {
+
+	// Get an instance of the k8s test framework
+	f := framework.NewDefaultFramework("DNS")
+
+	// Tests in this container are not expected to create new objects in the cluster
+	// so we are disabling the creation of a namespace in order to get a faster execution
+	f.SkipNamespaceCreation = true
+
+	// kubeadm supports two type of DNS addon, and so
+	// it is necessary to get it from the kubeadm-config ConfigMap before testing
+	BeforeEach(func() {
+		// if the dnsType name is already known exit
+		if dnsType != "" {
+			return
+		}
+
+		// gets the ClusterConfiguration from the kubeadm kubeadm-config ConfigMap as a untyped map
+		m := getClusterConfiguration(f.ClientSet)
+
+		// Extract the dnsType
+		dnsType = "CoreDNS"
+		if _, ok := m["dns"]; ok {
+			d := m["dns"].(map[interface{}]interface{})
+			if t, ok := d["type"]; ok {
+				dnsType = t.(string)
+			}
+		}
+	})
+
+	Context("kube-dns", func() {
+		Context("kube-dns ServiceAccount", func() {
+			It("should exist", func() {
+				if dnsType != "kube-dns" {
+					framework.Skipf("Skipping because DNS type is %s", dnsType)
+				}
+
+				ExpectServiceAccount(f.ClientSet, kubeSystemNamespace, kubeDNSServiceAccountName)
+			})
+		})
+
+		Context("kube-dns Deployment", func() {
+			It("should exist and be properly configured", func() {
+				if dnsType != "kube-dns" {
+					framework.Skipf("Skipping because DNS type is %s", dnsType)
+				}
+
+				d := GetDeployment(f.ClientSet, kubeSystemNamespace, kubeDNSDeploymentName)
+
+				Expect(d.Spec.Template.Spec.ServiceAccountName).To(Equal(kubeDNSServiceAccountName))
+			})
+		})
+	})
+
+	Context("CoreDNS", func() {
+		Context("CoreDNS ServiceAccount", func() {
+			It("should exist", func() {
+				if dnsType != "CoreDNS" {
+					framework.Skipf("Skipping because DNS type is %s", dnsType)
+				}
+
+				ExpectServiceAccount(f.ClientSet, kubeSystemNamespace, coreDNSServiceAccountName)
+			})
+
+			It("should have related ClusterRole and ClusterRoleBinding", func() {
+				if dnsType != "CoreDNS" {
+					framework.Skipf("Skipping because DNS type is %s", dnsType)
+				}
+
+				ExpectClusterRole(f.ClientSet, coreDNSRoleName)
+				ExpectClusterRoleBinding(f.ClientSet, coreDNSRoleBindingName)
+			})
+		})
+
+		Context("CoreDNS ConfigMap", func() {
+			It("should exist and be properly configured", func() {
+				if dnsType != "CoreDNS" {
+					framework.Skipf("Skipping because DNS type is %s", dnsType)
+				}
+
+				cm := GetConfigMap(f.ClientSet, kubeSystemNamespace, coreDNSConfigMap)
+
+				Expect(cm.Data).To(HaveKey(coreDNSConfigMapKey))
+			})
+		})
+
+		Context("CoreDNS Deployment", func() {
+			It("should exist and be properly configured", func() {
+				if dnsType != "CoreDNS" {
+					framework.Skipf("Skipping because DNS type is %s", dnsType)
+				}
+
+				d := GetDeployment(f.ClientSet, kubeSystemNamespace, coreDNSDeploymentName)
+
+				Expect(d.Spec.Template.Spec.ServiceAccountName).To(Equal(coreDNSServiceAccountName))
+			})
+		})
+	})
+
+	Context("DNS Service", func() {
+		It("should exist", func() {
+			ExpectService(f.ClientSet, kubeSystemNamespace, dnsService)
+		})
+	})
+})

test/e2e_kubeadm/kubeadm_certs_test.go

@@ -0,0 +1,116 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e_kubeadm
+
+import (
+	"fmt"
+
+	authv1 "k8s.io/api/authorization/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	kubeadmCertsSecretName = "kubeadm-certs"
+)
+
+var (
+	kubeadmCertsRoleName        = fmt.Sprintf("kubeadm:%s", kubeadmCertsSecretName)
+	kubeadmCertsRoleBindingName = kubeadmCertsRoleName
+
+	kubeadmCertsSecretResource = &authv1.ResourceAttributes{
+		Namespace: kubeSystemNamespace,
+		Name:      kubeadmCertsSecretName,
+		Resource:  "secrets",
+		Verb:      "get",
+	}
+)
+
+// Define container for all the test specification aimed at verifying
+// that kubeadm creates the kubeadm-certs Secret, that it is properly configured
+// and that all the related RBAC rules are in place
+
+// Important! please note that kubeadm-certs is not created by default (still alpha)
+// in case you want to skip this test use SKIP=copy-certs
+var _ = KubeadmDescribe("kubeadm-certs [copy-certs]", func() {
+
+	// Get an instance of the k8s test framework
+	f := framework.NewDefaultFramework("kubeadm-certs")
+
+	// Tests in this container are not expected to create new objects in the cluster
+	// so we are disabling the creation of a namespace in order to get a faster execution
+	f.SkipNamespaceCreation = true
+
+	It("should exist and be properly configured", func() {
+		s := GetSecret(f.ClientSet, kubeSystemNamespace, kubeadmCertsSecretName)
+
+		// Checks the kubeadm-certs is ownen by a time lived token
+		Expect(s.OwnerReferences).To(HaveLen(1), "%s should have one owner reference", kubeadmCertsSecretName)
+		ownRef := s.OwnerReferences[0]
+		Expect(ownRef.Kind).To(Equal("Secret"), "%s should be owned by a secret", kubeadmCertsSecretName)
+		Expect(*ownRef.BlockOwnerDeletion).To(BeTrue(), "%s should be deleted on owner deletion", kubeadmCertsSecretName)
+
+		o := GetSecret(f.ClientSet, kubeSystemNamespace, ownRef.Name)
+		Expect(o.Type).To(Equal(corev1.SecretTypeBootstrapToken), "%s should have an owner reference that refers to a bootstrap-token", kubeadmCertsSecretName)
+		Expect(o.Data).To(HaveKey("expiration"), "%s should have an owner reference with an expiration", kubeadmCertsSecretName)
+
+		// gets the ClusterConfiguration from the kubeadm kubeadm-config ConfigMap as a untyped map
+		m := getClusterConfiguration(f.ClientSet)
+
+		// Extract the etcd Type
+		etcdType := "local"
+		if _, ok := m["etcd"]; ok {
+			d := m["etcd"].(map[interface{}]interface{})
+			if _, ok := d["external"]; ok {
+				etcdType = "external"
+			}
+		}
+
+		// check if all the expected key exists
+		Expect(s.Data).To(HaveKey("ca.crt"))
+		Expect(s.Data).To(HaveKey("ca.key"))
+		Expect(s.Data).To(HaveKey("front-proxy-ca.crt"))
+		Expect(s.Data).To(HaveKey("front-proxy-ca.key"))
+		Expect(s.Data).To(HaveKey("sa.pub"))
+		Expect(s.Data).To(HaveKey("sa.key"))
+
+		if etcdType == "local" {
+			Expect(s.Data).To(HaveKey("etcd-ca.crt"))
+			Expect(s.Data).To(HaveKey("etcd-ca.key"))
+		} else {
+			Expect(s.Data).To(HaveKey("external-etcd-ca.crt"))
+			Expect(s.Data).To(HaveKey("external-etcd.crt"))
+			Expect(s.Data).To(HaveKey("external-etcd.key"))
+		}
+	})
+
+	It("should have related Role and RoleBinding", func() {
+		ExpectRole(f.ClientSet, kubeSystemNamespace, kubeadmCertsRoleName)
+		ExpectRoleBinding(f.ClientSet, kubeSystemNamespace, kubeadmCertsRoleBindingName)
+	})
+
+	It("should be accessible for bootstrap tokens", func() {
+		ExpectSubjectHasAccessToResource(f.ClientSet,
+			rbacv1.GroupKind, bootstrapTokensGroup,
+			kubeadmCertsSecretResource,
+		)
+	})
+})