e2e-kubeadm-refactor

Author: fabriziopandini

test/e2e_kubeadm/BUILD

@@ -9,24 +9,28 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")
 go_test(
     name = "go_default_test",
     srcs = [
+        "bootstrap_token_test.go",
+        "cluster_info_test.go",
+        "controlplane_nodes_test.go",
         "e2e_kubeadm_suite_test.go",
-        "kubeadm_test.go",
+        "kubeadm_config_test.go",
     ],
     out = "e2e_kubeadm.test",
     embed = [":go_default_library"],
     tags = ["e2e"],
     deps = [
+        "//staging/src/k8s.io/api/authorization/v1:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/api/rbac/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
-        "//staging/src/k8s.io/client-go/rest:go_default_library",
         "//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
         "//test/e2e/framework:go_default_library",
         "//vendor/github.com/onsi/ginkgo:go_default_library",
         "//vendor/github.com/onsi/gomega:go_default_library",
         "//vendor/github.com/spf13/pflag:go_default_library",
+        "//vendor/gopkg.in/yaml.v2:go_default_library",
     ],
 )
 
@@ -50,11 +54,22 @@ filegroup(
 
 go_library(
     name = "go_default_library",
-    srcs = ["matchers.go"],
+    srcs = [
+        "bootstrap_signer.go",
+        "const.go",
+        "framework.go",
+        "util.go",
+    ],
     importpath = "k8s.io/kubernetes/test/e2e_kubeadm",
     visibility = ["//visibility:public"],
     deps = [
+        "//staging/src/k8s.io/api/authorization/v1:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/rbac/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
+        "//test/e2e/framework:go_default_library",
+        "//vendor/github.com/onsi/ginkgo:go_default_library",
         "//vendor/github.com/onsi/gomega:go_default_library",
         "//vendor/github.com/onsi/gomega/gstruct:go_default_library",
     ],

test/e2e_kubeadm/bootstrap_signer.go

@@ -0,0 +1,47 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e_kubeadm
+
+import (
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+)
+
+const (
+	bootstrapTokensSignerRoleName = "system:controller:bootstrap-signer"
+)
+
+// Define container for all the test specification aimed at verifying
+// that kubeadm creates the bootstrap signer
+var _ = KubeadmDescribe("bootstrap signer", func() {
+
+	// Get an instance of the k8s test framework
+	f := framework.NewDefaultFramework("bootstrap token")
+
+	// Tests in this container are not expected to create new objects in the cluster
+	// so we are disabling the creation of a namespace in order to get a faster execution
+	f.SkipNamespaceCreation = true
+
+	It("should be active", func() {
+		//NB. this is technically implemented a part of the control-plane phase
+		//    and more specifically if the controller manager is properly configured,
+		//    the bootstrapsigner controller is activated and the system:controller:bootstrap-signer
+		//    group will be automatically created
+		ExpectRole(f.ClientSet, kubeSystemNamespace, bootstrapTokensSignerRoleName)
+	})
+})

test/e2e_kubeadm/bootstrap_token_test.go

@@ -0,0 +1,82 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e_kubeadm
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	bootstrapTokensGroup                             = "system:bootstrappers:kubeadm:default-node-token"
+	bootstrapTokensAllowPostCSRClusterRoleBinding    = "kubeadm:kubelet-bootstrap"
+	bootstrapTokensAllowPostCSRClusterRoleName       = "system:node-bootstrapper"
+	bootstrapTokensCSRAutoApprovalClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
+	bootstrapTokensCSRAutoApprovalClusterRoleName    = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
+)
+
+// Define container for all the test specification aimed at verifying
+// that kubeadm creates the bootstrap token, the system:bootstrappers:kubeadm:default-node-token group
+// and that all the related RBAC rules are in place
+var _ = KubeadmDescribe("bootstrap token", func() {
+
+	// Get an instance of the k8s test framework
+	f := framework.NewDefaultFramework("bootstrap token")
+
+	// Tests in this container are not expected to create new objects in the cluster
+	// so we are disabling the creation of a namespace in order to get a faster execution
+	f.SkipNamespaceCreation = true
+
+	It("should exist and be properly configured", func() {
+		secrets, err := f.ClientSet.CoreV1().
+			Secrets(kubeSystemNamespace).
+			List(metav1.ListOptions{})
+		framework.ExpectNoError(err, "error reading Secrets")
+
+		tokenNum := 0
+		for _, s := range secrets.Items {
+			if s.Type == corev1.SecretTypeBootstrapToken {
+				//TODO: might be we want to further check tokens  (auth-extra-groups, usage etc)
+				tokenNum++
+			}
+		}
+		Expect(tokenNum).Should(BeNumerically(">", 0), "At least one bootstrap token should exist")
+	})
+
+	It("should be allowed to post CSR for kubelet certificates on joining nodes", func() {
+		ExpectClusterRoleBindingWithSubjectAndRole(f.ClientSet,
+			bootstrapTokensAllowPostCSRClusterRoleBinding,
+			rbacv1.GroupKind, bootstrapTokensGroup,
+			bootstrapTokensAllowPostCSRClusterRoleName,
+		)
+		//TODO: check if possible to verify "allowed to post CSR" using subject asses review as well
+	})
+
+	It("should be allowed to auto approve CSR for kubelet certificates on joining nodes", func() {
+		ExpectClusterRoleBindingWithSubjectAndRole(f.ClientSet,
+			bootstrapTokensCSRAutoApprovalClusterRoleBinding,
+			rbacv1.GroupKind, bootstrapTokensGroup,
+			bootstrapTokensCSRAutoApprovalClusterRoleName,
+		)
+		//TODO: check if possible to verify "allowed to auto approve CSR" using subject asses review as well
+	})
+})

test/e2e_kubeadm/cluster_info_test.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e_kubeadm
+
+import (
+	authv1 "k8s.io/api/authorization/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	clusterInfoConfigMapName   = "cluster-info"
+	clusterInfoRoleName        = "kubeadm:bootstrap-signer-clusterinfo"
+	clusterInfoRoleBindingName = clusterInfoRoleName
+)
+
+var (
+	clusterInfoConfigMapResource = &authv1.ResourceAttributes{
+		Namespace: kubePublicNamespace,
+		Name:      clusterInfoConfigMapName,
+		Resource:  "configmaps",
+		Verb:      "get",
+	}
+)
+
+// Define container for all the test specification aimed at verifying
+// that kubeadm creates the cluster-info ConfigMap, that it is properly configured
+// and that all the related RBAC rules are in place
+var _ = KubeadmDescribe("cluster-info ConfigMap", func() {
+
+	// Get an instance of the k8s test framework
+	f := framework.NewDefaultFramework("cluster-info")
+
+	// Tests in this container are not expected to create new objects in the cluster
+	// so we are disabling the creation of a namespace in order to get a faster execution
+	f.SkipNamespaceCreation = true
+
+	It("should exist and be properly configured", func() {
+		// Nb. this is technically implemented a part of the bootstrap-token phase
+		cm := GetConfigMap(f.ClientSet, kubePublicNamespace, clusterInfoConfigMapName)
+
+		Expect(cm.Data).To(HaveKey(HavePrefix(bootstrapapi.JWSSignatureKeyPrefix)))
+		Expect(cm.Data).To(HaveKey(bootstrapapi.KubeConfigKey))
+
+		//TODO: What else? server?
+	})
+
+	It("should have related Role and RoleBinding", func() {
+		// Nb. this is technically implemented a part of the bootstrap-token phase
+		ExpectRole(f.ClientSet, kubePublicNamespace, clusterInfoRoleName)
+		ExpectRoleBinding(f.ClientSet, kubePublicNamespace, clusterInfoRoleBindingName)
+	})
+
+	It("should be accessible for anonymous", func() {
+		ExpectSubjectHasAccessToResource(f.ClientSet,
+			rbacv1.UserKind, anonymousUser,
+			clusterInfoConfigMapResource,
+		)
+	})
+})

test/e2e_kubeadm/matchers.go renamed to test/e2e_kubeadm/const.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2018 The Kubernetes Authors.
+Copyright 2019 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,22 +16,11 @@ limitations under the License.
 
 package e2e_kubeadm
 
-import (
-	"github.com/onsi/gomega"
-	"github.com/onsi/gomega/gstruct"
-	corev1 "k8s.io/api/core/v1"
-)
+const (
+	kubePublicNamespace = "kube-public"
+	kubeSystemNamespace = "kube-system"
 
-func subject(name, kind string) gomega.OmegaMatcher {
-	return gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
-		"Name": gomega.Equal(name),
-		"Kind": gomega.Equal(kind),
-	})
-}
+	anonymousUser = "system:anonymous"
 
-func taint(key string, effect corev1.TaintEffect) gomega.OmegaMatcher {
-	return gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
-		"Key":    gomega.Equal(key),
-		"Effect": gomega.Equal(effect),
-	})
-}
+	nodesGroup = "system:nodes"
+)

test/e2e_kubeadm/controlplane_nodes_test.go

@@ -0,0 +1,68 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e_kubeadm
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	controlPlaneTaint = "node-role.kubernetes.io/master"
+)
+
+// Define container for all the test specification aimed at verifying
+// that kubeadm configures the control-plane node as expected
+var _ = KubeadmDescribe("control-plane node", func() {
+
+	// Get an instance of the k8s test framework
+	f := framework.NewDefaultFramework("control-plane node")
+
+	// Tests in this container are not expected to create new objects in the cluster
+	// so we are disabling the creation of a namespace in order to get a faster execution
+	f.SkipNamespaceCreation = true
+
+	// Important! please note that this test can't be run on single-node clusters
+	// in case you can skip this test with SKIP=multi-node
+	It("should be labelled and tainted [multi-node]", func() {
+		// get all control-plane nodes (and this implicitly checks that node are properly labeled)
+		controlPlanes := getControlPlaneNodes(f.ClientSet)
+
+		// checks if there is at least one control-plane node
+		Expect(controlPlanes.Items).NotTo(BeEmpty(), "at least one node with label %s should exist. if you are running test on a single-node cluster, you can skip this test with SKIP=multi-node", controlPlaneTaint)
+
+		// checks that the control-plane nodes have the expected taint
+		for _, cp := range controlPlanes.Items {
+			framework.ExpectNodeHasTaint(f.ClientSet, cp.GetName(), &corev1.Taint{Key: controlPlaneTaint, Effect: corev1.TaintEffectNoSchedule})
+		}
+	})
+})
+
+func getControlPlaneNodes(c clientset.Interface) *corev1.NodeList {
+	selector := labels.Set{controlPlaneTaint: ""}.AsSelector()
+	masters, err := c.CoreV1().Nodes().
+		List(metav1.ListOptions{LabelSelector: selector.String()})
+	framework.ExpectNoError(err, "error reading control-plane nodes")
+
+	return masters
+}

test/e2e_kubeadm/framework.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e_kubeadm
+
+import "k8s.io/kubernetes/test/e2e/framework"
+
+func KubeadmDescribe(text string, body func()) bool {
+	return framework.KubeDescribe("[sig-cluster-lifecycle] [area-kubeadm] "+text, body)
+}