Entrar
golang
/
flannel
1
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Tree: 2e8af17795
Branches Tags
flannel
/
vendor
/
k8s.io
/
kubernetes
/
test
/
e2e
/
service_accounts.go

service_accounts.go 8.3 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241 
  1. /*
    2. 

  2. Copyright 2014 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package e2e
    18. 

  18. 

  19. import (
    20. 

  20. 	"fmt"
    21. 

  21. 	"time"
    22. 

  22. 

  23. 	"k8s.io/kubernetes/pkg/api"
    24. 

  24. 	apierrors "k8s.io/kubernetes/pkg/api/errors"
    25. 

  25. 	"k8s.io/kubernetes/pkg/util/uuid"
    26. 

  26. 	"k8s.io/kubernetes/pkg/util/wait"
    27. 

  27. 	"k8s.io/kubernetes/pkg/version"
    28. 

  28. 	"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
    29. 

  29. 	"k8s.io/kubernetes/test/e2e/framework"
    30. 

  30. 

  31. 	. "github.com/onsi/ginkgo"
    32. 

  32. 	. "github.com/onsi/gomega"
    33. 

  33. )
    34. 

  34. 

  35. var serviceAccountTokenNamespaceVersion = version.MustParse("v1.2.0")
    36. 

  36. 

  37. var _ = framework.KubeDescribe("ServiceAccounts", func() {
    38. 

  38. 	f := framework.NewDefaultFramework("svcaccounts")
    39. 

  39. 

  40. 	It("should ensure a single API token exists", func() {
    41. 

  41. 		// wait for the service account to reference a single secret
    42. 

  42. 		var secrets []api.ObjectReference
    43. 

  43. 		framework.ExpectNoError(wait.Poll(time.Millisecond*500, time.Second*10, func() (bool, error) {
    44. 

  44. 			By("waiting for a single token reference")
    45. 

  45. 			sa, err := f.Client.ServiceAccounts(f.Namespace.Name).Get("default")
    46. 

  46. 			if apierrors.IsNotFound(err) {
    47. 

  47. 				framework.Logf("default service account was not found")
    48. 

  48. 				return false, nil
    49. 

  49. 			}
    50. 

  50. 			if err != nil {
    51. 

  51. 				framework.Logf("error getting default service account: %v", err)
    52. 

  52. 				return false, err
    53. 

  53. 			}
    54. 

  54. 			switch len(sa.Secrets) {
    55. 

  55. 			case 0:
    56. 

  56. 				framework.Logf("default service account has no secret references")
    57. 

  57. 				return false, nil
    58. 

  58. 			case 1:
    59. 

  59. 				framework.Logf("default service account has a single secret reference")
    60. 

  60. 				secrets = sa.Secrets
    61. 

  61. 				return true, nil
    62. 

  62. 			default:
    63. 

  63. 				return false, fmt.Errorf("default service account has too many secret references: %#v", sa.Secrets)
    64. 

  64. 			}
    65. 

  65. 		}))
    66. 

  66. 

  67. 		// make sure the reference doesn't flutter
    68. 

  68. 		{
    69. 

  69. 			By("ensuring the single token reference persists")
    70. 

  70. 			time.Sleep(2 * time.Second)
    71. 

  71. 			sa, err := f.Client.ServiceAccounts(f.Namespace.Name).Get("default")
    72. 

  72. 			framework.ExpectNoError(err)
    73. 

  73. 			Expect(sa.Secrets).To(Equal(secrets))
    74. 

  74. 		}
    75. 

  75. 

  76. 		// delete the referenced secret
    77. 

  77. 		By("deleting the service account token")
    78. 

  78. 		framework.ExpectNoError(f.Client.Secrets(f.Namespace.Name).Delete(secrets[0].Name))
    79. 

  79. 

  80. 		// wait for the referenced secret to be removed, and another one autocreated
    81. 

  81. 		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
    82. 

  82. 			By("waiting for a new token reference")
    83. 

  83. 			sa, err := f.Client.ServiceAccounts(f.Namespace.Name).Get("default")
    84. 

  84. 			if err != nil {
    85. 

  85. 				framework.Logf("error getting default service account: %v", err)
    86. 

  86. 				return false, err
    87. 

  87. 			}
    88. 

  88. 			switch len(sa.Secrets) {
    89. 

  89. 			case 0:
    90. 

  90. 				framework.Logf("default service account has no secret references")
    91. 

  91. 				return false, nil
    92. 

  92. 			case 1:
    93. 

  93. 				if sa.Secrets[0] == secrets[0] {
    94. 

  94. 					framework.Logf("default service account still has the deleted secret reference")
    95. 

  95. 					return false, nil
    96. 

  96. 				}
    97. 

  97. 				framework.Logf("default service account has a new single secret reference")
    98. 

  98. 				secrets = sa.Secrets
    99. 

  99. 				return true, nil
    100. 

  100. 			default:
    101. 

  101. 				return false, fmt.Errorf("default service account has too many secret references: %#v", sa.Secrets)
    102. 

  102. 			}
    103. 

  103. 		}))
    104. 

  104. 

  105. 		// make sure the reference doesn't flutter
    106. 

  106. 		{
    107. 

  107. 			By("ensuring the single token reference persists")
    108. 

  108. 			time.Sleep(2 * time.Second)
    109. 

  109. 			sa, err := f.Client.ServiceAccounts(f.Namespace.Name).Get("default")
    110. 

  110. 			framework.ExpectNoError(err)
    111. 

  111. 			Expect(sa.Secrets).To(Equal(secrets))
    112. 

  112. 		}
    113. 

  113. 

  114. 		// delete the reference from the service account
    115. 

  115. 		By("deleting the reference to the service account token")
    116. 

  116. 		{
    117. 

  117. 			sa, err := f.Client.ServiceAccounts(f.Namespace.Name).Get("default")
    118. 

  118. 			framework.ExpectNoError(err)
    119. 

  119. 			sa.Secrets = nil
    120. 

  120. 			_, updateErr := f.Client.ServiceAccounts(f.Namespace.Name).Update(sa)
    121. 

  121. 			framework.ExpectNoError(updateErr)
    122. 

  122. 		}
    123. 

  123. 

  124. 		// wait for another one to be autocreated
    125. 

  125. 		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
    126. 

  126. 			By("waiting for a new token to be created and added")
    127. 

  127. 			sa, err := f.Client.ServiceAccounts(f.Namespace.Name).Get("default")
    128. 

  128. 			if err != nil {
    129. 

  129. 				framework.Logf("error getting default service account: %v", err)
    130. 

  130. 				return false, err
    131. 

  131. 			}
    132. 

  132. 			switch len(sa.Secrets) {
    133. 

  133. 			case 0:
    134. 

  134. 				framework.Logf("default service account has no secret references")
    135. 

  135. 				return false, nil
    136. 

  136. 			case 1:
    137. 

  137. 				framework.Logf("default service account has a new single secret reference")
    138. 

  138. 				secrets = sa.Secrets
    139. 

  139. 				return true, nil
    140. 

  140. 			default:
    141. 

  141. 				return false, fmt.Errorf("default service account has too many secret references: %#v", sa.Secrets)
    142. 

  142. 			}
    143. 

  143. 		}))
    144. 

  144. 

  145. 		// make sure the reference doesn't flutter
    146. 

  146. 		{
    147. 

  147. 			By("ensuring the single token reference persists")
    148. 

  148. 			time.Sleep(2 * time.Second)
    149. 

  149. 			sa, err := f.Client.ServiceAccounts(f.Namespace.Name).Get("default")
    150. 

  150. 			framework.ExpectNoError(err)
    151. 

  151. 			Expect(sa.Secrets).To(Equal(secrets))
    152. 

  152. 		}
    153. 

  153. 	})
    154. 

  154. 

  155. 	It("should mount an API token into pods [Conformance]", func() {
    156. 

  156. 		var tokenContent string
    157. 

  157. 		var rootCAContent string
    158. 

  158. 

  159. 		// Standard get, update retry loop
    160. 

  160. 		framework.ExpectNoError(wait.Poll(time.Millisecond*500, framework.ServiceAccountProvisionTimeout, func() (bool, error) {
    161. 

  161. 			By("getting the auto-created API token")
    162. 

  162. 			sa, err := f.Client.ServiceAccounts(f.Namespace.Name).Get("default")
    163. 

  163. 			if apierrors.IsNotFound(err) {
    164. 

  164. 				framework.Logf("default service account was not found")
    165. 

  165. 				return false, nil
    166. 

  166. 			}
    167. 

  167. 			if err != nil {
    168. 

  168. 				framework.Logf("error getting default service account: %v", err)
    169. 

  169. 				return false, err
    170. 

  170. 			}
    171. 

  171. 			if len(sa.Secrets) == 0 {
    172. 

  172. 				framework.Logf("default service account has no secret references")
    173. 

  173. 				return false, nil
    174. 

  174. 			}
    175. 

  175. 			for _, secretRef := range sa.Secrets {
    176. 

  176. 				secret, err := f.Client.Secrets(f.Namespace.Name).Get(secretRef.Name)
    177. 

  177. 				if err != nil {
    178. 

  178. 					framework.Logf("Error getting secret %s: %v", secretRef.Name, err)
    179. 

  179. 					continue
    180. 

  180. 				}
    181. 

  181. 				if secret.Type == api.SecretTypeServiceAccountToken {
    182. 

  182. 					tokenContent = string(secret.Data[api.ServiceAccountTokenKey])
    183. 

  183. 					rootCAContent = string(secret.Data[api.ServiceAccountRootCAKey])
    184. 

  184. 					return true, nil
    185. 

  185. 				}
    186. 

  186. 			}
    187. 

  187. 

  188. 			framework.Logf("default service account has no secret references to valid service account tokens")
    189. 

  189. 			return false, nil
    190. 

  190. 		}))
    191. 

  191. 

  192. 		pod := &api.Pod{
    193. 

  193. 			ObjectMeta: api.ObjectMeta{
    194. 

  194. 				Name: "pod-service-account-" + string(uuid.NewUUID()),
    195. 

  195. 			},
    196. 

  196. 			Spec: api.PodSpec{
    197. 

  197. 				Containers: []api.Container{
    198. 

  198. 					{
    199. 

  199. 						Name:  "token-test",
    200. 

  200. 						Image: "gcr.io/google_containers/mounttest:0.2",
    201. 

  201. 						Args: []string{
    202. 

  202. 							fmt.Sprintf("--file_content=%s/%s", serviceaccount.DefaultAPITokenMountPath, api.ServiceAccountTokenKey),
    203. 

  203. 						},
    204. 

  204. 					},
    205. 

  205. 					{
    206. 

  206. 						Name:  "root-ca-test",
    207. 

  207. 						Image: "gcr.io/google_containers/mounttest:0.2",
    208. 

  208. 						Args: []string{
    209. 

  209. 							fmt.Sprintf("--file_content=%s/%s", serviceaccount.DefaultAPITokenMountPath, api.ServiceAccountRootCAKey),
    210. 

  210. 						},
    211. 

  211. 					},
    212. 

  212. 				},
    213. 

  213. 				RestartPolicy: api.RestartPolicyNever,
    214. 

  214. 			},
    215. 

  215. 		}
    216. 

  216. 

  217. 		supportsTokenNamespace, _ := framework.ServerVersionGTE(serviceAccountTokenNamespaceVersion, f.Client)
    218. 

  218. 		if supportsTokenNamespace {
    219. 

  219. 			pod.Spec.Containers = append(pod.Spec.Containers, api.Container{
    220. 

  220. 				Name:  "namespace-test",
    221. 

  221. 				Image: "gcr.io/google_containers/mounttest:0.2",
    222. 

  222. 				Args: []string{
    223. 

  223. 					fmt.Sprintf("--file_content=%s/%s", serviceaccount.DefaultAPITokenMountPath, api.ServiceAccountNamespaceKey),
    224. 

  224. 				},
    225. 

  225. 			})
    226. 

  226. 		}
    227. 

  227. 

  228. 		f.TestContainerOutput("consume service account token", pod, 0, []string{
    229. 

  229. 			fmt.Sprintf(`content of file "%s/%s": %s`, serviceaccount.DefaultAPITokenMountPath, api.ServiceAccountTokenKey, tokenContent),
    230. 

  230. 		})
    231. 

  231. 		f.TestContainerOutput("consume service account root CA", pod, 1, []string{
    232. 

  232. 			fmt.Sprintf(`content of file "%s/%s": %s`, serviceaccount.DefaultAPITokenMountPath, api.ServiceAccountRootCAKey, rootCAContent),
    233. 

  233. 		})
    234. 

  234. 

  235. 		if supportsTokenNamespace {
    236. 

  236. 			f.TestContainerOutput("consume service account namespace", pod, 2, []string{
    237. 

  237. 				fmt.Sprintf(`content of file "%s/%s": %s`, serviceaccount.DefaultAPITokenMountPath, api.ServiceAccountNamespaceKey, f.Namespace.Name),
    238. 

  238. 			})
    239. 

  239. 		}
    240. 

  240. 	})
    241. 

  241. })
    242.