add unit and integration tests for rbac authorizer by ericchiang · Pull Request #26753 · kubernetes/kubernetes

ericchiang · 2016-06-02T23:47:38Z

This PR adds lots of tests for the RBAC authorizer.

The plan over the next couple days is to add a lot more test cases.

Updates #23396

cc @erictune

ericchiang · 2016-06-07T17:32:55Z

@erictune this is a bit more fleshed out. Any comments?

ericchiang · 2016-06-07T18:28:19Z

e2e testing woes

â€¢ Failure [301.928 seconds]
[k8s.io] Kubelet
/var/lib/jenkins/workspace/node-pull-build-e2e-test@2/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:639
  metrics api
  /var/lib/jenkins/workspace/node-pull-build-e2e-test@2/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e_node/kubelet_test.go:165
    when querying /stats/summary
    /var/lib/jenkins/workspace/node-pull-build-e2e-test@2/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e_node/kubelet_test.go:164
      it should report resource usage through the stats api [It]
      /var/lib/jenkins/workspace/node-pull-build-e2e-test@2/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e_node/kubelet_test.go:163

      Timed out after 300.000s.
      Expected
          <*errors.errorString | 0xc8209f5310>: {
              s: "expected metrics for kubelet",
          }
      to be nil

erictune · 2016-06-09T00:22:19Z

You are testing denial when the object does not exist. You should also test denial when the object does exist.

erictune · 2016-06-09T00:28:21Z

Suggest: for each type of object, have a test case where that object is modified, and then authz outcomes change.

davidopp · 2016-06-12T01:56:17Z

Added 1.3 milestone since the associated issue is marked 1.3

erictune · 2016-06-14T00:19:12Z

LGTM

erictune · 2016-06-14T00:19:29Z

lgtm

erictune · 2016-06-14T05:26:36Z

--- FAIL: TestRBAC (0.15s)
    rbac_test.go:438: case 0, req 6: pod-reader GET pods expected "200 OK" got "403 Forbidden"
    rbac_test.go:438: case 1, req 7: job-writer GET jobs expected "200 OK" got "403 Forbidden"
    rbac_test.go:438: case 1, req 8: job-writer GET jobs expected "404 Not Found" got "403 Forbidden"
    rbac_test.go:438: case 1, req 9: job-writer POST jobs expected "201 Created" got "403 Forbidden"
    rbac_test.go:438: case 1, req 10: job-writer GET jobs expected "200 OK" got "403 Forbidden"
    rbac_test.go:438: case 1, req 11: job-writer-namespace GET jobs expected "200 OK" got "403 Forbidden"
    rbac_test.go:438: case 1, req 12: job-writer-namespace GET jobs expected "404 Not Found" got "403 Forbidden"
    rbac_test.go:438: case 1, req 13: job-writer-namespace POST jobs expected "201 Created" got "403 Forbidden"
    rbac_test.go:438: case 1, req 14: job-writer-namespace GET jobs expected "200 OK" got "403 Forbidden"

ericchiang · 2016-06-14T15:49:43Z

@erictune am looking into this

ericchiang · 2016-06-14T17:55:04Z

git bisect says #27255 is when this started failing.

ericchiang · 2016-06-14T19:22:53Z

@erictune this should be good now

erictune · 2016-06-15T19:56:38Z

LGTM

ericchiang · 2016-06-17T17:05:00Z

@erictune This test failure doesn't look related to the PR

# k8s.io/kubernetes/cmd/kubelet
/usr/local/go/pkg/tool/linux_amd64/link: running aarch64-linux-gnu-gcc failed: fork/exec /usr/bin/aarch64-linux-gnu-gcc: cannot allocate memory

goltermann · 2016-06-20T00:33:44Z

@k8s-bot e2e test this issue: #IGNORE

k8s-bot · 2016-06-20T01:15:31Z

GCE e2e build/test passed for commit d13e351.

k8s-github-robot · 2016-06-20T01:38:57Z

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

k8s-bot · 2016-06-20T02:18:56Z

GCE e2e build/test passed for commit d13e351.

k8s-github-robot · 2016-06-20T02:19:08Z

Automatic merge from submit-queue

googlebot added the cla: yes label Jun 2, 2016

ericchiang force-pushed the rbac-authorizer-tests branch from ad064d9 to d07ec41 Compare June 2, 2016 23:48

k8s-github-robot assigned ixdy Jun 2, 2016

k8s-github-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. release-note-label-needed labels Jun 2, 2016

ixdy assigned erictune and unassigned ixdy Jun 3, 2016

ericchiang force-pushed the rbac-authorizer-tests branch from d07ec41 to 7104d4a Compare June 7, 2016 17:31

ericchiang changed the title ~~add unit and integration tests for rbac authorizer [wip]~~ add unit and integration tests for rbac authorizer Jun 7, 2016

ericchiang force-pushed the rbac-authorizer-tests branch from 7104d4a to cc7611b Compare June 7, 2016 22:28

ericchiang mentioned this pull request Jun 8, 2016

Role-based access control (RBAC) kubernetes/enhancements#2

Closed

erictune reviewed Jun 9, 2016
View reviewed changes

davidopp added this to the v1.3 milestone Jun 12, 2016

erictune added lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. and removed release-note-label-needed labels Jun 14, 2016

add unit and integration tests for rbac authorizer

d13e351

ericchiang force-pushed the rbac-authorizer-tests branch from cc7611b to d13e351 Compare June 14, 2016 18:07

k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 14, 2016

erictune added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 15, 2016

erictune mentioned this pull request Jun 17, 2016

Upstream Openshift Authz #23396

Closed

erictune added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Jun 17, 2016

k8s-github-robot merged commit 6fbf99b into kubernetes:master Jun 20, 2016

Conversation

ericchiang commented Jun 2, 2016

Uh oh!

ericchiang commented Jun 7, 2016

Uh oh!

ericchiang commented Jun 7, 2016

Uh oh!

erictune Jun 9, 2016

Choose a reason for hiding this comment

Uh oh!

erictune commented Jun 9, 2016

Uh oh!

davidopp commented Jun 12, 2016

Uh oh!

erictune commented Jun 14, 2016

Uh oh!

erictune commented Jun 14, 2016

Uh oh!

erictune commented Jun 14, 2016

Uh oh!

ericchiang commented Jun 14, 2016

Uh oh!

ericchiang commented Jun 14, 2016

Uh oh!

ericchiang commented Jun 14, 2016

Uh oh!

erictune commented Jun 15, 2016

Uh oh!

ericchiang commented Jun 17, 2016

Uh oh!

goltermann commented Jun 20, 2016

Uh oh!

k8s-bot commented Jun 20, 2016

Uh oh!

k8s-github-robot commented Jun 20, 2016

Uh oh!

k8s-bot commented Jun 20, 2016

Uh oh!

k8s-github-robot commented Jun 20, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants