Refactor and clean up e2e framework utils, this patch handles test/e2e/framework/psp_util.go file #77534

Merged
merged 1 commit into from
Aug 1, 2019
1 change: 1 addition & 0 deletions test/e2e/auth/BUILD
@@ -59,6 +59,7 @@ go_library(
"//test/e2e/framework/log:go_default_library",
"//test/e2e/framework/node:go_default_library",
"//test/e2e/framework/pod:go_default_library",
"//test/e2e/framework/psp:go_default_library",
"//test/utils:go_default_library",
"//test/utils/image:go_default_library",
"//vendor/github.com/evanphx/json-patch:go_default_library",
3 changes: 2 additions & 1 deletion test/e2e/auth/pod_security_policy.go
@@ -35,6 +35,7 @@ import (
"k8s.io/kubernetes/test/e2e/framework"
"k8s.io/kubernetes/test/e2e/framework/auth"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
e2epsp "k8s.io/kubernetes/test/e2e/framework/psp"
imageutils "k8s.io/kubernetes/test/utils/image"
utilpointer "k8s.io/utils/pointer"

@@ -53,7 +54,7 @@ var _ = SIGDescribe("PodSecurityPolicy", func() {
var c clientset.Interface
var ns string // Test namespace, for convenience
ginkgo.BeforeEach(func() {
if !framework.IsPodSecurityPolicyEnabled(f) {
if !e2epsp.IsPodSecurityPolicyEnabled(f.ClientSet) {
framework.Skipf("PodSecurityPolicy not enabled")
}
if !auth.IsRBACEnabled(f.ClientSet.RbacV1()) {
7 changes: 2 additions & 5 deletions test/e2e/framework/BUILD
@@ -19,7 +19,6 @@ go_library(
"pods.go",
"profile_gatherer.go",
"provider.go",
"psp_util.go",
"pv_util.go",
"rc_util.go",
"resource_usage_gatherer.go",
@@ -45,13 +44,11 @@ go_library(
"//pkg/master/ports:go_default_library",
"//pkg/scheduler/algorithm/predicates:go_default_library",
"//pkg/scheduler/nodeinfo:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/util/system:go_default_library",
"//pkg/util/taints:go_default_library",
"//pkg/volume/util:go_default_library",
"//staging/src/k8s.io/api/apps/v1:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
"//staging/src/k8s.io/api/storage/v1:go_default_library",
"//staging/src/k8s.io/api/storage/v1beta1:go_default_library",
@@ -74,7 +71,6 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/yaml:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/client-go/discovery:go_default_library",
"//staging/src/k8s.io/client-go/discovery/cached/memory:go_default_library",
@@ -91,14 +87,14 @@ go_library(
"//staging/src/k8s.io/client-go/tools/remotecommand:go_default_library",
"//staging/src/k8s.io/client-go/tools/watch:go_default_library",
"//staging/src/k8s.io/component-base/cli/flag:go_default_library",
"//test/e2e/framework/auth:go_default_library",
"//test/e2e/framework/config:go_default_library",
"//test/e2e/framework/ginkgowrapper:go_default_library",
"//test/e2e/framework/kubelet:go_default_library",
"//test/e2e/framework/log:go_default_library",
"//test/e2e/framework/metrics:go_default_library",
"//test/e2e/framework/node:go_default_library",
"//test/e2e/framework/pod:go_default_library",
"//test/e2e/framework/psp:go_default_library",
"//test/e2e/framework/resource:go_default_library",
"//test/e2e/framework/ssh:go_default_library",
"//test/e2e/framework/testfiles:go_default_library",
@@ -151,6 +147,7 @@ filegroup(
"//test/e2e/framework/providers/kubemark:all-srcs",
"//test/e2e/framework/providers/openstack:all-srcs",
"//test/e2e/framework/providers/vsphere:all-srcs",
"//test/e2e/framework/psp:all-srcs",
"//test/e2e/framework/replicaset:all-srcs",
"//test/e2e/framework/resource:all-srcs",
"//test/e2e/framework/service:all-srcs",
3 changes: 2 additions & 1 deletion test/e2e/framework/framework.go
@@ -49,6 +49,7 @@ import (
e2elog "k8s.io/kubernetes/test/e2e/framework/log"
e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
e2epsp "k8s.io/kubernetes/test/e2e/framework/psp"
testutils "k8s.io/kubernetes/test/utils"

"github.com/onsi/ginkgo"
@@ -406,7 +407,7 @@ func (f *Framework) CreateNamespace(baseName string, labels map[string]string) (
f.AddNamespacesToDelete(ns)

if err == nil && !f.SkipPrivilegedPSPBinding {
createPrivilegedPSPBinding(f, ns.Name)
e2epsp.CreatePrivilegedPSPBinding(f.ClientSet, ns.Name)
}

return ns, err
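--- a/test/e2e/framework/psp/BUILD
+++ b/test/e2e/framework/psp/BUILD
@@ -0,0 +1,37 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+name = "go_default_library",
+srcs = ["psp.go"],
+importpath = "k8s.io/kubernetes/test/e2e/framework/psp",
+visibility = ["//visibility:public"],
+deps = [
+"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
+"//staging/src/k8s.io/api/core/v1:go_default_library",
+"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
+"//staging/src/k8s.io/api/rbac/v1:go_default_library",
+"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+"//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
+"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
+"//test/e2e/framework/auth:go_default_library",
+"//test/e2e/framework/log:go_default_library",
+"//vendor/github.com/onsi/ginkgo:go_default_library",
+"//vendor/github.com/onsi/gomega:go_default_library",
+],
+)
+
+filegroup(
+name = "package-srcs",
+srcs = glob(["**"]),
+tags = ["automanaged"],
+visibility = ["//visibility:private"],
+)
+
+filegroup(
+name = "all-srcs",
+srcs = [":package-srcs"],
+tags = ["automanaged"],
+visibility = ["//visibility:public"],
+)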
33 changes: 22 additions & 11 deletions test/e2e/framework/psp_util.go → test/e2e/framework/psp/psp.go
@@ -27,11 +27,13 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/kubernetes/pkg/security/podsecuritypolicy/seccomp"
"k8s.io/kubernetes/test/e2e/framework/auth"
e2elog "k8s.io/kubernetes/test/e2e/framework/log"

"github.com/onsi/ginkgo"
"github.com/onsi/gomega"
)

const (
@@ -79,9 +81,9 @@ func privilegedPSP(name string) *policyv1beta1.PodSecurityPolicy {
}

// IsPodSecurityPolicyEnabled returns true if PodSecurityPolicy is enabled. Otherwise false.
func IsPodSecurityPolicyEnabled(f *Framework) bool {
func IsPodSecurityPolicyEnabled(kubeClient clientset.Interface) bool {
isPSPEnabledOnce.Do(func() {
psps, err := f.ClientSet.PolicyV1beta1().PodSecurityPolicies().List(metav1.ListOptions{})
psps, err := kubeClient.PolicyV1beta1().PodSecurityPolicies().List(metav1.ListOptions{})
if err != nil {
e2elog.Logf("Error listing PodSecurityPolicies; assuming PodSecurityPolicy is disabled: %v", err)
isPSPEnabled = false
@@ -100,13 +102,14 @@ var (
privilegedPSPOnce sync.Once
)

func createPrivilegedPSPBinding(f *Framework, namespace string) {
if !IsPodSecurityPolicyEnabled(f) {
// CreatePrivilegedPSPBinding creates the privileged PSP & role
func CreatePrivilegedPSPBinding(kubeClient clientset.Interface, namespace string) {
if !IsPodSecurityPolicyEnabled(kubeClient) {
return
}
// Create the privileged PSP & role
privilegedPSPOnce.Do(func() {
_, err := f.ClientSet.PolicyV1beta1().PodSecurityPolicies().Get(
_, err := kubeClient.PolicyV1beta1().PodSecurityPolicies().Get(
podSecurityPolicyPrivileged, metav1.GetOptions{})
if !apierrs.IsNotFound(err) {
// Privileged PSP was already created.
@@ -115,14 +118,14 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
}

psp := privilegedPSP(podSecurityPolicyPrivileged)
psp, err = f.ClientSet.PolicyV1beta1().PodSecurityPolicies().Create(psp)
psp, err = kubeClient.PolicyV1beta1().PodSecurityPolicies().Create(psp)
if !apierrs.IsAlreadyExists(err) {
ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)
}

if auth.IsRBACEnabled(f.ClientSet.RbacV1()) {
if auth.IsRBACEnabled(kubeClient.RbacV1()) {
// Create the Role to bind it to the namespace.
_, err = f.ClientSet.RbacV1().ClusterRoles().Create(&rbacv1.ClusterRole{
_, err = kubeClient.RbacV1().ClusterRoles().Create(&rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
Rules: []rbacv1.PolicyRule{{
APIGroups: []string{"extensions"},
@@ -137,10 +140,10 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
}
})

if auth.IsRBACEnabled(f.ClientSet.RbacV1()) {
if auth.IsRBACEnabled(kubeClient.RbacV1()) {
ginkgo.By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
podSecurityPolicyPrivileged, namespace))
err := auth.BindClusterRoleInNamespace(f.ClientSet.RbacV1(),
err := auth.BindClusterRoleInNamespace(kubeClient.RbacV1(),
podSecurityPolicyPrivileged,
namespace,
rbacv1.Subject{
@@ -149,8 +152,16 @@ func createPrivilegedPSPBinding(f *Framework, namespace string) {
Name: "default",
})
ExpectNoError(err)
ExpectNoError(auth.WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1(),
ExpectNoError(auth.WaitForNamedAuthorizationUpdate(kubeClient.AuthorizationV1(),
serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
}
}

// ExpectNoError is a copy from the same name function in file test/e2e/framework.go
func ExpectNoError(err error, explain ...interface{}) {
if err != nil {
e2elog.Logf("Unexpected error occurred: %v", err)
}
gomega.ExpectWithOffset(2, err).NotTo(gomega.HaveOccurred(), explain...)
Contributor

the ExpectNoError from the framework calls gomega.ExpectWithOffset(1, err) not gomega.ExpectWithOffset(2, err), correct? If so, we should change this.
This patch changes the current behavior, which is not wrong, but we should make that change in a separate PR and focus only on refactoring in this one. This way we can revert if something starts failing in CI.

/lgtm cancel

Contributor Author

@alejandrox1 Do you mean we should change gomega.ExpectWithOffset(2, err).NotTo(gomega.HaveOccurred(), explain...) to gomega.ExpectWithOffset(1, err).NotTo(gomega.HaveOccurred(), explain...)? But I believe the original definition should be gomega.ExpectWithOffset(2, err).NotTo(gomega.HaveOccurred(), explain...)

Contributor

Sorry, you are completely right!
Given https://github.com/kubernetes/kubernetes/blob/master/test/e2e/framework/util.go#L1321
framework.ExpectNoError is equivalent to gomega.ExpectWithOffset(2, err).NotTo(gomega.HaveOccurred(), explain...).

/lgtm
/hold cancel

}
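Review bot: `IsPodSecurityPolicyEnabled` now accepts any `clientset.Interface`, but its answer is still memoized through the package-level `isPSPEnabledOnce`, so only the first client passed is ever consulted, and a single failed `List` (the branch that logs "assuming PodSecurityPolicy is disabled") is cached as `false` for the rest of the process. When that happens the PodSecurityPolicy suite skips and `CreatePrivilegedPSPBinding` returns early with no failure reported, which can hide a broken or unauthorized test client behind a green run. The doc comment should say so, for example `// The result is computed once per process from the first client passed; a List error is cached as "disabled".`. Since `CreatePrivilegedPSPBinding` is now exported, its comment should also state that it lets the namespace's default service account `use` the privileged policy, and the leftover inner comment `// Create the privileged PSP & role` can be dropped. Both function bodies are partly collapsed on this page, so this rests on the visible lines only.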