HOSTEDCP-1308: Add e2e to ensure SA token not mounted on mgmt workloa…

…ds unless necessary
openshift · Dec 21, 2023 · e6a7048 · e6a7048
1 parent 6315b72
commit e6a7048
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 19 deletions.
diff --git a/control-plane-operator/controllers/hostedcontrolplane/etcd/reconcile.go b/control-plane-operator/controllers/hostedcontrolplane/etcd/reconcile.go
@@ -159,6 +159,8 @@ func ReconcileStatefulSet(ss *appsv1.StatefulSet, p *EtcdParams) error {
 		},
 	}
 
+	ss.Spec.Template.Spec.AutomountServiceAccountToken = pointer.Bool(false)
+
 	p.DeploymentConfig.ApplyToStatefulSet(ss)
 
 	return nil

diff --git a/test/e2e/util/hypershift_framework.go b/test/e2e/util/hypershift_framework.go
@@ -121,6 +121,7 @@ func (h *hypershiftTest) after(hostedCluster *hyperv1.HostedCluster, opts *core.
 		if platform == hyperv1.AWSPlatform {
 			EnsureHCPPodsAffinitiesAndTolerations(t, context.Background(), h.client, hostedCluster)
 		}
+		EnsureSATokenNotMountedUnlessNecessary(t, context.Background(), h.client, hostedCluster)
 	})
 }
 

diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go
@@ -52,6 +52,24 @@ import (
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+var expectedKasManagementComponents = []string{
+	"cluster-network-operator",
+	"ignition-server",
+	"cluster-storage-operator",
+	"csi-snapshot-controller-operator",
+	"machine-approver",
+	"cluster-autoscaler",
+	"cluster-node-tuning-operator",
+	"capi-provider-controller-manager",
+	"cluster-api",
+	"control-plane-operator",
+	"control-plane-pki-operator",
+	"hosted-cluster-config-operator",
+	"cloud-controller-manager",
+	"olm-collect-profiles",
+	"aws-ebs-csi-driver-operator",
+}
+
 func UpdateObject[T crclient.Object](t *testing.T, ctx context.Context, client crclient.Client, original T, mutate func(obj T)) error {
 	return wait.PollImmediateWithContext(ctx, time.Second, time.Minute*1, func(ctx context.Context) (done bool, err error) {
 		if err := client.Get(ctx, crclient.ObjectKeyFromObject(original), original); err != nil {
@@ -755,27 +773,9 @@ func EnsureNetworkPolicies(t *testing.T, ctx context.Context, c crclient.Client,
 
 		hcpNamespace := manifests.HostedControlPlaneNamespace(hostedCluster.Namespace, hostedCluster.Name)
 		t.Run("EnsureComponentsHaveNeedManagementKASAccessLabel", func(t *testing.T) {
-			// Check for all components expected to have NeedManagementKASAccessLabel.
-			want := []string{
-				"cluster-network-operator",
-				"ignition-server",
-				"cluster-storage-operator",
-				"csi-snapshot-controller-operator",
-				"machine-approver",
-				"cluster-autoscaler",
-				"cluster-node-tuning-operator",
-				"capi-provider-controller-manager",
-				"cluster-api",
-				"control-plane-operator",
-				"control-plane-pki-operator",
-				"hosted-cluster-config-operator",
-				"cloud-controller-manager",
-				"olm-collect-profiles",
-				"aws-ebs-csi-driver-operator",
-			}
 
 			g := NewWithT(t)
-			err := checkPodsHaveLabel(ctx, c, want, hcpNamespace, client.MatchingLabels{suppconfig.NeedManagementKASAccessLabel: "true"})
+			err := checkPodsHaveLabel(ctx, c, expectedKasManagementComponents, hcpNamespace, client.MatchingLabels{suppconfig.NeedManagementKASAccessLabel: "true"})
 			g.Expect(err).ToNot(HaveOccurred())
 		})
 
@@ -1717,3 +1717,43 @@ func EnsureNoHCPPodsLandOnDefaultNode(t *testing.T, ctx context.Context, client
 		g.Expect(hcpNodeNames).To(ContainElement(pod.Spec.NodeName))
 	}
 }
+
+func EnsureSATokenNotMountedUnlessNecessary(t *testing.T, ctx context.Context, c crclient.Client, hostedCluster *hyperv1.HostedCluster) {
+	g := NewWithT(t)
+
+	hcpNamespace := manifests.HostedControlPlaneNamespace(hostedCluster.Namespace, hostedCluster.Name)
+
+	var pods corev1.PodList
+	if err := c.List(ctx, &pods, &crclient.ListOptions{Namespace: hcpNamespace}); err != nil {
+		t.Fatalf("failed to list pods: %v", err)
+	}
+
+	expectedKasManagementComponents = append(expectedKasManagementComponents,
+		"packageserver",
+		"ovnkube-control-plane",
+		"csi-snapshot-webhook",            // Remove once https://github.com/openshift/cluster-csi-snapshot-controller-operator/pull/182 merges
+		"cloud-network-config-controller") // Remove once  https://github.com/openshift/cluster-network-operator/pull/2165 merges
+
+	for _, pod := range pods.Items {
+		hasPrefix := false
+		for _, prefix := range expectedKasManagementComponents {
+			if strings.HasPrefix(pod.Name, prefix) {
+				hasPrefix = true
+				break
+			}
+		}
+		if !hasPrefix {
+			for _, volume := range pod.Spec.Volumes {
+				if strings.HasPrefix(volume.Name, "kube-api-access-") {
+					fmt.Printf("SA token mount found in pod %s\n", pod.Name)
+				}
+			}
+		}
+
+		//if !hasPrefix {
+		//	for _, volume := range pod.Spec.Volumes {
+		//		g.Expect(volume.Name).ToNot(HavePrefix("kube-api-access-"))
+		//	}
+		//}
+	}
+}