fix(admission): reword NodeRestriction audience authorization error
The previous error message said the audience was "not found in pod spec volume", which led users to mount a spurious projected service account token volume in the pod spec to satisfy the check. That is not the intended remedy: kubelets should be authorized via RBAC to request tokens for the configured audience. Reword the error to a generic "is not authorized to request tokens for audience %q" so users are not pushed toward modifying pod specs. The valid authorization paths (pod spec volume, CSIDriver tokenRequests, or the request-serviceaccounts-token-audience verb) are documented in the kubelet credential provider task page. Update the unit and integration test expectations to match.
This commit is contained in:
parent
12484ce715
commit
7262edeb59
3 changed files with 41 additions and 41 deletions
@ -712,10 +712,10 @@ func (p *Plugin) validateNodeServiceAccountAudience(ctx context.Context, tr *aut
|
|||
return nil
|
||||
}
|
||||
if err != nil {
|
||||
return fmt.Errorf("audience %q not found in pod spec volume, error authorizing %s to request tokens for this audience: %w", requestedAudience, userInfo.GetName(), err)
|
||||
return fmt.Errorf("error authorizing %s to request tokens for audience %q: %w", userInfo.GetName(), requestedAudience, err)
|
||||
}
|
||||
|
||||
return fmt.Errorf("audience %q not found in pod spec volume, %s is not authorized to request tokens for this audience", requestedAudience, userInfo.GetName())
|
||||
return fmt.Errorf("%s is not authorized to request tokens for audience %q", userInfo.GetName(), requestedAudience)
|
||||
}
|
||||
|
||||
func (p *Plugin) podReferencesAudience(ctx context.Context, pod *v1.Pod, audience string) (bool, error) {
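Review bot: The wrapping branch still opens its message with `error authorizing …`, which Go convention discourages because the caller already chains context; here the admission layer appears to prefix `serviceaccounts "mysa" is forbidden:` (as the unit-test expectations in this commit show for the deny branch), so a user would presumably read `… is forbidden: error authorizing system:node:mynode …`. Consider `return fmt.Errorf("authorizing %s to request tokens for audience %q: %w", userInfo.GetName(), requestedAudience, err)` so the two branches read uniformly once chained. The final deny return would also benefit from a why-comment recording why the message was made generic, so the pod-spec hint is not reintroduced later, e.g. `// Keep this message generic: hinting at pod spec volumes led users to mount a spurious token volume; the supported paths are an RBAC grant of request-serviceaccounts-token-audience, a pod-spec projected volume, or a CSIDriver tokenRequests entry.` The enclosing validateNodeServiceAccountAudience starts outside the hunk.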
|
||||
|
|
|
|||
|
|
@ -1408,7 +1408,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ServiceAccountNodeAudienceRestriction, true)
|
||||
},
|
||||
attributes: admission.NewAttributesRecord(makeTokenRequest(coremypod.Name, coremypod.UID, []string{"foo"}), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
||||
err: `serviceaccounts "mysa" is forbidden: audience "foo" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
|
||||
err: `serviceaccounts "mysa" is forbidden: system:node:mynode is not authorized to request tokens for audience "foo"`,
|
||||
authz: fakeAuthorizer{
|
||||
t: t,
|
||||
serviceAccountName: "mysa",
|
||||
|
|
@ -1438,7 +1438,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ServiceAccountNodeAudienceRestriction, true)
|
||||
},
|
||||
attributes: admission.NewAttributesRecord(makeTokenRequest(coremypodWithCSI.Name, v1mypodWithCSI.UID, []string{"bar"}), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
||||
err: `audience "bar" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
|
||||
err: `system:node:mynode is not authorized to request tokens for audience "bar"`,
|
||||
authz: fakeAuthorizer{
|
||||
t: t,
|
||||
serviceAccountName: "mysa",
|
||||
|
|
@ -1485,7 +1485,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ServiceAccountNodeAudienceRestriction, true)
|
||||
},
|
||||
attributes: admission.NewAttributesRecord(makeTokenRequest(coremypodWithPVCRefCSI.Name, v1mypodWithPVCRefCSI.UID, []string{"bar"}), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
||||
err: `audience "bar" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
|
||||
err: `system:node:mynode is not authorized to request tokens for audience "bar"`,
|
||||
authz: fakeAuthorizer{
|
||||
t: t,
|
||||
serviceAccountName: "mysa",
|
||||
|
|
@ -1549,7 +1549,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ServiceAccountNodeAudienceRestriction, true)
|
||||
},
|
||||
attributes: admission.NewAttributesRecord(makeTokenRequest(coremypodWithEphemeralVolume.Name, v1mypodWithEphemeralVolume.UID, []string{"bar"}), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
||||
err: `audience "bar" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
|
||||
err: `system:node:mynode is not authorized to request tokens for audience "bar"`,
|
||||
authz: fakeAuthorizer{
|
||||
t: t,
|
||||
serviceAccountName: "mysa",
|
||||
|
|
@ -1670,7 +1670,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||
requestAudience: "foo",
|
||||
decision: authorizer.DecisionDeny,
|
||||
},
|
||||
err: `serviceaccounts "mysa" is forbidden: audience "foo" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
|
||||
err: `serviceaccounts "mysa" is forbidden: system:node:mynode is not authorized to request tokens for audience "foo"`,
|
||||
},
|
||||
|
||||
// Unrelated objects
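Review bot: The updated expectations are inconsistent in form: the first and last cases carry the `serviceaccounts "mysa" is forbidden: ` prefix, while the coremypodWithCSI, coremypodWithPVCRefCSI and coremypodWithEphemeralVolume cases expect only `system:node:mynode is not authorized to request tokens for audience "bar"`. That can only pass if the test compares the error as a substring, which is not visible in these hunks — worth confirming, and either way the three unprefixed cases would read more uniformly if they were given the same prefix as the others. Test_nodePlugin_Admit starts and ends outside these hunks.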
|
||||
|
|
|
|||
|
|
@ -1026,7 +1026,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
t.Run("csidriver exists but tokenrequest audience not found should be forbidden", func(t *testing.T) {
|
||||
createCSIDriver(t, superuserClient, "csidriver-audience", "com.example.csi.mydriver")
|
||||
pod := createPod(t, superuserClient, nil)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `audience "csidriver-audience-not-found" not found in pod spec volume`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `is not authorized to request tokens for audience "csidriver-audience-not-found"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
deleteCSIDriver(t, superuserClient, "com.example.csi.mydriver")
|
||||
})
|
||||
|
|
@ -1035,7 +1035,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
createCSIDriver(t, superuserClient, "csidriver-audience", "com.example.csi.mydriver")
|
||||
persistentVolumeClaimVolumeSource := &corev1.PersistentVolumeClaimVolumeSource{ClaimName: "mypvc"}
|
||||
pod := createPod(t, superuserClient, []corev1.Volume{{Name: "foo", VolumeSource: corev1.VolumeSource{PersistentVolumeClaim: persistentVolumeClaimVolumeSource}}})
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `audience "csidriver-audience-not-found" not found in pod spec volume`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `is not authorized to request tokens for audience "csidriver-audience-not-found"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
deleteCSIDriver(t, superuserClient, "com.example.csi.mydriver")
|
||||
})
|
||||
|
|
@ -1049,7 +1049,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
VolumeName: "mypv",
|
||||
}}}
|
||||
pod := createPod(t, superuserClient, []corev1.Volume{{Name: "foo", VolumeSource: corev1.VolumeSource{Ephemeral: ephemeralVolumeSource}}})
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `audience "csidriver-audience-not-found" not found in pod spec volume`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `is not authorized to request tokens for audience "csidriver-audience-not-found"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
deleteCSIDriver(t, superuserClient, "com.example.csi.mydriver")
|
||||
})
|
||||
|
|
@ -1094,19 +1094,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
|
||||
createServiceAccount(t, superuserClient, "ns", "some-random-name")
|
||||
pod := createPod(t, superuserClient, nil, podWithServiceAccountName("some-random-name"))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("some-random-name")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("some-random-name")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
createRBACClusterRole(t, cr, superuserClient)
|
||||
createRBACClusterRoleBinding(t, crb, superuserClient)
|
||||
|
||||
expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("some-random-name")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("some-random-name")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
deleteRBACClusterRole(t, cr, superuserClient)
|
||||
deleteRBACClusterRoleBinding(t, crb, superuserClient)
|
||||
// After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
deleteServiceAccount(t, superuserClient, "ns", "some-random-name")
|
||||
})
|
||||
|
|
@ -1128,19 +1128,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
}
|
||||
|
||||
pod := createPod(t, superuserClient, nil)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
createRBACClusterRole(t, cr, superuserClient)
|
||||
createRBACRoleBinding(t, rb, superuserClient)
|
||||
|
||||
expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
deleteRBACClusterRole(t, cr, superuserClient)
|
||||
deleteRBACRoleBinding(t, rb, superuserClient)
|
||||
// After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
})
|
||||
|
||||
|
|
@ -1161,19 +1161,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
}
|
||||
|
||||
pod := createPod(t, superuserClient, nil)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
createRBACRole(t, role, superuserClient)
|
||||
createRBACRoleBinding(t, rb, superuserClient)
|
||||
|
||||
expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
deleteRBACRole(t, role, superuserClient)
|
||||
deleteRBACRoleBinding(t, rb, superuserClient)
|
||||
// After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
})
|
||||
|
||||
|
|
@ -1195,19 +1195,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
|
||||
createServiceAccount(t, superuserClient, "ns", "custom-sa")
|
||||
pod := createPod(t, superuserClient, nil, podWithServiceAccountName("custom-sa"))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("custom-sa")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("custom-sa")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
createRBACRole(t, role, superuserClient)
|
||||
createRBACRoleBinding(t, rb, superuserClient)
|
||||
|
||||
expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("custom-sa")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("custom-sa")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
deleteRBACRole(t, role, superuserClient)
|
||||
deleteRBACRoleBinding(t, rb, superuserClient)
|
||||
// After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
deleteServiceAccount(t, superuserClient, "ns", "custom-sa")
|
||||
})
|
||||
|
|
@ -1230,10 +1230,10 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
|
||||
pod := createPod(t, superuserClient, nil)
|
||||
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
randomAudience := rand.String(10)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences(randomAudience)), `audience "`+randomAudience+`" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences(randomAudience)), `system:node:node1 is not authorized to request tokens for audience "`+randomAudience+`"`)
|
||||
|
||||
createRBACRole(t, role, superuserClient)
|
||||
createRBACRoleBinding(t, rb, superuserClient)
|
||||
|
|
@ -1246,7 +1246,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
deleteRBACRole(t, role, superuserClient)
|
||||
deleteRBACRoleBinding(t, rb, superuserClient)
|
||||
// After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
})
|
||||
|
||||
|
|
@ -1268,8 +1268,8 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
|
||||
pod := createPod(t, superuserClient, nil)
|
||||
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
|
||||
|
||||
createRBACRole(t, role, superuserClient)
|
||||
createRBACRoleBinding(t, rb, superuserClient)
|
||||
|
|
@ -1280,7 +1280,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
deleteRBACRole(t, role, superuserClient)
|
||||
deleteRBACRoleBinding(t, rb, superuserClient)
|
||||
// After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
})
|
||||
|
||||
|
|
@ -1301,19 +1301,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
}
|
||||
|
||||
pod := createPod(t, superuserClient, nil, podWithAutoMountServiceAccountToken(false))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")), `audience "" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")), `system:node:node1 is not authorized to request tokens for audience ""`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
|
||||
createRBACRole(t, role, superuserClient)
|
||||
createRBACRoleBinding(t, rb, superuserClient)
|
||||
|
||||
expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
|
||||
deleteRBACRole(t, role, superuserClient)
|
||||
deleteRBACRoleBinding(t, rb, superuserClient)
|
||||
// After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")), `audience "" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")), `system:node:node1 is not authorized to request tokens for audience ""`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
})
|
||||
|
||||
|
|
@ -1334,19 +1334,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
|
|||
}
|
||||
|
||||
pod := createPod(t, superuserClient, nil, podWithAutoMountServiceAccountToken(false))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")), `audience "myaud://audience1/audience2.com" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")), `system:node:node1 is not authorized to request tokens for audience "myaud://audience1/audience2.com"`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
|
||||
createRBACRole(t, role, superuserClient)
|
||||
createRBACRoleBinding(t, rb, superuserClient)
|
||||
|
||||
expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")))
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
|
||||
|
||||
deleteRBACRole(t, role, superuserClient)
|
||||
deleteRBACRoleBinding(t, rb, superuserClient)
|
||||
// After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")), `audience "myaud://audience1/audience2.com" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
|
||||
expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")), `system:node:node1 is not authorized to request tokens for audience "myaud://audience1/audience2.com"`)
|
||||
deletePod(t, superuserClient, "pod1")
|
||||
})
|
||||
}
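Review bot: The same `system:node:node1 is not authorized to request tokens for audience "…"` literal is now spelled out roughly thirty times across these subtests, which is exactly why this reword touched 41 lines; a small helper such as `func notAuthorizedMsg(audience string) string` returning `fmt.Sprintf("system:node:node1 is not authorized to request tokens for audience %q", audience)` would confine the next wording change to one place. It would also fix a latent fragility in the `randomAudience` case, where the expected string is built by plain concatenation (`… for audience "` + randomAudience + `"`) while the plugin formats the audience with `%q`; that only agrees because `rand.String` emits plain alphanumerics, and quoting with `%q` (or `strconv.Quote`, whichever package the file already imports) keeps the test honest for any audience. TestNodeRestrictionServiceAccountAudience starts outside these hunks.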
|
||||
|
|
|
|||