From 7262edeb59886c0ba9f69a65cf3cd1b48ffaefbb Mon Sep 17 00:00:00 2001
From: Anish Ramasekar
Date: Wed, 13 May 2026 16:30:51 -0700
Subject: [PATCH] fix(admission): reword NodeRestriction audience authorization error
The previous error message said the audience was "not found in pod spec volume", which led users to mount a spurious projected service account token volume in the pod spec to satisfy the check. That is not the intended remedy: kubelets should be authorized via RBAC to request tokens for the configured audience. Reword the error to a generic "is not authorized to request tokens for audience %q" so users are not pushed toward modifying pod specs. The valid authorization paths (pod spec volume, CSIDriver tokenRequests, or the request-serviceaccounts-token-audience verb) are documented in the kubelet credential provider task page. Update the unit and integration test expectations to match.
---
 .../admission/noderestriction/admission.go | 4 +-
 .../noderestriction/admission_test.go | 10 +--
 test/integration/auth/node_test.go | 68 +++++++++----------
 3 files changed, 41 insertions(+), 41 deletions(-)
diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
index 4bdc9984573..955548ed6c0 100644
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@@ -712,10 +712,10 @@ func (p *Plugin) validateNodeServiceAccountAudience(ctx context.Context, tr *aut
 return nil
 }
 if err != nil {
- return fmt.Errorf("audience %q not found in pod spec volume, error authorizing %s to request tokens for this audience: %w", requestedAudience, userInfo.GetName(), err)
+ return fmt.Errorf("error authorizing %s to request tokens for audience %q: %w", userInfo.GetName(), requestedAudience, err)
 }
- return fmt.Errorf("audience %q not found in pod spec volume, %s is not authorized to request tokens for this audience", requestedAudience, userInfo.GetName())
+ return fmt.Errorf("%s is not authorized to request tokens for audience %q", userInfo.GetName(), requestedAudience)
 }
 func (p *Plugin) podReferencesAudience(ctx context.Context, pod *v1.Pod, audience string) (bool, error) {
diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
index 4ece7acda0b..4a15c24c65f 100644
--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
@@ -1408,7 +1408,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
 featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ServiceAccountNodeAudienceRestriction, true)
 },
 attributes: admission.NewAttributesRecord(makeTokenRequest(coremypod.Name, coremypod.UID, []string{"foo"}), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, &metav1.CreateOptions{}, false, mynode),
- err: `serviceaccounts "mysa" is forbidden: audience "foo" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
+ err: `serviceaccounts "mysa" is forbidden: system:node:mynode is not authorized to request tokens for audience "foo"`,
 authz: fakeAuthorizer{
 t: t,
 serviceAccountName: "mysa",
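Review bot: The reworded messages at both `return fmt.Errorf` lines drop every hint about how a node becomes authorized for an audience, and the hunk adds no code comment to replace it, so the three accepted paths named in the commit message now live only on an external docs page; validateNodeServiceAccountAudience (named in the hunk header, its body starts outside the hunk) should carry a comment such as `// A node may request a token for an audience only when the pod spec references it in a projected volume, a CSIDriver's tokenRequests lists it, or the node is authorized for the request-serviceaccounts-token-audience verb; the denial message is deliberately generic so users are not steered toward editing pod specs.` The first `+` line still wraps the authorizer's error with `%w`, so whatever text the configured authorizer puts in that error is returned to the requesting kubelet; that is unchanged by this commit, but it deserves a one-line comment if it is intentional.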
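Review bot: All five updated expectations in this file (this hunk and those at -1438, -1485, -1549 and -1670) pin only the denial form `%s is not authorized to request tokens for audience %q`, while the other reworded message, `error authorizing %s to request tokens for audience %q: %w`, has no updated case visible in the diff; if a table entry drives fakeAuthorizer to return an error it needs the new wording too, and if none exists one should be added so that branch's text is covered. The table's enclosing Test_nodePlugin_Admit starts and ends outside the hunk.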
@@ -1438,7 +1438,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
 featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ServiceAccountNodeAudienceRestriction, true)
 },
 attributes: admission.NewAttributesRecord(makeTokenRequest(coremypodWithCSI.Name, v1mypodWithCSI.UID, []string{"bar"}), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, &metav1.CreateOptions{}, false, mynode),
- err: `audience "bar" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
+ err: `system:node:mynode is not authorized to request tokens for audience "bar"`,
 authz: fakeAuthorizer{
 t: t,
 serviceAccountName: "mysa",
@@ -1485,7 +1485,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
 featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ServiceAccountNodeAudienceRestriction, true)
 },
 attributes: admission.NewAttributesRecord(makeTokenRequest(coremypodWithPVCRefCSI.Name, v1mypodWithPVCRefCSI.UID, []string{"bar"}), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, &metav1.CreateOptions{}, false, mynode),
- err: `audience "bar" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
+ err: `system:node:mynode is not authorized to request tokens for audience "bar"`,
 authz: fakeAuthorizer{
 t: t,
 serviceAccountName: "mysa",
@@ -1549,7 +1549,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
 featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ServiceAccountNodeAudienceRestriction, true)
 },
 attributes: admission.NewAttributesRecord(makeTokenRequest(coremypodWithEphemeralVolume.Name, v1mypodWithEphemeralVolume.UID, []string{"bar"}), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, &metav1.CreateOptions{}, false, mynode),
- err: `audience "bar" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
+ err: `system:node:mynode is not authorized to request tokens for audience "bar"`,
 authz: fakeAuthorizer{
 t: t,
 serviceAccountName: "mysa",
@@ -1670,7 +1670,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
 requestAudience: "foo",
 decision: authorizer.DecisionDeny,
 },
- err: `serviceaccounts "mysa" is forbidden: audience "foo" not found in pod spec volume, system:node:mynode is not authorized to request tokens for this audience`,
+ err: `serviceaccounts "mysa" is forbidden: system:node:mynode is not authorized to request tokens for audience "foo"`,
 },
 // Unrelated objects
diff --git a/test/integration/auth/node_test.go b/test/integration/auth/node_test.go
index 3e5f63ffcd7..4fd33bd58f4 100644
--- a/test/integration/auth/node_test.go
+++ b/test/integration/auth/node_test.go
@@ -1026,7 +1026,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 t.Run("csidriver exists but tokenrequest audience not found should be forbidden", func(t *testing.T) {
 createCSIDriver(t, superuserClient, "csidriver-audience", "com.example.csi.mydriver")
 pod := createPod(t, superuserClient, nil)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `audience "csidriver-audience-not-found" not found in pod spec volume`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `is not authorized to request tokens for audience "csidriver-audience-not-found"`)
 deletePod(t, superuserClient, "pod1")
 deleteCSIDriver(t, superuserClient, "com.example.csi.mydriver")
 })
@@ -1035,7 +1035,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 createCSIDriver(t, superuserClient, "csidriver-audience", "com.example.csi.mydriver")
 persistentVolumeClaimVolumeSource := &corev1.PersistentVolumeClaimVolumeSource{ClaimName: "mypvc"}
 pod := createPod(t, superuserClient, []corev1.Volume{{Name: "foo", VolumeSource: corev1.VolumeSource{PersistentVolumeClaim: persistentVolumeClaimVolumeSource}}})
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `audience "csidriver-audience-not-found" not found in pod spec volume`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `is not authorized to request tokens for audience "csidriver-audience-not-found"`)
 deletePod(t, superuserClient, "pod1")
 deleteCSIDriver(t, superuserClient, "com.example.csi.mydriver")
 })
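Review bot: The three CSIDriver cases (this hunk and those at -1035 and -1049) expect only the suffix `is not authorized to request tokens for audience "csidriver-audience-not-found"`, whereas every other updated case in this file asserts the full `system:node:node1 is not authorized to request tokens for audience "..."`; the server now emits the node name in this message on every denial path, so include it here too so the assertion also checks which identity was denied: `system:node:node1 is not authorized to request tokens for audience "csidriver-audience-not-found"`. This presumes expectedForbiddenMessage does a substring match, which the old partial literal suggests but the hunk does not show. The enclosing TestNodeRestrictionServiceAccountAudience starts and ends outside the hunk.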
@@ -1049,7 +1049,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 VolumeName: "mypv",
 }}}
 pod := createPod(t, superuserClient, []corev1.Volume{{Name: "foo", VolumeSource: corev1.VolumeSource{Ephemeral: ephemeralVolumeSource}}})
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `audience "csidriver-audience-not-found" not found in pod spec volume`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("csidriver-audience-not-found")), `is not authorized to request tokens for audience "csidriver-audience-not-found"`)
 deletePod(t, superuserClient, "pod1")
 deleteCSIDriver(t, superuserClient, "com.example.csi.mydriver")
 })
@@ -1094,19 +1094,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 createServiceAccount(t, superuserClient, "ns", "some-random-name")
 pod := createPod(t, superuserClient, nil, podWithServiceAccountName("some-random-name"))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("some-random-name")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("some-random-name")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 createRBACClusterRole(t, cr, superuserClient)
 createRBACClusterRoleBinding(t, crb, superuserClient)
 expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("some-random-name")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("some-random-name")), `system:node:node1 is not authorized to request 
tokens for audience "audience2"`)
 deleteRBACClusterRole(t, cr, superuserClient)
 deleteRBACClusterRoleBinding(t, crb, superuserClient)
 // After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("some-random-name")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 deletePod(t, superuserClient, "pod1")
 deleteServiceAccount(t, superuserClient, "ns", "some-random-name")
 })
@@ -1128,19 +1128,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 }
 pod := createPod(t, superuserClient, nil)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 createRBACClusterRole(t, cr, superuserClient)
 createRBACRoleBinding(t, rb, superuserClient)
 expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 deleteRBACClusterRole(t, cr, superuserClient)
 deleteRBACRoleBinding(t, rb, superuserClient)
 // After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 deletePod(t, superuserClient, "pod1")
 })
@@ -1161,19 +1161,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 }
 pod := createPod(t, superuserClient, nil)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 createRBACRole(t, role, superuserClient)
 createRBACRoleBinding(t, rb, superuserClient)
 expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 deleteRBACRole(t, role, superuserClient)
 deleteRBACRoleBinding(t, rb, superuserClient)
 // After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 deletePod(t, superuserClient, "pod1")
 })
@@ -1195,19 +1195,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 createServiceAccount(t, superuserClient, "ns", "custom-sa")
 pod := createPod(t, superuserClient, nil, podWithServiceAccountName("custom-sa"))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("custom-sa")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("custom-sa")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 createRBACRole(t, role, superuserClient)
 createRBACRoleBinding(t, rb, superuserClient)
 expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("custom-sa")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2"), tokenRequestWithName("custom-sa")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 deleteRBACRole(t, role, superuserClient)
 deleteRBACRoleBinding(t, rb, superuserClient)
 // After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1"), tokenRequestWithName("custom-sa")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 deletePod(t, superuserClient, "pod1")
 deleteServiceAccount(t, superuserClient, "ns", "custom-sa")
 })
@@ -1230,10 +1230,10 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 pod := createPod(t, superuserClient, nil)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 randomAudience := rand.String(10)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences(randomAudience)), `audience "`+randomAudience+`" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences(randomAudience)), `system:node:node1 is not authorized to request tokens for audience "`+randomAudience+`"`)
 createRBACRole(t, role, superuserClient)
 createRBACRoleBinding(t, rb, superuserClient)
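Review bot: The `randomAudience` expectation on the third `+` line is built by plain concatenation, `"`+randomAudience+`"`, while the server formats the audience with `%q`, so the assertion holds only if rand.String never emits a character that `%q` escapes (a double quote, a backslash or a non-printable rune); if that helper's alphabet is alphanumeric this is fine, otherwise build the literal with `strconv.Quote(randomAudience)` so the test mirrors the server-side quoting. The enclosing subtest and TestNodeRestrictionServiceAccountAudience continue outside the hunk.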
@@ -1246,7 +1246,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 deleteRBACRole(t, role, superuserClient)
 deleteRBACRoleBinding(t, rb, superuserClient)
 // After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 deletePod(t, superuserClient, "pod1")
 })
@@ -1268,8 +1268,8 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 pod := createPod(t, superuserClient, nil)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `audience "audience2" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience2")), `system:node:node1 is not authorized to request tokens for audience "audience2"`)
 createRBACRole(t, role, superuserClient)
 createRBACRoleBinding(t, rb, superuserClient)
@@ -1280,7 +1280,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 deleteRBACRole(t, role, superuserClient)
 deleteRBACRoleBinding(t, rb, superuserClient)
 // After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 deletePod(t, superuserClient, "pod1")
 })
@@ -1301,19 +1301,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 }
 pod := createPod(t, superuserClient, nil, podWithAutoMountServiceAccountToken(false))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")), `audience "" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")), `system:node:node1 is not authorized to request tokens for audience ""`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 createRBACRole(t, role, superuserClient)
 createRBACRoleBinding(t, rb, superuserClient)
 expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 deleteRBACRole(t, role, superuserClient)
 deleteRBACRoleBinding(t, rb, superuserClient)
 // After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")), `audience "" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("")), `system:node:node1 is not authorized to request tokens for audience ""`)
 deletePod(t, superuserClient, "pod1")
 })
@@ -1334,19 +1334,19 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 }
 pod := createPod(t, superuserClient, nil, podWithAutoMountServiceAccountToken(false))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")), `audience "myaud://audience1/audience2.com" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")), `system:node:node1 is not authorized to request tokens for audience "myaud://audience1/audience2.com"`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 createRBACRole(t, role, superuserClient)
 createRBACRoleBinding(t, rb, superuserClient)
 expectAllowed(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")))
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `audience "audience1" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("audience1")), `system:node:node1 is not authorized to request tokens for audience "audience1"`)
 deleteRBACRole(t, role, superuserClient)
 deleteRBACRoleBinding(t, rb, superuserClient)
 // After the delete use a expectedForbiddenMessage to wait for the RBAC authorizer to catch up.
- expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")), `audience "myaud://audience1/audience2.com" not found in pod spec volume, system:node:node1 is not authorized to request tokens for this audience`)
+ expectedForbiddenMessage(t, createTokenRequest(node1Client, pod.UID, tokenRequestWithAudiences("myaud://audience1/audience2.com")), `system:node:node1 is not authorized to request tokens for audience "myaud://audience1/audience2.com"`)
 deletePod(t, superuserClient, "pod1")
 })
 }