Merge pull request kubevirt#8857 from 0xFelix/remove-subresource-test…

…-dependencies tests/subresource_api_test.go: Use API client for RBAC tests
matosatti · Dec 1, 2022 · 3c4c35d · 3c4c35d
2 parents 8378b54 + 25d56b2
commit 3c4c35d
Show file tree

Hide file tree

Showing 7 changed files with 139 additions and 289 deletions.
diff --git a/.fossa.yml b/.fossa.yml
@@ -22,13 +22,6 @@ analyze:
     options:
       modules-vendor: true
       strategy: gomodules
-  - name: subresource-access-test
-    type: go
-    target: 'kubevirt.io/kubevirt/cmd/subresource-access-test'
-    path: cmd/subresource-access-test
-    options:
-      modules-vendor: true
-      strategy: gomodules
   - name: fake-qemu-process
     type: go
     target: 'kubevirt.io/kubevirt/cmd/fake-qemu-process'

diff --git a/BUILD.bazel b/BUILD.bazel
@@ -191,7 +191,6 @@ container_bundle(
         "$(container_prefix)/$(image_prefix)example-hook-sidecar:$(container_tag)": "//cmd/example-hook-sidecar:example-hook-sidecar-image",
         "$(container_prefix)/$(image_prefix)example-disk-mutation-hook-sidecar:$(container_tag)": "//cmd/example-disk-mutation-hook-sidecar:example-disk-mutation-hook-sidecar-image",
         "$(container_prefix)/$(image_prefix)example-cloudinit-hook-sidecar:$(container_tag)": "//cmd/example-cloudinit-hook-sidecar:example-cloudinit-hook-sidecar-image",
-        "$(container_prefix)/$(image_prefix)subresource-access-test:$(container_tag)": "//cmd/subresource-access-test:subresource-access-test-image",
         # container-disk images
         "$(container_prefix)/$(image_prefix)alpine-container-disk-demo:$(container_tag)": "//containerimages:alpine-container-disk-image",
         "$(container_prefix)/$(image_prefix)cirros-container-disk-demo:$(container_tag)": "//containerimages:cirros-container-disk-image",

diff --git a/cmd/subresource-access-test/BUILD.bazel b/cmd/subresource-access-test/BUILD.bazel
diff --git a/cmd/subresource-access-test/subresource-access-test.go b/cmd/subresource-access-test/subresource-access-test.go
diff --git a/hack/config-default.sh b/hack/config-default.sh
@@ -1,5 +1,5 @@
-binaries="cmd/virt-operator cmd/virt-controller cmd/virt-launcher cmd/virt-handler cmd/virtctl cmd/fake-qemu-process cmd/virt-api cmd/subresource-access-test cmd/example-hook-sidecar cmd/example-cloudinit-hook-sidecar cmd/virt-chroot"
-docker_images="cmd/virt-operator cmd/virt-controller cmd/virt-launcher cmd/virt-handler cmd/virt-api images/disks-images-provider images/vm-killer images/nfs-server cmd/subresource-access-test images/winrmcli cmd/example-hook-sidecar cmd/example-cloudinit-hook-sidecar tests/conformance"
+binaries="cmd/virt-operator cmd/virt-controller cmd/virt-launcher cmd/virt-handler cmd/virtctl cmd/fake-qemu-process cmd/virt-api cmd/example-hook-sidecar cmd/example-cloudinit-hook-sidecar cmd/virt-chroot"
+docker_images="cmd/virt-operator cmd/virt-controller cmd/virt-launcher cmd/virt-handler cmd/virt-api images/disks-images-provider images/vm-killer images/nfs-server images/winrmcli cmd/example-hook-sidecar cmd/example-cloudinit-hook-sidecar tests/conformance"
 docker_tag=${DOCKER_TAG:-latest}
 docker_tag_alt=${DOCKER_TAG_ALT}
 image_prefix=${IMAGE_PREFIX}

diff --git a/tests/subresource_api_test.go b/tests/subresource_api_test.go
@@ -26,9 +26,9 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	k8sv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/rest"
 	"k8s.io/utils/pointer"
 
 	"kubevirt.io/kubevirt/tests/framework/matcher"
@@ -40,7 +40,6 @@ import (
 	"kubevirt.io/client-go/kubecli"
 
 	"kubevirt.io/kubevirt/tests"
-	"kubevirt.io/kubevirt/tests/flags"
 	"kubevirt.io/kubevirt/tests/libvmi"
 	"kubevirt.io/kubevirt/tests/testsuite"
 )
@@ -58,65 +57,98 @@ var _ = Describe("[sig-compute]Subresource Api", func() {
 	})
 
 	Describe("[rfe_id:1195][crit:medium][vendor:cnv-qe@redhat.com][level:component] Rbac Authorization", func() {
-		var resource string
+		var vm *v1.VirtualMachine
+
 		BeforeEach(func() {
-			vm := tests.NewRandomVirtualMachine(libvmi.NewCirros(), false)
-			resource = vm.Name
-			vm, err := virtCli.VirtualMachine(util.NamespaceTestDefault).Create(vm)
+			vm = tests.NewRandomVirtualMachine(libvmi.NewCirros(), false)
+			vm, err = virtCli.VirtualMachine(util.NamespaceTestDefault).Create(vm)
 			Expect(err).ToNot(HaveOccurred())
 		})
 
 		Context("with correct permissions", func() {
 			It("[test_id:3170]should be allowed to access subresource endpoint", func() {
-				testClientJob(virtCli, true, resource)
+				saClient := getClientForSA(virtCli, testsuite.SubresourceServiceAccountName)
+				err := saClient.VirtualMachine(util.NamespaceTestDefault).Start(vm.Name, &v1.StartOptions{})
+				Expect(err).ToNot(HaveOccurred())
 			})
 		})
 		Context("Without permissions", func() {
 			It("[test_id:3171]should not be able to access subresource endpoint", func() {
-				testClientJob(virtCli, false, resource)
+				saClient := getClientForSA(virtCli, testsuite.SubresourceUnprivilegedServiceAccountName)
+				err := saClient.VirtualMachine(util.NamespaceTestDefault).Start(vm.Name, &v1.StartOptions{})
+				Expect(err).To(HaveOccurred())
+				Expect(errors.ReasonForError(err)).To(Equal(metav1.StatusReasonForbidden))
 			})
 		})
 	})
 
 	Describe("[rfe_id:1195][crit:medium][vendor:cnv-qe@redhat.com][level:component] Rbac Authorization For Version Command", func() {
-		resource := "version"
-
 		Context("with authenticated user", func() {
 			It("[test_id:3172]should be allowed to access subresource version endpoint", func() {
-				testClientJob(virtCli, true, resource)
+				saClient := getClientForSA(virtCli, testsuite.SubresourceServiceAccountName)
+				_, err := saClient.ServerVersion().Get()
+				Expect(err).ToNot(HaveOccurred())
 			})
 		})
 		Context("Without permissions", func() {
 			It("[test_id:3173]should be able to access subresource version endpoint", func() {
-				testClientJob(virtCli, false, resource)
+				saClient := getClientForSA(virtCli, testsuite.SubresourceUnprivilegedServiceAccountName)
+				_, err := saClient.ServerVersion().Get()
+				Expect(err).ToNot(HaveOccurred())
 			})
 		})
 	})
 
 	Describe("[crit:medium][vendor:cnv-qe@redhat.com][level:component] Rbac Authorization For Guestfs Command", func() {
-		resource := "guestfs"
-
 		Context("with authenticated user", func() {
 			It("should be allowed to access subresource guestfs endpoint", func() {
-				testClientJob(virtCli, true, resource)
+				saClient := getClientForSA(virtCli, testsuite.SubresourceServiceAccountName)
+				_, err := saClient.GuestfsVersion().Get()
+				Expect(err).ToNot(HaveOccurred())
 			})
 		})
 		Context("Without permissions", func() {
 			It("should be able to access subresource guestfs endpoint", func() {
-				testClientJob(virtCli, false, resource)
+				saClient := getClientForSA(virtCli, testsuite.SubresourceUnprivilegedServiceAccountName)
+				_, err := saClient.GuestfsVersion().Get()
+				Expect(err).ToNot(HaveOccurred())
 			})
 		})
 	})
 
 	Describe("[crit:medium][vendor:cnv-qe@redhat.com][level:component] Rbac Authorization For Expand-Spec Command", func() {
-		const resource = "expand-vm-spec"
+		var vm *v1.VirtualMachine
+
+		BeforeEach(func() {
+			vm = &v1.VirtualMachine{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "vm-test",
+					Namespace: util.NamespaceTestDefault,
+				},
+				Spec: v1.VirtualMachineSpec{
+					Template: &v1.VirtualMachineInstanceTemplateSpec{
+						Spec: v1.VirtualMachineInstanceSpec{
+							Domain: v1.DomainSpec{
+								Devices: v1.Devices{},
+							},
+						},
+					},
+				},
+			}
+			vm.SetGroupVersionKind(v1.VirtualMachineGroupVersionKind)
+		})
 
 		It("should be allowed to access expand-vm-spec endpoint with authenticated user", func() {
-			testClientJob(virtCli, true, resource)
+			saClient := getClientForSA(virtCli, testsuite.SubresourceServiceAccountName)
+			_, err = saClient.ExpandSpec(util.NamespaceTestDefault).ForVirtualMachine(vm)
+			Expect(err).ToNot(HaveOccurred())
 		})
 
 		It("should not be able to access expand-vm-spec endpoint without authenticated user", func() {
-			testClientJob(virtCli, false, resource)
+			saClient := getClientForSA(virtCli, testsuite.SubresourceUnprivilegedServiceAccountName)
+			_, err = saClient.ExpandSpec(util.NamespaceTestDefault).ForVirtualMachine(vm)
+			Expect(err).To(HaveOccurred())
+			Expect(errors.ReasonForError(err)).To(Equal(metav1.StatusReasonForbidden))
 		})
 	})
 
@@ -647,55 +679,21 @@ var _ = Describe("[sig-compute]Subresource Api", func() {
 	})
 })
 
-func testClientJob(virtCli kubecli.KubevirtClient, withServiceAccount bool, resource string) {
-	const subresourceTestLabel = "subresource-access-test-pod"
-	user := int64(1001)
-	namespace := util.NamespaceTestDefault
-	expectedPhase := k8sv1.PodFailed
-	name := "subresource-access-tester"
-	job := &k8sv1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: name,
-			Labels: map[string]string{
-				v1.AppLabel: subresourceTestLabel,
-			},
-		},
-		Spec: k8sv1.PodSpec{
-			RestartPolicy: k8sv1.RestartPolicyNever,
-			Containers: []k8sv1.Container{
-				{
-					Name:    name,
-					Image:   fmt.Sprintf("%s/subresource-access-test:%s", flags.KubeVirtUtilityRepoPrefix, flags.KubeVirtUtilityVersionTag),
-					Command: []string{"/subresource-access-test", "-n", namespace, resource},
-					SecurityContext: &k8sv1.SecurityContext{
-						AllowPrivilegeEscalation: pointer.Bool(false),
-						Capabilities:             &k8sv1.Capabilities{Drop: []k8sv1.Capability{"ALL"}},
-					},
-				},
-			},
-			SecurityContext: &k8sv1.PodSecurityContext{
-				RunAsNonRoot:   pointer.Bool(true),
-				RunAsUser:      &user,
-				SeccompProfile: &k8sv1.SeccompProfile{Type: k8sv1.SeccompProfileTypeRuntimeDefault},
-			},
-		},
-	}
+func getClientForSA(virtCli kubecli.KubevirtClient, saName string) kubecli.KubevirtClient {
+	secret, err := virtCli.CoreV1().Secrets(util.NamespaceTestDefault).Get(context.Background(), saName, metav1.GetOptions{})
+	Expect(err).ToNot(HaveOccurred())
 
-	if withServiceAccount {
-		job.Spec.ServiceAccountName = testsuite.SubresourceServiceAccountName
-		expectedPhase = k8sv1.PodSucceeded
-	} else if resource == "version" || resource == "guestfs" {
-		expectedPhase = k8sv1.PodSucceeded
-	}
+	token, ok := secret.Data["token"]
+	Expect(ok).To(BeTrue())
 
-	pod, err := virtCli.CoreV1().Pods(namespace).Create(context.Background(), job, metav1.CreateOptions{})
+	saClient, err := kubecli.GetKubevirtClientFromRESTConfig(&rest.Config{
+		Host: virtCli.Config().Host,
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure: true,
+		},
+		BearerToken: string(token),
+	})
 	Expect(err).ToNot(HaveOccurred())
 
-	getStatus := func() k8sv1.PodPhase {
-		pod, err := virtCli.CoreV1().Pods(namespace).Get(context.Background(), pod.Name, metav1.GetOptions{})
-		Expect(err).ToNot(HaveOccurred())
-		return pod.Status.Phase
-	}
-
-	Eventually(getStatus, 60, 0.5).Should(Equal(expectedPhase))
+	return saClient
 }