Unverified Commit 9f40607e authored by Kubernetes Prow Robot's avatar Kubernetes Prow Robot Committed by GitHub

Merge pull request #71209 from dczombera/add_impersonation_test

Add an impersonation test case to the audit E2E test
parents f4487a06 f9df691c
......@@ -79,6 +79,16 @@ var _ = SIGDescribe("Advanced Audit", func() {
anonymousClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err)
By("Creating a kubernetes client that impersonates an authorized user")
config, err = framework.LoadConfig()
framework.ExpectNoError(err)
config.Impersonate = restclient.ImpersonationConfig{
UserName: "superman",
Groups: []string{"system:masters"},
}
impersonatedClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err)
testCases := []struct {
action func()
events []utils.AuditEvent
......@@ -668,6 +678,30 @@ var _ = SIGDescribe("Advanced Audit", func() {
},
},
},
// List pods as impersonated user.
{
func() {
_, err = impersonatedClient.CoreV1().Pods(namespace).List(metav1.ListOptions{})
framework.ExpectNoError(err, "failed to list pods")
},
[]utils.AuditEvent{
{
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
Verb: "list",
Code: 200,
User: auditTestUser,
ImpersonatedUser: "superman",
ImpersonatedGroups: "system:masters",
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
},
},
},
}
// test authorizer annotations, RBAC is required.
......@@ -684,17 +718,19 @@ var _ = SIGDescribe("Advanced Audit", func() {
},
[]utils.AuditEvent{
{
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
Verb: "get",
Code: 403,
User: auditTestUser,
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "forbid",
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods/another-audit-pod", namespace),
Verb: "get",
Code: 403,
User: auditTestUser,
ImpersonatedUser: "system:anonymous",
ImpersonatedGroups: "system:unauthenticated",
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "forbid",
},
},
},
......
......@@ -20,6 +20,8 @@ import (
"bufio"
"fmt"
"io"
"sort"
"strings"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
......@@ -28,17 +30,19 @@ import (
)
type AuditEvent struct {
Level auditinternal.Level
Stage auditinternal.Stage
RequestURI string
Verb string
Code int32
User string
Resource string
Namespace string
RequestObject bool
ResponseObject bool
AuthorizeDecision string
Level auditinternal.Level
Stage auditinternal.Stage
RequestURI string
Verb string
Code int32
User string
ImpersonatedUser string
ImpersonatedGroups string
Resource string
Namespace string
RequestObject bool
ResponseObject bool
AuthorizeDecision string
}
// Search the audit log for the expected audit lines.
......@@ -101,6 +105,11 @@ func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error
if e.RequestObject != nil {
event.RequestObject = true
}
if e.ImpersonatedUser != nil {
event.ImpersonatedUser = e.ImpersonatedUser.Username
sort.Strings(e.ImpersonatedUser.Groups)
event.ImpersonatedGroups = strings.Join(e.ImpersonatedUser.Groups, ",")
}
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
return event, nil
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment