'envtest' should support test scenarios with Authn/Authz configurations (should expose secure endpoint info of kube-apiserver) #983

Closed
@everpeace

What is the problem

When we configured some authentication modules by envtest.Environment.KubeAPIServerFlags like below:

```go
// just an example using basic auth module
te := &envtest.Environment{
	KubeAPIServerFlags: append(
		envtest.DefaultKubeAPIServerFlags, "--basic-auth-file=my-file", "--authorization-mode=RBAC",
	),
}
cfg, _ := te.Start()
```

envtest.Config points to the insecure endpoint of kube-apiserver. As the official documentation says, we can't use this endpoint to test scenarios containing authn/authz configurations. Moreover, envtest doesn't expose any TLS configuration of envtest's kube-apiserver.

Thus, users don't have any way to connect to the secure endpoint of envtest's kube-apiserver.

Why is this needed?

When controllers/webhooks interact with SubjectAccessReview or SelfSubjectAccessReview, users want to test scenarios containing authz (mainly RBAC) configurations.

Solution

internal.testing.integration.APIServer can expose a TLSClientConfig containing its CA certificate, which is set up by TinyCA when starting the APIServer. Perhaps we would add envtest.Environment.SecureConfig for users' convenience.
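
The point of the request, as an added example that is not part of the original issue or of controller-runtime: a standard-library stand-in for a secure API server endpoint (`httptest`, not envtest) showing that without the server's CA certificate a client fails at TLS verification, so the authentication check is never reached. The helpers `newSecureServer`, `clientFor` and `probe` and the credentials are hypothetical, constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSecureServer stands in for a secure API server port: TLS + basic auth (constructed credentials).
func newSecureServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != "alice" || p != "s3cret" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "ok") // implicit 200 for authenticated requests
	}))
}

// clientFor trusts only the given pool; nil means system roots, which lack the test CA.
func clientFor(pool *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// probe sends a GET with basic-auth credentials and returns the status code.
func probe(c *http.Client, url, user, pass string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(user, pass)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err // e.g. x509: certificate signed by unknown authority
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newSecureServer()
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // the CA material the issue asks envtest to expose
	_, err := probe(clientFor(nil), srv.URL, "alice", "s3cret")
	code, _ := probe(clientFor(pool), srv.URL, "alice", "wrong")
	fmt.Println("no CA -> error:", err != nil, "| CA + bad password ->", code)
}
```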

Labels: lifecycle/stale (Denotes an issue or PR has remained open with no activity and has become stale.)