testing latest commit

Author: MaysaMacedo

test/e2e/framework/auth/helpers.go

@@ -103,13 +103,13 @@ func WaitForNamedAuthorizationUpdate(ctx context.Context, c v1authorization.Subj
 
 // BindClusterRole binds the cluster role at the cluster scope. If RBAC is not enabled, nil
 // is returned with no action.
-func BindClusterRole(ctx context.Context, c bindingsGetter, clusterRole, ns string, subjects ...rbacv1.Subject) error {
+func BindClusterRole(ctx context.Context, c bindingsGetter, clusterRole, ns string, subjects ...rbacv1.Subject) (*rbacv1.ClusterRoleBinding, error) {
 	if !IsRBACEnabled(ctx, c) {
-		return nil
+		return nil, nil
 	}
 
 	// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
-	_, err := c.ClusterRoleBindings().Create(ctx, &rbacv1.ClusterRoleBinding{
+	clusterRoleBinding, err := c.ClusterRoleBindings().Create(ctx, &rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: ns + "--" + clusterRole,
 		},
@@ -122,10 +122,10 @@ func BindClusterRole(ctx context.Context, c bindingsGetter, clusterRole, ns stri
 	}, metav1.CreateOptions{})
 
 	if err != nil {
-		return fmt.Errorf("binding clusterrole/%s for %q for %v: %w", clusterRole, ns, subjects, err)
+		return nil, fmt.Errorf("binding clusterrole/%s for %q for %v: %w", clusterRole, ns, subjects, err)
 	}
 
-	return nil
+	return clusterRoleBinding, nil
 }
 
 // BindClusterRoleInNamespace binds the cluster role at the namespace scope. If RBAC is not enabled, nil

test/e2e/kubectl/kubectl.go

@@ -573,7 +573,7 @@ var _ = SIGDescribe("Kubectl client", func() {
 
 				ginkgo.By("adding rbac permissions")
 				// grant the view permission widely to allow inspection of the `invalid` namespace and the default namespace
-				err := e2eauth.BindClusterRole(ctx, f.ClientSet.RbacV1(), "view", f.Namespace.Name,
+				_, err := e2eauth.BindClusterRole(ctx, f.ClientSet.RbacV1(), "view", f.Namespace.Name,
 					rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})
 				framework.ExpectNoError(err)
 

test/e2e/node/kubelet_authz.go

@@ -26,7 +26,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/kubernetes/pkg/cluster/ports"
 	"k8s.io/kubernetes/pkg/features"
@@ -60,7 +59,6 @@ var _ = SIGDescribe(framework.WithFeatureGate(features.KubeletFineGrainedAuthz),
 func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint, authzSubresource string) string {
 	ns := f.Namespace.Name
 	saName := authzSubresource
-	crName := authzSubresource + string(uuid.NewUUID())
 	verb := "get"
 	resource := "nodes"
 
@@ -74,11 +72,11 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint,
 	}, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
-	ginkgo.By(fmt.Sprintf("Creating ClusterRole %s with for %s/%s", crName, resource, authzSubresource))
+	ginkgo.By(fmt.Sprintf("Creating ClusterRole with prefix %s with for %s/%s", authzSubresource, resource, authzSubresource))
 
-	_, err = f.ClientSet.RbacV1().ClusterRoles().Create(ctx, &rbacv1.ClusterRole{
+	clusterRole, err := f.ClientSet.RbacV1().ClusterRoles().Create(ctx, &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: crName,
+			GenerateName: authzSubresource + "-",
 		},
 		Rules: []rbacv1.PolicyRule{
 			{
@@ -89,17 +87,27 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint,
 		},
 	}, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
+	defer func() {
+		ginkgo.By(fmt.Sprintf("Destroying ClusterRoles %q for this suite.", clusterRole.Name))
+		framework.ExpectNoError(f.ClientSet.RbacV1().ClusterRoles().Delete(ctx, clusterRole.Name, metav1.DeleteOptions{}))
+	}()
 
 	subject := rbacv1.Subject{
 		Kind:      rbacv1.ServiceAccountKind,
 		Namespace: ns,
 		Name:      saName,
 	}
 
-	ginkgo.By(fmt.Sprintf("Creating ClusterRoleBinding with ClusterRole %s with subject %s/%s", crName, ns, saName))
+	ginkgo.By(fmt.Sprintf("Creating ClusterRoleBinding with ClusterRole %s with subject %s/%s", clusterRole.Name, ns, saName))
 
-	err = e2eauth.BindClusterRole(ctx, f.ClientSet.RbacV1(), crName, ns, subject)
+	clusterRoleBinding, err := e2eauth.BindClusterRole(ctx, f.ClientSet.RbacV1(), clusterRole.Name, ns, subject)
 	framework.ExpectNoError(err)
+	defer func() {
+		if clusterRoleBinding != nil {
+			ginkgo.By(fmt.Sprintf("Destroying ClusterRoleBindings %q for this suite.", clusterRoleBinding.Name))
+			framework.ExpectNoError(f.ClientSet.RbacV1().ClusterRoleBindings().Delete(ctx, clusterRoleBinding.Name, metav1.DeleteOptions{}))
+		}
+	}()
 
 	ginkgo.By("Waiting for Authorization Update.")
 

test/e2e/storage/drivers/in_tree.go

@@ -165,10 +165,12 @@ func (n *nfsDriver) PrepareTest(ctx context.Context, f *framework.Framework) *st
 
 	// TODO(mkimuram): cluster-admin gives too much right but system:persistent-volume-provisioner
 	// is not enough. We should create new clusterrole for testing.
-	err := e2eauth.BindClusterRole(ctx, cs.RbacV1(), "cluster-admin", ns.Name,
+	clusterRoleBinding, err := e2eauth.BindClusterRole(ctx, cs.RbacV1(), "cluster-admin", ns.Name,
 		rbacv1.Subject{Kind: rbacv1.ServiceAccountKind, Namespace: ns.Name, Name: "default"})
 	framework.ExpectNoError(err)
-	ginkgo.DeferCleanup(cs.RbacV1().ClusterRoleBindings().Delete, ns.Name+"--"+"cluster-admin", *metav1.NewDeleteOptions(0))
+	if clusterRoleBinding != nil {
+		ginkgo.DeferCleanup(cs.RbacV1().ClusterRoleBindings().Delete, clusterRoleBinding.Name, *metav1.NewDeleteOptions(0))
+	}
 
 	err = e2eauth.WaitForAuthorizationUpdate(ctx, cs.AuthorizationV1(),
 		serviceaccount.MakeUsername(ns.Name, "default"),

test/e2e/storage/volume_provisioning.go

@@ -442,7 +442,7 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 				Name:      serviceAccountName,
 			}
 
-			err := e2eauth.BindClusterRole(ctx, c.RbacV1(), "system:persistent-volume-provisioner", ns, subject)
+			_, err := e2eauth.BindClusterRole(ctx, c.RbacV1(), "system:persistent-volume-provisioner", ns, subject)
 			framework.ExpectNoError(err)
 
 			roleName := "leader-locking-nfs-provisioner"