diff --git a/cmd/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml b/cmd/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml new file mode 100644 index 0000000000..6465e31f24 --- /dev/null +++ b/cmd/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml @@ -0,0 +1,12 @@ +apiVersion: apiregistration.k8s.io/v1alpha1 +kind: APIService +metadata: + name: v1.authorization.k8s.io +spec: + group: authorization.k8s.io + version: v1 + service: + namespace: default + name: kubernetes + insecureSkipTLSVerify: true + priority: 100 diff --git a/cmd/kubelet/app/auth.go b/cmd/kubelet/app/auth.go index ed10f5f13b..bc8e19945b 100644 --- a/cmd/kubelet/app/auth.go +++ b/cmd/kubelet/app/auth.go @@ -42,7 +42,7 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo ) if client != nil && !reflect.ValueOf(client).IsNil() { tokenClient = client.Authentication().TokenReviews() - sarClient = client.Authorization().SubjectAccessReviews() + sarClient = client.AuthorizationV1beta1().SubjectAccessReviews() } authenticator, err := buildAuthn(tokenClient, config.Authentication) diff --git a/cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go b/cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go index 60df80eb2c..bc9753c07f 100644 --- a/cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go +++ b/cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go @@ -72,6 +72,7 @@ func New() *Generator { `k8s.io/kubernetes/pkg/apis/policy/v1beta1`, `k8s.io/kubernetes/pkg/apis/extensions/v1beta1`, `k8s.io/kubernetes/pkg/apis/autoscaling/v1`, + `k8s.io/kubernetes/pkg/apis/authorization/v1`, `k8s.io/kubernetes/pkg/apis/authorization/v1beta1`, `k8s.io/kubernetes/pkg/apis/batch/v1`, `k8s.io/kubernetes/pkg/apis/batch/v2alpha1`, diff --git a/hack/.linted_packages b/hack/.linted_packages index b576e59195..c75df4cd23 100644 --- a/hack/.linted_packages +++ b/hack/.linted_packages 
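Review bot: `insecureSkipTLSVerify: true` in the new v1.authorization.k8s.io APIService means the aggregator will not verify the serving certificate of the `kubernetes` service when it proxies this group. The responses on this group are access-review decisions, so the proxy leg should authenticate its backend; prefer pinning the CA with `caBundle: <base64-encoded CA bundle>` and dropping the skip flag. If the setting is a local-development convenience shared with the sibling core-apiservices artifacts (not visible in this diff), a comment at the top of the file such as `# development only: TLS verification to the backend is disabled` would keep it from being copied into a real deployment.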
@@ -122,6 +122,7 @@ pkg/client/listers/apps/v1beta1 pkg/client/listers/authentication/internalversion pkg/client/listers/authentication/v1beta1 pkg/client/listers/authorization/internalversion +pkg/client/listers/authorization/v1 pkg/client/listers/authorization/v1beta1 pkg/client/listers/autoscaling/internalversion pkg/client/listers/autoscaling/v1 diff --git a/hack/lib/init.sh b/hack/lib/init.sh index 6943c84f85..2e909995a2 100644 --- a/hack/lib/init.sh +++ b/hack/lib/init.sh @@ -55,6 +55,7 @@ KUBE_AVAILABLE_GROUP_VERSIONS="${KUBE_AVAILABLE_GROUP_VERSIONS:-\ v1 \ apps/v1beta1 \ authentication.k8s.io/v1beta1 \ +authorization.k8s.io/v1 \ authorization.k8s.io/v1beta1 \ autoscaling/v1 \ batch/v1 \ diff --git a/hack/make-rules/test-cmd-util.sh b/hack/make-rules/test-cmd-util.sh index 7b9494c548..7a5998a697 100644 --- a/hack/make-rules/test-cmd-util.sh +++ b/hack/make-rules/test-cmd-util.sh 
@@ -3251,10 +3251,21 @@ __EOF__ if kube::test::if_supports_resource "${subjectaccessreviews}" ; then # check remote authorization endpoint, kubectl doesn't actually display the returned object so this isn't super useful # but it proves that works - kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar.json --validate=false + kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1.json --validate=false + kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json --validate=false SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json" - curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1beta1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar.json > "${SAR_RESULT_FILE}" + curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1beta1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json > "${SAR_RESULT_FILE}" + if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then + kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")" + else + kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" does not return as expected: $(cat "${SAR_RESULT_FILE}")" + exit 1 + fi + rm "${SAR_RESULT_FILE}" + + SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json" + curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}" if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")" else diff --git a/pkg/apis/authorization/install/install.go b/pkg/apis/authorization/install/install.go index 5b320c855d..1b82992f64 100644 --- a/pkg/apis/authorization/install/install.go +++ b/pkg/apis/authorization/install/install.go 
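Review bot: The v1beta1 and v1 checks log the same text, `"authorization.k8s.io/subjectaccessreviews" does not return as expected`, so a failure does not show which API version broke. Naming the version in each message would fix that, for example `kube::log::status "\"authorization.k8s.io/v1/subjectaccessreviews\" does not return as expected: $(cat "${SAR_RESULT_FILE}")"`. The two blocks are otherwise identical, including the repeated `SAR_RESULT_FILE` assignment, and would read better as one loop over `v1beta1 v1`. The `-k` on both curl lines has no effect against an `http://` URL and can be dropped. The second `if`/`else` continues past the end of the hunk.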
@@ -25,6 +25,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/apis/authorization" + "k8s.io/kubernetes/pkg/apis/authorization/v1" "k8s.io/kubernetes/pkg/apis/authorization/v1beta1" ) @@ -37,13 +38,14 @@ func Install(groupFactoryRegistry announced.APIGroupFactoryRegistry, registry *r if err := announced.NewGroupMetaFactory( &announced.GroupMetaFactoryArgs{ GroupName: authorization.GroupName, - VersionPreferenceOrder: []string{v1beta1.SchemeGroupVersion.Version}, + VersionPreferenceOrder: []string{v1.SchemeGroupVersion.Version, v1beta1.SchemeGroupVersion.Version}, ImportPrefix: "k8s.io/kubernetes/pkg/apis/authorization", RootScopedKinds: sets.NewString("SubjectAccessReview", "SelfSubjectAccessReview"), AddInternalObjectsToScheme: authorization.AddToScheme, }, announced.VersionToSchemeFunc{ v1beta1.SchemeGroupVersion.Version: v1beta1.AddToScheme, + v1.SchemeGroupVersion.Version: v1.AddToScheme, }, ).Announce(groupFactoryRegistry).RegisterAndEnable(registry, scheme); err != nil { panic(err) diff --git a/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_localsubjectaccessreview_expansion.go b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_localsubjectaccessreview_expansion.go new file mode 100644 index 0000000000..d63b59484f --- /dev/null +++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_localsubjectaccessreview_expansion.go 
@@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+ core "k8s.io/client-go/testing"
+ authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+func (c *FakeLocalSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
+ obj, err := c.Fake.Invokes(core.NewCreateAction(authorizationapi.SchemeGroupVersion.WithResource("localsubjectaccessreviews"), c.ns, sar), &authorizationapi.SubjectAccessReview{})
+ return obj.(*authorizationapi.LocalSubjectAccessReview), err
+}
diff --git a/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_selfsubjectaccessreview_expansion.go b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_selfsubjectaccessreview_expansion.go
new file mode 100644
index 0000000000..86a6726e28
--- /dev/null
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_selfsubjectaccessreview_expansion.go
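Review bot: The default object passed to `Invokes` in `FakeLocalSubjectAccessReviews.Create` is `&authorizationapi.SubjectAccessReview{}`, but the next line asserts `*authorizationapi.LocalSubjectAccessReview`. A test that registers no reactor for this action would therefore panic on the type assertion instead of receiving an empty result. The assertion is also unguarded: if a reactor returns a nil object together with an error, the single-value assertion panics before the error reaches the caller. The same nil guard is missing from the SelfSubjectAccessReview and SubjectAccessReview fakes added in the next two files. Passing the matching type and returning early on a nil object fixes both.
```go
func (c *FakeLocalSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
	obj, err := c.Fake.Invokes(core.NewCreateAction(authorizationapi.SchemeGroupVersion.WithResource("localsubjectaccessreviews"), c.ns, sar), &authorizationapi.LocalSubjectAccessReview{})
	if obj == nil {
		return nil, err
	}
	return obj.(*authorizationapi.LocalSubjectAccessReview), err
}
```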
@@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+ core "k8s.io/client-go/testing"
+ authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+func (c *FakeSelfSubjectAccessReviews) Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error) {
+ obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("selfsubjectaccessreviews"), sar), &authorizationapi.SelfSubjectAccessReview{})
+ return obj.(*authorizationapi.SelfSubjectAccessReview), err
+}
diff --git a/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go
new file mode 100644
index 0000000000..5e8cff0229
--- /dev/null
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go
@@ -0,0 +1,27 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +import ( + core "k8s.io/client-go/testing" + authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1" +) + +func (c *FakeSubjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) { + obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("subjectaccessreviews"), sar), &authorizationapi.SubjectAccessReview{}) + return obj.(*authorizationapi.SubjectAccessReview), err +} diff --git a/pkg/client/clientset_generated/clientset/typed/authorization/v1/generated_expansion.go b/pkg/client/clientset_generated/clientset/typed/authorization/v1/generated_expansion.go index abbf044fb6..42e76d5e43 100644 --- a/pkg/client/clientset_generated/clientset/typed/authorization/v1/generated_expansion.go +++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/generated_expansion.go @@ -15,9 +15,3 @@ limitations under the License. */ package v1 - -type LocalSubjectAccessReviewExpansion interface{} - -type SelfSubjectAccessReviewExpansion interface{} - -type SubjectAccessReviewExpansion interface{} 
diff --git a/pkg/client/clientset_generated/clientset/typed/authorization/v1/localsubjectaccessreview_expansion.go b/pkg/client/clientset_generated/clientset/typed/authorization/v1/localsubjectaccessreview_expansion.go
new file mode 100644
index 0000000000..13dd9ff3fd
--- /dev/null
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/localsubjectaccessreview_expansion.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+type LocalSubjectAccessReviewExpansion interface {
+ Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error)
+}
+
+func (c *localSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
+ result = &authorizationapi.LocalSubjectAccessReview{}
+ err = c.client.Post().
+ Namespace(c.ns).
+ Resource("localsubjectaccessreviews").
+ Body(sar).
+ Do().
+ Into(result)
+ return
+}
diff --git a/pkg/client/clientset_generated/clientset/typed/authorization/v1/selfsubjectaccessreview_expansion.go b/pkg/client/clientset_generated/clientset/typed/authorization/v1/selfsubjectaccessreview_expansion.go
new file mode 100644
index 0000000000..698d8eef43
--- /dev/null
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/selfsubjectaccessreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+type SelfSubjectAccessReviewExpansion interface {
+ Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error)
+}
+
+func (c *selfSubjectAccessReviews) Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error) {
+ result = &authorizationapi.SelfSubjectAccessReview{}
+ err = c.client.Post().
+ Resource("selfsubjectaccessreviews").
+ Body(sar).
+ Do().
+ Into(result)
+ return
+}
diff --git a/pkg/client/clientset_generated/clientset/typed/authorization/v1/subjectaccessreview_expansion.go b/pkg/client/clientset_generated/clientset/typed/authorization/v1/subjectaccessreview_expansion.go
new file mode 100644
index 0000000000..eb1db89816
--- /dev/null
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/subjectaccessreview_expansion.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+// The SubjectAccessReviewExpansion interface allows manually adding extra methods to the AuthorizationInterface.
+type SubjectAccessReviewExpansion interface {
+ Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error)
+}
+
+func (c *subjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) {
+ result = &authorizationapi.SubjectAccessReview{}
+ err = c.client.Post().
+ Resource("subjectaccessreviews").
+ Body(sar).
+ Do().
+ Into(result)
+ return
+}
diff --git a/pkg/controller/garbagecollector/garbagecollector.go b/pkg/controller/garbagecollector/garbagecollector.go
index e2af652bf1..7c4250634e 100644
--- a/pkg/controller/garbagecollector/garbagecollector.go
+++ b/pkg/controller/garbagecollector/garbagecollector.go
@@ -536,6 +536,9 @@ var ignoredResources = map[schema.GroupVersionResource]struct{}{ schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "subjectaccessreviews"}: {}, schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "selfsubjectaccessreviews"}: {}, schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "localsubjectaccessreviews"}: {}, + schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "subjectaccessreviews"}: {}, + schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "selfsubjectaccessreviews"}: {}, + schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "localsubjectaccessreviews"}: {}, } func NewGarbageCollector(metaOnlyClientPool dynamic.ClientPool, clientPool dynamic.ClientPool, mapper meta.RESTMapper, deletableResources map[schema.GroupVersionResource]struct{}) (*GarbageCollector, error) { diff --git a/pkg/master/master.go b/pkg/master/master.go index fccdfb6d32..697639ccd5 100644 --- a/pkg/master/master.go +++ b/pkg/master/master.go @@ -36,6 +36,7 @@ import ( apiv1 "k8s.io/kubernetes/pkg/api/v1" appsapi "k8s.io/kubernetes/pkg/apis/apps/v1beta1" authenticationv1beta1 "k8s.io/kubernetes/pkg/apis/authentication/v1beta1" + authorizationapiv1 "k8s.io/kubernetes/pkg/apis/authorization/v1" authorizationapiv1beta1 "k8s.io/kubernetes/pkg/apis/authorization/v1beta1" autoscalingapiv1 "k8s.io/kubernetes/pkg/apis/autoscaling/v1" batchapiv1 "k8s.io/kubernetes/pkg/apis/batch/v1" @@ -399,6 +400,7 @@ func DefaultAPIResourceConfigSource() *genericapiserver.ResourceConfig { rbacapi.SchemeGroupVersion, storageapiv1beta1.SchemeGroupVersion, certificatesapiv1beta1.SchemeGroupVersion, + authorizationapiv1.SchemeGroupVersion, authorizationapiv1beta1.SchemeGroupVersion, ) 
diff --git a/pkg/registry/authorization/rest/storage_authorization.go b/pkg/registry/authorization/rest/storage_authorization.go index d041448911..0b694d5947 100644 --- a/pkg/registry/authorization/rest/storage_authorization.go +++ b/pkg/registry/authorization/rest/storage_authorization.go @@ -23,6 +23,7 @@ import ( genericapiserver "k8s.io/apiserver/pkg/server" "k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/apis/authorization" + authorizationv1 "k8s.io/kubernetes/pkg/apis/authorization/v1" authorizationv1beta1 "k8s.io/kubernetes/pkg/apis/authorization/v1beta1" "k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview" "k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview" @@ -45,6 +46,11 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource genericapise apiGroupInfo.GroupMeta.GroupVersion = authorizationv1beta1.SchemeGroupVersion } + if apiResourceConfigSource.AnyResourcesForVersionEnabled(authorizationv1.SchemeGroupVersion) { + apiGroupInfo.VersionedResourcesStorageMap[authorizationv1.SchemeGroupVersion.Version] = p.v1Storage(apiResourceConfigSource, restOptionsGetter) + apiGroupInfo.GroupMeta.GroupVersion = authorizationv1.SchemeGroupVersion + } + return apiGroupInfo, true } 
@@ -65,6 +71,23 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource genericapise return storage } +func (p RESTStorageProvider) v1Storage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage { + version := authorizationv1beta1.SchemeGroupVersion + + storage := map[string]rest.Storage{} + if apiResourceConfigSource.ResourceEnabled(version.WithResource("subjectaccessreviews")) { + storage["subjectaccessreviews"] = subjectaccessreview.NewREST(p.Authorizer) + } + if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectaccessreviews")) { + storage["selfsubjectaccessreviews"] = selfsubjectaccessreview.NewREST(p.Authorizer) + } + if apiResourceConfigSource.ResourceEnabled(version.WithResource("localsubjectaccessreviews")) { + storage["localsubjectaccessreviews"] = localsubjectaccessreview.NewREST(p.Authorizer) + } + + return storage +} + func (p RESTStorageProvider) GroupName() string { return authorization.GroupName } diff --git a/test/e2e/examples.go b/test/e2e/examples.go index bb1b76a1c6..410907d185 100644 --- a/test/e2e/examples.go +++ b/test/e2e/examples.go @@ -74,7 +74,7 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() { framework.BindClusterRoleInNamespace(c.Rbac(), "edit", f.Namespace.Name, rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) - err := framework.WaitForAuthorizationUpdate(c.Authorization(), + err := framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(), serviceaccount.MakeUsername(f.Namespace.Name, "default"), f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true) framework.ExpectNoError(err) diff --git a/test/e2e/ingress.go b/test/e2e/ingress.go index 58f31e198a..798d684e5b 100644 --- a/test/e2e/ingress.go +++ b/test/e2e/ingress.go 
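Review bot: The new `v1Storage` sets `version := authorizationv1beta1.SchemeGroupVersion`, so every `ResourceEnabled(version.WithResource(...))` check in it consults the v1beta1 configuration instead of v1. Disabling an individual `authorization.k8s.io/v1` resource would then leave it served, and disabling the v1beta1 resource would silently drop its v1 counterpart. That matters for operators who restrict which access-review endpoints are exposed. The line should read `version := authorizationv1.SchemeGroupVersion`. A test that enables v1 while disabling the v1beta1 resources would catch a regression.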
@@ -71,7 +71,7 @@ var _ = framework.KubeDescribe("Loadbalancing: L7", func() { framework.BindClusterRole(jig.client.Rbac(), "cluster-admin", f.Namespace.Name, rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) - err := framework.WaitForAuthorizationUpdate(jig.client.Authorization(), + err := framework.WaitForAuthorizationUpdate(jig.client.AuthorizationV1beta1(), serviceaccount.MakeUsername(f.Namespace.Name, "default"), "", "create", schema.GroupResource{Resource: "pods"}, true) framework.ExpectNoError(err) diff --git a/test/e2e/kubectl.go b/test/e2e/kubectl.go index d165678946..f8d565eb80 100644 --- a/test/e2e/kubectl.go +++ b/test/e2e/kubectl.go @@ -583,7 +583,7 @@ var _ = framework.KubeDescribe("Kubectl client", func() { framework.BindClusterRole(f.ClientSet.Rbac(), "view", f.Namespace.Name, rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) - err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(), + err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(), serviceaccount.MakeUsername(f.Namespace.Name, "default"), f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true) framework.ExpectNoError(err) diff --git a/test/e2e/node_problem_detector.go b/test/e2e/node_problem_detector.go index 871f824913..7019b9f719 100644 --- a/test/e2e/node_problem_detector.go +++ b/test/e2e/node_problem_detector.go 
@@ -66,7 +66,7 @@ var _ = framework.KubeDescribe("NodeProblemDetector", func() { framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name, rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) - err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(), + err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(), serviceaccount.MakeUsername(f.Namespace.Name, "default"), "", "create", schema.GroupResource{Resource: "pods"}, true) framework.ExpectNoError(err) diff --git a/test/e2e/pre_stop.go b/test/e2e/pre_stop.go index cdd7d05ab6..40b6f5438e 100644 --- a/test/e2e/pre_stop.go +++ b/test/e2e/pre_stop.go @@ -183,7 +183,7 @@ var _ = framework.KubeDescribe("PreStop", func() { framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name, rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"}) - err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(), + err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(), serviceaccount.MakeUsername(f.Namespace.Name, "default"), "", "create", schema.GroupResource{Resource: "pods"}, true) framework.ExpectNoError(err) diff --git a/test/fixtures/pkg/kubectl/cmd/create/sar-v1.json b/test/fixtures/pkg/kubectl/cmd/create/sar-v1.json new file mode 100644 index 0000000000..68a0dbd75d --- /dev/null +++ b/test/fixtures/pkg/kubectl/cmd/create/sar-v1.json @@ -0,0 +1,16 @@ +{ + "apiVersion": "authorization.k8s.io/v1", + "kind": "SubjectAccessReview", + "spec": { + "user": "bob", + "groups": [ + "the-group" + ], + "resourceAttributes": { + "namespace": "ns", + "verb": "create", + "group": "autoscaling", + "resource": "horizontalpodautoscalers" + } + } +} \ No newline at end of file 
diff --git a/test/fixtures/pkg/kubectl/cmd/create/sar.json b/test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json similarity index 94% rename from test/fixtures/pkg/kubectl/cmd/create/sar.json rename to test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json index 4b2a0c29bd..5291a021a7 100644 --- a/test/fixtures/pkg/kubectl/cmd/create/sar.json +++ b/test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json @@ -3,7 +3,7 @@ "kind": "SubjectAccessReview", "spec": { "user": "bob", - "groups": [ + "group": [ "the-group" ], "resourceAttributes": {
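Review bot: The renamed v1beta1 fixture changes the key from `groups` to `group` with nothing recording why, and the test creates it with `--validate=false`. A key the served type does not recognise would therefore be dropped silently, and the review evaluated without the group membership. As far as I know, the v1beta1 type serialises this field as `group` while v1 uses `groups`, which would make the change correct, but it reads like a typo. JSON cannot carry a comment, so I would document it next to the two `kubectl create` lines in test-cmd-util.sh, for example `# v1beta1 spells the field "group"; v1 spells it "groups"`.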