install authorization.k8s.io/v1, add tests

Use specific v1beta1 Authorization client Add client expansions
2017-01-30 14:35:28 -05:00 · 2017-01-30 14:35:28 -05:00 · 8706bc9617
parent 31d45fe78f
commit 8706bc9617
24 changed files with 270 additions and 16 deletions
--- a/cmd/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml
+++ b/cmd/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml
@ -0,0 +1,12 @@
+apiVersion: apiregistration.k8s.io/v1alpha1
+kind: APIService
+metadata:
+  name: v1.authorization.k8s.io
+spec:
+  group: authorization.k8s.io
+  version: v1
+  service:
+    namespace: default
+    name: kubernetes
+  insecureSkipTLSVerify: true
+  priority: 100
--- a/cmd/kubelet/app/auth.go
+++ b/cmd/kubelet/app/auth.go
@ -42,7 +42,7 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
 	)
 	if client != nil && !reflect.ValueOf(client).IsNil() {
 		tokenClient = client.Authentication().TokenReviews()
-		sarClient = client.Authorization().SubjectAccessReviews()
+		sarClient = client.AuthorizationV1beta1().SubjectAccessReviews()
 	}

 	authenticator, err := buildAuthn(tokenClient, config.Authentication)
--- a/cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go
+++ b/cmd/libs/go2idl/go-to-protobuf/protobuf/cmd.go
@ -72,6 +72,7 @@ func New() *Generator {
 			`k8s.io/kubernetes/pkg/apis/policy/v1beta1`,
 			`k8s.io/kubernetes/pkg/apis/extensions/v1beta1`,
 			`k8s.io/kubernetes/pkg/apis/autoscaling/v1`,
+			`k8s.io/kubernetes/pkg/apis/authorization/v1`,
 			`k8s.io/kubernetes/pkg/apis/authorization/v1beta1`,
 			`k8s.io/kubernetes/pkg/apis/batch/v1`,
 			`k8s.io/kubernetes/pkg/apis/batch/v2alpha1`,
--- a/hack/.linted_packages
+++ b/hack/.linted_packages
@ -122,6 +122,7 @@ pkg/client/listers/apps/v1beta1
 pkg/client/listers/authentication/internalversion
 pkg/client/listers/authentication/v1beta1
 pkg/client/listers/authorization/internalversion
+pkg/client/listers/authorization/v1
 pkg/client/listers/authorization/v1beta1
 pkg/client/listers/autoscaling/internalversion
 pkg/client/listers/autoscaling/v1
--- a/hack/lib/init.sh
+++ b/hack/lib/init.sh
@ -55,6 +55,7 @@ KUBE_AVAILABLE_GROUP_VERSIONS="${KUBE_AVAILABLE_GROUP_VERSIONS:-\
 v1 \
 apps/v1beta1 \
 authentication.k8s.io/v1beta1 \
+authorization.k8s.io/v1 \
 authorization.k8s.io/v1beta1 \
 autoscaling/v1 \
 batch/v1 \
--- a/hack/make-rules/test-cmd-util.sh
+++ b/hack/make-rules/test-cmd-util.sh
@ -3251,10 +3251,21 @@ __EOF__
  if kube::test::if_supports_resource "${subjectaccessreviews}" ; then
    # check remote authorization endpoint, kubectl doesn't actually display the returned object so this isn't super useful
    # but it proves that works
-    kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar.json --validate=false
+    kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1.json --validate=false
+    kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json --validate=false

    SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
-    curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1beta1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar.json > "${SAR_RESULT_FILE}"
+    curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1beta1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json > "${SAR_RESULT_FILE}"
+    if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then
+      kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
+    else
+      kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" does not return as expected: $(cat "${SAR_RESULT_FILE}")"
+      exit 1
+    fi
+    rm "${SAR_RESULT_FILE}"
+
+    SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
+    curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}"
    if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then
      kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
    else
--- a/pkg/apis/authorization/install/install.go
+++ b/pkg/apis/authorization/install/install.go
@ -25,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/authorization"
+	"k8s.io/kubernetes/pkg/apis/authorization/v1"
 	"k8s.io/kubernetes/pkg/apis/authorization/v1beta1"
 )

@ -37,13 +38,14 @@ func Install(groupFactoryRegistry announced.APIGroupFactoryRegistry, registry *r
 	if err := announced.NewGroupMetaFactory(
 		&announced.GroupMetaFactoryArgs{
 			GroupName:                  authorization.GroupName,
-			VersionPreferenceOrder:     []string{v1beta1.SchemeGroupVersion.Version},
+			VersionPreferenceOrder:     []string{v1.SchemeGroupVersion.Version, v1beta1.SchemeGroupVersion.Version},
 			ImportPrefix:               "k8s.io/kubernetes/pkg/apis/authorization",
 			RootScopedKinds:            sets.NewString("SubjectAccessReview", "SelfSubjectAccessReview"),
 			AddInternalObjectsToScheme: authorization.AddToScheme,
 		},
 		announced.VersionToSchemeFunc{
 			v1beta1.SchemeGroupVersion.Version: v1beta1.AddToScheme,
+			v1.SchemeGroupVersion.Version:      v1.AddToScheme,
 		},
 	).Announce(groupFactoryRegistry).RegisterAndEnable(registry, scheme); err != nil {
 		panic(err)
--- a/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_localsubjectaccessreview_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_localsubjectaccessreview_expansion.go
@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+	core "k8s.io/client-go/testing"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+func (c *FakeLocalSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
+	obj, err := c.Fake.Invokes(core.NewCreateAction(authorizationapi.SchemeGroupVersion.WithResource("localsubjectaccessreviews"), c.ns, sar), &authorizationapi.SubjectAccessReview{})
+	return obj.(*authorizationapi.LocalSubjectAccessReview), err
+}
--- a/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_selfsubjectaccessreview_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_selfsubjectaccessreview_expansion.go
@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+	core "k8s.io/client-go/testing"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+func (c *FakeSelfSubjectAccessReviews) Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error) {
+	obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("selfsubjectaccessreviews"), sar), &authorizationapi.SelfSubjectAccessReview{})
+	return obj.(*authorizationapi.SelfSubjectAccessReview), err
+}
--- a/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/fake/fake_subjectaccessreview_expansion.go
@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+	core "k8s.io/client-go/testing"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+func (c *FakeSubjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) {
+	obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("subjectaccessreviews"), sar), &authorizationapi.SubjectAccessReview{})
+	return obj.(*authorizationapi.SubjectAccessReview), err
+}
--- a/pkg/client/clientset_generated/clientset/typed/authorization/v1/generated_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/generated_expansion.go
@ -15,9 +15,3 @@ limitations under the License.
 */

 package v1
-
-type LocalSubjectAccessReviewExpansion interface{}
-
-type SelfSubjectAccessReviewExpansion interface{}
-
-type SubjectAccessReviewExpansion interface{}
--- a/pkg/client/clientset_generated/clientset/typed/authorization/v1/localsubjectaccessreview_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/localsubjectaccessreview_expansion.go
@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+type LocalSubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error)
+}
+
+func (c *localSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
+	result = &authorizationapi.LocalSubjectAccessReview{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("localsubjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
--- a/pkg/client/clientset_generated/clientset/typed/authorization/v1/selfsubjectaccessreview_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/selfsubjectaccessreview_expansion.go
@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+type SelfSubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error)
+}
+
+func (c *selfSubjectAccessReviews) Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error) {
+	result = &authorizationapi.SelfSubjectAccessReview{}
+	err = c.client.Post().
+		Resource("selfsubjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
--- a/pkg/client/clientset_generated/clientset/typed/authorization/v1/subjectaccessreview_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/authorization/v1/subjectaccessreview_expansion.go
@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization/v1"
+)
+
+// The SubjectAccessReviewExpansion interface allows manually adding extra methods to the AuthorizationInterface.
+type SubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error)
+}
+
+func (c *subjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) {
+	result = &authorizationapi.SubjectAccessReview{}
+	err = c.client.Post().
+		Resource("subjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
--- a/pkg/controller/garbagecollector/garbagecollector.go
+++ b/pkg/controller/garbagecollector/garbagecollector.go
@ -536,6 +536,9 @@ var ignoredResources = map[schema.GroupVersionResource]struct{}{
 	schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "subjectaccessreviews"}:      {},
 	schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "selfsubjectaccessreviews"}:  {},
 	schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1beta1", Resource: "localsubjectaccessreviews"}: {},
+	schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "subjectaccessreviews"}:           {},
+	schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "selfsubjectaccessreviews"}:       {},
+	schema.GroupVersionResource{Group: "authorization.k8s.io", Version: "v1", Resource: "localsubjectaccessreviews"}:      {},
 }

 func NewGarbageCollector(metaOnlyClientPool dynamic.ClientPool, clientPool dynamic.ClientPool, mapper meta.RESTMapper, deletableResources map[schema.GroupVersionResource]struct{}) (*GarbageCollector, error) {
--- a/pkg/master/master.go
+++ b/pkg/master/master.go
@ -36,6 +36,7 @@ import (
 	apiv1 "k8s.io/kubernetes/pkg/api/v1"
 	appsapi "k8s.io/kubernetes/pkg/apis/apps/v1beta1"
 	authenticationv1beta1 "k8s.io/kubernetes/pkg/apis/authentication/v1beta1"
+	authorizationapiv1 "k8s.io/kubernetes/pkg/apis/authorization/v1"
 	authorizationapiv1beta1 "k8s.io/kubernetes/pkg/apis/authorization/v1beta1"
 	autoscalingapiv1 "k8s.io/kubernetes/pkg/apis/autoscaling/v1"
 	batchapiv1 "k8s.io/kubernetes/pkg/apis/batch/v1"
@ -399,6 +400,7 @@ func DefaultAPIResourceConfigSource() *genericapiserver.ResourceConfig {
 		rbacapi.SchemeGroupVersion,
 		storageapiv1beta1.SchemeGroupVersion,
 		certificatesapiv1beta1.SchemeGroupVersion,
+		authorizationapiv1.SchemeGroupVersion,
 		authorizationapiv1beta1.SchemeGroupVersion,
 	)

--- a/pkg/registry/authorization/rest/storage_authorization.go
+++ b/pkg/registry/authorization/rest/storage_authorization.go
@ -23,6 +23,7 @@ import (
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/authorization"
+	authorizationv1 "k8s.io/kubernetes/pkg/apis/authorization/v1"
 	authorizationv1beta1 "k8s.io/kubernetes/pkg/apis/authorization/v1beta1"
 	"k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview"
 	"k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview"
@ -45,6 +46,11 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource genericapise
 		apiGroupInfo.GroupMeta.GroupVersion = authorizationv1beta1.SchemeGroupVersion
 	}

+	if apiResourceConfigSource.AnyResourcesForVersionEnabled(authorizationv1.SchemeGroupVersion) {
+		apiGroupInfo.VersionedResourcesStorageMap[authorizationv1.SchemeGroupVersion.Version] = p.v1Storage(apiResourceConfigSource, restOptionsGetter)
+		apiGroupInfo.GroupMeta.GroupVersion = authorizationv1.SchemeGroupVersion
+	}
+
 	return apiGroupInfo, true
 }

@ -65,6 +71,23 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource genericapise
 	return storage
 }

+func (p RESTStorageProvider) v1Storage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
+	version := authorizationv1beta1.SchemeGroupVersion
+
+	storage := map[string]rest.Storage{}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("subjectaccessreviews")) {
+		storage["subjectaccessreviews"] = subjectaccessreview.NewREST(p.Authorizer)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectaccessreviews")) {
+		storage["selfsubjectaccessreviews"] = selfsubjectaccessreview.NewREST(p.Authorizer)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("localsubjectaccessreviews")) {
+		storage["localsubjectaccessreviews"] = localsubjectaccessreview.NewREST(p.Authorizer)
+	}
+
+	return storage
+}
+
 func (p RESTStorageProvider) GroupName() string {
 	return authorization.GroupName
 }
--- a/test/e2e/examples.go
+++ b/test/e2e/examples.go
@ -74,7 +74,7 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() {
 		framework.BindClusterRoleInNamespace(c.Rbac(), "edit", f.Namespace.Name,
 			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})

-		err := framework.WaitForAuthorizationUpdate(c.Authorization(),
+		err := framework.WaitForAuthorizationUpdate(c.AuthorizationV1beta1(),
 			serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 			f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true)
 		framework.ExpectNoError(err)
--- a/test/e2e/ingress.go
+++ b/test/e2e/ingress.go
@ -71,7 +71,7 @@ var _ = framework.KubeDescribe("Loadbalancing: L7", func() {
 		framework.BindClusterRole(jig.client.Rbac(), "cluster-admin", f.Namespace.Name,
 			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})

-		err := framework.WaitForAuthorizationUpdate(jig.client.Authorization(),
+		err := framework.WaitForAuthorizationUpdate(jig.client.AuthorizationV1beta1(),
 			serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 			"", "create", schema.GroupResource{Resource: "pods"}, true)
 		framework.ExpectNoError(err)
--- a/test/e2e/kubectl.go
+++ b/test/e2e/kubectl.go
@ -583,7 +583,7 @@ var _ = framework.KubeDescribe("Kubectl client", func() {
 			framework.BindClusterRole(f.ClientSet.Rbac(), "view", f.Namespace.Name,
 				rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})

-			err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(),
+			err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 				serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 				f.Namespace.Name, "list", schema.GroupResource{Resource: "pods"}, true)
 			framework.ExpectNoError(err)
--- a/test/e2e/node_problem_detector.go
+++ b/test/e2e/node_problem_detector.go
@ -66,7 +66,7 @@ var _ = framework.KubeDescribe("NodeProblemDetector", func() {
 		framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name,
 			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})

-		err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(),
+		err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 			serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 			"", "create", schema.GroupResource{Resource: "pods"}, true)
 		framework.ExpectNoError(err)
--- a/test/e2e/pre_stop.go
+++ b/test/e2e/pre_stop.go
@ -183,7 +183,7 @@ var _ = framework.KubeDescribe("PreStop", func() {
 		framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name,
 			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: f.Namespace.Name, Name: "default"})

-		err := framework.WaitForAuthorizationUpdate(f.ClientSet.Authorization(),
+		err := framework.WaitForAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
 			serviceaccount.MakeUsername(f.Namespace.Name, "default"),
 			"", "create", schema.GroupResource{Resource: "pods"}, true)
 		framework.ExpectNoError(err)
--- a/test/fixtures/pkg/kubectl/cmd/create/sar-v1.json
+++ b/test/fixtures/pkg/kubectl/cmd/create/sar-v1.json
@ -0,0 +1,16 @@
+{
+  "apiVersion": "authorization.k8s.io/v1",
+  "kind": "SubjectAccessReview",
+  "spec": {
+    "user": "bob",
+    "groups": [
+      "the-group"
+    ],
+    "resourceAttributes": {
+      "namespace": "ns",
+      "verb": "create",
+      "group": "autoscaling",
+      "resource": "horizontalpodautoscalers"
+    }
+  }
+}
--- a/test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json
+++ b/test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json
@ -3,7 +3,7 @@
  "kind": "SubjectAccessReview",
  "spec": {
    "user": "bob",
-    "groups": [
+    "group": [
      "the-group"
    ],
    "resourceAttributes": {