Merge pull request #56382 from mikkeloscar/e2e-psp-and-rbac

Automatic merge from submit-queue (batch tested with PRs 56382, 57549). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. e2e: Only create PSP if RBAC is enabled **What this PR does / why we need it**: Creating privileged PSPs during e2e tests depends on RBAC being enabled in the target cluster. However it is possible to use PSPs without having RBAC enabled thus only enable creating PSPs during e2e tests if both PSP and RBAC is enabled. Fix #57840 **Special notes for your reviewer**: **Release note**: ```release-note Only create Privileged PSP binding during e2e tests if RBAC is enabled. ```
2018-01-04 06:40:31 -08:00 · 2018-01-04 06:40:31 -08:00 · a1db9436cd
parent 8971a516ed a37d8ec1f9
commit a1db9436cd
1 changed files with 28 additions and 24 deletions
--- a/test/e2e/framework/psp_util.go
+++ b/test/e2e/framework/psp_util.go
@ -114,30 +114,34 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
 		psp, err = f.ClientSet.ExtensionsV1beta1().PodSecurityPolicies().Create(psp)
 		ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)

-		// Create the Role to bind it to the namespace.
-		_, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
-			Rules: []rbacv1beta1.PolicyRule{{
-				APIGroups:     []string{"extensions"},
-				Resources:     []string{"podsecuritypolicies"},
-				ResourceNames: []string{podSecurityPolicyPrivileged},
-				Verbs:         []string{"use"},
-			}},
-		})
-		ExpectNoError(err, "Failed to create PSP role")
+		if IsRBACEnabled(f) {
+			// Create the Role to bind it to the namespace.
+			_, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
+				ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
+				Rules: []rbacv1beta1.PolicyRule{{
+					APIGroups:     []string{"extensions"},
+					Resources:     []string{"podsecuritypolicies"},
+					ResourceNames: []string{podSecurityPolicyPrivileged},
+					Verbs:         []string{"use"},
+				}},
+			})
+			ExpectNoError(err, "Failed to create PSP role")
+		}
 	})

-	By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
-		podSecurityPolicyPrivileged, namespace))
-	BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
-		podSecurityPolicyPrivileged,
-		namespace,
-		rbacv1beta1.Subject{
-			Kind:      rbacv1beta1.ServiceAccountKind,
-			Namespace: namespace,
-			Name:      "default",
-		})
-	ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
-		serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
-		schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
+	if IsRBACEnabled(f) {
+		By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
+			podSecurityPolicyPrivileged, namespace))
+		BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
+			podSecurityPolicyPrivileged,
+			namespace,
+			rbacv1beta1.Subject{
+				Kind:      rbacv1beta1.ServiceAccountKind,
+				Namespace: namespace,
+				Name:      "default",
+			})
+		ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
+			serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
+			schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
+	}
 }