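package integration

import (
	"testing"

	kapi "k8s.io/kubernetes/pkg/api"
	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"

	configapi "github.com/openshift/origin/pkg/cmd/server/api"
	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
	serviceadmit "github.com/openshift/origin/pkg/service/admission"
	testutil "github.com/openshift/origin/test/util"
	testserver "github.com/openshift/origin/test/util/server"
)

// The master under test is started with these CIDRs so that the restricted
// endpoints admission plugin has a known cluster and service network to
// compare endpoint addresses against.
const (
	clusterNetworkCIDR = "10.128.0.0/14"
	serviceNetworkCIDR = "172.30.0.0/16"
)

// exampleAddresses maps an address class to an IP that lies inside the
// matching network above ("cluster", "service") or outside both ("external").
var exampleAddresses = map[string]string{
	"cluster":  "10.128.0.2",
	"service":  "172.30.0.2",
	"external": "1.2.3.4",
}

// testOne tries to create an Endpoints object in namespace, through client,
// whose single address is the exampleAddresses entry for addrType.
//
// success states whether admission is expected to accept the create; any
// mismatch between expectation and outcome fails the test immediately, and an
// addrType that is not in exampleAddresses is a test-authoring error rather
// than something to forward to the API server. The object returned by the
// API call is handed back so callers can issue follow-up updates.
func testOne(t *testing.T, client kclientset.Interface, namespace, addrType string, success bool) *kapi.Endpoints {
	ip, known := exampleAddresses[addrType]
	if !known {
		t.Fatalf("unknown address type %q", addrType)
	}

	testEndpoint := &kapi.Endpoints{}
	testEndpoint.GenerateName = "test"
	testEndpoint.Subsets = []kapi.EndpointSubset{{
		Addresses: []kapi.EndpointAddress{{IP: ip}},
		Ports:     []kapi.EndpointPort{{Port: 9999, Protocol: kapi.ProtocolTCP}},
	}}

	ep, err := client.Core().Endpoints(namespace).Create(testEndpoint)
	switch {
	case err != nil && success:
		t.Fatalf("unexpected error creating %s network endpoint: %v", addrType, err)
	case err == nil && !success:
		t.Fatalf("unexpected success creating %s network endpoint", addrType)
	}
	return ep
}

// TestEndpointAdmission exercises the restricted endpoints admission plugin
// end to end against a freshly started master.
//
// Expected policy, as asserted below:
//   - the cluster admin and the endpoint controller service account may
//     create endpoints with addresses in the cluster network, the service
//     network, or outside both;
//   - a project admin may only use addresses outside both networks;
//   - the restriction also applies on update: a project admin can change
//     unrelated fields (annotations) of an existing endpoint, but cannot
//     rewrite its address into the service network.
func TestEndpointAdmission(t *testing.T) {
	testutil.RequireEtcd(t)
	defer testutil.DumpEtcdOnFailure(t)

	masterConfig, err := testserver.DefaultMasterOptions()
	if err != nil {
		t.Fatalf("error creating config: %v", err)
	}
	// Enable the plugin explicitly with its default configuration; the
	// network CIDRs are what it uses to classify endpoint addresses.
	masterConfig.KubernetesMasterConfig.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{
		serviceadmit.RestrictedEndpointsPluginName: {
			Configuration: &configapi.DefaultAdmissionConfig{},
		},
	}
	masterConfig.NetworkConfig.ClusterNetworkCIDR = clusterNetworkCIDR
	masterConfig.NetworkConfig.ServiceNetworkCIDR = serviceNetworkCIDR

	kubeConfigFile, err := testserver.StartConfiguredMaster(masterConfig)
	if err != nil {
		t.Fatalf("error starting server: %v", err)
	}
	clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
	if err != nil {
		t.Fatalf("error getting kube client: %v", err)
	}
	clusterAdminOSClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
	if err != nil {
		t.Fatalf("error getting client: %v", err)
	}
	clientConfig, err := testutil.GetClusterAdminClientConfig(kubeConfigFile)
	if err != nil {
		t.Fatalf("error getting client config: %v", err)
	}

	// Cluster admin: every address class is allowed.
	for _, addrType := range []string{"cluster", "service", "external"} {
		testOne(t, clusterAdminKubeClient, "default", addrType, true)
	}

	// Endpoint controller service account: it legitimately writes
	// cluster/service addresses, so it must be exempt from the restriction.
	_, serviceAccountClient, _, err := testutil.GetClientForServiceAccount(clusterAdminKubeClient, *clientConfig, bootstrappolicy.DefaultOpenShiftInfraNamespace, bootstrappolicy.InfraEndpointControllerServiceAccountName)
	if err != nil {
		t.Fatalf("error getting endpoint controller service account: %v", err)
	}
	for _, addrType := range []string{"cluster", "service", "external"} {
		testOne(t, serviceAccountClient, "default", addrType, true)
	}

	// Project admin: only addresses outside the cluster and service
	// networks are accepted.
	if _, err = testserver.CreateNewProject(clusterAdminOSClient, *clientConfig, "myproject", "myadmin"); err != nil {
		t.Fatalf("error creating project: %v", err)
	}
	_, projectAdminClient, _, err := testutil.GetClientForUser(*clientConfig, "myadmin")
	if err != nil {
		t.Fatalf("error getting project admin client: %v", err)
	}
	testOne(t, projectAdminClient, "myproject", "cluster", false)
	testOne(t, projectAdminClient, "myproject", "service", false)
	testOne(t, projectAdminClient, "myproject", "external", true)

	// A user without the restricted endpoint permission can't modify IPs but
	// can still make other modifications. The endpoint is created by the
	// cluster admin with a cluster-network address the project admin could
	// not have set itself.
	ep := testOne(t, clusterAdminKubeClient, "myproject", "cluster", true)
	ep.Annotations = map[string]string{"foo": "bar"}
	ep, err = projectAdminClient.Core().Endpoints("myproject").Update(ep)
	if err != nil {
		t.Fatalf("unexpected error updating endpoint annotation: %v", err)
	}

	// Rewriting the address into the service network must be rejected on
	// update just as it is on create.
	ep.Subsets[0].Addresses[0].IP = exampleAddresses["service"]
	if _, err = projectAdminClient.Core().Endpoints("myproject").Update(ep); err == nil {
		t.Fatalf("unexpected success modifying endpoint")
	}
}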