@@ -34,11 +34,11 @@ import (
3434
3535func TestAuthorizationModes (t * testing.T ) {
3636 framework .Suite (t , "control-plane" )
37-
37+ webhookPort := "8081"
3838 ctx , cancelFunc := context .WithCancel (context .Background ())
3939 t .Cleanup (cancelFunc )
4040 // start a webhook that allows kcp to boot up
41- webhookStop := RunWebhook (ctx , t , "8081" , "kubernetes:authz:allow" )
41+ webhookStop := RunWebhook (ctx , t , webhookPort , "kubernetes:authz:allow" )
4242 t .Cleanup (webhookStop )
4343
4444 server := framework .PrivateKcpServer (t , framework .WithCustomArguments (
@@ -68,35 +68,33 @@ func TestAuthorizationModes(t *testing.T) {
6868 restClient , err := rest .UnversionedRESTClientFor (rootShardCfg )
6969 require .NoError (t , err )
7070
71- t .Log ("Verify that you are allowed to access AllowAllPaths endpoints." )
72- for _ , endpoint := range []string {"/livez" , "/readyz" } {
73- req := rest .NewRequest (restClient ).RequestURI (endpoint )
74- t .Logf ("%s should not be accessible." , req .URL ().String ())
75- _ , err := req .Do (ctx ).Raw ()
76- require .NoError (t , err )
77- }
71+ t .Log ("Verify that you are allowed to access one of AllowAllPaths endpoints." )
72+ req := rest .NewRequest (restClient ).RequestURI ("/livez" )
73+ t .Logf ("%s should not be accessible." , req .URL ().String ())
74+ _ , err = req .Do (ctx ).Raw ()
75+ require .NoError (t , err )
7876
7977 t .Log ("Admin should be allowed now to list Workspaces." )
8078 _ , err = kcpClusterClient .Cluster (logicalcluster .NewPath ("root" )).TenancyV1alpha1 ().Workspaces ().List (ctx , metav1.ListOptions {})
8179 require .NoError (t , err )
8280
81+ webhookStop ()
8382 // run the webhook with deny policy
84- webhookStop = RunWebhook (ctx , t , "8081" , "kubernetes:authz:deny" )
83+ webhookStop = RunWebhook (ctx , t , webhookPort , "kubernetes:authz:deny" )
8584 t .Cleanup (webhookStop )
8685
87- t .Log ("Admin should not be allowed now to list Workspaces ." )
88- _ , err = kcpClusterClient .Cluster (logicalcluster .NewPath ("root" )).TenancyV1alpha1 ().Workspaces ().List (ctx , metav1.ListOptions {})
86+ t .Log ("Admin should not be allowed now to list Logical clusters ." )
87+ _ , err = kcpClusterClient .Cluster (logicalcluster .NewPath ("root" )).CoreV1alpha1 ().LogicalClusters ().List (ctx , metav1.ListOptions {})
8988 require .Error (t , err )
9089
91- t .Log ("Admin should not be allowed to list ConfigMaps ." )
92- _ , err = kubeClusterClient .Cluster (logicalcluster .NewPath ("root" )).CoreV1 ().ConfigMaps ("default" ).List (ctx , metav1.ListOptions {})
90+ t .Log ("Admin should not be allowed to list Services ." )
91+ _ , err = kubeClusterClient .Cluster (logicalcluster .NewPath ("root" )).CoreV1 ().Services ("default" ).List (ctx , metav1.ListOptions {})
9392 require .Error (t , err )
9493
9594 t .Log ("Verify that it is not allowed to access AllowAllPaths endpoints." )
96- for _ , endpoint := range []string {"/livez" , "/readyz" } {
97- req := rest .NewRequest (restClient ).RequestURI (endpoint )
98- t .Logf ("%s should not be accessible." , req .URL ().String ())
99- _ , err := req .Do (ctx ).Raw ()
100- require .Error (t , err )
101- }
95+ req = rest .NewRequest (restClient ).RequestURI ("/healthz" )
96+ t .Logf ("%s should not be accessible." , req .URL ().String ())
97+ _ , err = req .Do (ctx ).Raw ()
98+ require .Error (t , err )
99+
102100}
0 commit comments