Posted to issues@yunikorn.apache.org by "PoAn Yang (Jira)" <ji...@apache.org> on 2023/09/13 14:13:00 UTC

[jira] [Updated] (YUNIKORN-1977) Add user info e2e test with an non kube-admin user

     [ https://issues.apache.org/jira/browse/YUNIKORN-1977?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

PoAn Yang updated YUNIKORN-1977:
--------------------------------
    Description: 
Currently, we always use the default kubeconfig to test user info, so the user is always `kube-admin`. It would be good to add an e2e test with a non-kube-admin user and check the `User` field.

 

1. Create a new user.

 
{code:java}
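# Create the ServiceAccount explicitly in "default": the ClusterRoleBinding in
# step 3 names test-user in that namespace, so relying on the current context's
# namespace could leave the binding pointing at an account that does not exist.
kubectl create serviceaccount test-user --namespace default
{code}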
 

2. Create  a secret token.
{code:java}
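# Request a long-lived token for test-user. The Secret is created in "default"
# so it sits next to the ServiceAccount it is annotated with. The token does
# not expire on its own, so delete this Secret once the test is finished.
kubectl create --namespace default -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: test-user-sa-token
  annotations:
    kubernetes.io/service-account.name: test-user
type: kubernetes.io/service-account-token
EOF
{code}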
3. Create a cluster role binding.
{code:java}
# Bind test-user (ServiceAccount in "default") to the cluster-admin ClusterRole.
# NOTE(review): cluster-admin grants full control of the whole cluster, while
# the later steps only create one pod in "default"; a narrower, namespaced
# binding would presumably be enough -- confirm. Delete this binding after the
# test so the token does not stay usable with these rights.
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: test-user
  namespace: default
EOF
{code}
4. Get values.
{code:java}
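# USER_TOKEN_VALUE is the bearer token of an account bound to cluster-admin.
# It is exported, so every child process of this shell inherits it; run
# `unset USER_TOKEN_VALUE` once the kubeconfig in step 5 has been written.
# The Secret is read from "default", where the binding expects test-user.
export USER_TOKEN_VALUE=$(kubectl get secret/test-user-sa-token --namespace default -o=go-template='{{.data.token}}' | base64 --decode)
export CURRENT_CONTEXT=$(kubectl config current-context)
# The context and cluster names are spliced into the go-template between the
# single-quoted parts; they are double-quoted so that a name containing spaces
# or glob characters stays a single word.
export CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'"${CURRENT_CONTEXT}"'"}}{{ index .context "cluster" }}{{end}}{{end}}')
export CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"${CURRENT_CLUSTER}"'"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
export CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"${CURRENT_CLUSTER}"'"}}{{ .cluster.server }}{{end}}{{ end }}')
{code}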
5. Create a new kubeconfig.
{code:java}
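# Write a kubeconfig that authenticates as test-user with the token from step 4.
# The file embeds that bearer token in clear text, so it is created under a
# restrictive umask (in a subshell, to leave the caller's umask alone) and then
# chmod'ed in case a file with this name already existed with wider permissions.
# Delete test-user-config when the test is finished.
(
  umask 077
  cat << EOF > test-user-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
contexts:
- name: ${CURRENT_CONTEXT}
  context:
    cluster: ${CURRENT_CONTEXT}
    user: test-user
clusters:
- name: ${CURRENT_CONTEXT}
  cluster:
    certificate-authority-data: ${CLUSTER_CA}
    server: ${CLUSTER_SERVER}
users:
- name: test-user
  user:
    token: ${USER_TOKEN_VALUE}
EOF
)
chmod 600 test-user-config
{code}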
6. Create a pod.
{code:java}
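# Pipe the manifest to kubectl on stdin (`-f -`). --kubeconfig points at the
# file from step 5, so the request is made as test-user rather than as the
# default kubeconfig's user. The path is quoted in case the working directory
# contains spaces.
cat << EOF | kubectl --kubeconfig "$(pwd)/test-user-config" apply -f -
apiVersion: v1
kind: Pod
metadata:
  labels:
    applicationId: app-sleep
  name: test-sleep
spec:
  containers:
  - command:
    - sleep
    - "300"
    image: alpine:latest
    imagePullPolicy: IfNotPresent
    name: sleepcontainer
    resources:
      requests:
        cpu: 100m
        memory: 300Mi
  restartPolicy: Always
  schedulerName: yunikorn
EOF
{code}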
7. Get the pod and check whether `test-user` is in the `yunikorn.apache.org/user.info` annotation.

  was:
Currently,  we always use default kubeconfig to test it, so the user will be `kube-admin`. It's good to add an e2e test with non kube-admin user and check the `User` field.

 

1. Create a new user.

 
{code:java}
kubectl create serviceaccount test-user{code}
 

2. Create  a secret token.
{code:java}
kubectl create  -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: test-user-sa-token
  annotations:
    kubernetes.io/service-account.name: test-user
type: kubernetes.io/service-account-token
EOF{code}
3. Create a cluster role binding.
{code:java}
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: test-user
  namespace: default
EOF {code}
4. Get values.
{code:java}
export USER_TOKEN_VALUE=$(kubectl get secret/test-user-sa-token -o=go-template='{{.data.token}}' | base64 --decode)
export CURRENT_CONTEXT=$(kubectl config current-context)
export CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
export CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
export CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}') {code}
5. Create a new kubeconfig.
{code:java}
cat << EOF > test-user-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
contexts:
- name: ${CURRENT_CONTEXT}
  context:
    cluster: ${CURRENT_CONTEXT}
    user: test-user
clusters:
- name: ${CURRENT_CONTEXT}
  cluster:
    certificate-authority-data: ${CLUSTER_CA}
    server: ${CLUSTER_SERVER}
users:
- name: test-user
  user:
    token: ${USER_TOKEN_VALUE}
EOF {code}
6. Create a pod.
{code:java}
cat << EOF > kubectl --kubeconfig $(pwd)/test-user-config apply -f -
apiVersion: v1
kind: Pod
metadata:
  labels:
    applicationId: app-sleep
  name: test-sleep
spec:
  containers:
  - command:
    - sleep
    - "300"
    image: alpine:latest
    imagePullPolicy: IfNotPresent
    name: sleepcontainer
    resources:
      requests:
        cpu: 100m
        memory: 300Mi
  restartPolicy: Always
  schedulerName: yunikorn
EOF{code}
7. Get the pod and check whether `test-user` is in the `yunikorn.apache.org/user.info` annotation.


> Add user info e2e test with an non kube-admin user
> --------------------------------------------------
>
>                 Key: YUNIKORN-1977
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-1977
>             Project: Apache YuniKorn
>          Issue Type: Test
>          Components: test - e2e
>            Reporter: PoAn Yang
>            Assignee: PoAn Yang
>            Priority: Minor
>
> Currently, we always use the default kubeconfig to test user info, so the user is always `kube-admin`. It would be good to add an e2e test with a non-kube-admin user and check the `User` field.
>  
> 1. Create a new user.
>  
> {code:java}
> kubectl create serviceaccount test-user{code}
>  
> 2. Create  a secret token.
> {code:java}
> kubectl create  -f - <<EOF
> apiVersion: v1
> kind: Secret
> metadata:
>   name: test-user-sa-token
>   annotations:
>     kubernetes.io/service-account.name: test-user
> type: kubernetes.io/service-account-token
> EOF{code}
> 3. Create a cluster role binding.
> {code:java}
> cat << EOF | kubectl apply -f -
> apiVersion: rbac.authorization.k8s.io/v1
> kind: ClusterRoleBinding
> metadata:
>   name: test-user
> roleRef:
>   apiGroup: rbac.authorization.k8s.io
>   kind: ClusterRole
>   name: cluster-admin
> subjects:
> - kind: ServiceAccount
>   name: test-user
>   namespace: default
> EOF {code}
> 4. Get values.
> {code:java}
> export USER_TOKEN_VALUE=$(kubectl get secret/test-user-sa-token -o=go-template='{{.data.token}}' | base64 --decode)
> export CURRENT_CONTEXT=$(kubectl config current-context)
> export CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
> export CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
> export CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}') {code}
> 5. Create a new kubeconfig.
> {code:java}
> cat << EOF > test-user-config
> apiVersion: v1
> kind: Config
> current-context: ${CURRENT_CONTEXT}
> contexts:
> - name: ${CURRENT_CONTEXT}
>   context:
>     cluster: ${CURRENT_CONTEXT}
>     user: test-user
> clusters:
> - name: ${CURRENT_CONTEXT}
>   cluster:
>     certificate-authority-data: ${CLUSTER_CA}
>     server: ${CLUSTER_SERVER}
> users:
> - name: test-user
>   user:
>     token: ${USER_TOKEN_VALUE}
> EOF {code}
> 6. Create a pod.
> {code:java}
> cat << EOF > kubectl --kubeconfig $(pwd)/test-user-config apply -f -
> apiVersion: v1
> kind: Pod
> metadata:
>   labels:
>     applicationId: app-sleep
>   name: test-sleep
> spec:
>   containers:
>   - command:
>     - sleep
>     - "300"
>     image: alpine:latest
>     imagePullPolicy: IfNotPresent
>     name: sleepcontainer
>     resources:
>       requests:
>         cpu: 100m
>         memory: 300Mi
>   restartPolicy: Always
>   schedulerName: yunikorn
> EOF{code}
> 7. Get the pod and check whether `test-user` is in the `yunikorn.apache.org/user.info` annotation.


