Posted to issues@yunikorn.apache.org by "PoAn Yang (Jira)" <ji...@apache.org> on 2023/09/13 14:13:00 UTC
[jira] [Updated] (YUNIKORN-1977) Add user info e2e test with an non kube-admin user
[ https://issues.apache.org/jira/browse/YUNIKORN-1977?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
PoAn Yang updated YUNIKORN-1977:
--------------------------------
Description:
Currently, we always use the default kubeconfig to test user info, so the user is always `kube-admin`. It would be good to add an e2e test that runs as a non-kube-admin user and checks the `User` field.
1. Create a new user.
{code:java}
# Create the service account that the e2e test authenticates as instead of the
# default kubeconfig user. No namespace is given, so kubectl uses the namespace
# of the current context.
# NOTE(review): step 3 binds the account as a subject in namespace "default";
# confirm the current context's namespace is "default" before running this.
kubectl create serviceaccount test-user{code}
2. Create a secret token.
{code:java}
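# Ask the cluster for a token for test-user by creating a Secret of type
# kubernetes.io/service-account-token that names the account in its annotation.
# Step 4 reads the token back from .data.token of this Secret.
# NOTE(review): a token issued this way has no expiry of its own and stays valid
# until the Secret is deleted, so delete test-user-sa-token when the test
# finishes. `kubectl create token test-user` issues a time-bound token and is
# the narrower choice if the test does not need a stored Secret.
kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: test-user-sa-token
  annotations:
    kubernetes.io/service-account.name: test-user
type: kubernetes.io/service-account-token
EOF
{code}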
3. Create a cluster role binding.
{code:java}
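# Bind the test-user service account (namespace "default") to a ClusterRole so
# that it is allowed to create the pod in step 6.
# NOTE(review): cluster-admin gives this account unrestricted access to every
# resource in the cluster, while the steps on this page only create and read a
# single pod. A RoleBinding in the test namespace to a narrower role (for
# example the built-in "edit" ClusterRole) would be enough for that. If
# cluster-admin is kept, run this only on a disposable test cluster and delete
# the binding, the Secret and the service account during test teardown.
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: test-user
    namespace: default
EOF
{code}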
4. Get values.
{code:java}
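# Collect the values that step 5 writes into the new kubeconfig.
# Assignment and export are kept separate: `export VAR=$(cmd)` reports the exit
# status of export, which hides a failing kubectl call.

# Bearer token of test-user, decoded from the Secret created in step 2.
USER_TOKEN_VALUE=$(kubectl get secret/test-user-sa-token -o=go-template='{{.data.token}}' | base64 --decode)
# The cluster fills in .data.token after the Secret is created; an empty value
# here would produce a kubeconfig without a credential.
[ -n "${USER_TOKEN_VALUE}" ] || printf '%s\n' "test-user-sa-token has no token yet; re-run this step" >&2

# Name of the context the default kubeconfig currently points at.
CURRENT_CONTEXT=$(kubectl config current-context)
# Cluster entry referenced by that context. The shell variable is spliced into
# the go-template inside double quotes so a name with spaces is not word-split.
CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'"${CURRENT_CONTEXT}"'"}}{{ index .context "cluster" }}{{end}}{{end}}')
# CA bundle (base64, emitted wrapped in literal double quotes) and API server
# URL of that cluster entry.
CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"${CURRENT_CLUSTER}"'"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"${CURRENT_CLUSTER}"'"}}{{ .cluster.server }}{{end}}{{ end }}')

# NOTE(review): exporting USER_TOKEN_VALUE places a credential in the
# environment of every child process started from this shell; run
# `unset USER_TOKEN_VALUE` once step 5 has written the kubeconfig.
export USER_TOKEN_VALUE CURRENT_CONTEXT CURRENT_CLUSTER CLUSTER_CA CLUSTER_SERVER
{code}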
5. Create a new kubeconfig.
{code:java}
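# Write a kubeconfig that authenticates as test-user with the token from step 4.
# The file holds a bearer token, so it is created inside a subshell with
# umask 077: only the owner can read it, and the umask of the calling shell is
# left unchanged. Any older copy is removed first because a umask only applies
# to newly created files.
# The cluster entry is named after the current context; the context below
# refers to it by that same name, so the file is self-consistent.
# Delete test-user-config when the test finishes.
(
  umask 077
  rm -f -- test-user-config
  cat << EOF > test-user-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
contexts:
  - name: ${CURRENT_CONTEXT}
    context:
      cluster: ${CURRENT_CONTEXT}
      user: test-user
clusters:
  - name: ${CURRENT_CONTEXT}
    cluster:
      certificate-authority-data: ${CLUSTER_CA}
      server: ${CLUSTER_SERVER}
users:
  - name: test-user
    user:
      token: ${USER_TOKEN_VALUE}
EOF
)
{code}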
6. Create a pod.
{code:java}
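# Create the test pod as test-user by pointing kubectl at the kubeconfig from
# step 5. The manifest is piped into kubectl: with ">" in place of "|" the shell
# would write the manifest to a local file named "kubectl" and nothing would be
# sent to the cluster. The kubeconfig path is quoted so a working directory
# containing spaces still resolves to one argument.
# The pod sets schedulerName to yunikorn and carries an applicationId label;
# step 7 then checks the yunikorn.apache.org/user.info annotation on it.
cat << EOF | kubectl --kubeconfig "$(pwd)/test-user-config" apply -f -
apiVersion: v1
kind: Pod
metadata:
  labels:
    applicationId: app-sleep
  name: test-sleep
spec:
  containers:
    - command:
        - sleep
        - "300"
      image: alpine:latest
      imagePullPolicy: IfNotPresent
      name: sleepcontainer
      resources:
        requests:
          cpu: 100m
          memory: 300Mi
  restartPolicy: Always
  schedulerName: yunikorn
EOF
{code}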
7. Get the pod and check whether `test-user` is in the `yunikorn.apache.org/user.info` annotation.
was:
Currently, we always use default kubeconfig to test it, so the user will be `kube-admin`. It's good to add an e2e test with non kube-admin user and check the `User` field.
1. Create a new user.
{code:java}
kubectl create serviceaccount test-user{code}
2. Create a secret token.
{code:java}
kubectl create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: test-user-sa-token
annotations:
kubernetes.io/service-account.name: test-user
type: kubernetes.io/service-account-token
EOF{code}
3. Create a cluster role binding.
{code:java}
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: test-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: test-user
namespace: default
EOF {code}
4. Get values.
{code:java}
export USER_TOKEN_VALUE=$(kubectl get secret/test-user-sa-token -o=go-template='{{.data.token}}' | base64 --decode)
export CURRENT_CONTEXT=$(kubectl config current-context)
export CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
export CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
export CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}') {code}
5. Create a new kubeconfig.
{code:java}
cat << EOF > test-user-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
contexts:
- name: ${CURRENT_CONTEXT}
context:
cluster: ${CURRENT_CONTEXT}
user: test-user
clusters:
- name: ${CURRENT_CONTEXT}
cluster:
certificate-authority-data: ${CLUSTER_CA}
server: ${CLUSTER_SERVER}
users:
- name: test-user
user:
token: ${USER_TOKEN_VALUE}
EOF {code}
6. Create a pod.
{code:java}
cat << EOF > kubectl --kubeconfig $(pwd)/test-user-config apply -f -
apiVersion: v1
kind: Pod
metadata:
labels:
applicationId: app-sleep
name: test-sleep
spec:
containers:
- command:
- sleep
- "300"
image: alpine:latest
imagePullPolicy: IfNotPresent
name: sleepcontainer
resources:
requests:
cpu: 100m
memory: 300Mi
restartPolicy: Always
schedulerName: yunikorn
EOF{code}
7. Get the pod and check whether `test-user` is in the `yunikorn.apache.org/user.info` annotation.
> Add user info e2e test with an non kube-admin user
> --------------------------------------------------
>
> Key: YUNIKORN-1977
> URL: https://issues.apache.org/jira/browse/YUNIKORN-1977
> Project: Apache YuniKorn
> Issue Type: Test
> Components: test - e2e
> Reporter: PoAn Yang
> Assignee: PoAn Yang
> Priority: Minor
>
> Currently, we always use the default kubeconfig to test user info, so the user is always `kube-admin`. It would be good to add an e2e test that runs as a non-kube-admin user and checks the `User` field.
>
> 1. Create a new user.
>
> {code:java}
> kubectl create serviceaccount test-user{code}
>
> 2. Create a secret token.
> {code:java}
> kubectl create -f - <<EOF
> apiVersion: v1
> kind: Secret
> metadata:
> name: test-user-sa-token
> annotations:
> kubernetes.io/service-account.name: test-user
> type: kubernetes.io/service-account-token
> EOF{code}
> 3. Create a cluster role binding.
> {code:java}
> cat << EOF | kubectl apply -f -
> apiVersion: rbac.authorization.k8s.io/v1
> kind: ClusterRoleBinding
> metadata:
> name: test-user
> roleRef:
> apiGroup: rbac.authorization.k8s.io
> kind: ClusterRole
> name: cluster-admin
> subjects:
> - kind: ServiceAccount
> name: test-user
> namespace: default
> EOF {code}
> 4. Get values.
> {code:java}
> export USER_TOKEN_VALUE=$(kubectl get secret/test-user-sa-token -o=go-template='{{.data.token}}' | base64 --decode)
> export CURRENT_CONTEXT=$(kubectl config current-context)
> export CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
> export CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
> export CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}') {code}
> 5. Create a new kubeconfig.
> {code:java}
> cat << EOF > test-user-config
> apiVersion: v1
> kind: Config
> current-context: ${CURRENT_CONTEXT}
> contexts:
> - name: ${CURRENT_CONTEXT}
> context:
> cluster: ${CURRENT_CONTEXT}
> user: test-user
> clusters:
> - name: ${CURRENT_CONTEXT}
> cluster:
> certificate-authority-data: ${CLUSTER_CA}
> server: ${CLUSTER_SERVER}
> users:
> - name: test-user
> user:
> token: ${USER_TOKEN_VALUE}
> EOF {code}
> 6. Create a pod.
> {code:java}
> cat << EOF > kubectl --kubeconfig $(pwd)/test-user-config apply -f -
> apiVersion: v1
> kind: Pod
> metadata:
> labels:
> applicationId: app-sleep
> name: test-sleep
> spec:
> containers:
> - command:
> - sleep
> - "300"
> image: alpine:latest
> imagePullPolicy: IfNotPresent
> name: sleepcontainer
> resources:
> requests:
> cpu: 100m
> memory: 300Mi
> restartPolicy: Always
> schedulerName: yunikorn
> EOF{code}
> 7. Get the pod and check whether `test-user` is in the `yunikorn.apache.org/user.info` annotation.