nixpkgs/nixos/tests/kubernetes/rbac.nix

{ system ? builtins.currentSystem, pkgs ? import <nixpkgs> { inherit system; } }:
with import ./base.nix { inherit system; };
let

  roServiceAccount = pkgs.writeText "ro-service-account.json" (builtins.toJSON {
    kind = "ServiceAccount";
    apiVersion = "v1";
    metadata = {
      name = "read-only";
      namespace = "default";
    };
  });

  roRoleBinding = pkgs.writeText "ro-role-binding.json" (builtins.toJSON {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "RoleBinding";
    metadata = {
      name = "read-pods";
      namespace = "default";
    };
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io";
      kind = "Role";
      name = "pod-reader";
    };
    subjects = [{
      kind = "ServiceAccount";
      name = "read-only";
      namespace = "default";
    }];
  });

  roRole = pkgs.writeText "ro-role.json" (builtins.toJSON {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "Role";
    metadata = {
      name = "pod-reader";
      namespace = "default";
    };
    rules = [{
      apiGroups = [""];
      resources = ["pods"];
      verbs = ["get" "list" "watch"];
    }];
  });

  kubectlPod = pkgs.writeText "kubectl-pod.json" (builtins.toJSON {
    kind = "Pod";
    apiVersion = "v1";
    metadata.name = "kubectl";
    metadata.namespace = "default";
    metadata.labels.name = "kubectl";
    spec.serviceAccountName = "read-only";
    spec.containers = [{
      name = "kubectl";
      image = "kubectl:latest";
      command = ["/bin/tail" "-f"];
      imagePullPolicy = "Never";
      tty = true;
    }];
  });

  kubectlPod2 = pkgs.writeTextDir "kubectl-pod-2.json" (builtins.toJSON {
    kind = "Pod";
    apiVersion = "v1";
    metadata.name = "kubectl-2";
    metadata.namespace = "default";
    metadata.labels.name = "kubectl-2";
    spec.serviceAccountName = "read-only";
    spec.containers = [{
      name = "kubectl-2";
      image = "kubectl:latest";
      command = ["/bin/tail" "-f"];
      imagePullPolicy = "Never";
      tty = true;
    }];
  });

  kubectl = pkgs.runCommand "copy-kubectl" { buildInputs = [ pkgs.kubernetes ]; } ''
    mkdir -p $out/bin
    cp ${pkgs.kubernetes}/bin/kubectl $out/bin/kubectl
  '';

  kubectlImage = pkgs.dockerTools.buildImage {
    name = "kubectl";
    tag = "latest";
    contents = [ kubectl pkgs.busybox kubectlPod2 ];
    config.Entrypoint = "/bin/sh";
  };

  base = {
    name = "rbac";
  };

  singlenode = base // {
    test = ''
      $machine1->waitForUnit("kubernetes.target");

      $machine1->waitUntilSucceeds("kubectl get node machine1.my.zyx | grep -w Ready");

      $machine1->waitUntilSucceeds("docker load < ${kubectlImage}");

      $machine1->waitUntilSucceeds("kubectl apply -f ${roServiceAccount}");
      $machine1->waitUntilSucceeds("kubectl apply -f ${roRole}");
      $machine1->waitUntilSucceeds("kubectl apply -f ${roRoleBinding}");
      $machine1->waitUntilSucceeds("kubectl create -f ${kubectlPod}");

      $machine1->waitUntilSucceeds("kubectl get pod kubectl | grep Running");

      $machine1->waitUntilSucceeds("kubectl exec -ti kubectl -- kubectl get pods");
      $machine1->fail("kubectl exec -ti kubectl -- kubectl create -f /kubectl-pod-2.json");
      $machine1->fail("kubectl exec -ti kubectl -- kubectl delete pods -l name=kubectl");
    '';
  };

  multinode = base // {
    test = ''
      # Node token exchange
      $machine1->waitUntilSucceeds("cp -f /var/lib/cfssl/apitoken.secret /tmp/shared/apitoken.secret");
      $machine2->waitUntilSucceeds("cat /tmp/shared/apitoken.secret | nixos-kubernetes-node-join");
      $machine1->waitForUnit("kubernetes.target");
      $machine2->waitForUnit("kubernetes.target");

      $machine1->waitUntilSucceeds("kubectl get node machine2.my.zyx | grep -w Ready");

      $machine2->waitUntilSucceeds("docker load < ${kubectlImage}");

      $machine1->waitUntilSucceeds("kubectl apply -f ${roServiceAccount}");
      $machine1->waitUntilSucceeds("kubectl apply -f ${roRole}");
      $machine1->waitUntilSucceeds("kubectl apply -f ${roRoleBinding}");
      $machine1->waitUntilSucceeds("kubectl create -f ${kubectlPod}");

      $machine1->waitUntilSucceeds("kubectl get pod kubectl | grep Running");

      $machine1->waitUntilSucceeds("kubectl exec -ti kubectl -- kubectl get pods");
      $machine1->fail("kubectl exec -ti kubectl -- kubectl create -f /kubectl-pod-2.json");
      $machine1->fail("kubectl exec -ti kubectl -- kubectl delete pods -l name=kubectl");
    '';
  };

in {
  singlenode = mkKubernetesSingleNodeTest singlenode;
  multinode = mkKubernetesMultiNodeTest multinode;
}
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`{ system ? builtins.currentSystem, pkgs ? import <nixpkgs> { inherit system; } }:`
			`with import ./base.nix { inherit system; };`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`let`

			`roServiceAccount = pkgs.writeText "ro-service-account.json" (builtins.toJSON {`
			`kind = "ServiceAccount";`
			`apiVersion = "v1";`
			`metadata = {`
			`name = "read-only";`
			`namespace = "default";`
			`};`
			`});`

			`roRoleBinding = pkgs.writeText "ro-role-binding.json" (builtins.toJSON {`
nixos: kubernetes fixes * Fix reference CNI plugins * The plugins were split out of the upstream cni repo around version 0.6.0 * Fix RBAC and DNS tests * Fix broken apiVersion fields * Change plugin linking to look in ${package}/bin rather than ${package.plugins} * Initial work towards a working e2e test * Test still fails, but at least the expression evaluates now Continues @srhb's work in #37199 Fixes #37199 2018-03-17 01:35:35 -04:00			`apiVersion = "rbac.authorization.k8s.io/v1";`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`kind = "RoleBinding";`
			`metadata = {`
			`name = "read-pods";`
			`namespace = "default";`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`};`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`roleRef = {`
			`apiGroup = "rbac.authorization.k8s.io";`
			`kind = "Role";`
			`name = "pod-reader";`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`};`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`subjects = [{`
			`kind = "ServiceAccount";`
			`name = "read-only";`
			`namespace = "default";`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`}];`
			`});`

			`roRole = pkgs.writeText "ro-role.json" (builtins.toJSON {`
nixos: kubernetes fixes * Fix reference CNI plugins * The plugins were split out of the upstream cni repo around version 0.6.0 * Fix RBAC and DNS tests * Fix broken apiVersion fields * Change plugin linking to look in ${package}/bin rather than ${package.plugins} * Initial work towards a working e2e test * Test still fails, but at least the expression evaluates now Continues @srhb's work in #37199 Fixes #37199 2018-03-17 01:35:35 -04:00			`apiVersion = "rbac.authorization.k8s.io/v1";`
kubernetes: fix minor issues 2017-05-24 19:05:54 +02:00			`kind = "Role";`
			`metadata = {`
			`name = "pod-reader";`
			`namespace = "default";`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`};`
kubernetes: fix minor issues 2017-05-24 19:05:54 +02:00			`rules = [{`
			`apiGroups = [""];`
			`resources = ["pods"];`
			`verbs = ["get" "list" "watch"];`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`}];`
			`});`

			`kubectlPod = pkgs.writeText "kubectl-pod.json" (builtins.toJSON {`
			`kind = "Pod";`
			`apiVersion = "v1";`
			`metadata.name = "kubectl";`
			`metadata.namespace = "default";`
			`metadata.labels.name = "kubectl";`
			`spec.serviceAccountName = "read-only";`
			`spec.containers = [{`
			`name = "kubectl";`
			`image = "kubectl:latest";`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`command = ["/bin/tail" "-f"];`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`imagePullPolicy = "Never";`
			`tty = true;`
			`}];`
			`});`

			`kubectlPod2 = pkgs.writeTextDir "kubectl-pod-2.json" (builtins.toJSON {`
			`kind = "Pod";`
			`apiVersion = "v1";`
			`metadata.name = "kubectl-2";`
			`metadata.namespace = "default";`
			`metadata.labels.name = "kubectl-2";`
			`spec.serviceAccountName = "read-only";`
			`spec.containers = [{`
			`name = "kubectl-2";`
			`image = "kubectl:latest";`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`command = ["/bin/tail" "-f"];`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`imagePullPolicy = "Never";`
			`tty = true;`
			`}];`
			`});`

kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`kubectl = pkgs.runCommand "copy-kubectl" { buildInputs = [ pkgs.kubernetes ]; } ''`
			`mkdir -p $out/bin`
			`cp ${pkgs.kubernetes}/bin/kubectl $out/bin/kubectl`
			`'';`

kubernetes: add tests 2017-05-03 01:20:32 +02:00			`kubectlImage = pkgs.dockerTools.buildImage {`
			`name = "kubectl";`
			`tag = "latest";`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`contents = [ kubectl pkgs.busybox kubectlPod2 ];`
			`config.Entrypoint = "/bin/sh";`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`};`

kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`base = {`
			`name = "rbac";`
			`};`
kubernetes: add tests 2017-05-03 01:20:32 +02:00
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`singlenode = base // {`
			`test = ''`
nixos/kubernetes: Stabilize services startup across machines by adding targets and curl wait loops to services to ensure services are not started before their depended services are reachable. Extra targets cfssl-online.target and kube-apiserver-online.target syncronize starts across machines and node-online.target ensures docker is restarted and ready to deploy containers on after flannel has discussed the network cidr with apiserver. Since flannel needs to be started before addon-manager to configure the docker interface, it has to have its own rbac bootstrap service. The curl wait loops within the other services exists to ensure that when starting the service it is able to do its work immediately without clobbering the log about failing conditions. By ensuring kubernetes.target is only reached after starting the cluster it can be used in the tests as a wait condition. In kube-certmgr-bootstrap mkdir is needed for it to not fail to start. The following is the relevant part of systemctl list-dependencies default.target ● ├─certmgr.service ● ├─cfssl.service ● ├─docker.service ● ├─etcd.service ● ├─flannel.service ● ├─kubernetes.target ● │ ├─kube-addon-manager.service ● │ ├─kube-proxy.service ● │ ├─kube-apiserver-online.target ● │ │ ├─flannel-rbac-bootstrap.service ● │ │ ├─kube-apiserver-online.service ● │ │ ├─kube-apiserver.service ● │ │ ├─kube-controller-manager.service ● │ │ └─kube-scheduler.service ● │ └─node-online.target ● │ ├─node-online.service ● │ ├─flannel.target ● │ │ ├─flannel.service ● │ │ └─mk-docker-opts.service ● │ └─kubelet.target ● │ └─kubelet.service ● ├─network-online.target ● │ └─cfssl-online.target ● │ ├─certmgr.service ● │ ├─cfssl-online.service ● │ └─kube-certmgr-bootstrap.service 2019-03-01 08:44:45 +01:00			`$machine1->waitForUnit("kubernetes.target");`

kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`$machine1->waitUntilSucceeds("kubectl get node machine1.my.zyx \| grep -w Ready");`
kubernetes: add tests 2017-05-03 01:20:32 +02:00
nixos/kubernetes: (test) Fix race-condition in test cases. docker load might fail due to dockerd restarting 2019-02-14 10:51:44 +01:00			`$machine1->waitUntilSucceeds("docker load < ${kubectlImage}");`
kubernetes: add tests 2017-05-03 01:20:32 +02:00
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`$machine1->waitUntilSucceeds("kubectl apply -f ${roServiceAccount}");`
			`$machine1->waitUntilSucceeds("kubectl apply -f ${roRole}");`
			`$machine1->waitUntilSucceeds("kubectl apply -f ${roRoleBinding}");`
			`$machine1->waitUntilSucceeds("kubectl create -f ${kubectlPod}");`
kubernetes: add tests 2017-05-03 01:20:32 +02:00
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`$machine1->waitUntilSucceeds("kubectl get pod kubectl \| grep Running");`
kubernetes: add tests 2017-05-03 01:20:32 +02:00
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`$machine1->waitUntilSucceeds("kubectl exec -ti kubectl -- kubectl get pods");`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`$machine1->fail("kubectl exec -ti kubectl -- kubectl create -f /kubectl-pod-2.json");`
			`$machine1->fail("kubectl exec -ti kubectl -- kubectl delete pods -l name=kubectl");`
			`'';`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`};`

kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`multinode = base // {`
			`test = ''`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`# Node token exchange`
			`$machine1->waitUntilSucceeds("cp -f /var/lib/cfssl/apitoken.secret /tmp/shared/apitoken.secret");`
			`$machine2->waitUntilSucceeds("cat /tmp/shared/apitoken.secret \| nixos-kubernetes-node-join");`
nixos/kubernetes: Stabilize services startup across machines by adding targets and curl wait loops to services to ensure services are not started before their depended services are reachable. Extra targets cfssl-online.target and kube-apiserver-online.target syncronize starts across machines and node-online.target ensures docker is restarted and ready to deploy containers on after flannel has discussed the network cidr with apiserver. Since flannel needs to be started before addon-manager to configure the docker interface, it has to have its own rbac bootstrap service. The curl wait loops within the other services exists to ensure that when starting the service it is able to do its work immediately without clobbering the log about failing conditions. By ensuring kubernetes.target is only reached after starting the cluster it can be used in the tests as a wait condition. In kube-certmgr-bootstrap mkdir is needed for it to not fail to start. The following is the relevant part of systemctl list-dependencies default.target ● ├─certmgr.service ● ├─cfssl.service ● ├─docker.service ● ├─etcd.service ● ├─flannel.service ● ├─kubernetes.target ● │ ├─kube-addon-manager.service ● │ ├─kube-proxy.service ● │ ├─kube-apiserver-online.target ● │ │ ├─flannel-rbac-bootstrap.service ● │ │ ├─kube-apiserver-online.service ● │ │ ├─kube-apiserver.service ● │ │ ├─kube-controller-manager.service ● │ │ └─kube-scheduler.service ● │ └─node-online.target ● │ ├─node-online.service ● │ ├─flannel.target ● │ │ ├─flannel.service ● │ │ └─mk-docker-opts.service ● │ └─kubelet.target ● │ └─kubelet.service ● ├─network-online.target ● │ └─cfssl-online.target ● │ ├─certmgr.service ● │ ├─cfssl-online.service ● │ └─kube-certmgr-bootstrap.service 2019-03-01 08:44:45 +01:00			`$machine1->waitForUnit("kubernetes.target");`
			`$machine2->waitForUnit("kubernetes.target");`
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`$machine1->waitUntilSucceeds("kubectl get node machine2.my.zyx \| grep -w Ready");`
kubernetes: add tests 2017-05-03 01:20:32 +02:00
nixos/kubernetes: (test) Fix race-condition in test cases. docker load might fail due to dockerd restarting 2019-02-14 10:51:44 +01:00			`$machine2->waitUntilSucceeds("docker load < ${kubectlImage}");`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00
			`$machine1->waitUntilSucceeds("kubectl apply -f ${roServiceAccount}");`
			`$machine1->waitUntilSucceeds("kubectl apply -f ${roRole}");`
			`$machine1->waitUntilSucceeds("kubectl apply -f ${roRoleBinding}");`
			`$machine1->waitUntilSucceeds("kubectl create -f ${kubectlPod}");`

			`$machine1->waitUntilSucceeds("kubectl get pod kubectl \| grep Running");`

nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 13:14:20 +02:00			`$machine1->waitUntilSucceeds("kubectl exec -ti kubectl -- kubectl get pods");`
kubernetes: fix tests 2017-09-09 02:00:35 +02:00			`$machine1->fail("kubectl exec -ti kubectl -- kubectl create -f /kubectl-pod-2.json");`
			`$machine1->fail("kubectl exec -ti kubectl -- kubectl delete pods -l name=kubectl");`
			`'';`
			`};`

			`in {`
			`singlenode = mkKubernetesSingleNodeTest singlenode;`
			`multinode = mkKubernetesMultiNodeTest multinode;`
kubernetes: add tests 2017-05-03 01:20:32 +02:00			`}`