-
Notifications
You must be signed in to change notification settings - Fork 4.8k
Add E2E test for the TLSAdherence openshift/api field #31309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
richardsonnick
wants to merge
1
commit into
openshift:main
Choose a base branch
from
richardsonnick:tls-adherence-e2e
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+244
−0
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,243 @@ | ||
| package apiserver | ||
|
|
||
| import ( | ||
| "context" | ||
| "crypto/tls" | ||
| "fmt" | ||
|
|
||
| g "github.com/onsi/ginkgo/v2" | ||
| o "github.com/onsi/gomega" | ||
| configv1 "github.com/openshift/api/config/v1" | ||
| authorizationv1 "k8s.io/api/authorization/v1" | ||
| k8serrors "k8s.io/apimachinery/pkg/api/errors" | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| "k8s.io/apimachinery/pkg/types" | ||
|
|
||
| exutil "github.com/openshift/origin/test/extended/util" | ||
| ) | ||
|
|
||
| // tlsAdherenceFeatureGateName is the name of the TLSAdherence feature gate as it | ||
| // appears in featuregate/cluster .status.featureGates[].enabled[].name. | ||
| const tlsAdherenceFeatureGateName = configv1.FeatureGateName("TLSAdherence") | ||
|
|
||
| // isTLSAdherenceFeatureGateEnabled returns true when the TLSAdherence feature gate is | ||
| // listed as enabled in the featuregate/cluster status. | ||
| func isTLSAdherenceFeatureGateEnabled(ctx context.Context, oc *exutil.CLI) (bool, error) { | ||
| fg, err := oc.AdminConfigClient().ConfigV1().FeatureGates().Get(ctx, "cluster", metav1.GetOptions{}) | ||
| if err != nil { | ||
| return false, fmt.Errorf("failed to get featuregate/cluster: %w", err) | ||
| } | ||
| for _, featureGateValues := range fg.Status.FeatureGates { | ||
| for _, enabledGate := range featureGateValues.Enabled { | ||
| if enabledGate.Name == tlsAdherenceFeatureGateName { | ||
| return true, nil | ||
| } | ||
| } | ||
| } | ||
| return false, nil | ||
| } | ||
|
|
||
| // These tests verify the TLSAdherence feature gate and the spec.tlsAdherence field on | ||
| // apiservers/cluster (config.openshift.io/v1). They are gated by [OCPFeatureGate:TLSAdherence] | ||
| // for automatic pre-run filtering and include [FeatureGate:TLSAdherence] in each It description | ||
| // so the test name matches the pattern queried by the openshift/api verify-feature-promotion | ||
| // CI check in Sippy. | ||
| var _ = g.Describe("[sig-api-machinery][OCPFeatureGate:TLSAdherence][Feature:TLSAdherence] TLSAdherence apiservers/cluster", func() { | ||
| defer g.GinkgoRecover() | ||
|
|
||
| oc := exutil.NewCLI("tls-adherence") | ||
|
|
||
| g.BeforeEach(func(ctx context.Context) { | ||
| enabled, err := isTLSAdherenceFeatureGateEnabled(ctx, oc) | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| if !enabled { | ||
| g.Skip("TLSAdherence feature gate is not enabled on this cluster") | ||
| } | ||
| }) | ||
|
|
||
| g.It("[FeatureGate:TLSAdherence] should reject an invalid spec.tlsAdherence value on apiservers/cluster [apigroup:config.openshift.io]", func(ctx context.Context) { | ||
| current, err := oc.AdminConfigClient().ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred(), "failed to get apiservers/cluster") | ||
|
|
||
| desired := current.DeepCopy() | ||
| desired.Spec.TLSAdherence = configv1.TLSAdherencePolicy("InvalidValue") | ||
|
|
||
| _, err = oc.AdminConfigClient().ConfigV1().APIServers().Update(ctx, desired, metav1.UpdateOptions{ | ||
| DryRun: []string{metav1.DryRunAll}, | ||
| }) | ||
| o.Expect(err).To(o.HaveOccurred(), | ||
| "apiservers/cluster should reject an invalid spec.tlsAdherence value") | ||
| o.Expect(k8serrors.IsInvalid(err)).To(o.BeTrue(), | ||
| "error should be a 422 Invalid, got: %v", err) | ||
| }) | ||
|
|
||
| g.It("[FeatureGate:TLSAdherence] should accept and reflect all valid spec.tlsAdherence values on apiservers/cluster [apigroup:config.openshift.io]", func(ctx context.Context) { | ||
| validValues := []configv1.TLSAdherencePolicy{ | ||
| configv1.TLSAdherencePolicyStrictAllComponents, | ||
| configv1.TLSAdherencePolicyLegacyAdheringComponentsOnly, | ||
| } | ||
|
|
||
| for _, value := range validValues { | ||
| current, err := oc.AdminConfigClient().ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred(), "failed to get apiservers/cluster") | ||
|
|
||
| desired := current.DeepCopy() | ||
| desired.Spec.TLSAdherence = value | ||
|
|
||
| result, err := oc.AdminConfigClient().ConfigV1().APIServers().Update(ctx, desired, metav1.UpdateOptions{ | ||
| DryRun: []string{metav1.DryRunAll}, | ||
| }) | ||
| o.Expect(err).NotTo(o.HaveOccurred(), | ||
| "apiservers/cluster should accept spec.tlsAdherence=%s", value) | ||
| o.Expect(result.Spec.TLSAdherence).To( | ||
| o.Equal(value), | ||
| "apiservers/cluster should reflect spec.tlsAdherence=%s", value) | ||
| } | ||
| }) | ||
|
|
||
| g.It("[FeatureGate:TLSAdherence] should only permit cluster-admins to update apiservers/cluster [apigroup:config.openshift.io]", func(ctx context.Context) { | ||
| sarClient := oc.AdminKubeClient().AuthorizationV1().SubjectAccessReviews() | ||
| resourceAttrs := &authorizationv1.ResourceAttributes{ | ||
| Group: "config.openshift.io", | ||
| Resource: "apiservers", | ||
| Name: "cluster", | ||
| Verb: "update", | ||
| } | ||
|
|
||
| // A plain authenticated user must not be allowed. | ||
| noAccessSAR, err := sarClient.Create(ctx, &authorizationv1.SubjectAccessReview{ | ||
| Spec: authorizationv1.SubjectAccessReviewSpec{ | ||
| User: "regularuser", | ||
| Groups: []string{"system:authenticated"}, | ||
| ResourceAttributes: resourceAttrs, | ||
| }, | ||
| }, metav1.CreateOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| o.Expect(noAccessSAR.Status.Allowed).To(o.BeFalse(), | ||
| "a non-admin user should not be permitted to update apiservers/cluster") | ||
|
|
||
| // A member of system:masters (cluster-admin) must be allowed. | ||
| adminSAR, err := sarClient.Create(ctx, &authorizationv1.SubjectAccessReview{ | ||
| Spec: authorizationv1.SubjectAccessReviewSpec{ | ||
| User: "system:admin", | ||
| Groups: []string{"system:masters"}, | ||
| ResourceAttributes: resourceAttrs, | ||
| }, | ||
| }, metav1.CreateOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| o.Expect(adminSAR.Status.Allowed).To(o.BeTrue(), | ||
| "a cluster-admin (system:masters) must be permitted to update apiservers/cluster") | ||
| }) | ||
|
|
||
| // Test 4 – verify that authenticated non-admin users can read apiservers/cluster. | ||
| // Components and operators need to be able to read spec.tlsAdherence even if they | ||
| // cannot write it. | ||
| g.It("[FeatureGate:TLSAdherence] should allow authenticated users to read apiservers/cluster [apigroup:config.openshift.io]", func(ctx context.Context) { | ||
| sar, err := oc.AdminKubeClient().AuthorizationV1().SubjectAccessReviews().Create(ctx, | ||
| &authorizationv1.SubjectAccessReview{ | ||
| Spec: authorizationv1.SubjectAccessReviewSpec{ | ||
| User: "regularuser", | ||
| Groups: []string{"system:authenticated"}, | ||
| ResourceAttributes: &authorizationv1.ResourceAttributes{ | ||
| Group: "config.openshift.io", | ||
| Resource: "apiservers", | ||
| Name: "cluster", | ||
| Verb: "get", | ||
| }, | ||
| }, | ||
| }, metav1.CreateOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| o.Expect(sar.Status.Allowed).To(o.BeTrue(), | ||
| "authenticated users must be able to read apiservers/cluster to observe spec.tlsAdherence") | ||
| }) | ||
|
|
||
| // Test 5 – verify that an invalid spec.tlsAdherence value is rejected via PATCH as | ||
| // well as UPDATE, confirming validation is enforced across HTTP verbs. | ||
| g.It("[FeatureGate:TLSAdherence] should reject an invalid spec.tlsAdherence value sent via PATCH on apiservers/cluster [apigroup:config.openshift.io]", func(ctx context.Context) { | ||
| _, err := oc.AdminConfigClient().ConfigV1().APIServers().Patch(ctx, "cluster", | ||
| types.MergePatchType, | ||
| []byte(`{"spec":{"tlsAdherence":"InvalidValue"}}`), | ||
| metav1.PatchOptions{DryRun: []string{metav1.DryRunAll}}, | ||
| ) | ||
| o.Expect(err).To(o.HaveOccurred(), | ||
| "PATCH with an invalid spec.tlsAdherence value should be rejected") | ||
| o.Expect(k8serrors.IsInvalid(err)).To(o.BeTrue(), | ||
| "error should be a 422 Invalid, got: %v", err) | ||
| }) | ||
|
|
||
| // Test 6 – set spec.tlsAdherence to each valid value on the live cluster and verify | ||
| // that the legacy-adhering control-plane components continue to enforce the configured | ||
| // TLS security profile at the wire level after each change. | ||
| // [Serial] because it mutates a cluster-wide singleton. | ||
| g.It("[FeatureGate:TLSAdherence] [Serial] should accept spec.tlsAdherence changes and legacy-adhering components should continue to enforce the cluster TLS profile [apigroup:config.openshift.io]", func(ctx context.Context) { | ||
| isMicroShift, err := exutil.IsMicroShiftCluster(oc.AdminKubeClient()) | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| isHyperShift, err := exutil.IsHypershift(ctx, oc.AdminConfigClient()) | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| if isMicroShift || isHyperShift { | ||
| g.Skip("control-plane port-forward checks are not applicable to MicroShift or HyperShift") | ||
| } | ||
|
|
||
| original, err := oc.AdminConfigClient().ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred(), "failed to get apiservers/cluster") | ||
|
|
||
| // Restore to the original tlsAdherence value when possible. | ||
| // The field cannot be removed once set, so if it was unset we leave it at | ||
| // LegacyAdheringComponentsOnly (the documented default behaviour). | ||
| g.DeferCleanup(func(ctx context.Context) { | ||
| if original.Spec.TLSAdherence == "" { | ||
| return | ||
| } | ||
| current, err := oc.AdminConfigClient().ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| current.Spec.TLSAdherence = original.Spec.TLSAdherence | ||
| _, err = oc.AdminConfigClient().ConfigV1().APIServers().Update(ctx, current, metav1.UpdateOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred(), "failed to restore spec.tlsAdherence") | ||
| }) | ||
|
richardsonnick marked this conversation as resolved.
|
||
|
|
||
| // Derive expected TLS handshake outcomes from the current security profile. | ||
| var tlsShouldWork, tlsShouldNotWork *tls.Config | ||
| switch { | ||
| case original.Spec.TLSSecurityProfile == nil, | ||
| original.Spec.TLSSecurityProfile.Type == configv1.TLSProfileIntermediateType: | ||
| tlsShouldWork = &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS13, InsecureSkipVerify: true} | ||
| tlsShouldNotWork = &tls.Config{MinVersion: tls.VersionTLS11, MaxVersion: tls.VersionTLS11, InsecureSkipVerify: true} | ||
| case original.Spec.TLSSecurityProfile.Type == configv1.TLSProfileModernType: | ||
| tlsShouldWork = &tls.Config{MinVersion: tls.VersionTLS13, MaxVersion: tls.VersionTLS13, InsecureSkipVerify: true} | ||
| tlsShouldNotWork = &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, InsecureSkipVerify: true} | ||
| default: | ||
| g.Skip("wire-level checks are only defined for Intermediate and Modern TLS profiles") | ||
| } | ||
|
|
||
| // checkLegacyAdheringComponents verifies that kube-apiserver and the OpenShift | ||
| // API servers honour the cluster-wide TLS profile at the wire level. | ||
| checkLegacyAdheringComponents := func() { | ||
| for _, target := range []struct{ name, namespace, port string }{ | ||
| {"apiserver", "openshift-kube-apiserver", "443"}, | ||
| {"api", "openshift-apiserver", "443"}, | ||
| {"api", "openshift-oauth-apiserver", "443"}, | ||
| } { | ||
| g.By(fmt.Sprintf("checking %s/%s TLS at the wire", target.namespace, target.name)) | ||
| err := forwardPortAndExecute(target.name, target.namespace, target.port, | ||
| func(port int) error { return checkTLSConnection(port, tlsShouldWork, tlsShouldNotWork) }) | ||
| o.Expect(err).NotTo(o.HaveOccurred(), | ||
| "%s/%s must enforce the cluster-wide TLS profile", target.namespace, target.name) | ||
| } | ||
| } | ||
|
|
||
| for _, value := range []configv1.TLSAdherencePolicy{ | ||
| configv1.TLSAdherencePolicyLegacyAdheringComponentsOnly, | ||
| configv1.TLSAdherencePolicyStrictAllComponents, | ||
| } { | ||
| g.By(fmt.Sprintf("setting spec.tlsAdherence=%s", value)) | ||
| current, err := oc.AdminConfigClient().ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred()) | ||
| current.Spec.TLSAdherence = value | ||
| _, err = oc.AdminConfigClient().ConfigV1().APIServers().Update(ctx, current, metav1.UpdateOptions{}) | ||
| o.Expect(err).NotTo(o.HaveOccurred(), "failed to set spec.tlsAdherence=%s", value) | ||
|
|
||
| g.By(fmt.Sprintf("verifying legacy-adhering components enforce the TLS profile with spec.tlsAdherence=%s", value)) | ||
| checkLegacyAdheringComponents() | ||
| } | ||
| }) | ||
| }) | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.