- [X] APISnoop org-flow : CoreV1ServiceAccountTokenTest.org
- [ ] test approval issue : !
- [ ] test pr : !
- [ ] two weeks soak start date : testgrid-link
- [ ] two weeks soak end date : xxxx-xx-xx
- [ ] test promotion pr : !
According to following APIsnoop query, there is a single ServiceAccount endpoint that is untested.
select endpoint,
path,
kind
from testing.untested_stable_endpoint
where eligible is true
and endpoint ilike '%Token'
order by kind, endpoint
limit 10;
endpoint | path | kind
-------------------------------------------+-------------------------------------------------------------+--------------
createCoreV1NamespacedServiceAccountToken | /api/v1/namespaces/{namespace}/serviceaccounts/{name}/token | TokenRequest
(1 row)
- Kubernetes API Reference Docs
- Kubernetes API / Authentication Resources / TokenRequest
- client-go - ServiceAccount
Scenario: Ensure that a created ServiceAccountToken successfully completes a TokenReview Given the e2e test has created the settings for a ServiceAccount When the test creates the ServiceAccount Then the requested action is accepted without any error Given the e2e test has created a ServiceAccount When the test creates the ServiceAccountToken Then the requested action is accepted without any error And the test confirms the Token is not empty Given the e2e test has created the ServiceAccountToken When the test creates the TokenReview Then the requested action is accepted without any error And the test confirms the TokenReview has been authenticated with no errors
Using a number of existing e2e test practices a new ginkgo test has been created to provide future Conformance coverage for the single endpoint. The e2e logs for this test are listed below.
[sig-auth] ServiceAccounts should create a serviceAccountToken and ensure a successful TokenReview [sig-auth] /home/ii/go/src/k8s.io/kubernetes/test/e2e/auth/service_accounts.go:842 STEP: Creating a kubernetes client @ 09/17/24 10:12:49.688 I0917 10:12:49.688678 160421 util.go:502] >>> kubeConfig: /home/ii/.kube/config STEP: Building a namespace api object, basename svcaccounts @ 09/17/24 10:12:49.689 STEP: Waiting for a default service account to be provisioned in namespace @ 09/17/24 10:12:49.713 STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 09/17/24 10:12:49.717 STEP: Creating a Serviceaccount "e2e-sa-f82br" in namespace "svcaccounts-7462" @ 09/17/24 10:12:49.721 STEP: Creating a ServiceaccountToken "e2e-sa-f82br" in namespace "svcaccounts-7462" @ 09/17/24 10:12:49.73 STEP: Creating a TokenReview for "e2e-sa-f82br" in namespace "svcaccounts-7462" @ 09/17/24 10:12:49.738 I0917 10:12:49.741516 160421 helper.go:122] Waiting up to 7m0s for all (but 0) nodes to be ready STEP: Destroying namespace "svcaccounts-7462" for this suite. @ 09/17/24 10:12:49.745
This query shows the following endpoints are hit within a short period of running this e2e test.
select distinct substring(endpoint from '\w+') AS endpoint,
right(useragent,71) AS useragent
from testing.audit_event
where useragent like 'e2e%should%'
and release_date::BIGINT > round(((EXTRACT(EPOCH FROM NOW()))::numeric)*1000,0) - 20000
and endpoint ilike '%Token%'
order by endpoint
limit 10;
endpoint | useragent
-------------------------------------------+-------------------------------------------------------------------------
createAuthenticationV1TokenReview | should create a serviceAccountToken and ensure a successful TokenReview
createCoreV1NamespacedServiceAccountToken | should create a serviceAccountToken and ensure a successful TokenReview
(2 rows)
If a test with these calls gets merged, test coverage will go up by 1 point
This test is also created with the goal of conformance promotion.
/sig testing
/sig architecture
/area conformance