diff --git a/test/integration/authorization_test.go b/test/integration/authorization_test.go index 49ea2bf614d3..0649a0179d89 100644 --- a/test/integration/authorization_test.go +++ b/test/integration/authorization_test.go @@ -875,7 +875,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) { kubeAuthInterface: clusterAdminSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: true, - Reason: "allowed by openshift authorizer", + Reason: `RBAC: allowed by RoleBinding "admin/hammer-project" of ClusterRole "admin" to User "harold"`, Namespace: "hammer-project", }, }.run(t) @@ -889,7 +889,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) { kubeAuthInterface: clusterAdminSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: false, - Reason: `User "harold" cannot get horizontalpodautoscalers in project "hammer-project"`, + Reason: ``, Namespace: "hammer-project", }, }.run(t) @@ -903,7 +903,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) { kubeAuthInterface: clusterAdminKubeClient.Authorization(), response: authorizationapi.SubjectAccessReviewResponse{ Allowed: false, - Reason: `User "harold" cannot get horizontalpodautoscalers.foo in project "hammer-project"`, + Reason: ``, Namespace: "hammer-project", }, }.run(t) @@ -917,7 +917,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) { kubeAuthInterface: clusterAdminSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: false, - Reason: `User "harold" cannot get horizontalpodautoscalers.* in project "hammer-project"`, + Reason: ``, Namespace: "hammer-project", }, }.run(t) @@ -1068,7 +1068,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) { kubeAuthInterface: clusterAdminLocalSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: true, - Reason: "allowed by openshift authorizer", + Reason: `RBAC: allowed by RoleBinding "view/default" of ClusterRole "view" to User "danny"`, Namespace: "default", }, }.run(t) @@ -1133,7 +1133,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) { kubeAuthInterface: haroldSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: true, - Reason: "allowed by openshift authorizer", + Reason: `RBAC: allowed by RoleBinding "view/hammer-project" of ClusterRole "view" to User "valerie"`, Namespace: "hammer-project", }, }.run(t) @@ -1160,7 +1160,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) { kubeAuthInterface: markSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: true, - Reason: "allowed by openshift authorizer", + Reason: `RBAC: allowed by RoleBinding "edit/mallet-project" of ClusterRole "edit" to User "edgar"`, Namespace: "mallet-project", }, }.run(t) @@ -1214,7 +1214,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) { kubeAuthInterface: haroldSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: true, - Reason: "allowed by openshift authorizer", + Reason: `RBAC: allowed by RoleBinding "admin/hammer-project" of ClusterRole "admin" to User "harold"`, Namespace: "hammer-project", }, }.run(t) @@ -1253,7 +1253,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) { kubeAuthInterface: haroldSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: true, - Reason: "allowed by openshift authorizer", + Reason: `RBAC: allowed by RoleBinding "admin/hammer-project" of ClusterRole "admin" to User "harold"`, Namespace: "hammer-project", }, }.run(t) @@ -1264,7 +1264,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) { kubeAuthInterface: anonymousSARGetter, response: authorizationapi.SubjectAccessReviewResponse{ Allowed: true, - Reason: "allowed by openshift authorizer", + Reason: `RBAC: allowed by RoleBinding "edit/hammer-project" of ClusterRole "edit" to User "system:anonymous"`, Namespace: "hammer-project", }, }.run(t) @@ -1368,8 +1368,8 @@ func TestBrowserSafeAuthorizer(t *testing.T) { if errProxy == nil { return false } - return strings.Contains(errProxy.Error(), `cannot "unsafeproxy" "pods" with name "podX1:8080" in project "ns"`) || - strings.Contains(errProxy.Error(), `cannot get pods/unsafeproxy in project "ns"`) + return strings.Contains(errProxy.Error(), `cannot proxy pods in namespace "ns"`) || + strings.Contains(errProxy.Error(), `cannot get pods/proxy in namespace "ns"`) } for _, tc := range []struct { diff --git a/test/integration/bootstrap_policy_test.go b/test/integration/bootstrap_policy_test.go index 9cc349c9a56b..ae8e83970753 100644 --- a/test/integration/bootstrap_policy_test.go +++ b/test/integration/bootstrap_policy_test.go @@ -98,7 +98,7 @@ func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) { kubeAuthInterface: valerieKubeClient.Authorization(), response: authorizationapi.SubjectAccessReviewResponse{ Allowed: false, - Reason: `User "valerie" cannot create policybindings in project "openshift"`, + Reason: ``, Namespace: "openshift", }, }.run(t) @@ -148,7 +148,7 @@ func TestSelfSubjectAccessReviewsNonExistingNamespace(t *testing.T) { kubeAuthInterface: valerieKubeClient.Authorization(), response: authorizationapi.SubjectAccessReviewResponse{ Allowed: false, - Reason: `User "valerie" cannot create pods in project "foo"`, + Reason: ``, Namespace: "foo", }, }.run(t) diff --git a/test/integration/oauth_cert_fallback_test.go b/test/integration/oauth_cert_fallback_test.go index 7cdd057db97e..3e8a867045be 100644 --- a/test/integration/oauth_cert_fallback_test.go +++ b/test/integration/oauth_cert_fallback_test.go @@ -35,7 +35,7 @@ func TestOAuthCertFallback(t *testing.T) { certUser = "system:admin" unauthorizedError = "Unauthorized" - anonymousError = `users.user.openshift.io "~" is forbidden: User "system:anonymous" cannot get users.user.openshift.io at the cluster scope: User "system:anonymous" cannot get users.user.openshift.io at the cluster scope` + anonymousError = `users.user.openshift.io "~" is forbidden: User "system:anonymous" cannot get users.user.openshift.io at the cluster scope` ) // Build master config