e2e tests for access entries

Author: joshfrench

test/e2e/data/eks/cluster-template-eks-control-plane-only-with-accessentries.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: "${CLUSTER_NAME}"
+spec:
+  clusterNetwork:
+    pods:
+      cidrBlocks: ["192.168.0.0/16"]
+  infrastructureRef:
+    kind: AWSManagedControlPlane
+    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+    name: "${CLUSTER_NAME}-control-plane"
+  controlPlaneRef:
+    kind: AWSManagedControlPlane
+    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+    name: "${CLUSTER_NAME}-control-plane"
+---
+kind: AWSManagedControlPlane
+apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+metadata:
+  name: "${CLUSTER_NAME}-control-plane"
+spec:
+  region: "${AWS_REGION}"
+  sshKeyName: "${AWS_SSH_KEY_NAME}"
+  version: "${KUBERNETES_VERSION}"
+  accessConfig:
+    authenticationMode: API
+    accessEntries:
+      - principalARN: "arn:aws:iam::123456789012:role/KubernetesAdmin"
+        type: STANDARD
+        username: kubernetes-admin
+        kubernetesGroups:
+          - system:masters
+        accessPolicies:
+          - policyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+            accessScope:
+              type: "cluster"
+      - principalARN: "arn:aws:iam::123456789012:role/DeveloperRole"
+        type: STANDARD
+        username: developer
+        kubernetesGroups:
+          - developers
+        accessPolicies:
+          - policyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+            accessScope:
+              type: "namespace"
+              namespaces: ["default"]
+  identityRef:
+    kind: AWSClusterStaticIdentity
+    name: e2e-account

test/e2e/suites/managed/eks_test.go

@@ -165,6 +165,56 @@ var _ = ginkgo.Describe("[managed] [general] EKS cluster tests", func() {
 			}
 		})
 
+		ginkgo.By("should create a cluster with access entries")
+		ManagedClusterSpec(ctx, func() ManagedClusterSpecInput {
+			return ManagedClusterSpecInput{
+				E2EConfig:                e2eCtx.E2EConfig,
+				ConfigClusterFn:          defaultConfigCluster,
+				BootstrapClusterProxy:    e2eCtx.Environment.BootstrapClusterProxy,
+				AWSSession:               e2eCtx.BootstrapUserAWSSession,
+				AWSSessionV2:             e2eCtx.BootstrapUserAWSSessionV2,
+				Namespace:                namespace,
+				ClusterName:              clusterName,
+				Flavour:                  EKSControlPlaneOnlyWithAccessEntriesFlavor,
+				ControlPlaneMachineCount: 1, // NOTE: this cannot be zero as clusterctl returns an error
+				WorkerMachineCount:       0,
+			}
+		})
+
+		ginkgo.By("should have created the expected access entries")
+		expectedEntries := []ekscontrolplanev1.AccessEntry{
+			{
+				PrincipalARN:     "arn:aws:iam::123456789012:role/KubernetesAdmin",
+				Type:             "STANDARD",
+				Username:         "kubernetes-admin",
+				KubernetesGroups: []string{"system:masters"},
+				AccessPolicies: []ekscontrolplanev1.AccessPolicyReference{
+					{
+						PolicyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
+						AccessScope: ekscontrolplanev1.AccessScope{
+							Type: "cluster",
+						},
+					},
+				},
+			},
+			{
+				PrincipalARN:     "arn:aws:iam::123456789012:role/DeveloperRole",
+				Type:             "STANDARD",
+				Username:         "developer",
+				KubernetesGroups: []string{"developers"},
+				AccessPolicies: []ekscontrolplanev1.AccessPolicyReference{
+					{
+						PolicyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
+						AccessScope: ekscontrolplanev1.AccessScope{
+							Type:       "namespace",
+							Namespaces: []string{"default"},
+						},
+					},
+				},
+			},
+		}
+		verifyAccessEntries(ctx, eksClusterName, expectedEntries, e2eCtx.BootstrapUserAWSSessionV2)
+
 		ginkgo.By(fmt.Sprintf("getting cluster with name %s", clusterName))
 		cluster := framework.GetClusterByName(ctx, framework.GetClusterByNameInput{
 			Getter:    e2eCtx.Environment.BootstrapClusterProxy.GetClient(),

test/e2e/suites/managed/helpers.go

@@ -22,6 +22,7 @@ package managed
 import (
 	"context"
 	"fmt"
+	"slices"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -35,6 +36,7 @@ import (
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
+	ekscontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta2"
 	"sigs.k8s.io/cluster-api/test/framework/clusterctl"
 )
 
@@ -49,6 +51,7 @@ const (
 	EKSMachinePoolOnlyFlavor                          = "eks-machinepool-only"
 	EKSIPv6ClusterFlavor                              = "eks-ipv6-cluster"
 	EKSControlPlaneOnlyLegacyFlavor                   = "eks-control-plane-only-legacy"
+	EKSControlPlaneOnlyWithAccessEntriesFlavor        = "eks-control-plane-only-with-accessentries"
 )
 
 const (
@@ -231,3 +234,68 @@ func verifyASG(eksClusterName, asgName string, checkOwned bool, cfg *aws.Config)
 		Expect(found).To(BeTrue(), "expecting the cluster owned tag to exist")
 	}
 }
+
+func verifyAccessEntries(ctx context.Context, eksClusterName string, expectedEntries []ekscontrolplanev1.AccessEntry, cfg *aws.Config) {
+	eksClient := eks.NewFromConfig(*cfg)
+
+	listOutput, err := eksClient.ListAccessEntries(ctx, &eks.ListAccessEntriesInput{
+		ClusterName: &eksClusterName,
+	})
+	Expect(err).ToNot(HaveOccurred(), "failed to list access entries")
+
+	expectedEntriesMap := make(map[string]ekscontrolplanev1.AccessEntry, len(expectedEntries))
+	for _, entry := range expectedEntries {
+		expectedEntriesMap[entry.PrincipalARN] = entry
+	}
+
+	for _, principalARN := range listOutput.AccessEntries {
+		expectedEntry, exists := expectedEntriesMap[principalARN]
+		Expect(exists).To(BeTrue(), fmt.Sprintf("unexpected access entry: %s", principalARN))
+
+		describeOutput, err := eksClient.DescribeAccessEntry(ctx, &eks.DescribeAccessEntryInput{
+			ClusterName:  &eksClusterName,
+			PrincipalArn: &principalARN,
+		})
+		Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("failed to describe access entry: %s", principalARN))
+
+		Expect(describeOutput.AccessEntry.Type).To(Equal(expectedEntry.Type), "access entry type does not match")
+		Expect(describeOutput.AccessEntry.Username).To(Equal(expectedEntry.Username), "access entry username does not match")
+
+		if len(expectedEntry.KubernetesGroups) > 0 {
+			slices.Sort(expectedEntry.KubernetesGroups)
+			slices.Sort(describeOutput.AccessEntry.KubernetesGroups)
+			Expect(describeOutput.AccessEntry.KubernetesGroups).To(Equal(expectedEntry.KubernetesGroups), "access entry kubernetes groups do not match")
+		}
+
+		if len(expectedEntry.AccessPolicies) > 0 {
+			listOutput, err := eksClient.ListAssociatedAccessPolicies(ctx, &eks.ListAssociatedAccessPoliciesInput{
+				ClusterName:  &eksClusterName,
+				PrincipalArn: &principalARN,
+			})
+			Expect(err).ToNot(HaveOccurred(), "failed to list access policies")
+
+			expectedPolicies := make(map[string]ekscontrolplanev1.AccessPolicyReference, len(expectedEntry.AccessPolicies))
+			for _, policy := range expectedEntry.AccessPolicies {
+				expectedPolicies[policy.PolicyARN] = policy
+			}
+
+			for _, policy := range listOutput.AssociatedAccessPolicies {
+				expectedPolicy, exists := expectedPolicies[*policy.PolicyArn]
+				Expect(exists).To(BeTrue(), fmt.Sprintf("unexpected access policy: %s", *policy.PolicyArn))
+
+				Expect(policy.AccessScope.Type).To(Equal(expectedPolicy.AccessScope.Type), "access policy scope type does not match")
+
+				if expectedPolicy.AccessScope.Type == "namespace" {
+					slices.Sort(expectedPolicy.AccessScope.Namespaces)
+					slices.Sort(policy.AccessScope.Namespaces)
+					Expect(policy.AccessScope.Namespaces).To(Equal(expectedPolicy.AccessScope.Namespaces), "access policy scope namespaces do not match")
+				}
+
+				delete(expectedPolicies, *policy.PolicyArn)
+			}
+			Expect(expectedPolicies).To(BeEmpty(), "not all expected access policies were found")
+		}
+		delete(expectedEntriesMap, principalARN)
+	}
+	Expect(expectedEntriesMap).To(BeEmpty(), "not all expected access entries were found")
+}