UPSTREAM: 131409: test/e2e/node/kubelet_authz.go: fix SAR to include SA groups

bertinatto · bertinatto · commit 5c875583659f · 2025-05-26T10:10:51.000-03:00
diff --git a/test/e2e/framework/auth/helpers.go b/test/e2e/framework/auth/helpers.go
@@ -46,11 +46,12 @@ type bindingsGetter interface {
 
 // WaitForAuthzUpdate checks if the give user can perform named verb and action
 // on a resource or subresource.
-func WaitForAuthzUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user string, ra *authorizationv1.ResourceAttributes, allowed bool) error {
+func WaitForAuthzUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user string, groups []string, ra *authorizationv1.ResourceAttributes, allowed bool) error {
 	review := &authorizationv1.SubjectAccessReview{
 		Spec: authorizationv1.SubjectAccessReviewSpec{
 			ResourceAttributes: ra,
 			User:               user,
+			Groups:             groups,
 		},
 	}
 
diff --git a/test/e2e/node/kubelet_authz.go b/test/e2e/node/kubelet_authz.go
@@ -108,6 +108,7 @@ func runKubeletAuthzTest(ctx context.Context, f *framework.Framework, endpoint,
 
 	err = e2eauth.WaitForAuthzUpdate(ctx, f.ClientSet.AuthorizationV1(),
 		serviceaccount.MakeUsername(ns, saName),
+		append(serviceaccount.MakeGroupNames(ns), "system:authenticated"),
 		&authorizationv1.ResourceAttributes{
 			Namespace:   ns,
 			Verb:        verb,
