
Add e2e tests for OIDC authentication failures with misconfigured and non-existent WIF providers #1322

Merged
mattcary merged 5 commits into GoogleCloudPlatform:main from su-sudhir:add-oidc-auth-failure-e2e-tests on Jun 16, 2026

Conversation

@su-sudhir

Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

Adds two negative e2e test cases to the existing oidc test suite to validate STS-level authentication failures for Workload Identity Federation:

  • Misconfigured provider: a WIF provider is created with a deliberately wrong issuer URI. Google STS cannot verify the KSA token's iss claim and the gcsfuse sidecar logs "Error connecting to the given credential's issuer."
  • Non-existent pool/provider: credential config points to a pool and provider that do not exist in GCP. STS returns invalid_target and the sidecar logs it accordingly.

Both tests use SkipCSIBucketAccessCheckPrefix so the failure surface is entirely inside the gcsfuse sidecar, not the CSI node driver pre-flight check.

Which issue(s) this PR fixes:

N/A

Does this PR introduce a user-facing change?:

NONE
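As an added example, not code from this PR or from the gcs-fuse-csi-driver project, the Go program below models the two STS-level failures the new tests provoke. It is an in-process mock, so it runs offline: MockSTS holds pools and providers keyed by ID with the issuer URI each provider was created with, ParseAudience splits the audience string that an external_account credential config carries, UnsignedJWT and IssuerOf build and read an alg=none stand-in for the projected KSA token, and Exchange applies the checks. Every name, the sample project number, the KSA issuer URI and the token contents are constructed assumptions. invalid_target for an unknown pool or provider is the code the PR reports; the invalid_grant code and message for an issuer mismatch, and comparing the iss claim instead of contacting the issuer, are this example's simplifications, not Google STS behaviour.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Pool maps provider IDs to the issuer URI each provider was created with, and
// MockSTS maps pool IDs to pools: toy models of the IAM resources, constructed
// for this example. A pool or provider absent from the maps does not exist.
type Pool map[string]string
type MockSTS map[string]Pool

// STSError is the OAuth 2.0 token-error body (RFC 6749 section 5.2) that a
// token endpoint returns in place of an access token.
type STSError struct {
	Code        string `json:"error"`
	Description string `json:"error_description"`
}

func (e *STSError) Error() string { return e.Code + ": " + e.Description }

var audienceRE = regexp.MustCompile(`^//iam\.googleapis\.com/projects/(\d+)/locations/global/workloadIdentityPools/([^/]+)/providers/([^/]+)$`)

// ParseAudience splits the audience from an external_account credential config
// into project number, pool ID and provider ID.
func ParseAudience(aud string) (project, pool, provider string, err error) {
	m := audienceRE.FindStringSubmatch(aud)
	if m == nil {
		return "", "", "", fmt.Errorf("malformed audience %q", aud)
	}
	return m[1], m[2], m[3], nil
}

// UnsignedJWT builds an alg=none token standing in for the projected KSA token.
func UnsignedJWT(claims map[string]string) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
}

// IssuerOf reads the iss claim without verifying the token ("" if malformed).
func IssuerOf(token string) string {
	var c struct{ Iss string `json:"iss"` }
	if p := strings.Split(token, "."); len(p) == 3 {
		if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err == nil {
			json.Unmarshal(raw, &c)
		}
	}
	return c.Iss
}

// Exchange is the mock's /v1/token endpoint for an RFC 8693 token exchange,
// reduced to the two request fields the checks depend on (audience and
// subject_token). invalid_target is the code the PR reports from Google STS;
// invalid_grant and its wording for an issuer mismatch are this mock's assumption.
func (s MockSTS) Exchange(audience, subjectToken string) (string, error) {
	_, poolID, provID, err := ParseAudience(audience)
	if err != nil {
		return "", &STSError{Code: "invalid_request", Description: err.Error()}
	}
	want, ok := s[poolID][provID] // indexing a nil Pool yields ok=false
	if !ok {
		return "", &STSError{Code: "invalid_target", Description: "workload identity pool or provider not found"}
	}
	if got := IssuerOf(subjectToken); got != want {
		return "", &STSError{Code: "invalid_grant", Description: fmt.Sprintf("token issuer %q does not match provider issuer %q", got, want)}
	}
	return "mock-access-token", nil
}

// RunScenarios replays the good, misconfigured-provider and non-existent-pool
// configurations and returns the STS error code for each ("ok" on success).
func RunScenarios() map[string]string {
	const ksaIssuer = "https://container.googleapis.com/v1/projects/p/locations/l/clusters/c" // constructed
	const audPrefix = "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/"
	sts := MockSTS{"gcs-fuse-oidc-pool": {
		"gcs-fuse-oidc-provider":     ksaIssuer,
		"gcs-fuse-oidc-provider-bad": "https://wrong-issuer.example.com",
	}}
	ksaToken := UnsignedJWT(map[string]string{"iss": ksaIssuer, "sub": "system:serviceaccount:oidc-1007:gcs-fuse-oidc-ksa"})
	cases := map[string]string{
		"good":             audPrefix + "gcs-fuse-oidc-pool/providers/gcs-fuse-oidc-provider",
		"wrong-issuer":     audPrefix + "gcs-fuse-oidc-pool/providers/gcs-fuse-oidc-provider-bad",
		"nonexistent-pool": audPrefix + "gcs-fuse-nonexistent-pool/providers/gcs-fuse-nonexistent-provider",
	}
	out := map[string]string{}
	for name, aud := range cases {
		if _, err := sts.Exchange(aud, ksaToken); err != nil {
			out[name] = err.(*STSError).Code
		} else {
			out[name] = "ok"
		}
	}
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

The mock resolves the pool and provider from the audience before it looks at the subject token, which is why the two negative cases produce different error codes even though both end in a failed token exchange; that ordering is a design choice of this example, and the sidecar log text the PR quotes is what a real run should be checked against.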

@google-oss-prow


@su-sudhir: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to this: (quoting the PR description above)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@google-cla

google-cla Bot commented Apr 24, 2026


Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@google-oss-prow


Hi @su-sudhir. Thanks for your PR.

I'm waiting for a GoogleCloudPlatform member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request introduces new E2E test cases to verify authentication failures in the GCS Fuse CSI driver when using misconfigured or non-existent OIDC workload identity providers and pools. The feedback suggests an improvement to test efficiency by removing redundant bucket access configuration and sleep intervals in negative test cases where authentication is expected to fail before any bucket interaction occurs.

Review comment thread on test/e2e/testsuites/gcsfuse_oidc_auth.go (outdated)
@mattcary

Member

/ok-to-test

Review comment thread on test/e2e/specs/testdriver.go

@mattcary mattcary left a comment

Member


looks good, but waiting on dependent PR (the one that sets the oss env vars, etc)

@mattcary

Member

Just waiting on the CLA to be resolved for this one.

@mattcary mattcary self-assigned this May 13, 2026
@su-sudhir

Contributor Author

Manual testing for this testcase

On OSS:

  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] oidc should fail authentication when workload identity provider is misconfigured
  /root/pravin/upstreamDir/gcs-fuse-csi-driver/test/e2e/testsuites/gcsfuse_oidc_auth.go:512
    STEP: Creating a kubernetes client @ 05/14/26 09:16:24.319
    I0514 09:16:24.319068 2699784 util.go:453] >>> kubeConfig: /root/.kube/config
    STEP: Building a namespace api object, basename oidc @ 05/14/26 09:16:24.319
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 09:16:24.342
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 09:16:24.346
    I0514 09:16:24.349319 2699784 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0514 09:16:24.352922 2699784 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "6b6a7c2e-2a3d-4c0d-8fd1-3cdb723e265d" @ 05/14/26 09:16:24.353
    STEP: Getting GCP project number @ 05/14/26 09:16:25.45
    STEP: Creating workload identity pool: gcs-fuse-oidc-pool @ 05/14/26 09:16:26.539
    STEP: Creating misconfigured workload identity provider "gcs-fuse-oidc-provider-bad" with wrong issuer "https://wrong-issuer.example.com" @ 05/14/26 09:16:28.269
    STEP: Generating credential config pointing to the misconfigured provider @ 05/14/26 09:16:30.197
    STEP: Creating Kubernetes service account: gcs-fuse-oidc-ksa @ 05/14/26 09:16:30.197
    I0514 09:16:30.201179 2699784 gcsfuse_oidc_auth.go:623] Created service account: gcs-fuse-oidc-ksa
    STEP: Creating ConfigMap with misconfigured credentials: workload-identity-credentials-bad @ 05/14/26 09:16:30.201
    I0514 09:16:30.205416 2699784 gcsfuse_oidc_auth.go:647] Created ConfigMap: workload-identity-credentials-bad
    STEP: Configuring test pod with misconfigured OIDC provider @ 05/14/26 09:16:30.205
    STEP: Deploying test pod and expecting STS authentication failure in sidecar @ 05/14/26 09:16:30.205
    I0514 09:16:30.205531 2699784 specs.go:210] Creating Pod 
    I0514 09:16:30.219273 2699784 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that gcsfuse logs an STS authentication error due to misconfigured provider @ 05/14/26 09:16:30.219
    I0514 09:18:32.236727 2699784 specs.go:305] Operation succeeded.
    STEP: Deleting pod gcsfuse-volume-tester-dl9f4 in namespace oidc-1007 @ 05/14/26 09:18:32.236
    STEP: Deleting bucket "6b6a7c2e-2a3d-4c0d-8fd1-3cdb723e265d" @ 05/14/26 09:18:32.254
    I0514 09:18:32.634030 2699784 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "oidc-1007" for this suite. @ 05/14/26 09:18:32.638
  • [128.325 seconds]
  ------------------------------
  [ReportAfterSuite] Autogenerated ReportAfterSuite for --junit-report
  autogenerated by Ginkgo
  [ReportAfterSuite] PASSED [0.041 seconds]
  ------------------------------

  Ran 1 of 586 Specs in 128.360 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 585 Skipped
  PASS

  Ginkgo ran 1 suite in 2m14.42929467s
  Test Suite Passed
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] oidc should fail authentication when workload identity pool or provider does not exist
  /root/pravin/upstreamDir/gcs-fuse-csi-driver/test/e2e/testsuites/gcsfuse_oidc_auth.go:516
    STEP: Creating a kubernetes client @ 05/14/26 09:12:39.607
    I0514 09:12:39.607673 2698594 util.go:453] >>> kubeConfig: /root/.kube/config
    STEP: Building a namespace api object, basename oidc @ 05/14/26 09:12:39.608
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 09:12:39.625
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 09:12:39.629
    I0514 09:12:39.632735 2698594 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0514 09:12:39.635973 2698594 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "ebc01569-8d9c-486d-9f61-e7fafb81959e" @ 05/14/26 09:12:39.636
    STEP: Getting GCP project number @ 05/14/26 09:12:40.763
    STEP: Generating credential config pointing to non-existent pool "gcs-fuse-nonexistent-pool" and provider "gcs-fuse-nonexistent-provider" @ 05/14/26 09:12:41.858
    STEP: Creating Kubernetes service account: gcs-fuse-oidc-ksa @ 05/14/26 09:12:41.858
    I0514 09:12:41.862605 2698594 gcsfuse_oidc_auth.go:623] Created service account: gcs-fuse-oidc-ksa
    STEP: Creating ConfigMap with non-existent pool credentials: workload-identity-credentials-nonexistent-pool @ 05/14/26 09:12:41.862
    I0514 09:12:41.866377 2698594 gcsfuse_oidc_auth.go:647] Created ConfigMap: workload-identity-credentials-nonexistent-pool
    STEP: Configuring test pod with non-existent pool credential config @ 05/14/26 09:12:41.866
    STEP: Deploying test pod and expecting STS authentication failure in sidecar @ 05/14/26 09:12:41.866
    I0514 09:12:41.866465 2698594 specs.go:210] Creating Pod 
    I0514 09:12:41.879564 2698594 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that gcsfuse logs an STS authentication error due to non-existent pool or provider @ 05/14/26 09:12:41.879
    I0514 09:14:43.901061 2698594 specs.go:305] Operation succeeded.
    STEP: Deleting pod gcsfuse-volume-tester-4g9dp in namespace oidc-9927 @ 05/14/26 09:14:43.901
    STEP: Deleting bucket "ebc01569-8d9c-486d-9f61-e7fafb81959e" @ 05/14/26 09:14:43.918
    I0514 09:14:44.292699 2698594 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "oidc-9927" for this suite. @ 05/14/26 09:14:44.297
  • [124.694 seconds]
  ------------------------------
  [ReportAfterSuite] Autogenerated ReportAfterSuite for --junit-report
  autogenerated by Ginkgo
  [ReportAfterSuite] PASSED [0.036 seconds]
  ------------------------------

  Ran 1 of 586 Specs in 124.731 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 585 Skipped
  PASS

  Ginkgo ran 1 suite in 2m13.047284074s
  Test Suite Passed

@su-sudhir su-sudhir force-pushed the add-oidc-auth-failure-e2e-tests branch from adc3199 to c432a47 on May 22, 2026 09:17
@su-sudhir

Contributor Author

Resolved the conflicts and reran the tests.

Logs

  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] oidc should fail authentication when workload identity provider is misconfigured
  /root/sudhir/gcs-fuse-csi-driver/test/e2e/testsuites/gcsfuse_oidc_auth.go:512
    STEP: Creating a kubernetes client @ 05/22/26 11:33:33.242
    I0522 11:33:33.243016 1539817 util.go:453] >>> kubeConfig: /root/.kube/config
    STEP: Building a namespace api object, basename oidc @ 05/22/26 11:33:33.244
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/22/26 11:33:33.265
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/22/26 11:33:33.269
    I0522 11:33:33.272230 1539817 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0522 11:33:33.275570 1539817 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "0dfe3757-9266-4763-adc1-3c150f7e808a" @ 05/22/26 11:33:33.276
    STEP: Getting GCP project number @ 05/22/26 11:33:34.456
    STEP: Creating workload identity pool: gcs-fuse-oidc-pool @ 05/22/26 11:33:35.545
    STEP: Creating misconfigured workload identity provider "gcs-fuse-oidc-provider-bad" with wrong issuer "https://wrong-issuer.example.com" @ 05/22/26 11:33:37.255
    STEP: Generating credential config pointing to the misconfigured provider @ 05/22/26 11:33:39.25
    STEP: Creating Kubernetes service account: gcs-fuse-oidc-ksa @ 05/22/26 11:33:39.25
    I0522 11:33:39.254236 1539817 gcsfuse_oidc_auth.go:629] Created service account: gcs-fuse-oidc-ksa in namespace oidc-2516
    STEP: Creating ConfigMap with misconfigured credentials: workload-identity-credentials-bad @ 05/22/26 11:33:39.254
    I0522 11:33:39.257710 1539817 gcsfuse_oidc_auth.go:663] Created ConfigMap: workload-identity-credentials-bad in namespace oidc-2516
    STEP: Configuring test pod with misconfigured OIDC provider @ 05/22/26 11:33:39.257
    STEP: Deploying test pod and expecting STS authentication failure in sidecar @ 05/22/26 11:33:39.257
    I0522 11:33:39.257865 1539817 specs.go:210] Creating Pod 
    I0522 11:33:39.270638 1539817 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that gcsfuse logs an STS authentication error due to misconfigured provider @ 05/22/26 11:33:39.27
    I0522 11:35:41.289844 1539817 specs.go:305] Operation succeeded.
    STEP: Deleting pod gcsfuse-volume-tester-c9m4x in namespace oidc-2516 @ 05/22/26 11:35:41.29
    STEP: Deleting bucket "0dfe3757-9266-4763-adc1-3c150f7e808a" @ 05/22/26 11:35:41.308
    I0522 11:35:41.700878 1539817 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "oidc-2516" for this suite. @ 05/22/26 11:35:41.705
  • [128.467 seconds]
  ------------------------------
  SSSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] oidc should fail authentication when workload identity pool or provider does not exist
  /root/sudhir/gcs-fuse-csi-driver/test/e2e/testsuites/gcsfuse_oidc_auth.go:516
    STEP: Creating a kubernetes client @ 05/22/26 11:35:41.709
    I0522 11:35:41.710025 1539817 util.go:453] >>> kubeConfig: /root/.kube/config
    STEP: Building a namespace api object, basename oidc @ 05/22/26 11:35:41.711
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/22/26 11:35:41.724
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/22/26 11:35:41.727
    I0522 11:35:41.730557 1539817 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0522 11:35:41.733848 1539817 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "1c36aade-edf4-4cf9-849c-d9c2f1aff62a" @ 05/22/26 11:35:41.734
    STEP: Getting GCP project number @ 05/22/26 11:35:42.948
    STEP: Generating credential config pointing to non-existent pool "gcs-fuse-nonexistent-pool" and provider "gcs-fuse-nonexistent-provider" @ 05/22/26 11:35:44.065
    STEP: Creating Kubernetes service account: gcs-fuse-oidc-ksa @ 05/22/26 11:35:44.065
    I0522 11:35:44.070456 1539817 gcsfuse_oidc_auth.go:629] Created service account: gcs-fuse-oidc-ksa in namespace oidc-6363
    STEP: Creating ConfigMap with non-existent pool credentials: workload-identity-credentials-nonexistent-pool @ 05/22/26 11:35:44.07
    I0522 11:35:44.074303 1539817 gcsfuse_oidc_auth.go:663] Created ConfigMap: workload-identity-credentials-nonexistent-pool in namespace oidc-6363
    STEP: Configuring test pod with non-existent pool credential config @ 05/22/26 11:35:44.074
    STEP: Deploying test pod and expecting STS authentication failure in sidecar @ 05/22/26 11:35:44.074
    I0522 11:35:44.074413 1539817 specs.go:210] Creating Pod 
    I0522 11:35:44.094715 1539817 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that gcsfuse logs an STS authentication error due to non-existent pool or provider @ 05/22/26 11:35:44.094
    I0522 11:37:48.113434 1539817 specs.go:305] Operation succeeded.
    STEP: Deleting pod gcsfuse-volume-tester-m44s6 in namespace oidc-6363 @ 05/22/26 11:37:48.113
    STEP: Deleting bucket "1c36aade-edf4-4cf9-849c-d9c2f1aff62a" @ 05/22/26 11:37:48.131
    I0522 11:37:48.672348 1539817 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "oidc-6363" for this suite. @ 05/22/26 11:37:48.676
  • [126.972 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  [ReportAfterSuite] Autogenerated ReportAfterSuite for --junit-report
  autogenerated by Ginkgo
  [ReportAfterSuite] PASSED [0.037 seconds]
  ------------------------------

  Ran 2 of 565 Specs in 255.475 seconds
  SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 563 Skipped
  PASS

  Ginkgo ran 1 suite in 4m21.492263572s
  Test Suite Passed

@google-oss-prow google-oss-prow Bot added the lgtm label May 22, 2026

@mattcary mattcary left a comment

Member


Need to update gofmt (run hack/verify-all.sh to check that kind of thing)

@google-oss-prow google-oss-prow Bot removed the lgtm label May 22, 2026
@su-sudhir su-sudhir force-pushed the add-oidc-auth-failure-e2e-tests branch from c432a47 to acfbd3f on June 4, 2026 05:07
@su-sudhir su-sudhir force-pushed the add-oidc-auth-failure-e2e-tests branch from acfbd3f to d6bfb4a on June 9, 2026 05:05
@su-sudhir su-sudhir requested a review from mattcary June 9, 2026 13:18
@samyukthapa

Contributor

Need to update gofmt (run hack/verify-all.sh to check that kind of thing)

Formatting for the PR is done and it's ready to be merged. Thanks!

@mattcary mattcary merged commit 5e18966 into GoogleCloudPlatform:main Jun 16, 2026
5 of 7 checks passed
@google-oss-prow google-oss-prow Bot added the lgtm label Jun 16, 2026
@google-oss-prow


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mattcary, su-sudhir

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

amacaskill pushed a commit that referenced this pull request Jun 17, 2026
…-e2e-tests"

This reverts commit 5e18966, reversing
changes made to 7c9847d.

TAG=agy
CONV=743c387a-594c-4926-8b85-4f03dab825f0
amacaskill added a commit that referenced this pull request Jun 17, 2026
Revert "Merge pull request #1322 from su-sudhir/add-oidc-auth-failure-e2e-tests