
Add e2e tests for WIF IAM authorization failures on OSS and GKE clusters#1333

Open
su-sudhir wants to merge 8 commits into
GoogleCloudPlatform:mainfrom
su-sudhir:add-wif-authorization-failure-e2e-tests

Conversation

@su-sudhir
Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

Adds three negative e2e test cases to the workload-identity-federation
test suite to validate IAM-level authorization failures for Workload
Identity Federation on both OSS (self-managed) and GKE clusters:

  • No storage role: A WIF principal with no IAM role on the bucket.
    When the sidecar bucket access check is enabled, the mount is denied
    at setup time with a PermissionDenied error. Without the check, the
    pod runs but gcsfuse logs a permission denied error on first GCS access.

  • Read-only role, write fails: A WIF principal granted
    roles/storage.objectViewer on the bucket. Read operations (e.g. ls)
    succeed; write operations are rejected by GCS with a permission error.

  • Role on a different bucket: A WIF principal granted
    roles/storage.objectUser on an alternate bucket, not the one being
    mounted. GCS denies access to the mounted bucket.

All three tests run on both OSS clusters (via external WIF pool/provider
and credential ConfigMap) and GKE clusters (via native Workload Identity
with GSA impersonation), selected at runtime via the IS_OSS environment
variable.

Which issue(s) this PR fixes:

N/A

Does this PR introduce a user-facing change?:

NONE

@google-oss-prow

@su-sudhir: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@google-cla

google-cla Bot commented Apr 29, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@google-oss-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: su-sudhir

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow

Hi @su-sudhir. Thanks for your PR.

I'm waiting for a GoogleCloudPlatform member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new E2E test suite for Workload Identity Federation (WIF) and refactors IAM policy handling to support both GKE and OSS environments. The review identifies critical compilation issues due to missing helper functions and constants. It also recommends refactoring duplicated logic for project ID extraction and service account naming, using shared constants for WIF pool IDs, and replacing fixed sleeps with polling for IAM propagation. Additionally, the reviewer suggests using the GCS Go client library instead of the gcloud CLI for bucket operations to improve portability and error handling.
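The summary above recommends replacing fixed sleeps with polling for IAM propagation. The helper below is an added example written for this page, not code from the PR or the gcs-fuse-csi-driver project; it assumes a probe callback (`accessProbe`) that performs one GCS operation as the principal under test, and a constructed `errPermissionDenied` standing in for the real PermissionDenied error. It also covers the negative case the PR's tests need: waiting until access is observed as denied, not only as allowed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// errPermissionDenied stands in for the PermissionDenied error that the sidecar
// bucket access check (or gcsfuse) surfaces. Constructed for this example.
var errPermissionDenied = errors.New("PermissionDenied")

// accessProbe performs one GCS operation as the principal under test. It
// returns nil when the operation is allowed, errPermissionDenied when IAM
// rejects it, and any other error for unrelated failures (network, bad
// bucket name, ...). Hypothetical type, not part of the PR.
type accessProbe func(ctx context.Context) error

// waitForIAMState polls probe every interval until the observed outcome
// matches wantAllowed (true: access granted; false: access denied) or ctx
// expires. It returns the number of attempts made. Errors other than
// permission denied abort immediately, so a misconfigured test cannot hide
// behind "slow propagation" until the deadline.
func waitForIAMState(ctx context.Context, interval time.Duration, wantAllowed bool, probe accessProbe) (int, error) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	attempts := 0
	for {
		attempts++
		err := probe(ctx)
		switch {
		case err == nil && wantAllowed:
			return attempts, nil
		case errors.Is(err, errPermissionDenied) && !wantAllowed:
			return attempts, nil
		case err != nil && !errors.Is(err, errPermissionDenied):
			return attempts, fmt.Errorf("probe failed with non-IAM error after %d attempts: %w", attempts, err)
		}
		// Outcome not yet the expected one: wait for the next tick or give up.
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("IAM state (allowed=%t) not observed after %d attempts: %w", wantAllowed, attempts, ctx.Err())
		case <-ticker.C:
		}
	}
}

// fakeProbe simulates a binding that propagates after deniedFor calls: the
// first deniedFor probes are denied, later ones succeed. Constructed for the
// example so it runs offline.
func fakeProbe(deniedFor int) accessProbe {
	calls := 0
	return func(ctx context.Context) error {
		calls++
		if calls <= deniedFor {
			return errPermissionDenied
		}
		return nil
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	// Grant case: access becomes allowed on the 4th probe.
	n, err := waitForIAMState(ctx, 10*time.Millisecond, true, fakeProbe(3))
	fmt.Println("allowed after", n, "attempts, err:", err)
	// Negative case (e.g. role on a different bucket): denial is observed at once.
	n, err = waitForIAMState(ctx, 10*time.Millisecond, false, fakeProbe(5))
	fmt.Println("denied after", n, "attempts, err:", err)
}
```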

Comment on lines +106 to +139
setupOSSWIFPrincipal := func(ksaName, poolID, providerID, configMapName string) string {
	projectID := os.Getenv(utils.ProjectEnvVar)
	gomega.Expect(projectID).NotTo(gomega.BeEmpty(), fmt.Sprintf("%s environment variable must be set", utils.ProjectEnvVar))

	ginkgo.By("Getting GCP project number")
	projectNumber := getProjectNumber(projectID)
	gomega.Expect(projectNumber).NotTo(gomega.BeEmpty(), "failed to get project number")

	ginkgo.By(fmt.Sprintf("Creating workload identity pool: %s", poolID))
	createWorkloadIdentityPool(projectID, poolID)

	ginkgo.By("Discovering cluster OIDC issuer from cluster service account token")
	clusterIssuer := getOSSClusterOIDCIssuer(ctx, f)
	gomega.Expect(clusterIssuer).NotTo(gomega.BeEmpty(), "failed to discover cluster OIDC issuer")

	ginkgo.By(fmt.Sprintf("Creating workload identity provider: %s", providerID))
	createWorkloadIdentityProvider(projectID, poolID, providerID, clusterIssuer)

	ginkgo.By("Generating credential configuration")
	credentialConfig := generateCredentialConfig(projectNumber, poolID, providerID)

	ginkgo.By(fmt.Sprintf("Creating Kubernetes service account: %s", ksaName))
	createServiceAccount(ctx, f, ksaName)
	ginkgo.DeferCleanup(func() { deleteServiceAccount(ctx, f, ksaName) })

	ginkgo.By(fmt.Sprintf("Creating credential ConfigMap: %s", configMapName))
	createCredentialConfigMap(ctx, f, configMapName, credentialConfig)
	ginkgo.DeferCleanup(func() { deleteConfigMap(ctx, f, configMapName) })

	return fmt.Sprintf(
		"principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/system:serviceaccount:%s:%s",
		projectNumber, poolID, f.Namespace.Name, ksaName,
	)
}

critical

The setupOSSWIFPrincipal function relies on several helper functions that are not defined in this file or imported from other packages, which will cause compilation errors. Specifically, the following functions are missing: getProjectNumber, createWorkloadIdentityPool, createWorkloadIdentityProvider, generateCredentialConfig, createServiceAccount, deleteServiceAccount, createCredentialConfigMap, and deleteConfigMap. Additionally, grantBucketAccess and revokeBucketAccess (used in the It blocks) are also missing from the PR.

Contributor Author


All the listed functions (getProjectNumber, createWorkloadIdentityPool, createWorkloadIdentityProvider, generateCredentialConfig, createServiceAccount, deleteServiceAccount, createCredentialConfigMap, deleteConfigMap, grantBucketAccess, revokeBucketAccess) are defined in gcsfuse_oidc_auth.go, which is in the same testsuites package. Since Go resolves symbols across all files in a package, these are fully accessible without any additional imports.

Comment thread test/e2e/testsuites/workload_identity_federation.go
Comment on lines +318 to +320
if out, err := exec.Command("gcloud", "storage", "buckets", "create", "gs://"+altBucket, "--project="+projectID).CombinedOutput(); err != nil {
	klog.Warningf("Failed to create alternate bucket %s: %v, output: %s", altBucket, err, string(out))
}

high

Using exec.Command("gcloud", ...) to manage GCS buckets is discouraged in E2E tests as it introduces a dependency on the gcloud CLI and environment configuration. It is better to use the GCS Go client library (via the storageService abstraction) for better portability and consistency. Furthermore, if bucket creation fails, the test should fail immediately using framework.Failf instead of just logging a warning, as subsequent steps will likely fail with confusing errors.

Suggested change
if out, err := exec.Command("gcloud", "storage", "buckets", "create", "gs://"+altBucket, "--project="+projectID).CombinedOutput(); err != nil {
	klog.Warningf("Failed to create alternate bucket %s: %v, output: %s", altBucket, err, string(out))
}
if out, err := exec.Command("gcloud", "storage", "buckets", "create", "gs://"+altBucket, "--project="+projectID).CombinedOutput(); err != nil {
	framework.Failf("Failed to create alternate bucket %s: %v, output: %s", altBucket, err, string(out))
}

Contributor Author


Already addressed in a prior commit — the alternate bucket creation now uses the GCS Go client (gostorage.NewClient) and framework.Failf on failure, exactly as suggested.

Comment thread test/e2e/testsuites/workload_identity_federation.go
Comment on lines +149 to +153
lines := strings.Split(strings.TrimSpace(rawProjectID), "\n")
projectID := lines[len(lines)-1]

gomega.Expect(strings.Contains(projectID, "Your active configuration")).To(gomega.BeFalse(),
	fmt.Sprintf("invalid projectID detected: %q", projectID))

medium

The logic to extract the project ID while handling potential Cloud Shell warnings is duplicated here and on lines 306-307. This should be refactored into a shared helper function to improve maintainability. Per repository guidelines, if the logic relies heavily on methods within a specific package, extract it to a file within that same package to minimize new dependencies.

References
  1. Avoid duplicating code by extracting common logic into helper functions to improve maintainability and reduce redundancy.
  2. When refactoring common test setup logic, place the generic function in a location that minimizes new dependencies. If the logic relies heavily on methods within a specific package (e.g., testsuites), extract it to a file within that same package.
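The shared helper suggested above, as an added example that is not code from the PR or the project: it parses the combined output of `gcloud config get-value project`, skips the "Your active configuration" banner wherever it appears (not only when it is the last line, which goes slightly beyond the snippet under review), and validates the result against the documented GCP project ID shape. The regular expression and the `ErrNoProjectID` sentinel are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// projectIDPattern encodes the documented shape of a GCP project ID: 6 to 30
// characters, lowercase letters, digits and hyphens, starting with a letter
// and not ending with a hyphen. Assumption of this example, not a constant
// from the PR.
var projectIDPattern = regexp.MustCompile(`^[a-z][a-z0-9-]{4,28}[a-z0-9]$`)

// ErrNoProjectID is returned when the output contains no usable line at all.
var ErrNoProjectID = errors.New("no project ID found in gcloud output")

// extractProjectID returns the project ID from raw gcloud output. Cloud Shell
// and some gcloud configurations print a banner such as
// "Your active configuration is: [default]" alongside the value, so the last
// non-empty line that is not such a banner is taken and then validated.
func extractProjectID(raw string) (string, error) {
	lines := strings.Split(strings.TrimSpace(raw), "\n")
	candidate := ""
	for i := len(lines) - 1; i >= 0; i-- {
		line := strings.TrimSpace(lines[i])
		if line == "" || strings.Contains(line, "Your active configuration") {
			continue
		}
		candidate = line
		break
	}
	if candidate == "" {
		return "", ErrNoProjectID
	}
	if !projectIDPattern.MatchString(candidate) {
		// Anything else on the last line (an ERROR: line, a prompt, a stray
		// warning) would otherwise be passed on as a bogus project ID.
		return "", fmt.Errorf("invalid projectID detected: %q", candidate)
	}
	return candidate, nil
}

func main() {
	// Constructed sample output, not captured from a real gcloud run.
	raw := "Your active configuration is: [cloudshell-1234]\nmy-test-project\n"
	id, err := extractProjectID(raw)
	fmt.Printf("project=%q err=%v\n", id, err)
}
```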

Comment thread test/e2e/specs/testdriver.go Outdated
}
if os.Getenv(utils.IsOSSEnvVar) == "true" {
	projectNumber := os.Getenv(utils.ProjectNumberEnvVar)
	return fmt.Sprintf("principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/gcs-fuse-oidc-pool/subject/system:serviceaccount:%s:%s",

medium

The WIF pool ID gcs-fuse-oidc-pool is hardcoded here and also defined as a constant in workload_identity_federation.go. To ensure consistency and ease of maintenance, this value should be defined as a single shared constant in a utility package.

References
  1. Avoid duplicating code by extracting common logic into helper functions to improve maintainability and reduce redundancy.

Contributor Author


Fixed — removed wifWorkloadIdentityPoolID and wifWorkloadIdentityProviderID from workload_identity_federation.go and replaced all usages with oidcWorkloadIdentityPoolID and oidcWorkloadIdentityProviderID already defined in gcsfuse_oidc_auth.go (same package).

@mattcary
Member

mattcary commented May 7, 2026

/ok-to-test

@su-sudhir
Contributor Author

/retest

@su-sudhir
Contributor Author

Run tests manually

On OSS

  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail GCS access when WI principal has no storage role
  /root/pravin/upstreamDir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:196
    STEP: Creating a kubernetes client @ 05/14/26 04:52:03.48
    I0514 04:52:03.480037 2604440 util.go:453] >>> kubeConfig: /root/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/14/26 04:52:03.48
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 04:52:03.505
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 04:52:03.509
    I0514 04:52:03.512849 2604440 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0514 04:52:03.516635 2604440 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "82ac8db2-1aae-453f-b747-b3ac86ebc583" @ 05/14/26 04:52:03.517
    STEP: Getting GCP project number @ 05/14/26 04:52:04.541
    STEP: Creating workload identity pool: gcs-fuse-oidc-pool @ 05/14/26 04:52:05.706
    STEP: Getting cluster OIDC issuer URL @ 05/14/26 04:52:07.463
    STEP: Creating workload identity provider: gcs-fuse-oidc-provider @ 05/14/26 04:52:07.463
    STEP: Generating credential configuration @ 05/14/26 04:52:09.34
    STEP: Creating Kubernetes service account: wif-no-role-ksa @ 05/14/26 04:52:09.34
    I0514 04:52:09.346460 2604440 gcsfuse_oidc_auth.go:474] Created service account: wif-no-role-ksa
    STEP: Creating credential ConfigMap: wif-credentials-no-role @ 05/14/26 04:52:09.346
    I0514 04:52:09.351653 2604440 gcsfuse_oidc_auth.go:498] Created ConfigMap: wif-credentials-no-role
    I0514 04:52:09.351739 2604440 specs.go:210] Creating Pod 
    I0514 04:52:09.368024 2604440 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that the sidecar bucket access check returns PermissionDenied @ 05/14/26 04:52:09.368
    STEP: Deleting pod gcsfuse-volume-tester-858jz in namespace workload-identity-federation-7565 @ 05/14/26 04:52:13.371
    STEP: Deleting bucket "82ac8db2-1aae-453f-b747-b3ac86ebc583" @ 05/14/26 04:52:13.386
    I0514 04:52:13.706278 2604440 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-7565" for this suite. @ 05/14/26 04:52:13.71
  • [10.235 seconds]
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail write operations when WI principal has read-only storage role
  /root/pravin/upstreamDir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:237
    STEP: Creating a kubernetes client @ 05/14/26 04:52:13.721
    I0514 04:52:13.721976 2604440 util.go:453] >>> kubeConfig: /root/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/14/26 04:52:13.723
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 04:52:13.734
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 04:52:13.737
    I0514 04:52:13.740236 2604440 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0514 04:52:13.743595 2604440 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "7ab7b999-0d9e-43cc-8935-e28f9ba9ef91" @ 05/14/26 04:52:13.744
    STEP: Getting GCP project number @ 05/14/26 04:52:14.744
    STEP: Creating workload identity pool: gcs-fuse-oidc-pool @ 05/14/26 04:52:15.849
    STEP: Getting cluster OIDC issuer URL @ 05/14/26 04:52:17.616
    STEP: Creating workload identity provider: gcs-fuse-oidc-provider @ 05/14/26 04:52:17.616
    STEP: Generating credential configuration @ 05/14/26 04:52:19.613
    STEP: Creating Kubernetes service account: wif-readonly-ksa @ 05/14/26 04:52:19.613
    I0514 04:52:19.617742 2604440 gcsfuse_oidc_auth.go:474] Created service account: wif-readonly-ksa
    STEP: Creating credential ConfigMap: wif-credentials-readonly @ 05/14/26 04:52:19.617
    I0514 04:52:19.621919 2604440 gcsfuse_oidc_auth.go:498] Created ConfigMap: wif-credentials-readonly
    STEP: Granting read-only (objectViewer) access to bucket @ 05/14/26 04:52:19.622
    I0514 04:52:21.476635 2604440 gcsfuse_oidc_auth.go:518] Granted roles/storage.objectViewer access to bucket 7ab7b999-0d9e-43cc-8935-e28f9ba9ef91 for principal principal://iam.googleapis.com/projects/983965539966/locations/global/workloadIdentityPools/gcs-fuse-oidc-pool/subject/system:serviceaccount:workload-identity-federation-3807:wif-readonly-ksa
    STEP: Waiting for IAM policy propagation @ 05/14/26 04:52:21.476
    I0514 04:52:26.480590 2604440 specs.go:210] Creating Pod 
    I0514 04:52:26.494446 2604440 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Verifying read operations succeed with objectViewer role @ 05/14/26 04:52:30.509
    I0514 04:52:30.509691 2604440 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c ls /mnt/gcs] Namespace:workload-identity-federation-3807 PodName:gcsfuse-volume-tester-7c89x ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0514 04:52:30.509736 2604440 exec_util.go:68] ExecWithOptions: Clientset creation
    I0514 04:52:30.509822 2604440 exec_util.go:84] ExecWithOptions: execute(https://34.70.213.145:6443/api/v1/namespaces/workload-identity-federation-3807/pods/gcsfuse-volume-tester-7c89x/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fmnt%2Fgcs&container=volume-tester&stderr=true&stdout=true)
    I0514 04:52:30.534746 2604440 exec_util.go:198] fallback to secondary dialer from primary dialer err: unable to upgrade streaming request: websocket: bad handshake (403 Forbidden)
    I0514 04:52:30.699448 2604440 specs.go:305] Operation succeeded.
    STEP: Verifying write operations fail with objectViewer role @ 05/14/26 04:52:30.699
    I0514 04:52:30.699619 2604440 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3807 PodName:gcsfuse-volume-tester-7c89x ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0514 04:52:30.699696 2604440 exec_util.go:68] ExecWithOptions: Clientset creation
    I0514 04:52:30.699823 2604440 exec_util.go:84] ExecWithOptions: execute(https://34.70.213.145:6443/api/v1/namespaces/workload-identity-federation-3807/pods/gcsfuse-volume-tester-7c89x/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0514 04:52:30.720304 2604440 exec_util.go:198] fallback to secondary dialer from primary dialer err: unable to upgrade streaming request: websocket: bad handshake (403 Forbidden)
    I0514 04:52:30.921014 2604440 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0514 04:52:36.262567 2604440 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3807 PodName:gcsfuse-volume-tester-7c89x ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0514 04:52:36.262661 2604440 exec_util.go:68] ExecWithOptions: Clientset creation
    I0514 04:52:36.262743 2604440 exec_util.go:84] ExecWithOptions: execute(https://34.70.213.145:6443/api/v1/namespaces/workload-identity-federation-3807/pods/gcsfuse-volume-tester-7c89x/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0514 04:52:36.281897 2604440 exec_util.go:198] fallback to secondary dialer from primary dialer err: unable to upgrade streaming request: websocket: bad handshake (403 Forbidden)
    I0514 04:52:36.433771 2604440 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0514 04:52:46.627604 2604440 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3807 PodName:gcsfuse-volume-tester-7c89x ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0514 04:52:46.627688 2604440 exec_util.go:68] ExecWithOptions: Clientset creation
    I0514 04:52:46.627892 2604440 exec_util.go:84] ExecWithOptions: execute(https://34.70.213.145:6443/api/v1/namespaces/workload-identity-federation-3807/pods/gcsfuse-volume-tester-7c89x/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0514 04:52:46.650201 2604440 exec_util.go:198] fallback to secondary dialer from primary dialer err: unable to upgrade streaming request: websocket: bad handshake (403 Forbidden)
    I0514 04:52:46.820748 2604440 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0514 04:53:07.979605 2604440 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3807 PodName:gcsfuse-volume-tester-7c89x ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0514 04:53:07.979670 2604440 exec_util.go:68] ExecWithOptions: Clientset creation
    I0514 04:53:07.979802 2604440 exec_util.go:84] ExecWithOptions: execute(https://34.70.213.145:6443/api/v1/namespaces/workload-identity-federation-3807/pods/gcsfuse-volume-tester-7c89x/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0514 04:53:07.997733 2604440 exec_util.go:198] fallback to secondary dialer from primary dialer err: unable to upgrade streaming request: websocket: bad handshake (403 Forbidden)
    I0514 04:53:08.229017 2604440 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0514 04:53:51.767843 2604440 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3807 PodName:gcsfuse-volume-tester-7c89x ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0514 04:53:51.767978 2604440 exec_util.go:68] ExecWithOptions: Clientset creation
    I0514 04:53:51.768094 2604440 exec_util.go:84] ExecWithOptions: execute(https://34.70.213.145:6443/api/v1/namespaces/workload-identity-federation-3807/pods/gcsfuse-volume-tester-7c89x/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0514 04:53:51.786868 2604440 exec_util.go:198] fallback to secondary dialer from primary dialer err: unable to upgrade streaming request: websocket: bad handshake (403 Forbidden)
    I0514 04:53:52.021568 2604440 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0514 04:55:12.567860 2604440 specs.go:303] Operation failed after 8 steps (total time/cap: 2m0s). Last error: command terminated with exit code 1
    STEP: Deleting pod gcsfuse-volume-tester-7c89x in namespace workload-identity-federation-3807 @ 05/14/26 04:55:12.567
    STEP: Deleting bucket "7ab7b999-0d9e-43cc-8935-e28f9ba9ef91" @ 05/14/26 04:55:14.501
    I0514 04:55:14.879221 2604440 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-3807" for this suite. @ 05/14/26 04:55:14.884
  • [181.168 seconds]
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail GCS access when WI principal role is on a different bucket
  /root/pravin/upstreamDir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:288
    STEP: Creating a kubernetes client @ 05/14/26 04:55:14.893
    I0514 04:55:14.893803 2604440 util.go:453] >>> kubeConfig: /root/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/14/26 04:55:14.895
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 04:55:14.907
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 04:55:14.911
    I0514 04:55:14.914584 2604440 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0514 04:55:14.918466 2604440 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "fdbc1e46-241d-403e-a536-a5c17ff0a625" @ 05/14/26 04:55:14.919
    STEP: Getting GCP project number @ 05/14/26 04:55:16.146
    STEP: Creating workload identity pool: gcs-fuse-oidc-pool @ 05/14/26 04:55:17.303
    STEP: Getting cluster OIDC issuer URL @ 05/14/26 04:55:19.095
    STEP: Creating workload identity provider: gcs-fuse-oidc-provider @ 05/14/26 04:55:19.095
    STEP: Generating credential configuration @ 05/14/26 04:55:21.155
    STEP: Creating Kubernetes service account: wif-wrong-bucket-ksa @ 05/14/26 04:55:21.155
    I0514 04:55:21.160260 2604440 gcsfuse_oidc_auth.go:474] Created service account: wif-wrong-bucket-ksa
    STEP: Creating credential ConfigMap: wif-credentials-wrong-bucket @ 05/14/26 04:55:21.16
    I0514 04:55:21.163891 2604440 gcsfuse_oidc_auth.go:498] Created ConfigMap: wif-credentials-wrong-bucket
    STEP: Creating alternate bucket: gcs-fuse-wif-alt-workload-identity-federation-4607 @ 05/14/26 04:55:21.163
    STEP: Granting objectUser on alternate bucket gcs-fuse-wif-alt-workload-identity-federation-4607 (not on test bucket fdbc1e46-241d-403e-a536-a5c17ff0a625) @ 05/14/26 04:55:21.976
    I0514 04:55:24.340677 2604440 gcsfuse_oidc_auth.go:518] Granted roles/storage.objectUser access to bucket gcs-fuse-wif-alt-workload-identity-federation-4607 for principal principal://iam.googleapis.com/projects/983965539966/locations/global/workloadIdentityPools/gcs-fuse-oidc-pool/subject/system:serviceaccount:workload-identity-federation-4607:wif-wrong-bucket-ksa
    STEP: Waiting for IAM policy propagation @ 05/14/26 04:55:24.34
    I0514 04:55:29.344834 2604440 specs.go:210] Creating Pod 
    I0514 04:55:29.363067 2604440 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that the sidecar bucket access check returns PermissionDenied @ 05/14/26 04:55:29.363
    STEP: Deleting pod gcsfuse-volume-tester-74njt in namespace workload-identity-federation-4607 @ 05/14/26 04:55:33.367
    STEP: Deleting bucket "fdbc1e46-241d-403e-a536-a5c17ff0a625" @ 05/14/26 04:55:36.247
    I0514 04:55:36.501091 2604440 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-4607" for this suite. @ 05/14/26 04:55:36.506
  • [21.617 seconds]
  ------------------------------
  [ReportAfterSuite] Autogenerated ReportAfterSuite for --junit-report
  autogenerated by Ginkgo
  [ReportAfterSuite] PASSED [0.032 seconds]
  ------------------------------

  Ran 3 of 588 Specs in 213.071 seconds
  SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 585 Skipped
  PASS

  Ginkgo ran 1 suite in 3m45.427216486s
  Test Suite Passed

On GKE

  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail GCS access when WI principal role is on a different bucket
  /home/gcptest2404/pravin/upstream/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:288
    STEP: Creating a kubernetes client @ 05/15/26 02:34:20.297
    I0515 02:34:20.297134 3262 util.go:453] >>> kubeConfig: /home/gcptest2404/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/15/26 02:34:20.298
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/15/26 02:34:21.445
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/15/26 02:34:21.865
    I0515 02:34:22.338780    3262 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0515 02:34:22.611608 3262 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "47e01b9f-a205-495c-87fb-f0ffb3c5d364" @ 05/15/26 02:34:22.612
    STEP: Creating GCP service account: workload-identity-federation-6 @ 05/15/26 02:34:25.249
    I0515 02:34:25.249248    3262 iam_utils.go:120] Creating GCP IAM Service Account workload-identity-federation-6
    STEP: Binding KSA wif-wrong-bucket-ksa to GCP service account workload-identity-federation-6@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/15/26 02:34:28.289
    STEP: Creating Kubernetes service account wif-wrong-bucket-ksa annotated with GCP service account workload-identity-federation-6@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com @ 05/15/26 02:34:30.995
    I0515 02:34:30.995720    3262 iam_utils.go:94] Creating Kubernetes Service Account wif-wrong-bucket-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/15/26 02:34:31.224
    STEP: Creating alternate bucket: gcs-fuse-wif-alt-workload-identity-federation-6929 @ 05/15/26 02:36:31.226
    STEP: Granting objectUser on alternate bucket gcs-fuse-wif-alt-workload-identity-federation-6929 (not on test bucket 47e01b9f-a205-495c-87fb-f0ffb3c5d364) @ 05/15/26 02:36:32.452
    I0515 02:36:35.611378    3262 gcsfuse_oidc_auth.go:518] Granted roles/storage.objectUser access to bucket gcs-fuse-wif-alt-workload-identity-federation-6929 for principal serviceAccount:workload-identity-federation-6@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com
    STEP: Waiting for IAM policy propagation @ 05/15/26 02:36:35.611
    I0515 02:36:40.611718 3262 specs.go:210] Creating Pod 
    I0515 02:36:41.503387    3262 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that the sidecar bucket access check returns PermissionDenied @ 05/15/26 02:36:41.503
    STEP: Deleting pod gcsfuse-volume-tester-mlvdm in namespace workload-identity-federation-6929 @ 05/15/26 02:36:43.73
    I0515 02:36:48.213500    3262 iam_utils.go:101] Deleting Kubernetes Service Account wif-wrong-bucket-ksa
    I0515 02:36:48.487501    3262 iam_utils.go:174] Deleting GCP IAM Service Account projects/project-b78250c9-d753-4d2f-ad7/serviceAccounts/workload-identity-federation-6@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com
    STEP: Deleting bucket "47e01b9f-a205-495c-87fb-f0ffb3c5d364" @ 05/15/26 02:36:49.826
    I0515 02:36:51.584535    3262 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-6929" for this suite. @ 05/15/26 02:36:51.837
  • [151.807 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail write operations when WI principal has read-only storage role
  /home/gcptest2404/pravin/upstream/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:237
    STEP: Creating a kubernetes client @ 05/15/26 02:36:52.104
    I0515 02:36:52.105013 3262 util.go:453] >>> kubeConfig: /home/gcptest2404/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/15/26 02:36:52.106
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/15/26 02:36:52.833
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/15/26 02:36:53.262
    I0515 02:36:53.738638    3262 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0515 02:36:54.015211 3262 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "30f61ca6-11ab-4c09-b8ed-718e14c2bc47" @ 05/15/26 02:36:54.015
    STEP: Creating GCP service account: workload-identity-federation-3 @ 05/15/26 02:36:56.661
    I0515 02:36:56.661328    3262 iam_utils.go:120] Creating GCP IAM Service Account workload-identity-federation-3
    STEP: Binding KSA wif-readonly-ksa to GCP service account workload-identity-federation-3@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/15/26 02:36:58.749
    STEP: Creating Kubernetes service account wif-readonly-ksa annotated with GCP service account workload-identity-federation-3@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com @ 05/15/26 02:37:01.418
    I0515 02:37:01.418128    3262 iam_utils.go:94] Creating Kubernetes Service Account wif-readonly-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/15/26 02:37:01.646
    STEP: Granting read-only (objectViewer) access to bucket @ 05/15/26 02:39:01.647
    I0515 02:39:04.340766    3262 gcsfuse_oidc_auth.go:518] Granted roles/storage.objectViewer access to bucket 30f61ca6-11ab-4c09-b8ed-718e14c2bc47 for principal serviceAccount:workload-identity-federation-3@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com
    STEP: Waiting for IAM policy propagation @ 05/15/26 02:39:04.34
    I0515 02:39:09.345365 3262 specs.go:210] Creating Pod 
    I0515 02:39:10.221924    3262 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Verifying read operations succeed with objectViewer role @ 05/15/26 02:39:15.164
    I0515 02:39:15.164630 3262 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c ls /mnt/gcs] Namespace:workload-identity-federation-3290 PodName:gcsfuse-volume-tester-8c6gr ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0515 02:39:15.164668 3262 exec_util.go:68] ExecWithOptions: Clientset creation
    I0515 02:39:15.164752 3262 exec_util.go:84] ExecWithOptions: execute(https://34.60.138.81/api/v1/namespaces/workload-identity-federation-3290/pods/gcsfuse-volume-tester-8c6gr/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fmnt%2Fgcs&container=volume-tester&stderr=true&stdout=true)
    I0515 02:39:16.004366 3262 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0515 02:39:16.004427 3262 specs.go:305] Operation succeeded.
    STEP: Verifying write operations fail with objectViewer role @ 05/15/26 02:39:16.004
    I0515 02:39:16.004493 3262 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3290 PodName:gcsfuse-volume-tester-8c6gr ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0515 02:39:16.004505 3262 exec_util.go:68] ExecWithOptions: Clientset creation
    I0515 02:39:16.004569 3262 exec_util.go:84] ExecWithOptions: execute(https://34.60.138.81/api/v1/namespaces/workload-identity-federation-3290/pods/gcsfuse-volume-tester-8c6gr/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0515 02:39:16.926592 3262 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0515 02:39:16.926640 3262 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0515 02:39:22.079851 3262 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3290 PodName:gcsfuse-volume-tester-8c6gr ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0515 02:39:22.079913 3262 exec_util.go:68] ExecWithOptions: Clientset creation
    I0515 02:39:22.080087 3262 exec_util.go:84] ExecWithOptions: execute(https://34.60.138.81/api/v1/namespaces/workload-identity-federation-3290/pods/gcsfuse-volume-tester-8c6gr/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0515 02:39:22.995679 3262 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0515 02:39:22.995752 3262 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0515 02:39:33.108976 3262 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3290 PodName:gcsfuse-volume-tester-8c6gr ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0515 02:39:33.109064 3262 exec_util.go:68] ExecWithOptions: Clientset creation
    I0515 02:39:33.109147 3262 exec_util.go:84] ExecWithOptions: execute(https://34.60.138.81/api/v1/namespaces/workload-identity-federation-3290/pods/gcsfuse-volume-tester-8c6gr/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0515 02:39:33.926109 3262 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0515 02:39:33.926158 3262 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0515 02:39:55.051416 3262 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3290 PodName:gcsfuse-volume-tester-8c6gr ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0515 02:39:55.051485 3262 exec_util.go:68] ExecWithOptions: Clientset creation
    I0515 02:39:55.051543 3262 exec_util.go:84] ExecWithOptions: execute(https://34.60.138.81/api/v1/namespaces/workload-identity-federation-3290/pods/gcsfuse-volume-tester-8c6gr/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0515 02:39:55.925168 3262 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0515 02:39:55.925216 3262 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0515 02:40:38.206932 3262 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-3290 PodName:gcsfuse-volume-tester-8c6gr ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0515 02:40:38.206990 3262 exec_util.go:68] ExecWithOptions: Clientset creation
    I0515 02:40:38.207169 3262 exec_util.go:84] ExecWithOptions: execute(https://34.60.138.81/api/v1/namespaces/workload-identity-federation-3290/pods/gcsfuse-volume-tester-8c6gr/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0515 02:40:39.128861 3262 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0515 02:40:39.128926 3262 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0515 02:42:04.143493 3262 specs.go:303] Operation failed after 8 steps (total time/cap: 2m0s). Last error: command terminated with exit code 1
    STEP: Deleting pod gcsfuse-volume-tester-8c6gr in namespace workload-identity-federation-3290 @ 05/15/26 02:42:04.143
    I0515 02:42:07.052706    3262 iam_utils.go:101] Deleting Kubernetes Service Account wif-readonly-ksa
    I0515 02:42:07.310515    3262 iam_utils.go:174] Deleting GCP IAM Service Account projects/project-b78250c9-d753-4d2f-ad7/serviceAccounts/workload-identity-federation-3@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com
    STEP: Deleting bucket "30f61ca6-11ab-4c09-b8ed-718e14c2bc47" @ 05/15/26 02:42:08.77
    I0515 02:42:10.856572    3262 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-3290" for this suite. @ 05/15/26 02:42:11.123
  • [319.298 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail GCS access when WI principal has no storage role
  /home/gcptest2404/pravin/upstream/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:196
    STEP: Creating a kubernetes client @ 05/15/26 02:42:11.404
    I0515 02:42:11.404117 3262 util.go:453] >>> kubeConfig: /home/gcptest2404/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/15/26 02:42:11.405
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/15/26 02:42:12.135
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/15/26 02:42:12.557
    I0515 02:42:13.047309    3262 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0515 02:42:13.324444 3262 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "4d3593c7-d379-4d18-8815-9b4cec5d76a4" @ 05/15/26 02:42:13.324
    STEP: Creating GCP service account: workload-identity-federation-4 @ 05/15/26 02:42:15.255
    I0515 02:42:15.255824    3262 iam_utils.go:120] Creating GCP IAM Service Account workload-identity-federation-4
    STEP: Binding KSA wif-no-role-ksa to GCP service account workload-identity-federation-4@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/15/26 02:42:17.169
    STEP: Creating Kubernetes service account wif-no-role-ksa annotated with GCP service account workload-identity-federation-4@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com @ 05/15/26 02:42:18.394
    I0515 02:42:18.394364    3262 iam_utils.go:94] Creating Kubernetes Service Account wif-no-role-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/15/26 02:42:18.631
    I0515 02:44:18.632680 3262 specs.go:210] Creating Pod 
    I0515 02:44:19.420135    3262 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that the sidecar bucket access check returns PermissionDenied @ 05/15/26 02:44:19.42
    STEP: Deleting pod gcsfuse-volume-tester-tqmm4 in namespace workload-identity-federation-4389 @ 05/15/26 02:44:21.646
    I0515 02:44:21.928353    3262 iam_utils.go:101] Deleting Kubernetes Service Account wif-no-role-ksa
    I0515 02:44:22.209569    3262 iam_utils.go:174] Deleting GCP IAM Service Account projects/project-b78250c9-d753-4d2f-ad7/serviceAccounts/workload-identity-federation-4@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com
    STEP: Deleting bucket "4d3593c7-d379-4d18-8815-9b4cec5d76a4" @ 05/15/26 02:44:23.636
    I0515 02:44:25.406147    3262 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-4389" for this suite. @ 05/15/26 02:44:25.681
  • [134.539 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  [ReportAfterSuite] Autogenerated ReportAfterSuite for --junit-report
  autogenerated by Ginkgo
  [ReportAfterSuite] PASSED [0.024 seconds]
  ------------------------------

  Ran 3 of 562 Specs in 605.664 seconds
  SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 559 Skipped
  PASS

  Ginkgo ran 1 suite in 10m10.364455726s
  Test Suite Passed

@mattcary
Member

/assign @mattcary

@su-sudhir su-sudhir force-pushed the add-wif-authorization-failure-e2e-tests branch from 2c7ca30 to 9887e3d on May 22, 2026 08:14
@su-sudhir
Contributor Author

Resolved the merge conflicts and tested it

Logs

 Will run 6 of 566 specs
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail GCS access when WI principal role is on a different bucket
  /home/sudhir_shanmugam/sudhir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:724
    STEP: Creating a kubernetes client @ 05/22/26 09:11:35.961
    I0522 09:11:35.961819 18333 util.go:453] >>> kubeConfig: /home/sudhir_shanmugam/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/22/26 09:11:35.965
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/22/26 09:11:37.164
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/22/26 09:11:37.588
    I0522 09:11:38.069713   18333 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0522 09:11:38.334616 18333 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "fb80e770-a0ec-42ca-b7ef-d0962f11a78f" @ 05/22/26 09:11:38.335
    STEP: Creating GCP service account: wif-wrong-bucket-ksa-6157 @ 05/22/26 09:11:41.167
    I0522 09:11:41.167656   18333 iam_utils.go:120] Creating GCP IAM Service Account wif-wrong-bucket-ksa-6157
    STEP: Binding KSA wif-wrong-bucket-ksa to GCP service account wif-wrong-bucket-ksa-6157@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:11:47.466
    STEP: Creating Kubernetes service account wif-wrong-bucket-ksa annotated with GCP service account wif-wrong-bucket-ksa-6157@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:11:49.239
    I0522 09:11:49.239491   18333 iam_utils.go:94] Creating Kubernetes Service Account wif-wrong-bucket-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/22/26 09:11:49.474
    STEP: Creating alternate bucket: gcs-fuse-wif-alt-workload-identity-federation-6157 @ 05/22/26 09:13:49.475
    STEP: Granting objectUser on alternate bucket gcs-fuse-wif-alt-workload-identity-federation-6157 (not on test bucket fb80e770-a0ec-42ca-b7ef-d0962f11a78f) @ 05/22/26 09:13:51.006
    I0522 09:13:53.918448   18333 gcsfuse_oidc_auth.go:539] Granted roles/storage.objectUser access to bucket gcs-fuse-wif-alt-workload-identity-federation-6157 for principal serviceAccount:wif-wrong-bucket-ksa-6157@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Waiting for IAM policy propagation @ 05/22/26 09:13:53.918
    I0522 09:13:58.918844 18333 specs.go:210] Creating Pod 
    I0522 09:13:59.841801   18333 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that the sidecar bucket access check returns PermissionDenied @ 05/22/26 09:13:59.842
    STEP: Deleting pod gcsfuse-volume-tester-zqxhb in namespace workload-identity-federation-6157 @ 05/22/26 09:14:02.067
    I0522 09:14:06.549828   18333 iam_utils.go:101] Deleting Kubernetes Service Account wif-wrong-bucket-ksa
    I0522 09:14:06.812697   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/wif-wrong-bucket-ksa-6157@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Deleting bucket "fb80e770-a0ec-42ca-b7ef-d0962f11a78f" @ 05/22/26 09:14:08.215
    I0522 09:14:09.991086   18333 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-6157" for this suite. @ 05/22/26 09:14:10.27
  • [154.589 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail write operations when WI principal has read-only storage role
  /home/sudhir_shanmugam/sudhir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:673
    STEP: Creating a kubernetes client @ 05/22/26 09:14:10.555
    I0522 09:14:10.555167 18333 util.go:453] >>> kubeConfig: /home/sudhir_shanmugam/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/22/26 09:14:10.559
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/22/26 09:14:11.281
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/22/26 09:14:11.71
    I0522 09:14:12.188218   18333 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0522 09:14:12.440680 18333 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "cd273edf-bb45-454f-8450-6e742fc90177" @ 05/22/26 09:14:12.441
    STEP: Creating GCP service account: wif-readonly-ksa-2613 @ 05/22/26 09:14:15.369
    I0522 09:14:15.369762   18333 iam_utils.go:120] Creating GCP IAM Service Account wif-readonly-ksa-2613
    STEP: Binding KSA wif-readonly-ksa to GCP service account wif-readonly-ksa-2613@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:14:17.651
    STEP: Creating Kubernetes service account wif-readonly-ksa annotated with GCP service account wif-readonly-ksa-2613@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:14:20.416
    I0522 09:14:20.416493   18333 iam_utils.go:94] Creating Kubernetes Service Account wif-readonly-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/22/26 09:14:20.643
    STEP: Granting read-only (objectViewer) access to bucket @ 05/22/26 09:16:20.644
    I0522 09:16:25.566624   18333 gcsfuse_oidc_auth.go:539] Granted roles/storage.objectViewer access to bucket cd273edf-bb45-454f-8450-6e742fc90177 for principal serviceAccount:wif-readonly-ksa-2613@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Waiting for IAM policy propagation @ 05/22/26 09:16:25.566
    I0522 09:16:30.571150 18333 specs.go:210] Creating Pod 
    I0522 09:16:32.604148   18333 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Verifying read operations succeed with objectViewer role @ 05/22/26 09:16:37.512
    I0522 09:16:37.512992 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c ls /mnt/gcs] Namespace:workload-identity-federation-2613 PodName:gcsfuse-volume-tester-jg5jq ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:16:37.540446 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:16:37.540608 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-2613/pods/gcsfuse-volume-tester-jg5jq/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fmnt%2Fgcs&container=volume-tester&stderr=true&stdout=true)
    I0522 09:16:38.368027 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:16:38.368125 18333 specs.go:305] Operation succeeded.
    STEP: Verifying write operations fail with objectViewer role @ 05/22/26 09:16:38.368
    I0522 09:16:38.368308 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-2613 PodName:gcsfuse-volume-tester-jg5jq ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:16:38.368355 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:16:38.368471 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-2613/pods/gcsfuse-volume-tester-jg5jq/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:16:39.239120 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:16:39.239195 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:16:44.712442 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-2613 PodName:gcsfuse-volume-tester-jg5jq ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:16:44.712562 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:16:44.712702 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-2613/pods/gcsfuse-volume-tester-jg5jq/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:16:45.640545 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:16:45.640632 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:16:56.323214 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-2613 PodName:gcsfuse-volume-tester-jg5jq ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:16:56.323374 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:16:56.323497 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-2613/pods/gcsfuse-volume-tester-jg5jq/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:16:57.240506 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:16:57.240608 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:17:17.883490 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-2613 PodName:gcsfuse-volume-tester-jg5jq ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:17:17.883601 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:17:17.883711 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-2613/pods/gcsfuse-volume-tester-jg5jq/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:17:18.747744 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:17:18.747941 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:17:59.322019 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c echo 'write-test' > /mnt/gcs/wif-write-test.txt] Namespace:workload-identity-federation-2613 PodName:gcsfuse-volume-tester-jg5jq ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:17:59.322169 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:17:59.322383 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-2613/pods/gcsfuse-volume-tester-jg5jq/exec?command=%2Fbin%2Fsh&command=-c&command=echo+%27write-test%27+%3E+%2Fmnt%2Fgcs%2Fwif-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:18:00.237803 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:18:00.237932 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:19:25.706164 18333 specs.go:303] Operation failed after 8 steps (total time/cap: 2m0s). Last error: command terminated with exit code 1
    STEP: Deleting pod gcsfuse-volume-tester-jg5jq in namespace workload-identity-federation-2613 @ 05/22/26 09:19:25.706
    I0522 09:19:30.016452   18333 iam_utils.go:101] Deleting Kubernetes Service Account wif-readonly-ksa
    I0522 09:19:30.282987   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/wif-readonly-ksa-2613@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Deleting bucket "cd273edf-bb45-454f-8450-6e742fc90177" @ 05/22/26 09:19:31.67
    I0522 09:19:33.672468   18333 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-2613" for this suite. @ 05/22/26 09:19:33.941
  • [323.656 seconds]
  ------------------------------
  SSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail GCS access when WI principal has no storage role
  /home/sudhir_shanmugam/sudhir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:632
    STEP: Creating a kubernetes client @ 05/22/26 09:19:34.21
    I0522 09:19:34.210175 18333 util.go:453] >>> kubeConfig: /home/sudhir_shanmugam/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/22/26 09:19:34.213
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/22/26 09:19:34.918
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/22/26 09:19:35.332
    I0522 09:19:35.784205   18333 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0522 09:19:36.022466 18333 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "23efbdf4-6b81-470a-b071-e9d2ab24d21f" @ 05/22/26 09:19:36.023
    STEP: Creating GCP service account: wif-no-role-ksa-1981 @ 05/22/26 09:19:40.056
    I0522 09:19:40.056709   18333 iam_utils.go:120] Creating GCP IAM Service Account wif-no-role-ksa-1981
    STEP: Binding KSA wif-no-role-ksa to GCP service account wif-no-role-ksa-1981@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:19:43.199
    STEP: Creating Kubernetes service account wif-no-role-ksa annotated with GCP service account wif-no-role-ksa-1981@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:19:44.968
    I0522 09:19:44.968677   18333 iam_utils.go:94] Creating Kubernetes Service Account wif-no-role-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/22/26 09:19:45.192
    I0522 09:21:45.193223 18333 specs.go:210] Creating Pod 
    I0522 09:21:45.956631   18333 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Checking that the sidecar bucket access check returns PermissionDenied @ 05/22/26 09:21:45.956
    STEP: Deleting pod gcsfuse-volume-tester-dr2m7 in namespace workload-identity-federation-1981 @ 05/22/26 09:21:48.193
    I0522 09:21:48.460972   18333 iam_utils.go:101] Deleting Kubernetes Service Account wif-no-role-ksa
    I0522 09:21:48.708035   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/wif-no-role-ksa-1981@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Deleting bucket "23efbdf4-6b81-470a-b071-e9d2ab24d21f" @ 05/22/26 09:21:50.176
    I0522 09:21:52.190887   18333 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-1981" for this suite. @ 05/22/26 09:21:52.465
  • [138.514 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail GCS access after workload identity federation principal permissions are removed while pod is running
  /home/sudhir_shanmugam/sudhir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:197
    STEP: Creating a kubernetes client @ 05/22/26 09:21:52.725
    I0522 09:21:52.725646 18333 util.go:453] >>> kubeConfig: /home/sudhir_shanmugam/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/22/26 09:21:52.728
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/22/26 09:21:53.434
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/22/26 09:21:53.85
    I0522 09:21:54.302132   18333 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0522 09:21:54.544232 18333 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "bb266bf9-69e9-45ed-adbf-a546da322e5f" @ 05/22/26 09:21:54.544
    STEP: Creating GCP service account: wif-revoke-ksa-7711 @ 05/22/26 09:21:56.359
    I0522 09:21:56.359783   18333 iam_utils.go:120] Creating GCP IAM Service Account wif-revoke-ksa-7711
    STEP: Binding KSA wif-revoke-ksa to GCP service account wif-revoke-ksa-7711@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:21:59.577
    STEP: Creating Kubernetes service account wif-revoke-ksa annotated with GCP service account wif-revoke-ksa-7711@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:22:02.445
    I0522 09:22:02.526710   18333 iam_utils.go:94] Creating Kubernetes Service Account wif-revoke-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/22/26 09:22:02.767
    STEP: Granting bucket access to workload identity principal @ 05/22/26 09:24:02.768
    I0522 09:24:06.098253   18333 gcsfuse_oidc_auth.go:539] Granted roles/storage.objectAdmin access to bucket bb266bf9-69e9-45ed-adbf-a546da322e5f for principal serviceAccount:wif-revoke-ksa-7711@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Waiting for IAM policy and WIF infrastructure propagation @ 05/22/26 09:24:06.099
    STEP: Creating and deploying test pod with continuous write loop @ 05/22/26 09:26:06.1
    I0522 09:26:06.101815 18333 specs.go:210] Creating Pod 
    I0522 09:26:06.868232   18333 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Waiting for pod to reach Running state @ 05/22/26 09:26:06.868
    STEP: Polling until at least one chunk is written to GCS (confirms active writes before revocation) @ 05/22/26 09:26:11.822
    I0522 09:26:11.822292 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c test -f /mnt/gcs/chunk-1.bin && echo WRITTEN || echo PENDING] Namespace:workload-identity-federation-7711 PodName:gcsfuse-volume-tester-c6dk4 ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:26:11.822342 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:26:11.822467 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-7711/pods/gcsfuse-volume-tester-c6dk4/exec?command=%2Fbin%2Fsh&command=-c&command=test+-f+%2Fmnt%2Fgcs%2Fchunk-1.bin+%26%26+echo+WRITTEN+%7C%7C+echo+PENDING&container=volume-tester&stderr=true&stdout=true)
    I0522 09:26:12.602094 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:26:12.602186 18333 specs.go:305] Operation succeeded.
    STEP: Revoking bucket access while pod is actively writing @ 05/22/26 09:26:12.602
    STEP: Waiting for IAM revocation to propagate @ 05/22/26 09:26:16.32
    STEP: Waiting until writes stop progressing @ 05/22/26 09:26:36.339
    I0522 09:26:36.339313 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c ls /mnt/gcs/chunk-* 2>/dev/null | wc -l] Namespace:workload-identity-federation-7711 PodName:gcsfuse-volume-tester-c6dk4 ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:26:36.339376 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:26:36.339598 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-7711/pods/gcsfuse-volume-tester-c6dk4/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fmnt%2Fgcs%2Fchunk-%2A+2%3E%2Fdev%2Fnull+%7C+wc+-l&container=volume-tester&stderr=true&stdout=true)
    I0522 09:26:37.332617 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:26:37.332728 18333 specs.go:305] Operation succeeded.
    I0522 09:26:47.334000 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c ls /mnt/gcs/chunk-* 2>/dev/null | wc -l] Namespace:workload-identity-federation-7711 PodName:gcsfuse-volume-tester-c6dk4 ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:26:47.334313 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:26:47.334678 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-7711/pods/gcsfuse-volume-tester-c6dk4/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fmnt%2Fgcs%2Fchunk-%2A+2%3E%2Fdev%2Fnull+%7C+wc+-l&container=volume-tester&stderr=true&stdout=true)
    I0522 09:26:48.336792 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:26:48.337058 18333 specs.go:305] Operation succeeded.
    STEP: Verifying GCS FUSE sidecar logs contain a 403 Forbidden error @ 05/22/26 09:26:48.337
    STEP: Deleting pod gcsfuse-volume-tester-c6dk4 in namespace workload-identity-federation-7711 @ 05/22/26 09:26:48.826
    I0522 09:26:49.082202   18333 iam_utils.go:101] Deleting Kubernetes Service Account wif-revoke-ksa
    I0522 09:26:49.347026   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/wif-revoke-ksa-7711@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Deleting bucket "bb266bf9-69e9-45ed-adbf-a546da322e5f" @ 05/22/26 09:26:50.779
    I0522 09:26:57.719487   18333 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-7711" for this suite. @ 05/22/26 09:26:57.979
  • [305.522 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should isolate workload identity federation access for Kubernetes service accounts with the same name across different namespaces
  /home/sudhir_shanmugam/sudhir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:342
    STEP: Creating a kubernetes client @ 05/22/26 09:26:58.252
    I0522 09:26:58.252278 18333 util.go:453] >>> kubeConfig: /home/sudhir_shanmugam/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/22/26 09:26:58.256
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/22/26 09:26:58.965
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/22/26 09:26:59.386
    I0522 09:26:59.872721   18333 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0522 09:27:00.129883 18333 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "008ebe1c-aa27-4654-b587-b76b59c034c2" @ 05/22/26 09:27:00.131
    STEP: Creating second namespace for identity isolation test @ 05/22/26 09:27:03.546
    STEP: Creating GCP service account for ns-2 (no bucket access): wif-isolation-tgkvg @ 05/22/26 09:27:03.77
    I0522 09:27:03.770633   18333 iam_utils.go:120] Creating GCP IAM Service Account wif-isolation-tgkvg
    STEP: Binding KSA gcsfuse-test-sa in ns-2 to GCP service account wif-isolation-tgkvg@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:27:08.121
    STEP: Creating Kubernetes service account gcsfuse-test-sa in ns-2 annotated with GCP service account wif-isolation-tgkvg@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:27:10.807
    I0522 09:27:10.807240   18333 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-test-sa
    STEP: Creating GCP service account: gcsfuse-test-sa-4401 @ 05/22/26 09:27:11.043
    I0522 09:27:11.043664   18333 iam_utils.go:120] Creating GCP IAM Service Account gcsfuse-test-sa-4401
    STEP: Binding KSA gcsfuse-test-sa to GCP service account gcsfuse-test-sa-4401@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:27:13.314
    STEP: Creating Kubernetes service account gcsfuse-test-sa annotated with GCP service account gcsfuse-test-sa-4401@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:27:15.231
    I0522 09:27:15.231409   18333 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-test-sa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/22/26 09:27:15.453
    STEP: Granting GCS bucket access to ns-1 principal only @ 05/22/26 09:29:15.454
    I0522 09:29:19.359459   18333 gcsfuse_oidc_auth.go:539] Granted roles/storage.objectAdmin access to bucket 008ebe1c-aa27-4654-b587-b76b59c034c2 for principal serviceAccount:gcsfuse-test-sa-4401@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Waiting for IAM policy and WIF infrastructure propagation @ 05/22/26 09:29:19.359
    STEP: Deploying authorized pod in ns-1 with GCS write access @ 05/22/26 09:31:19.36
    I0522 09:31:19.360798 18333 specs.go:210] Creating Pod 
    I0522 09:31:20.311179   18333 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Deploying unauthorized pod in ns-2 with same KSA name but no GCS access @ 05/22/26 09:31:20.311
    I0522 09:31:20.311592 18333 specs.go:210] Creating Pod 
    STEP: Waiting for ns-1 pod (authorized identity) to reach Running state — confirms GCS mount succeeded @ 05/22/26 09:31:20.61
    STEP: Verifying the GCS volume is mounted read-write in ns-1 pod @ 05/22/26 09:31:25.514
    I0522 09:31:25.514396 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c mount | grep /mnt/gcs | grep rw,] Namespace:workload-identity-federation-4401 PodName:gcsfuse-volume-tester-m7nzs ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:31:25.514467 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:31:25.514655 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-4401/pods/gcsfuse-volume-tester-m7nzs/exec?command=%2Fbin%2Fsh&command=-c&command=mount+%7C+grep+%2Fmnt%2Fgcs+%7C+grep+rw%2C&container=volume-tester&stderr=true&stdout=true)
    I0522 09:31:26.386826 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:31:26.386973 18333 specs.go:305] Operation succeeded.
    STEP: Verifying ns-1 pod (authorized identity) can write to the GCS bucket @ 05/22/26 09:31:26.387
    I0522 09:31:26.387087 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c dd if=/dev/urandom bs=1M count=1 of=/mnt/gcs/ns1-test.bin 2>&1] Namespace:workload-identity-federation-4401 PodName:gcsfuse-volume-tester-m7nzs ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:31:26.387110 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:31:26.387216 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-4401/pods/gcsfuse-volume-tester-m7nzs/exec?command=%2Fbin%2Fsh&command=-c&command=dd+if%3D%2Fdev%2Furandom+bs%3D1M+count%3D1+of%3D%2Fmnt%2Fgcs%2Fns1-test.bin+2%3E%261&container=volume-tester&stderr=true&stdout=true)
    I0522 09:31:27.376857 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:31:27.376988 18333 specs.go:305] Operation succeeded.
    STEP: Polling ns-2 GCS FUSE sidecar logs for 403 Forbidden (confirms IAM denial, not a mount issue) @ 05/22/26 09:31:27.377
    STEP: Deleting pod gcsfuse-volume-tester-fwzrd in namespace wif-isolation-tgkvg @ 05/22/26 09:31:27.654
    STEP: Deleting pod gcsfuse-volume-tester-m7nzs in namespace workload-identity-federation-4401 @ 05/22/26 09:31:27.926
    I0522 09:31:31.899604   18333 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-test-sa
    I0522 09:31:32.167209   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/gcsfuse-test-sa-4401@prod-y-in2508995.iam.gserviceaccount.com
    I0522 09:31:33.567645   18333 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-test-sa
    I0522 09:31:33.823936   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/wif-isolation-tgkvg@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Deleting bucket "008ebe1c-aa27-4654-b587-b76b59c034c2" @ 05/22/26 09:31:35.465
    I0522 09:31:38.177879   18333 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-4401" for this suite. @ 05/22/26 09:31:38.421
  • [280.433 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSS
  ------------------------------
  E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should enforce different GCS bucket permissions for different Kubernetes service accounts
  /home/sudhir_shanmugam/sudhir/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:546
    STEP: Creating a kubernetes client @ 05/22/26 09:31:38.685
    I0522 09:31:38.685297 18333 util.go:453] >>> kubeConfig: /home/sudhir_shanmugam/.kube/config
    STEP: Building a namespace api object, basename workload-identity-federation @ 05/22/26 09:31:38.69
    STEP: Waiting for a default service account to be provisioned in namespace @ 05/22/26 09:31:39.395
    STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/22/26 09:31:39.812
    I0522 09:31:40.272133   18333 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
    I0522 09:31:40.517783 18333 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
    STEP: Creating bucket "d9ff41dc-8a84-4201-98df-387c0080f429" @ 05/22/26 09:31:40.518
    STEP: Creating GCP service account: wif-reader-ksa-5375 @ 05/22/26 09:31:44.674
    I0522 09:31:44.674608   18333 iam_utils.go:120] Creating GCP IAM Service Account wif-reader-ksa-5375
    STEP: Binding KSA wif-reader-ksa to GCP service account wif-reader-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:31:47.803
    STEP: Creating Kubernetes service account wif-reader-ksa annotated with GCP service account wif-reader-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:31:50.741
    I0522 09:31:50.741817   18333 iam_utils.go:94] Creating Kubernetes Service Account wif-reader-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/22/26 09:31:50.963
    STEP: Creating GCP service account: wif-readwriter-ksa-5375 @ 05/22/26 09:33:50.965
    I0522 09:33:50.965601   18333 iam_utils.go:120] Creating GCP IAM Service Account wif-readwriter-ksa-5375
    STEP: Binding KSA wif-readwriter-ksa to GCP service account wif-readwriter-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:33:53.266
    STEP: Creating Kubernetes service account wif-readwriter-ksa annotated with GCP service account wif-readwriter-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:33:56.269
    I0522 09:33:56.269066   18333 iam_utils.go:94] Creating Kubernetes Service Account wif-readwriter-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/22/26 09:33:56.99
    STEP: Creating GCP service account: wif-noaccess-ksa-5375 @ 05/22/26 09:35:56.992
    I0522 09:35:56.992846   18333 iam_utils.go:120] Creating GCP IAM Service Account wif-noaccess-ksa-5375
    STEP: Binding KSA wif-noaccess-ksa to GCP service account wif-noaccess-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/22/26 09:36:00.36
    STEP: Creating Kubernetes service account wif-noaccess-ksa annotated with GCP service account wif-noaccess-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com @ 05/22/26 09:36:03.278
    I0522 09:36:03.278883   18333 iam_utils.go:94] Creating Kubernetes Service Account wif-noaccess-ksa
    STEP: Waiting for Workload Identity binding to propagate globally (~2 minutes) @ 05/22/26 09:36:04.004
    STEP: Granting objectViewer to reader KSA and objectAdmin to read-writer KSA; no binding for no-access KSA @ 05/22/26 09:38:04.005
    I0522 09:38:07.734443   18333 gcsfuse_oidc_auth.go:539] Granted roles/storage.objectViewer access to bucket d9ff41dc-8a84-4201-98df-387c0080f429 for principal serviceAccount:wif-reader-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com
    I0522 09:38:11.567422   18333 gcsfuse_oidc_auth.go:539] Granted roles/storage.objectAdmin access to bucket d9ff41dc-8a84-4201-98df-387c0080f429 for principal serviceAccount:wif-readwriter-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Waiting for IAM policy propagation @ 05/22/26 09:38:11.567
    STEP: Deploying reader pod (objectViewer) @ 05/22/26 09:40:11.568
    I0522 09:40:11.569124 18333 specs.go:210] Creating Pod 
    I0522 09:40:12.368013   18333 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Verifying reader KSA can list objects in the bucket @ 05/22/26 09:40:17.292
    I0522 09:40:17.292530 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c ls /mnt/gcs] Namespace:workload-identity-federation-5375 PodName:gcsfuse-volume-tester-7r5qc ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:40:17.292989 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:40:17.293135 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-5375/pods/gcsfuse-volume-tester-7r5qc/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fmnt%2Fgcs&container=volume-tester&stderr=true&stdout=true)
    I0522 09:40:18.137322 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:40:18.137406 18333 specs.go:305] Operation succeeded.
    STEP: Verifying reader KSA cannot write to the bucket (objectViewer denies object creation) @ 05/22/26 09:40:18.137
    I0522 09:40:18.137506 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c touch /mnt/gcs/readwriter-write-test.txt] Namespace:workload-identity-federation-5375 PodName:gcsfuse-volume-tester-7r5qc ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:40:18.137530 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:40:18.137682 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-5375/pods/gcsfuse-volume-tester-7r5qc/exec?command=%2Fbin%2Fsh&command=-c&command=touch+%2Fmnt%2Fgcs%2Freadwriter-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:40:19.039476 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:40:19.039635 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:40:24.521131 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c touch /mnt/gcs/readwriter-write-test.txt] Namespace:workload-identity-federation-5375 PodName:gcsfuse-volume-tester-7r5qc ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:40:24.521231 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:40:24.521381 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-5375/pods/gcsfuse-volume-tester-7r5qc/exec?command=%2Fbin%2Fsh&command=-c&command=touch+%2Fmnt%2Fgcs%2Freadwriter-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:40:25.342188 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:40:25.342294 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:40:36.111116 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c touch /mnt/gcs/readwriter-write-test.txt] Namespace:workload-identity-federation-5375 PodName:gcsfuse-volume-tester-7r5qc ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:40:36.111198 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:40:36.111464 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-5375/pods/gcsfuse-volume-tester-7r5qc/exec?command=%2Fbin%2Fsh&command=-c&command=touch+%2Fmnt%2Fgcs%2Freadwriter-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:40:36.944248 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:40:36.944349 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:40:57.341052 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c touch /mnt/gcs/readwriter-write-test.txt] Namespace:workload-identity-federation-5375 PodName:gcsfuse-volume-tester-7r5qc ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:40:57.341152 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:40:57.341312 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-5375/pods/gcsfuse-volume-tester-7r5qc/exec?command=%2Fbin%2Fsh&command=-c&command=touch+%2Fmnt%2Fgcs%2Freadwriter-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:40:58.238098 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:40:58.238182 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:41:38.534407 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c touch /mnt/gcs/readwriter-write-test.txt] Namespace:workload-identity-federation-5375 PodName:gcsfuse-volume-tester-7r5qc ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:41:38.534501 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:41:38.534686 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-5375/pods/gcsfuse-volume-tester-7r5qc/exec?command=%2Fbin%2Fsh&command=-c&command=touch+%2Fmnt%2Fgcs%2Freadwriter-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:41:39.337761 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: command terminated with exit code 1
    I0522 09:41:39.337893 18333 specs.go:296] Operation failed with error: command terminated with exit code 1. Retrying...
    I0522 09:43:06.265174 18333 specs.go:303] Operation failed after 8 steps (total time/cap: 2m0s). Last error: command terminated with exit code 1
    STEP: Deleting pod gcsfuse-volume-tester-7r5qc in namespace workload-identity-federation-5375 @ 05/22/26 09:43:06.265
    STEP: Deploying read-writer pod (objectAdmin) @ 05/22/26 09:43:07.067
    I0522 09:43:07.067835 18333 specs.go:210] Creating Pod 
    I0522 09:43:07.376586   18333 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Verifying read-writer KSA can list objects in the bucket @ 05/22/26 09:43:12.27
    I0522 09:43:12.270496 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c ls /mnt/gcs] Namespace:workload-identity-federation-5375 PodName:gcsfuse-volume-tester-rnf92 ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:43:12.270541 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:43:12.270633 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-5375/pods/gcsfuse-volume-tester-rnf92/exec?command=%2Fbin%2Fsh&command=-c&command=ls+%2Fmnt%2Fgcs&container=volume-tester&stderr=true&stdout=true)
    I0522 09:43:13.104602 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:43:13.104694 18333 specs.go:305] Operation succeeded.
    STEP: Verifying read-writer KSA can write a file to the bucket @ 05/22/26 09:43:13.104
    I0522 09:43:13.104803 18333 exec_util.go:63] ExecWithOptions {Command:[/bin/sh -c touch /mnt/gcs/readwriter-write-test.txt] Namespace:workload-identity-federation-5375 PodName:gcsfuse-volume-tester-rnf92 ContainerName:volume-tester Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:false Quiet:false}
    I0522 09:43:13.104830 18333 exec_util.go:68] ExecWithOptions: Clientset creation
    I0522 09:43:13.104963 18333 exec_util.go:84] ExecWithOptions: execute(https://35.184.6.253/api/v1/namespaces/workload-identity-federation-5375/pods/gcsfuse-volume-tester-rnf92/exec?command=%2Fbin%2Fsh&command=-c&command=touch+%2Fmnt%2Fgcs%2Freadwriter-write-test.txt&container=volume-tester&stderr=true&stdout=true)
    I0522 09:43:13.919010 18333 exec_util.go:201] unexpected error trying to use websockets for pod exec: <nil>
    I0522 09:43:13.919120 18333 specs.go:305] Operation succeeded.
    STEP: Deleting pod gcsfuse-volume-tester-rnf92 in namespace workload-identity-federation-5375 @ 05/22/26 09:43:13.919
    STEP: Deploying no-access pod (no bucket IAM binding) @ 05/22/26 09:43:14.184
    I0522 09:43:14.184596 18333 specs.go:210] Creating Pod 
    I0522 09:43:15.115399   18333 warnings.go:110] "Warning: would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"volume-tester\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"volume-tester\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"volume-tester\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"volume-tester\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
    STEP: Verifying no-access KSA cannot mount the bucket (expects FailedMount event with PermissionDenied) @ 05/22/26 09:43:15.115
    STEP: Deleting pod gcsfuse-volume-tester-fpsgq in namespace workload-identity-federation-5375 @ 05/22/26 09:45:17.343
    I0522 09:45:24.696022   18333 iam_utils.go:101] Deleting Kubernetes Service Account wif-noaccess-ksa
    I0522 09:45:24.968519   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/wif-noaccess-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com
    I0522 09:45:26.412326   18333 iam_utils.go:101] Deleting Kubernetes Service Account wif-readwriter-ksa
    I0522 09:45:26.673875   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/wif-readwriter-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com
    I0522 09:45:28.075216   18333 iam_utils.go:101] Deleting Kubernetes Service Account wif-reader-ksa
    I0522 09:45:28.347951   18333 iam_utils.go:174] Deleting GCP IAM Service Account projects/prod-y-in2508995/serviceAccounts/wif-reader-ksa-5375@prod-y-in2508995.iam.gserviceaccount.com
    STEP: Deleting bucket "d9ff41dc-8a84-4201-98df-387c0080f429" @ 05/22/26 09:45:29.721
    I0522 09:45:32.987713   18333 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
    STEP: Destroying namespace "workload-identity-federation-5375" for this suite. @ 05/22/26 09:45:33.252
  • [834.839 seconds]
  ------------------------------
  SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
  ------------------------------
  [ReportAfterSuite] Autogenerated ReportAfterSuite for --junit-report
  autogenerated by Ginkgo
  [ReportAfterSuite] PASSED [0.062 seconds]
  ------------------------------

  Ran 6 of 566 Specs in 2037.616 seconds
  SUCCESS! -- 6 Passed | 0 Failed | 0 Pending | 560 Skipped
  PASS

  Ginkgo ran 1 suite in 34m7.809256276s
  Test Suite Passed
sudhir_shanmugam@cloudshell:~/sudhir/gcs-fuse-csi-driver (prod-y-in2508995)$ 
