should fail authentication when KSA is not bound to IAM service account

[tanuja-sunda73]

What type of PR is this?
/kind feature

What this PR does / why we need it:
Adds a WIF E2E test that is - should fail authentication when KSA is not bound to IAM service account. Supports both OSS (external WIF via OIDC pool/provider) and GKE (native Workload Identity) clusters via IS_OSS.

Which issue(s) this PR fixes:
N/A

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tanuja-sunda73

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[google-oss-prow]

Hi @tanuja-sunda73. Thanks for your PR.

I'm waiting for a GoogleCloudPlatform member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gemini-code-assist]

Code Review

This pull request introduces a new E2E test suite for Workload Identity Federation and updates the GCSFuseCSITestDriver to support WIF-specific IAM member formatting. Review feedback highlights the need to maintain the iamPropagationWaitTime constant rather than using hardcoded values, suggests using idiomatic Gomega functions like Eventually and Consistently for test polling, and recommends removing the unused addWorkloadIdentityBinding function.

[gemini-code-assist]

The removal of the iamPropagationWaitTime constant and replacing it with a hardcoded 5 * time.Minute value reduces maintainability. Furthermore, the reduction from 10 minutes to 5 minutes is not explained and could lead to flakiness if IAM propagation takes longer than expected. It is better to retain the constant and use it here and in other similar locations (e.g., line 172).

[gemini-code-assist]

Using a manual loop with time.Sleep for polling is non-idiomatic in Ginkgo/Gomega. Consider using gomega.Eventually to wait for the expected event. This makes the test more robust and readable.

[gemini-code-assist]

This manual polling loop should be replaced with gomega.Consistently to verify that the pod phase does not become Running over the specified duration. This is more idiomatic and expressive in Ginkgo tests.

[mattcary]

Use one of the polling functions rather than a sleep loop -- see examples elsewhere in this test suite.

[tanuja-sunda73]

Manual testing for this testcase
On OSS:-
E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail authentication when KSA is not bound to IAM service account
/root/gcs-fuse-csi-driver/test/e2e/testsuites/workloadfederation.go:255
STEP: Creating a kubernetes client @ 05/14/26 09:51:57.253
I0514 09:51:57.253189 2274829 util.go:453] >>> kubeConfig: /etc/kubernetes/admin.conf
STEP: Building a namespace api object, basename workload-identity-federation @ 05/14/26 09:51:57.254
STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 09:51:57.278
STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 09:51:57.282
I0514 09:51:57.286042 2274829 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
I0514 09:51:57.289782 2274829 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
STEP: Creating bucket "8909a828-ec9e-4732-8704-4b0670e38c83" @ 05/14/26 09:51:57.291
STEP: Getting GCP project number @ 05/14/26 09:51:58.437
STEP: Creating workload identity pool: gcs-fuse-oidc-pool-1 @ 05/14/26 09:51:59.435
STEP: Creating workload identity provider: gcs-fuse-oidc-provider-1 @ 05/14/26 09:52:00.899
STEP: Generating credential configuration @ 05/14/26 09:52:02.587
STEP: Creating Kubernetes service account: gcs-fuse-oidc-ksa @ 05/14/26 09:52:02.587
I0514 09:52:02.592137 2274829 gcsfuse_oidc_auth.go:509] Created service account: gcs-fuse-oidc-ksa
STEP: Creating credential ConfigMap: oidc-auth-failure-credentials @ 05/14/26 09:52:02.592
I0514 09:52:02.596209 2274829 gcsfuse_oidc_auth.go:533] Created ConfigMap: oidc-auth-failure-credentials
STEP: Deploying pod @ 05/14/26 09:52:02.596
I0514 09:52:02.596375 2274829 specs.go:210] Creating Pod
I0514 09:52:02.616786 2274829 warnings.go:110] "Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "volume-tester" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "volume-tester" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "volume-tester" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "volume-tester" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")"
STEP: Waiting for PermissionDenied auth failure @ 05/14/26 09:52:02.617
STEP: CreateContainerError on volume-tester: failed to generate container "e26dd809de9a37a88a260ff37e784a0aa57bc2cf2a2f926299a7328fea56268e" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/7b2d0fe0-59fe-4e3f-9847-c58212d7f3bf/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/7b2d0fe0-59fe-4e3f-9847-c58212d7f3bf/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/14/26 09:52:07.63
STEP: Event [Scheduled]: Successfully assigned workload-identity-federation-599/gcsfuse-volume-tester-r82pw to kub-n-1 @ 05/14/26 09:52:07.633
STEP: Event [Pulled]: Container image "gcr.io/gke-release/gcs-fuse-csi-driver-sidecar-mounter:v1.23.4-gke.1" already present on machine @ 05/14/26 09:52:07.633
STEP: Event [Created]: Created container gke-gcsfuse-sidecar @ 05/14/26 09:52:07.633
STEP: Event [Started]: Started container gke-gcsfuse-sidecar @ 05/14/26 09:52:07.633
STEP: Event [Pulled]: Container image "registry.k8s.io/e2e-test-images/busybox:1.36.1-1" already present on machine @ 05/14/26 09:52:07.633
STEP: Event [Failed]: Error: failed to generate container "e26dd809de9a37a88a260ff37e784a0aa57bc2cf2a2f926299a7328fea56268e" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/7b2d0fe0-59fe-4e3f-9847-c58212d7f3bf/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/7b2d0fe0-59fe-4e3f-9847-c58212d7f3bf/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/14/26 09:52:07.633
STEP: Event [Failed]: Error: failed to generate container "f9e34ff07c9658f124e2037016e219562647ecf39516721d53556f7749251d6c" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/7b2d0fe0-59fe-4e3f-9847-c58212d7f3bf/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/7b2d0fe0-59fe-4e3f-9847-c58212d7f3bf/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/14/26 09:52:07.633
STEP: Event [FailedMount]: MountVolume.SetUp failed for volume "gcs-volume" : rpc error: code = PermissionDenied desc = gcsfuse failed with error: Error: mountWithStorageHandle: fs.NewServer: create file system: SetUpBucket: BucketHandle: storageLayout call failed: GetStorageLayout for "projects/_/buckets/8909a828-ec9e-4732-8704-4b0670e38c83/storageLayout" failed with a non-retryable error: rpc error: code = PermissionDenied desc = Caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).
gcsfuse exited with error: exit status 1
@ 05/14/26 09:52:07.633
STEP: Confirmed PermissionDenied auth failure @ 05/14/26 09:52:07.633
STEP: Confirming pod never reaches Running state @ 05/14/26 09:52:07.633
STEP: Deleting pod gcsfuse-volume-tester-r82pw in namespace workload-identity-federation-599 @ 05/14/26 09:53:07.736
STEP: Deleting bucket "8909a828-ec9e-4732-8704-4b0670e38c83" @ 05/14/26 09:53:07.753
I0514 09:53:08.241025 2274829 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
STEP: Destroying namespace "workload-identity-federation-599" for this suite. @ 05/14/26 09:53:08.246
• [70.999 seconds]

---

SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Ran 1 of 478 Specs in 71.026 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 477 Skipped
PASS

Ginkgo ran 1 suite in 1m17.051477382s
Test Suite Passed

On GKE:-
E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail authentication when KSA is not bound to IAM service account
/home/gcptest2404/pravin/upstream/gcs-fuse-csi-driver/test/e2e/testsuites/workloads_identity_federation.go:255
STEP: Creating a kubernetes client @ 05/14/26 10:31:12.618
I0514 10:31:12.618500 71423 util.go:453] >>> kubeConfig: /home/gcptest2404/.kube/config
STEP: Building a namespace api object, basename workload-identity-federation @ 05/14/26 10:31:12.619
STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 10:31:13.751
STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 10:31:14.17
I0514 10:31:14.620200 71423 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
I0514 10:31:14.871725 71423 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
STEP: Creating bucket "defd808a-ad04-4ddd-8761-04810809f1e4" @ 05/14/26 10:31:14.873
STEP: Creating unbound KSA @ 05/14/26 10:31:18.755
STEP: Deploying pod @ 05/14/26 10:31:18.982
I0514 10:31:18.982575 71423 specs.go:210] Creating Pod
I0514 10:31:19.266048 71423 warnings.go:110] "Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "volume-tester" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "volume-tester" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "volume-tester" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "volume-tester" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")"
STEP: Waiting for PermissionDenied auth failure @ 05/14/26 10:31:19.266
STEP: Event [Scheduled]: Successfully assigned workload-identity-federation-7760/gcsfuse-volume-tester-r95zv to gke-my-gke-cluster-default-pool-ee2edc56-39zq @ 05/14/26 10:31:19.748
STEP: Event [FailedMount]: MountVolume.SetUp failed for volume "gcs-volume" : rpc error: code = PermissionDenied desc = failed to get GCS bucket "defd808a-ad04-4ddd-8761-04810809f1e4": rpc error: code = PermissionDenied desc = Caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). @ 05/14/26 10:31:19.749
STEP: Confirmed PermissionDenied auth failure @ 05/14/26 10:31:19.749
STEP: Confirming pod never reaches Running state @ 05/14/26 10:31:19.749
STEP: Deleting pod gcsfuse-volume-tester-r95zv in namespace workload-identity-federation-7760 @ 05/14/26 10:32:21.266
STEP: Deleting bucket "defd808a-ad04-4ddd-8761-04810809f1e4" @ 05/14/26 10:32:21.801
I0514 10:32:23.647664 71423 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
STEP: Destroying namespace "workload-identity-federation-7760" for this suite. @ 05/14/26 10:32:23.903
• [71.548 seconds]

---

SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Ran 1 of 479 Specs in 71.576 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 478 Skipped
PASS

Ginkgo ran 1 suite in 1m19.448944168s
Test Suite Passed

[mattcary]

/ok-to-test

[tanuja-sunda73]

solved the conflicts and reran the tests
Logs
OSS:-

E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail authentication when KSA is not bound to IAM service account
/root/gcs-fuse-csi-driver/test/e2e/testsuites/workloadfederation.go:294

STEP: Creating a kubernetes client @ 05/25/26 04:43:19.946
I0525 04:43:19.946180 2139380 util.go:453] >>> kubeConfig: /etc/kubernetes/admin.conf
STEP: Building a namespace api object, basename workload-identity-federation @ 05/25/26 04:43:19.947
STEP: Waiting for a default service account to be provisioned in namespace @ 05/25/26 04:43:19.98
STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/25/26 04:43:19.984
I0525 04:43:19.987571 2139380 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
I0525 04:43:19.991492 2139380 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
STEP: Creating bucket "209182cc-8508-4af6-88a0-0ae12d80f442" @ 05/25/26 04:43:19.992
STEP: Getting GCP project number @ 05/25/26 04:43:21.042
STEP: Creating workload identity pool: gcs-fuse-oidc-pool-1 @ 05/25/26 04:43:22.191
STEP: Getting cluster OIDC issuer URL @ 05/25/26 04:43:23.747
STEP: Creating workload identity provider: gcs-fuse-oidc-provider-1 @ 05/25/26 04:43:23.747
STEP: Generating credential configuration @ 05/25/26 04:43:25.422
STEP: Creating Kubernetes service account: gcs-fuse-oidc-ksa @ 05/25/26 04:43:25.423
I0525 04:43:25.427029 2139380 gcsfuse_oidc_auth.go:479] Created service account: gcs-fuse-oidc-ksa in namespace workload-identity-federation-389
STEP: Creating credential ConfigMap: oidc-auth-failure-credentials @ 05/25/26 04:43:25.427
I0525 04:43:25.431498 2139380 gcsfuse_oidc_auth.go:513] Created ConfigMap: oidc-auth-failure-credentials in namespace workload-identity-federation-389
STEP: Deploying pod @ 05/25/26 04:43:25.431
I0525 04:43:25.431634 2139380 specs.go:210] Creating Pod
I0525 04:43:25.451530 2139380 warnings.go:110] "Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "volume-tester" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "volume-tester" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "volume-tester" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "volume-tester" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")"
STEP: Waiting for PermissionDenied auth failure @ 05/25/26 04:43:25.451
STEP: CreateContainerError on volume-tester: failed to generate container "ad01d2bb66052b66ee004660edf17f9cbcb356b78e40b727451a1a8e65b2ad85" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/25/26 04:43:30.459
STEP: Event [Scheduled]: Successfully assigned workload-identity-federation-389/gcsfuse-volume-tester-4zwz7 to kub-n-1 @ 05/25/26 04:43:30.462
STEP: Event [Pulled]: Container image "gcr.io/gke-release/gcs-fuse-csi-driver-sidecar-mounter:v1.23.4-gke.1" already present on machine @ 05/25/26 04:43:30.462
STEP: Event [Created]: Created container gke-gcsfuse-sidecar @ 05/25/26 04:43:30.462
STEP: Event [Started]: Started container gke-gcsfuse-sidecar @ 05/25/26 04:43:30.462
STEP: Event [Pulled]: Container image "registry.k8s.io/e2e-test-images/busybox:1.36.1-1" already present on machine @ 05/25/26 04:43:30.462
STEP: Event [Failed]: Error: failed to generate container "ad01d2bb66052b66ee004660edf17f9cbcb356b78e40b727451a1a8e65b2ad85" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/25/26 04:43:30.462
STEP: WARNING: non-auth signal (may be side effect): Error: failed to generate container "ad01d2bb66052b66ee004660edf17f9cbcb356b78e40b727451a1a8e65b2ad85" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/25/26 04:43:30.462
STEP: Event [Failed]: Error: failed to generate container "c1e32dd122791e588f2c1160502cc311bf716b34f6d48a5152424a7df2ac74d7" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/25/26 04:43:30.462
STEP: WARNING: non-auth signal (may be side effect): Error: failed to generate container "c1e32dd122791e588f2c1160502cc311bf716b34f6d48a5152424a7df2ac74d7" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/48320062-5118-48d9-9eaf-324b1a962f5b/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/25/26 04:43:30.462
STEP: Event [FailedMount]: MountVolume.SetUp failed for volume "gcs-volume" : rpc error: code = PermissionDenied desc = gcsfuse failed with error: Error: mountWithStorageHandle: fs.NewServer: create file system: SetUpBucket: BucketHandle: storageLayout call failed: GetStorageLayout for "projects/_/buckets/209182cc-8508-4af6-88a0-0ae12d80f442/storageLayout" failed with a non-retryable error: rpc error: code = PermissionDenied desc = Caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).
gcsfuse exited with error: exit status 1
@ 05/25/26 04:43:30.462
STEP: Confirmed PermissionDenied auth failure @ 05/25/26 04:43:30.462
STEP: Confirming pod never reaches Running state @ 05/25/26 04:43:30.462
STEP: Deleting pod gcsfuse-volume-tester-4zwz7 in namespace workload-identity-federation-389 @ 05/25/26 04:44:30.464
STEP: Deleting bucket "209182cc-8508-4af6-88a0-0ae12d80f442" @ 05/25/26 04:44:30.484
I0525 04:44:30.748664 2139380 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
STEP: Destroying namespace "workload-identity-federation-389" for this suite. @ 05/25/26 04:44:30.753
• [70.813 seconds]

---

SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Ran 1 of 481 Specs in 70.842 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 480 Skipped
PASS

Ginkgo ran 1 suite in 2m15.825898823s
Test Suite Passed

GKE:-
E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail authentication when KSA is not bound to IAM service account
/home/gcptest2404/pravin/upstream/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:294
STEP: Creating a kubernetes client @ 05/25/26 04:57:34.615
I0525 04:57:34.615660 1353 util.go:453] >>> kubeConfig: /home/gcptest2404/.kube/config
STEP: Building a namespace api object, basename workload-identity-federation @ 05/25/26 04:57:34.617
STEP: Waiting for a default service account to be provisioned in namespace @ 05/25/26 04:57:37.061
STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/25/26 04:57:37.487
I0525 04:57:37.999701 1353 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
I0525 04:57:38.270887 1353 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
STEP: Creating bucket "5682d9b8-eab9-4adb-8cad-e303fb061a16" @ 05/25/26 04:57:38.272
STEP: Creating unbound KSA @ 05/25/26 04:57:40.932
STEP: Deploying pod @ 05/25/26 04:57:41.158
I0525 04:57:41.158616 1353 specs.go:210] Creating Pod
I0525 04:57:41.552340 1353 warnings.go:110] "Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "volume-tester" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "volume-tester" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "volume-tester" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "volume-tester" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")"
STEP: Waiting for PermissionDenied auth failure @ 05/25/26 04:57:41.552
STEP: Event [Scheduled]: Successfully assigned workload-identity-federation-1287/gcsfuse-volume-tester-jhtmv to gke-cluster-2-default-pool-df481c8e-vfmx @ 05/25/26 04:57:47.017
STEP: Event [FailedMount]: MountVolume.SetUp failed for volume "gcs-volume" : rpc error: code = PermissionDenied desc = failed to get GCS bucket "5682d9b8-eab9-4adb-8cad-e303fb061a16": rpc error: code = PermissionDenied desc = Caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). @ 05/25/26 04:57:47.017
STEP: Confirmed PermissionDenied auth failure @ 05/25/26 04:57:47.017
STEP: Confirming pod never reaches Running state @ 05/25/26 04:57:47.017
STEP: Deleting pod gcsfuse-volume-tester-jhtmv in namespace workload-identity-federation-1287 @ 05/25/26 04:58:47.019
STEP: Deleting bucket "5682d9b8-eab9-4adb-8cad-e303fb061a16" @ 05/25/26 04:58:47.611
I0525 04:58:49.637612 1353 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
STEP: Destroying namespace "workload-identity-federation-1287" for this suite. @ 05/25/26 04:58:49.897
• [75.554 seconds]

---

SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Ran 1 of 482 Specs in 75.581 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 481 Skipped
PASS

Ginkgo ran 1 suite in 3m29.564968948s
Test Suite Passed

[mattcary]

Tests look good. You need to get the CLA worked out though.