should fail when node SA has bucket access but pod KSA does not

[tanuja-sunda73]

What type of PR is this?
/kind feature

What this PR does / why we need it:
Adds a WIF E2E test that is it should fail when node SA has bucket access but pod KSA does not — confirms no node SA fallback. Supports both OSS (external WIF via OIDC pool/provider) and GKE (native Workload Identity) clusters via IS_OSS.

Which issue(s) this PR fixes:
N/A

[google-oss-prow]

@tanuja-sunda73: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

Details

In response to this:

What type of PR is this?
/kind feature

What this PR does / why we need it:
Adds a WIF E2E test that is it should fail when node SA has bucket access but pod KSA does not — confirms no node SA fallback. Supports both OSS (external WIF via OIDC pool/provider) and GKE (native Workload Identity) clusters via IS_OSS.

Which issue(s) this PR fixes:
N/A

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tanuja-sunda73

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[google-oss-prow]

Hi @tanuja-sunda73. Thanks for your PR.

I'm waiting for a GoogleCloudPlatform member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gemini-code-assist]

Code Review

This pull request introduces a new E2E test suite for Workload Identity Federation (WIF) and refactors IAM member generation into a centralized helper method within the test driver. The reviewer identified several issues, including missing helper function definitions, the removal of the iamPropagationWaitTime constant, and potential risks with malformed IAM principal strings. Additionally, the reviewer provided actionable feedback to improve code quality, such as adopting idiomatic polling mechanisms instead of manual loops, using proper context handling for Ginkgo v2, replacing fragile project ID parsing, and reducing hardcoded sleep durations to improve test performance.

[gemini-code-assist]

Several helper functions (e.g., getProjectNumber, createWorkloadIdentityPool, getClusterOIDCIssuer, createWorkloadIdentityProvider, generateCredentialConfig, createServiceAccount, deleteServiceAccount, createCredentialConfigMap, deleteConfigMap) are used but not defined in this file or package. If these are new helpers, they should be included in the PR.

[mattcary]

It looks like this PR is not yet ready to review?

[gemini-code-assist]

The functions grantBucketAccess and revokeBucketAccess are used but not defined. Please ensure they are included in the PR or available in the testsuites package.

[gemini-code-assist]

The constant iamPropagationWaitTime was removed and replaced with hardcoded 5 * time.Minute values at lines 159 and 172. It is better to maintain the constant for readability and to avoid magic numbers. If the reduction from 10 to 5 minutes is intentional, the constant's value should be updated instead of being removed.

[gemini-code-assist]

When OSS_WIF_POOL_ID is set, the code assumes utils.ProjectNumberEnvVar is also available. If it's missing, the IAM principal string will be malformed. Consider adding a check for projectNumber.

	if wifPoolID := os.Getenv("OSS_WIF_POOL_ID"); wifPoolID != "" {
		projectNumber := os.Getenv(utils.ProjectNumberEnvVar)
		if projectNumber == "" {
			e2eframework.Failf("Environment variable %v must be set when OSS_WIF_POOL_ID is used", utils.ProjectNumberEnvVar)
		}
		return fmt.Sprintf("principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/system:serviceaccount:%s:%s",
			projectNumber, wifPoolID, serviceAccountNamespace, serviceAccountName)
	}

[gemini-code-assist]

In Ginkgo v2, it is recommended to use ginkgo.SpecContext or the context provided by the framework instead of context.Background() to ensure proper cancellation and timeout handling during tests.

[gemini-code-assist]

The logic to extract the project ID by taking the last line of the PROJECT environment variable is fragile and seems like a workaround for environment-specific output (like Cloud Shell warnings). It would be better to ensure the environment variable is clean or use a more robust parsing method.

[mattcary]

See other uses of ProjectEnvVar --- it's just used verbatium. So there's no need to add extra processing here.

[gemini-code-assist]

Using a manual loop with time.Sleep for polling is discouraged. Use wait.PollUntilContextTimeout or Gomega's Eventually for more robust and idiomatic polling logic.

[mattcary]

+1, use a poll ftn rather than a sleep loop.

[tanuja-sunda73]

Manual testing for this testcase
On OSS:

E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail when node SA has bucket access but pod KSA does not — confirms no node SA fallback
/root/gcs-fuse-csi-driver/test/e2e/testsuites/workloadfederation.go:297
STEP: Creating a kubernetes client @ 05/14/26 09:33:08.754
I0514 09:33:08.754956 2269884 util.go:453] >>> kubeConfig: /etc/kubernetes/admin.conf
STEP: Building a namespace api object, basename workload-identity-federation @ 05/14/26 09:33:08.755
STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 09:33:08.775
STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 09:33:08.779
I0514 09:33:08.784017 2269884 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
I0514 09:33:08.787642 2269884 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
STEP: Creating bucket "fb5c5686-8424-4530-b8a2-284b88a26f4c" @ 05/14/26 09:33:08.789
STEP: Getting GCP project number @ 05/14/26 09:33:09.942
STEP: Creating workload identity pool: gcs-fuse-oidc-pool-1 @ 05/14/26 09:33:10.949
STEP: Creating workload identity provider: gcs-fuse-oidc-provider-1 @ 05/14/26 09:33:12.428
STEP: Generating credential configuration @ 05/14/26 09:33:14.146
STEP: Creating Kubernetes service account: wif-node-access-pod-no-access-ksa @ 05/14/26 09:33:14.146
I0514 09:33:14.150810 2269884 gcsfuse_oidc_auth.go:509] Created service account: wif-node-access-pod-no-access-ksa
STEP: Creating credential ConfigMap: wif-node-access-pod-no-access-credentials @ 05/14/26 09:33:14.15
I0514 09:33:14.154691 2269884 gcsfuse_oidc_auth.go:533] Created ConfigMap: wif-node-access-pod-no-access-credentials
STEP: Granting bucket access to node SA only: serviceAccount:283386259326-compute@developer.gserviceaccount.com @ 05/14/26 09:33:14.154
I0514 09:33:16.114275 2269884 gcsfuse_oidc_auth.go:553] Granted roles/storage.objectAdmin access to bucket fb5c5686-8424-4530-b8a2-284b88a26f4c for principal serviceAccount:283386259326-compute@developer.gserviceaccount.com
STEP: Confirming pod principal has NO bucket access: principal://iam.googleapis.com/projects/283386259326/locations/global/workloadIdentityPools/gcs-fuse-oidc-pool-1/subject/system:serviceaccount:workload-identity-federation-7662:wif-node-access-pod-no-access-ksa @ 05/14/26 09:33:16.114
I0514 09:35:16.115860 2269884 specs.go:210] Creating Pod
I0514 09:35:16.144917 2269884 warnings.go:110] "Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "volume-tester" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "volume-tester" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "volume-tester" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "volume-tester" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")"
STEP: Waiting for PermissionDenied auth failure @ 05/14/26 09:35:16.145
STEP: CreateContainerError on volume-tester: failed to generate container "bdb7ad29e8df89267282202ed9bf710b65ffa98aff58287c1ceba2a6f36c207f" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/fc856dee-2d3d-4ce9-838c-7a5c17f0991a/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/fc856dee-2d3d-4ce9-838c-7a5c17f0991a/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/14/26 09:35:21.158
STEP: Event [Scheduled]: Successfully assigned workload-identity-federation-7662/gcsfuse-volume-tester-4rnhq to kub-n-1 @ 05/14/26 09:35:21.161
STEP: Event [Pulled]: Container image "gcr.io/gke-release/gcs-fuse-csi-driver-sidecar-mounter:v1.23.4-gke.1" already present on machine @ 05/14/26 09:35:21.161
STEP: Event [Created]: Created container gke-gcsfuse-sidecar @ 05/14/26 09:35:21.161
STEP: Event [Started]: Started container gke-gcsfuse-sidecar @ 05/14/26 09:35:21.161
STEP: Event [Pulled]: Container image "registry.k8s.io/e2e-test-images/busybox:1.36.1-1" already present on machine @ 05/14/26 09:35:21.161
STEP: Event [Failed]: Error: failed to generate container "bdb7ad29e8df89267282202ed9bf710b65ffa98aff58287c1ceba2a6f36c207f" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/fc856dee-2d3d-4ce9-838c-7a5c17f0991a/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/fc856dee-2d3d-4ce9-838c-7a5c17f0991a/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/14/26 09:35:21.161
STEP: Event [Failed]: Error: failed to generate container "6df6de96b0164f8213ccb163db5bfcdbe2d6bb749814fba667847953c01f8369" spec: failed to generate spec: failed to stat "/var/lib/kubelet/pods/fc856dee-2d3d-4ce9-838c-7a5c17f0991a/volumes/kubernetes.iocsi/gcs-volume/mount": stat /var/lib/kubelet/pods/fc856dee-2d3d-4ce9-838c-7a5c17f0991a/volumes/kubernetes.iocsi/gcs-volume/mount: transport endpoint is not connected @ 05/14/26 09:35:21.161
STEP: Event [FailedMount]: MountVolume.SetUp failed for volume "gcs-volume" : rpc error: code = PermissionDenied desc = gcsfuse failed with error: Error: mountWithStorageHandle: fs.NewServer: create file system: SetUpBucket: BucketHandle: storageLayout call failed: GetStorageLayout for "projects/_/buckets/fb5c5686-8424-4530-b8a2-284b88a26f4c/storageLayout" failed with a non-retryable error: rpc error: code = PermissionDenied desc = Caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).
gcsfuse exited with error: exit status 1
@ 05/14/26 09:35:21.161
STEP: Confirmed PermissionDenied auth failure @ 05/14/26 09:35:21.161
STEP: Confirming pod never reaches Running state @ 05/14/26 09:35:21.161
STEP: Deleting pod gcsfuse-volume-tester-4rnhq in namespace workload-identity-federation-7662 @ 05/14/26 09:36:21.262
STEP: Deleting bucket "fb5c5686-8424-4530-b8a2-284b88a26f4c" @ 05/14/26 09:36:23.204
I0514 09:36:23.579683 2269884 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
STEP: Destroying namespace "workload-identity-federation-7662" for this suite. @ 05/14/26 09:36:23.584
• [194.834 seconds]

SSSSSSSSSSSSSSSSSSSSSSSSSS

Ran 1 of 478 Specs in 194.865 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 477 Skipped
PASS

On GKE:

E2E Test Suite [Driver: gcsfuse.csi.storage.gke.io] [Testpattern: CSI Ephemeral-volume (default fs)] workload-identity-federation should fail when node SA has bucket access but pod KSA does not — confirms no node SA fallback
/home/gcptest2404/pravin/upstream/gcs-fuse-csi-driver/test/e2e/testsuites/workload_identity_federation.go:297
STEP: Creating a kubernetes client @ 05/14/26 09:28:46.371
I0514 09:28:46.371298 46159 util.go:453] >>> kubeConfig: /home/gcptest2404/.kube/config
STEP: Building a namespace api object, basename workload-identity-federation @ 05/14/26 09:28:46.372
STEP: Waiting for a default service account to be provisioned in namespace @ 05/14/26 09:28:49.18
STEP: Waiting for kube-root-ca.crt to be provisioned in namespace @ 05/14/26 09:28:49.596
I0514 09:28:50.057087 46159 iam_utils.go:94] Creating Kubernetes Service Account gcsfuse-csi-sa
I0514 09:28:50.304710 46159 volume_resource.go:128] Creating resource for CSI ephemeral inline volume
STEP: Creating bucket "c6d3a440-0af5-4ddc-9caf-6886c3988aa9" @ 05/14/26 09:28:50.306
STEP: Creating GCP service account: wif-node-access-pod-no-access @ 05/14/26 09:28:52.941
I0514 09:28:52.941141 46159 iam_utils.go:120] Creating GCP IAM Service Account wif-node-access-pod-no-access
STEP: Binding KSA wif-node-access-pod-no-access-ksa to GCP service account wif-node-access-pod-no-access@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com with roles/iam.workloadIdentityUser @ 05/14/26 09:28:56.297
STEP: Creating Kubernetes service account wif-node-access-pod-no-access-ksa annotated with GCP service account wif-node-access-pod-no-access@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com @ 05/14/26 09:28:59.101
I0514 09:28:59.101734 46159 iam_utils.go:94] Creating Kubernetes Service Account wif-node-access-pod-no-access-ksa
STEP: Waiting for Workload Identity binding to propagate globally (~60s) @ 05/14/26 09:28:59.332
STEP: Granting bucket access to node SA only: serviceAccount:1019643271805-compute@developer.gserviceaccount.com @ 05/14/26 09:30:59.333
I0514 09:31:04.010567 46159 gcsfuse_oidc_auth.go:518] Granted roles/storage.objectAdmin access to bucket c6d3a440-0af5-4ddc-9caf-6886c3988aa9 for principal serviceAccount:1019643271805-compute@developer.gserviceaccount.com
STEP: Confirming pod principal has NO bucket access: serviceAccount:wif-node-access-pod-no-access@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com @ 05/14/26 09:31:04.01
I0514 09:33:04.011356 46159 specs.go:210] Creating Pod
I0514 09:33:04.756497 46159 warnings.go:110] "Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "volume-tester" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "volume-tester" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "volume-tester" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "volume-tester" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")"
STEP: Waiting for PermissionDenied auth failure @ 05/14/26 09:33:04.756
STEP: Event [Scheduled]: Successfully assigned workload-identity-federation-4966/gcsfuse-volume-tester-lfq82 to gke-my-gke-cluster-default-pool-ee2edc56-39zq @ 05/14/26 09:33:05.226
STEP: Event [Scheduled]: Successfully assigned workload-identity-federation-4966/gcsfuse-volume-tester-lfq82 to gke-my-gke-cluster-default-pool-ee2edc56-39zq @ 05/14/26 09:33:10.672
STEP: Event [FailedMount]: MountVolume.SetUp failed for volume "gcs-volume" : rpc error: code = PermissionDenied desc = failed to get GCS bucket "c6d3a440-0af5-4ddc-9caf-6886c3988aa9": rpc error: code = PermissionDenied desc = wif-node-access-pod-no-access@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). @ 05/14/26 09:33:10.672
STEP: Confirmed PermissionDenied auth failure @ 05/14/26 09:33:10.672
STEP: Confirming pod never reaches Running state @ 05/14/26 09:33:10.672
STEP: Deleting pod gcsfuse-volume-tester-lfq82 in namespace workload-identity-federation-4966 @ 05/14/26 09:34:12.081
I0514 09:34:15.789050 46159 iam_utils.go:101] Deleting Kubernetes Service Account wif-node-access-pod-no-access-ksa
I0514 09:34:16.043504 46159 iam_utils.go:174] Deleting GCP IAM Service Account projects/project-b78250c9-d753-4d2f-ad7/serviceAccounts/wif-node-access-pod-no-access@project-b78250c9-d753-4d2f-ad7.iam.gserviceaccount.com
STEP: Deleting bucket "c6d3a440-0af5-4ddc-9caf-6886c3988aa9" @ 05/14/26 09:34:17.387
I0514 09:34:19.221834 46159 iam_utils.go:101] Deleting Kubernetes Service Account gcsfuse-csi-sa
STEP: Destroying namespace "workload-identity-federation-4966" for this suite. @ 05/14/26 09:34:19.481
• [333.381 seconds]

SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Ran 1 of 479 Specs in 333.411 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 478 Skipped
PASS

[mattcary]

/ok-to-test