

Add test for checking user-facing resources can be manipulated
This should guard against introducing user-facing resources that cannot be
manipulated by a non-cluster-admin user.

Signed-off-by: Alex Kalenyuk <[email protected]>
akalenyu committed Dec 13, 2023
1 parent 9a5f11e commit 4adb2dc
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions tests/rbac_test.go
Expand Up @@ -2,6 +2,8 @@ package tests

import (
"context"
"fmt"
"strings"
"time"

. "github.com/onsi/ginkgo/v2"
Expand Down Expand Up @@ -147,6 +149,34 @@ var _ = Describe("Aggregated role in-action tests", Serial, func() {
Entry("[test_id:3949]can do everything with edit", "edit"),
)

DescribeTable("check all user facing resources can be manipulated by non-cluster-admin", func(user string) {
var namespacedCDIAPIResourcesPlural []string
// Also retrieves API resources that are not served via CRDs
outputAPIResources, err := f.RunKubectlCommand("api-resources", "--namespaced", "-o", "name")
Expect(err).ToNot(HaveOccurred(), "ERR: %s, OUT: %s", err, outputAPIResources)
for _, apiResource := range strings.Split(strings.TrimSpace(outputAPIResources), "\n") {
if strings.Contains(apiResource, "cdi.kubevirt.io") {
plural := strings.Split(apiResource, ".")[0]
namespacedCDIAPIResourcesPlural = append(namespacedCDIAPIResourcesPlural, plural)
}
}
fmt.Fprintf(GinkgoWriter, "CDI namespaced API resources: %+v\n", namespacedCDIAPIResourcesPlural)
Expect(len(namespacedCDIAPIResourcesPlural)).To(BeNumerically(">=", 5))

createServiceAccount(f.K8sClient, f.Namespace.Name, user)
createRoleBinding(f.K8sClient, user, f.Namespace.Name, user)

for _, resource := range namespacedCDIAPIResourcesPlural {
sa := fmt.Sprintf("system:serviceaccount:%s:%s", f.Namespace.Name, user)
result, err := f.RunKubectlCommand("auth", "can-i", "--as", sa, "*", resource, "--namespace", f.Namespace.Name)
Expect(err).ToNot(HaveOccurred(), "no permission for %s, result: %s", resource, result)
Expect(strings.TrimSpace(result)).To(Equal("yes"))
}
},
Entry("[test_id:XXXX]for admin", "admin"),
Entry("[test_id:XXXX]for edit", "edit"),
)

It("[test_id:3950]view datavolume permission checks", func() {
const user = "view"
var cdiClient cdiClientset.Interface
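Review bot: Both entries of the new DescribeTable still carry the placeholder `[test_id:XXXX]` (the `for admin` and `for edit` entries), while the neighbouring entries use real ids such as `[test_id:3949]` and `[test_id:3950]`; these should be assigned before merge or the tag dropped, e.g. `Entry("[test_id:<ID>]for admin", "admin")`. A caveat worth a comment on the `auth can-i` call: RBAC rule matching treats a requested verb of `*` as satisfied only by a rule that literally grants `*`, so a role that enumerates its verbs would answer `no` here even though the user can in fact manipulate the resource — a one-line comment such as `// verb "*" is only satisfied by a rule granting "*"; the aggregated roles are expected to provide that` makes the expectation explicit. The `sa` string built inside the loop is loop-invariant and could be hoisted above the `for`. The enclosing Describe closure begins and ends outside the hunk.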
