Add test for checking user-facing resources can be manipulated by non-cluster-admin #3033
@@ -2,6 +2,8 @@ package tests | |
|
||
import ( | ||
"context" | ||
"fmt" | ||
"strings" | ||
"time" | ||
|
||
. "github.com/onsi/ginkgo/v2" | ||
|
@@ -148,6 +150,34 @@ var _ = Describe("Aggregated role in-action tests", Serial, func() { | |
Entry("[test_id:3949]can do everything with edit", "edit"), | ||
) | ||
|
||
DescribeTable("check all user facing resources can be manipulated by non-cluster-admin", func(user string) { | ||
var namespacedCDIAPIResourcesPlural []string | ||
// Also retrieves API resources that are not served via CRDs | ||
outputAPIResources, err := f.RunKubectlCommand("api-resources", "--namespaced", "-o", "name") | ||
Expect(err).ToNot(HaveOccurred(), "ERR: %s, OUT: %s", err, outputAPIResources) | ||
for _, apiResource := range strings.Split(strings.TrimSpace(outputAPIResources), "\n") { | ||
if strings.HasSuffix(apiResource, "cdi.kubevirt.io") { | ||
plural := strings.Split(apiResource, ".")[0] | ||
namespacedCDIAPIResourcesPlural = append(namespacedCDIAPIResourcesPlural, plural) | ||
} | ||
} | ||
fmt.Fprintf(GinkgoWriter, "CDI namespaced API resources: %+v\n", namespacedCDIAPIResourcesPlural) | ||
Expect(len(namespacedCDIAPIResourcesPlural)).To(BeNumerically(">=", 5)) | ||
|
||
createServiceAccount(f.K8sClient, f.Namespace.Name, user) | ||
createRoleBinding(f.K8sClient, user, f.Namespace.Name, user) | ||
|
||
for _, resource := range namespacedCDIAPIResourcesPlural { | ||
sa := fmt.Sprintf("system:serviceaccount:%s:%s", f.Namespace.Name, user) | ||
result, err := f.RunKubectlCommand("auth", "can-i", "--as", sa, "*", resource, "--namespace", f.Namespace.Name) | ||
Expect(err).ToNot(HaveOccurred(), "no permission for %s, result: %s", resource, result) | ||
Expect(strings.TrimSpace(result)).To(Equal("yes")) | ||
} | ||
}, | ||
Entry("[test_id:XXXX]for admin", "admin"), | ||
Entry("[test_id:XXXX]for edit", "edit"), | ||
What about the
Good point. I took a stab at that and only "uploadtokenrequests" diverges. The cluster wide resources may need extra adjustments too
||
) | ||
|
||
It("[test_id:3950]view datavolume permission checks", func() { | ||
const user = "view" | ||
var cdiClient cdiClientset.Interface | ||
|
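Review bot: The two new table entries still carry the placeholder `[test_id:XXXX]`, while the neighbouring entries (`[test_id:3949]`, `[test_id:3950]`) carry real ids; the placeholder should be replaced with assigned ids before merge so the admin and edit cases are distinguishable in reports. The `sa` string built inside the `for _, resource := range namespacedCDIAPIResourcesPlural` loop does not depend on `resource`, so hoisting `sa := fmt.Sprintf("system:serviceaccount:%s:%s", f.Namespace.Name, user)` above the loop reads more clearly. The filter `strings.HasSuffix(apiResource, "cdi.kubevirt.io")` would also accept any group that merely ends in those characters; `strings.HasSuffix(apiResource, ".cdi.kubevirt.io")` keeps the CDI sub-groups while excluding look-alike groups. The `BeNumerically(">=", 5)` floor appears to be a guard that discovery actually returned CDI resources, and deserves a comment such as `// sanity check: discovery must list the CDI resources, otherwise the loop below asserts nothing`. The enclosing Describe block starts and ends outside the hunk.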
Maybe pass in a map or list of resources and rbac rules that a user should be allowed to do. This way we are checking all the aggregate roles and not just the admin ones.
I think we want to avoid passing a list of resources, and by doing that, we protect the project from introducing unusable new APIs in the future