Add test for checking user-facing resources can be manipulated by non-cluster-admin #3033

Open. Wants to merge 1 commit into base: main.
30 changes: 30 additions & 0 deletions tests/rbac_test.go
Expand Up @@ -2,6 +2,8 @@ package tests

import (
"context"
"fmt"
"strings"
"time"

. "github.com/onsi/ginkgo/v2"
Expand Down Expand Up @@ -148,6 +150,34 @@ var _ = Describe("Aggregated role in-action tests", Serial, func() {
Entry("[test_id:3949]can do everything with edit", "edit"),
)

DescribeTable("check all user facing resources can be manipulated by non-cluster-admin", func(user string) {
Member


Maybe pass in a map or list of resources and rbac rules that a user should be allowed to do. This way we are checking all the aggregate roles and not just the admin ones.

Collaborator Author


I think we want to avoid passing a list of resources, and by doing that, we protect the project from introducing unusable new APIs in the future.

var namespacedCDIAPIResourcesPlural []string
// Also retrieves API resources that are not served via CRDs
outputAPIResources, err := f.RunKubectlCommand("api-resources", "--namespaced", "-o", "name")
Expect(err).ToNot(HaveOccurred(), "ERR: %s, OUT: %s", err, outputAPIResources)
for _, apiResource := range strings.Split(strings.TrimSpace(outputAPIResources), "\n") {
if strings.HasSuffix(apiResource, "cdi.kubevirt.io") {
plural := strings.Split(apiResource, ".")[0]
namespacedCDIAPIResourcesPlural = append(namespacedCDIAPIResourcesPlural, plural)
}
}
fmt.Fprintf(GinkgoWriter, "CDI namespaced API resources: %+v\n", namespacedCDIAPIResourcesPlural)
Expect(len(namespacedCDIAPIResourcesPlural)).To(BeNumerically(">=", 5))

createServiceAccount(f.K8sClient, f.Namespace.Name, user)
createRoleBinding(f.K8sClient, user, f.Namespace.Name, user)

for _, resource := range namespacedCDIAPIResourcesPlural {
sa := fmt.Sprintf("system:serviceaccount:%s:%s", f.Namespace.Name, user)
result, err := f.RunKubectlCommand("auth", "can-i", "--as", sa, "*", resource, "--namespace", f.Namespace.Name)
Expect(err).ToNot(HaveOccurred(), "no permission for %s, result: %s", resource, result)
Expect(strings.TrimSpace(result)).To(Equal("yes"))
}
},
Entry("[test_id:XXXX]for admin", "admin"),
Entry("[test_id:XXXX]for edit", "edit"),
Member


What about the view user? They have much more limited access. But probably should still have get/list/watch on most resources.

Collaborator Author


Good point. I took a stab at that and only "uploadtokenrequests" diverges. The cluster-wide resources may need extra adjustments too.

)

It("[test_id:3950]view datavolume permission checks", func() {
const user = "view"
var cdiClient cdiClientset.Interface
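Review bot: the final assertion in the loop, `Expect(strings.TrimSpace(result)).To(Equal("yes"))`, carries no failure message, so when one resource is denied the report will not say which resource or which user was being checked; suggest `Expect(strings.TrimSpace(result)).To(Equal("yes"), "user %s lacks full access to %s", user, resource)`. Related: `kubectl auth can-i` exits non-zero when the answer is "no", so the preceding `Expect(err).ToNot(HaveOccurred(), "no permission for %s, ...")` is the branch that will actually fire on a denial, and its message then conflates a genuine kubectl failure (unreachable API, bad flags) with a denied permission; printing `err` alongside `result` there would keep the two distinguishable. Smaller points in the same hunk: `sa` does not depend on `resource` and can be built once before the `for`; the `[test_id:XXXX]` placeholders in both `Entry` lines need real IDs before merge; and the `>= 5` threshold on the discovered resource count deserves a comment naming the resources it expects, since a silent drop in served CDI APIs is exactly what that guard is meant to catch. Finally, because the verb passed to `can-i` is `*`, the check only answers "yes" when a role grants every verb, so this table cannot be extended to `view` as written; the thread's suggestion of a get/list/watch check (with the noted `uploadtokenrequests` divergence) would need a separate verb list rather than another `Entry`.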