Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add test for checking user-facing resources can be manipulated by non-cluster-admin #3033

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

akalenyu
Copy link
Collaborator

What this PR does / why we need it:
This should keep us from introducing user-facing resources that cannot be
manipulated by non-cluster-admin.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

NONE

@kubevirt-bot kubevirt-bot added release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Dec 13, 2023
@kubevirt-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from akalenyu. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@akalenyu
Copy link
Collaborator Author

/cc @awels

@akalenyu akalenyu changed the title Add test for checking user-facing resources can be manipulated Add test for checking user-facing resources can be manipulated by non-cluster-admin Dec 13, 2023
outputAPIResources, err := f.RunKubectlCommand("api-resources", "--namespaced", "-o", "name")
Expect(err).ToNot(HaveOccurred(), "ERR: %s, OUT: %s", err, outputAPIResources)
for _, apiResource := range strings.Split(strings.TrimSpace(outputAPIResources), "\n") {
if strings.Contains(apiResource, "cdi.kubevirt.io") {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe use HasSuffix instead of Contains. limits the matches a bit.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, updated for now

}
},
Entry("[test_id:XXXX]for admin", "admin"),
Entry("[test_id:XXXX]for edit", "edit"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about the view user? They have much more limited access. But probably should still have get/list/watch on most resources.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I took a stab at that and only "uploadtokenrequests" diverges. The cluster wide resources may need extra adjustments too

@@ -147,6 +149,34 @@ var _ = Describe("Aggregated role in-action tests", Serial, func() {
Entry("[test_id:3949]can do everything with edit", "edit"),
)

DescribeTable("check all user facing resources can be manipulated by non-cluster-admin", func(user string) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe pass in a map or list of resources and rbac rules that a user should be allowed to do. This way we are checking all the aggregate roles and not just the admin ones.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we want to avoid passing a list of resources, and by doing that, we protect the project from introducing unusable new APIs in the future

@akalenyu akalenyu force-pushed the gate-user-facing-rbac branch from 4adb2dc to 7930e75 Compare December 27, 2023 13:40
@akalenyu
Copy link
Collaborator Author

/hold

let's see if we can gate against view user and thus cluster wide resources too

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 17, 2024
@kubevirt-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@kubevirt-bot kubevirt-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 16, 2024
@kubevirt-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

@kubevirt-bot kubevirt-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 16, 2024
This should gate us from introducing user-facing resources that cannot be
manipulated by non-cluster-admin.

Signed-off-by: Alex Kalenyuk <[email protected]>
@akalenyu akalenyu force-pushed the gate-user-facing-rbac branch from 7930e75 to 9d801f3 Compare June 11, 2024 07:33
@kubevirt-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

@kubevirt-bot
Copy link
Contributor

@kubevirt-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@akalenyu
Copy link
Collaborator Author

/reopen

@kubevirt-bot kubevirt-bot reopened this Jul 11, 2024
@kubevirt-bot
Copy link
Contributor

@akalenyu: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubevirt-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

@kubevirt-bot
Copy link
Contributor

@kubevirt-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@akalenyu
Copy link
Collaborator Author

/reopen

@kubevirt-bot kubevirt-bot reopened this Aug 11, 2024
@kubevirt-bot
Copy link
Contributor

@akalenyu: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coveralls
Copy link

coveralls commented Aug 11, 2024

Coverage Status

coverage: 59.192% (-0.05%) from 59.238%
when pulling 9d801f3 on akalenyu:gate-user-facing-rbac
into 12b5b61 on kubevirt:main.

@kubevirt-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

@kubevirt-bot
Copy link
Contributor

@kubevirt-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@akalenyu
Copy link
Collaborator Author

/reopen
/remove-lifecycle rotten

@kubevirt-bot
Copy link
Contributor

@akalenyu: Reopened this PR.

In response to this:

/reopen
/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubevirt-bot kubevirt-bot reopened this Sep 10, 2024
@kubevirt-bot kubevirt-bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Sep 10, 2024
@kubevirt-bot
Copy link
Contributor

@akalenyu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-containerized-data-importer-e2e-ceph-wffc 9d801f3 link true /test pull-containerized-data-importer-e2e-ceph-wffc
pull-containerized-data-importer-e2e-nfs 9d801f3 link true /test pull-containerized-data-importer-e2e-nfs
pull-containerized-data-importer-non-csi-hpp 9d801f3 link true /test pull-containerized-data-importer-non-csi-hpp
pull-containerized-data-importer-e2e-istio 9d801f3 link true /test pull-containerized-data-importer-e2e-istio
pull-containerized-data-importer-e2e-hpp-latest 9d801f3 link true /test pull-containerized-data-importer-e2e-hpp-latest
pull-containerized-data-importer-e2e-upg 9d801f3 link true /test pull-containerized-data-importer-e2e-upg
pull-containerized-data-importer-e2e-hpp-previous 9d801f3 link true /test pull-containerized-data-importer-e2e-hpp-previous
pull-containerized-data-importer-e2e-ceph 9d801f3 link true /test pull-containerized-data-importer-e2e-ceph

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kubevirt-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@kubevirt-bot kubevirt-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. release-note-none Denotes a PR that doesn't merit a release note. size/M
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants