2020-01-07 10:33:28 -08:00
|
|
|
package rbac
|
2019-11-11 14:29:36 -08:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"flag"
|
|
|
|
|
"testing"
|
|
|
|
|
|
2019-11-13 13:41:08 -08:00
|
|
|
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
2019-11-11 14:29:36 -08:00
|
|
|
"gotest.tools/assert"
|
|
|
|
|
authenticationv1 "k8s.io/api/authentication/v1"
|
|
|
|
|
rbacv1 "k8s.io/api/rbac/v1"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func Test_matchAdmissionInfo(t *testing.T) {
|
|
|
|
|
flag.Parse()
|
|
|
|
|
flag.Set("logtostderr", "true")
|
|
|
|
|
flag.Set("v", "3")
|
|
|
|
|
tests := []struct {
|
|
|
|
|
rule kyverno.Rule
|
2020-01-07 10:33:28 -08:00
|
|
|
info kyverno.RequestInfo
|
2019-11-11 14:29:36 -08:00
|
|
|
expected bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
rule: kyverno.Rule{
|
|
|
|
|
MatchResources: kyverno.MatchResources{},
|
|
|
|
|
},
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{},
|
2019-11-11 14:29:36 -08:00
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
rule: kyverno.Rule{
|
|
|
|
|
MatchResources: kyverno.MatchResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
Roles: []string{"ns-a:role-a"},
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
},
|
|
|
|
|
},
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
Roles: []string{"ns-a:role-a"},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
rule: kyverno.Rule{
|
|
|
|
|
MatchResources: kyverno.MatchResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
Roles: []string{"ns-a:role-a"},
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
},
|
|
|
|
|
},
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
Roles: []string{"ns-a:role"},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
rule: kyverno.Rule{
|
|
|
|
|
MatchResources: kyverno.MatchResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
Subjects: testSubjects(),
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
},
|
|
|
|
|
},
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
AdmissionUserInfo: authenticationv1.UserInfo{
|
|
|
|
|
Username: "serviceaccount:mynamespace:mysa",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
rule: kyverno.Rule{
|
|
|
|
|
ExcludeResources: kyverno.ExcludeResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
Subjects: testSubjects(),
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
},
|
|
|
|
|
},
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
AdmissionUserInfo: authenticationv1.UserInfo{
|
|
|
|
|
UID: "1",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
rule: kyverno.Rule{
|
|
|
|
|
ExcludeResources: kyverno.ExcludeResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
Subjects: testSubjects(),
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
},
|
|
|
|
|
},
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
AdmissionUserInfo: authenticationv1.UserInfo{
|
|
|
|
|
Username: "kubernetes-admin",
|
|
|
|
|
Groups: []string{"system:masters", "system:authenticated"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, test := range tests {
|
2020-01-07 10:33:28 -08:00
|
|
|
assert.Assert(t, test.expected == MatchAdmissionInfo(test.rule, test.info))
|
2019-11-11 14:29:36 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_validateMatch(t *testing.T) {
|
|
|
|
|
requestInfo := []struct {
|
2020-01-07 10:33:28 -08:00
|
|
|
info kyverno.RequestInfo
|
2019-11-11 14:29:36 -08:00
|
|
|
expected bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
Roles: []string{},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
Roles: []string{"ns-b:role-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
Roles: []string{"ns:role"},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
matchRoles := kyverno.MatchResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
Roles: []string{"ns-a:role-a", "ns-b:role-b"},
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, info := range requestInfo {
|
|
|
|
|
assert.Assert(t, info.expected == validateMatch(matchRoles, info.info))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
requestInfo = []struct {
|
2020-01-07 10:33:28 -08:00
|
|
|
info kyverno.RequestInfo
|
2019-11-11 14:29:36 -08:00
|
|
|
expected bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{"role-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{"clusterrole-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{"clusterrole-a", "clusterrole-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{"fake-a", "fake-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
matchClusterRoles := kyverno.MatchResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
ClusterRoles: []string{"clusterrole-a", "clusterrole-b"},
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, info := range requestInfo {
|
|
|
|
|
assert.Assert(t, info.expected == validateMatch(matchClusterRoles, info.info))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_validateExclude(t *testing.T) {
|
|
|
|
|
requestInfo := []struct {
|
2020-01-07 10:33:28 -08:00
|
|
|
info kyverno.RequestInfo
|
2019-11-11 14:29:36 -08:00
|
|
|
expected bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
Roles: []string{},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
Roles: []string{"ns-b:role-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
Roles: []string{"ns:role"},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
excludeRoles := kyverno.ExcludeResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
Roles: []string{"ns-a:role-a", "ns-b:role-b"},
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, info := range requestInfo {
|
|
|
|
|
assert.Assert(t, info.expected == validateExclude(excludeRoles, info.info))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
requestInfo = []struct {
|
2020-01-07 10:33:28 -08:00
|
|
|
info kyverno.RequestInfo
|
2019-11-11 14:29:36 -08:00
|
|
|
expected bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{"role-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{"clusterrole-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
2020-01-07 10:33:28 -08:00
|
|
|
info: kyverno.RequestInfo{
|
2019-11-11 14:29:36 -08:00
|
|
|
ClusterRoles: []string{"fake-a", "fake-b"},
|
|
|
|
|
},
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
excludeClusterRoles := kyverno.ExcludeResources{
|
2019-12-30 17:08:50 -08:00
|
|
|
UserInfo: kyverno.UserInfo{
|
|
|
|
|
ClusterRoles: []string{"clusterrole-a", "clusterrole-b"},
|
|
|
|
|
},
|
2019-11-11 14:29:36 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, info := range requestInfo {
|
|
|
|
|
assert.Assert(t, info.expected == validateExclude(excludeClusterRoles, info.info))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_matchSubjects(t *testing.T) {
|
|
|
|
|
group := authenticationv1.UserInfo{
|
|
|
|
|
Username: "kubernetes-admin",
|
|
|
|
|
Groups: []string{"system:masters", "system:authenticated"},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sa := authenticationv1.UserInfo{
|
|
|
|
|
Username: "system:serviceaccount:mynamespace:mysa",
|
|
|
|
|
Groups: []string{"system:serviceaccounts", "system:serviceaccounts:mynamespace", "system:authenticated"},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user := authenticationv1.UserInfo{
|
|
|
|
|
Username: "system:kube-scheduler",
|
|
|
|
|
Groups: []string{"system:authenticated"},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
subjects := testSubjects()
|
|
|
|
|
|
|
|
|
|
assert.Assert(t, matchSubjects(subjects, sa))
|
|
|
|
|
assert.Assert(t, !matchSubjects(subjects, user))
|
|
|
|
|
assert.Assert(t, matchSubjects(subjects, group))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func testSubjects() []rbacv1.Subject {
|
|
|
|
|
return []rbacv1.Subject{
|
|
|
|
|
{
|
|
|
|
|
Kind: "User",
|
|
|
|
|
Name: "kube-scheduler",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Kind: "Group",
|
|
|
|
|
Name: "system:masters",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Kind: "ServiceAccount",
|
|
|
|
|
Name: "mysa",
|
|
|
|
|
Namespace: "mynamespace",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
