mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-07 00:17:13 +00:00
Code Activity
kyverno/test/e2e/generate/resources.go

248 lines
5.8 KiB
Go
Raw Normal View History

Feature/e2e 575 (#1018) * added api templates * E2E test for generate roles, rolebindings, clusterrole and clusterrolebindings * table driven e2e tests * table driven e2e tests and go fmt * removed unwanted vars * increased sleep time * removed role generation clone * increated sleep time * added rolebinding clone and retry mechanism for get resources * modified test for clone * added namespace to role * added namespace variable * added git actions job * changed build name * removed docker login * added role verbs * removed github actions job and rbac file * added clusterrole test with clone * fixed travis issue
2020-08-06 10:46:10 +05:30
package generate
// Namespace Description
var namespaceYaml = []byte(`
apiVersion: v1
kind: Namespace
metadata:
name: test
`)
// Cluster Policy to generate Role and RoleBinding with synchronize=true
var roleRoleBindingYamlWithSync = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "gen-role-policy"
spec:
background: false
rules:
- name: "gen-role"
match:
resources:
kinds:
- Namespace
generate:
kind: Role
name: "ns-role"
namespace: "{{request.object.metadata.name}}"
synchronize: true
data:
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
- name: "gen-role-binding"
match:
resources:
kinds:
- Namespace
generate:
kind: RoleBinding
name: "ns-role-binding"
namespace: "{{request.object.metadata.name}}"
synchronize: true
data:
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: minikube-user
roleRef:
kind: Role
name: ns-role
namespace: "{{request.object.metadata.name}}"
apiGroup: rbac.authorization.k8s.io
`)
// Cluster Policy to generate Role and RoleBinding with Clone
var roleRoleBindingYamlWithClone = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "gen-role-policy"
spec:
background: false
rules:
- name: "gen-role"
match:
resources:
kinds:
- Namespace
generate:
kind: Role
name: "ns-role"
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
kind: Role
name: "ns-role"
namespace: "default"
- name: "gen-role-binding"
match:
resources:
kinds:
- Namespace
generate:
kind: RoleBinding
name: "ns-role-binding"
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
kind: RoleBinding
name: "ns-role-binding"
namespace: default
`)
// Source Role from which ROle is Cloned by generate
var sourceRoleYaml = []byte(`
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: ns-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list", "delete", "create"]
`)
// Source RoleBinding from which RoleBinding is Cloned by generate
var sourceRoleBindingYaml = []byte(`
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ns-role-binding
namespace: default
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: minikube-user
roleRef:
kind: Role
name: ns-role
apiGroup: rbac.authorization.k8s.io
`)
// ClusterPolicy to generate ClusterRole and ClusterRoleBinding with synchronize = true
var genClusterRoleYamlWithSync = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "gen-cluster-policy"
spec:
background: false
rules:
- name: "gen-cluster-role"
match:
resources:
kinds:
- Namespace
generate:
kind: ClusterRole
name: ns-cluster-role
synchronize: true
data:
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
- name: "gen-cluster-role-binding"
match:
resources:
kinds:
- Namespace
generate:
kind: ClusterRoleBinding
name: ns-cluster-role-binding
synchronize: true
data:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ns-cluster-role
subjects:
- kind: ServiceAccount
name: "kyverno-service-account"
namespace: "{{request.object.metadata.name}}"
`)
// ClusterPolicy to generate ClusterRole and ClusterRoleBinding with clone = true
var genClusterRoleYamlWithClone = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "gen-cluster-policy"
spec:
background: false
rules:
- name: "gen-cluster-role"
match:
resources:
kinds:
- Namespace
generate:
kind: ClusterRole
name: ns-cluster-role
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
kind: ClusterRole
name: base-cluster-role
namespace: default
- name: "gen-cluster-role-binding"
match:
resources:
kinds:
- Namespace
generate:
kind: ClusterRoleBinding
name: ns-cluster-role-binding
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
kind: ClusterRole
name: base-cluster-role-binding
namespace: default
`)
var baseClusterRoleData = []byte(`
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: base-cluster-role
rules:
- apiGroups:
- "*"
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- create # generate new resources
- get # check the contents of exiting resources
- update # update existing resource, if required configuration defined in policy is not present
- delete # clean-up, if the generate trigger resource is deleted
`)
var baseClusterRoleBindingData = []byte(`
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: base-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: base-cluster-role
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
`)
Copy permalink