chore: run rbac testsuite using chainsaw (#8950)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

.github/workflows/conformance.yaml

@@ -178,7 +178,6 @@ jobs:
             version: v1.28.0
         tests:
           # - autogen
-          # - background-only
           # - cleanup
           # - deferred
           # - events
@@ -190,13 +189,13 @@ jobs:
           # - mutate
           # - policy-validation
           # - rangeoperators
-          # - rbac
           # - reports
           # - validate
           # - verify-manifests
           # - verifyImages
           - webhooks
           - background-only
+          - rbac
     needs: prepare-images
     name: chainsaw - ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
     steps:

test/conformance/chainsaw/rbac/aggregate-to-admin/00-cluster-role.yaml

@@ -0,0 +1,14 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: rbac
+spec:
+  try:
+  - assert:
+      file: admin-policies.yaml
+  - assert:
+      file: admin-policyreport.yaml
+  - assert:
+      file: admin-reports.yaml
+  - assert:
+      file: admin-updaterequest.yaml

test/conformance/chainsaw/rbac/aggregate-to-admin/README.md

@@ -0,0 +1,3 @@
+## Description
+
+This test verifies that kyverno admin cluster roles exist in the cluster and are labelled correctly to be aggregated to the `admin` cluster role.

test/conformance/chainsaw/rbac/aggregate-to-admin/admin-policies.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:rbac:admin:policies
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - cleanuppolicies
+      - clustercleanuppolicies
+      - policies
+      - clusterpolicies
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch

test/conformance/chainsaw/rbac/aggregate-to-admin/admin-policyreport.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:rbac:admin:policyreports
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups:
+      - wgpolicyk8s.io
+    resources:
+      - policyreports
+      - clusterpolicyreports
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch

test/conformance/chainsaw/rbac/aggregate-to-admin/admin-reports.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:rbac:admin:reports
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - admissionreports
+      - clusteradmissionreports
+      - backgroundscanreports
+      - clusterbackgroundscanreports
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch

test/conformance/chainsaw/rbac/aggregate-to-admin/admin-updaterequest.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:rbac:admin:updaterequests
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - updaterequests
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch