From 775ee71a06bb7b9faf206e6632e9743c83bfce56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= <charled.breteche@gmail.com>
Date: Tue, 15 Nov 2022 11:15:59 +0100
Subject: [PATCH] test: add rbac kuttl test (#5337)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
 test/conformance/kuttl/kuttl-test.yaml | 2 ++
 .../aggregate-to-admin/00-cluster-role.yaml | 8 +++++++
 .../kuttl/rbac/aggregate-to-admin/README.md | 3 +++
 .../admin-generaterequest.yaml | 19 ++++++++++++++++
 .../aggregate-to-admin/admin-policies.yaml | 20 +++++++++++++++++
 .../admin-policyreport.yaml | 20 +++++++++++++++++
 .../aggregate-to-admin/admin-reports.yaml | 22 +++++++++++++++++++
 .../admin-updaterequest.yaml | 19 ++++++++++++++++
 8 files changed, 113 insertions(+)
 create mode 100644 test/conformance/kuttl/rbac/aggregate-to-admin/00-cluster-role.yaml
 create mode 100644 test/conformance/kuttl/rbac/aggregate-to-admin/README.md
 create mode 100644 test/conformance/kuttl/rbac/aggregate-to-admin/admin-generaterequest.yaml
 create mode 100644 test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml
 create mode 100644 test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml
 create mode 100644 test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml
 create mode 100644 test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml
diff --git a/test/conformance/kuttl/kuttl-test.yaml b/test/conformance/kuttl/kuttl-test.yaml
index ff74b20090..e7051c9a04 100644
--- a/test/conformance/kuttl/kuttl-test.yaml
+++ b/test/conformance/kuttl/kuttl-test.yaml
@@ -22,6 +22,8 @@ testDirs:
 # Report tests
 - ./test/conformance/kuttl/reports/admission
 - ./test/conformance/kuttl/reports/background
+# RBAC
+- ./test/conformance/kuttl/rbac
 # Webhooks
 - ./test/conformance/kuttl/webhooks
 startKIND: false
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/00-cluster-role.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/00-cluster-role.yaml
new file mode 100644
index 0000000000..8aa02e6c5f
--- /dev/null
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/00-cluster-role.yaml
@@ -0,0 +1,8 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- admin-generaterequest.yaml
+- admin-policies.yaml
+- admin-policyreport.yaml
+- admin-reports.yaml
+- admin-updaterequest.yaml
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/README.md b/test/conformance/kuttl/rbac/aggregate-to-admin/README.md
new file mode 100644
index 0000000000..7d5c9c76dc
--- /dev/null
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/README.md
@@ -0,0 +1,3 @@
+## Description
+
+This test verifies that kyverno admin cluster roles exist in the cluster and are labelled correctly to be aggregated to the `admin` cluster role.
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-generaterequest.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-generaterequest.yaml
new file mode 100644
index 0000000000..1312ba3eed
--- /dev/null
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-generaterequest.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: kyverno:admin-generaterequest
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - generaterequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
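Review bot: The step in 00-cluster-role.yaml asserts only the five `kyverno:admin-*` ClusterRoles, so it shows that the `aggregate-to-admin` label and the rules are present, not that the built-in `admin` ClusterRole actually picked them up. The README added in this commit reads as if aggregation itself were verified. I would either narrow the README sentence or put a comment at the top of the step, for example `# Checks the source roles and their aggregate-to-admin label only; the resulting rules of the admin ClusterRole are not asserted.`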
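Review bot: admin-generaterequest.yaml fixes `create`, `delete`, `patch` and `update` on `generaterequests` as the expected grant for every subject bound to `admin`, and admin-updaterequest.yaml does the same for `updaterequests`. Judging by their names these are request objects that the controller acts on, which is an inference the diff does not confirm. If that is right, write access for namespace admins deserves a stated reason, because this test will now fail on any later attempt to tighten it. A one-line comment above `verbs:` such as `# write verbs intentional, see <issue or design note>` would record the decision.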
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml
new file mode 100644
index 0000000000..327d21f28f
--- /dev/null
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: kyverno:admin-policies
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - policies
+ - clusterpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml
new file mode 100644
index 0000000000..6b2843d348
--- /dev/null
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: kyverno:admin-policyreport
+rules:
+- apiGroups:
+ - wgpolicyk8s.io
+ resources:
+ - policyreports
+ - clusterpolicyreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml
new file mode 100644
index 0000000000..f57be215c9
--- /dev/null
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: kyverno:admin-reports
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - admissionreports
+ - clusteradmissionreports
+ - backgroundscanreports
+ - clusterbackgroundscanreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
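Review bot: `clusterpolicies` in admin-policies.yaml is a cluster-scoped resource sitting in a role that aggregates into `admin`, and the same holds for `clusterpolicyreports` in admin-policyreport.yaml and for `clusteradmissionreports` and `clusterbackgroundscanreports` in admin-reports.yaml. Under a namespaced RoleBinding these entries grant nothing, while under a ClusterRoleBinding to `admin` they give full write access to cluster-wide policy. The expected files should say which binding the grant is meant for, e.g. `# cluster-scoped: only effective when admin is bound through a ClusterRoleBinding` next to each of those resources.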
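Review bot: The expected rules in admin-policyreport.yaml include `delete`, `patch` and `update` on `policyreports`, and admin-reports.yaml lists the same verbs for the admission and background scan reports, so any `admin` subject can change or remove policy results within its scope. Where these reports serve as audit evidence, that is worth a comment in the assertion, e.g. `# admins may modify reports; treat report content as advisory`. API audit logging for writes to these resources by non-controller identities is the natural compensating control. If read-only access was the intent, the verbs here should be reduced to `get`, `list` and `watch` together with the chart.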
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml
new file mode 100644
index 0000000000..b9f3093954
--- /dev/null
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: kyverno:admin-updaterequest
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - updaterequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch