mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
* added api templates * E2E test for generate roles, rolebindings, clusterrole and clusterrolebindings * table driven e2e tests * table driven e2e tests and go fmt * removed unwanted vars * increased sleep time * removed role generation clone * increated sleep time * added rolebinding clone and retry mechanism for get resources * modified test for clone * added namespace to role * added namespace variable * added git actions job * changed build name * removed docker login * added role verbs * removed github actions job and rbac file * added clusterrole test with clone * fixed travis issue
package generate
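// namespaceYaml is the manifest of the Namespace named "test".
// Every generate policy in this file matches on kind Namespace.
var namespaceYaml = []byte(`
apiVersion: v1
kind: Namespace
metadata:
  name: test
`)
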
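// roleRoleBindingYamlWithSync is a ClusterPolicy that generates a Role and a
// RoleBinding from inline data, with synchronize=true.
//
// Both rules match every Namespace (no name or label filter), so each matching
// namespace receives "ns-role" (read-only access to pods) bound to the user
// "minikube-user". Fixture for a disposable e2e cluster.
//
// NOTE(review): roleRef carries a namespace field; the RBAC RoleRef type has
// only apiGroup, kind and name — confirm the extra key is intentional.
var roleRoleBindingYamlWithSync = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "gen-role-policy"
spec:
  background: false
  rules:
  - name: "gen-role"
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: Role
      name: "ns-role"
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        rules:
        - apiGroups: [""]
          resources: ["pods"]
          verbs: ["get", "watch", "list"]
  - name: "gen-role-binding"
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: RoleBinding
      name: "ns-role-binding"
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: User
          name: minikube-user
        roleRef:
          kind: Role
          name: ns-role
          namespace: "{{request.object.metadata.name}}"
          apiGroup: rbac.authorization.k8s.io
`)
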
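// roleRoleBindingYamlWithClone is a ClusterPolicy that generates a Role and a
// RoleBinding by cloning "ns-role" and "ns-role-binding" from the default
// namespace, with synchronize=true.
//
// Both rules match every Namespace, so whatever the source objects in
// "default" grant is copied into each matching namespace; the effective
// permissions are decided by the clone sources, not by this policy.
// It reuses the policy name "gen-role-policy" of the data-based variant.
var roleRoleBindingYamlWithClone = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "gen-role-policy"
spec:
  background: false
  rules:
  - name: "gen-role"
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: Role
      name: "ns-role"
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      clone:
        kind: Role
        name: "ns-role"
        namespace: "default"
  - name: "gen-role-binding"
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: RoleBinding
      name: "ns-role-binding"
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      clone:
        kind: RoleBinding
        name: "ns-role-binding"
        namespace: default
`)
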
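// sourceRoleYaml is the Role "ns-role" in the default namespace that
// roleRoleBindingYamlWithClone names as its clone source.
//
// Its single rule uses wildcard apiGroups and resources together with the
// create and delete verbs, so every clone carries that same broad grant into
// the target namespace. Keep it to disposable e2e clusters and narrow the rule
// before reusing it anywhere else.
var sourceRoleYaml = []byte(`
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: ns-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list", "delete", "create"]
`)
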
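// sourceRoleBindingYaml is the RoleBinding "ns-role-binding" in the default
// namespace that roleRoleBindingYamlWithClone names as its clone source.
// It binds the Role "ns-role" to the user "minikube-user"; each clone hands
// that user the same role in the target namespace.
var sourceRoleBindingYaml = []byte(`
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ns-role-binding
  namespace: default
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: minikube-user
roleRef:
  kind: Role
  name: ns-role
  apiGroup: rbac.authorization.k8s.io
`)
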
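// genClusterRoleYamlWithSync is a ClusterPolicy that generates a ClusterRole
// and a ClusterRoleBinding from inline data, with synchronize=true.
//
// Both rules match every Namespace. The generated names are fixed
// ("ns-cluster-role", "ns-cluster-role-binding"), and the binding's subject is
// the ServiceAccount "kyverno-service-account" in the namespace taken from the
// triggering request. The grant is cluster-wide read access to pods, so the
// subject namespace is the only per-request part of the binding; keep this to
// disposable e2e clusters.
var genClusterRoleYamlWithSync = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "gen-cluster-policy"
spec:
  background: false
  rules:
  - name: "gen-cluster-role"
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: ClusterRole
      name: ns-cluster-role
      synchronize: true
      data:
        rules:
        - apiGroups: [""]
          resources: ["pods"]
          verbs: ["get", "watch", "list"]
  - name: "gen-cluster-role-binding"
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: ClusterRoleBinding
      name: ns-cluster-role-binding
      synchronize: true
      data:
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: ns-cluster-role
        subjects:
        - kind: ServiceAccount
          name: "kyverno-service-account"
          namespace: "{{request.object.metadata.name}}"
`)
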
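// genClusterRoleYamlWithClone is a ClusterPolicy that generates a ClusterRole
// and a ClusterRoleBinding by cloning "base-cluster-role" and
// "base-cluster-role-binding", with synchronize=true.
//
// Both rules match every Namespace; the permissions that end up in the cluster
// are whatever the clone sources grant.
//
// NOTE(review): the second rule's clone block says kind ClusterRole although
// the source it names is base-cluster-role-binding — confirm whether kind is
// read under clone and whether it should be ClusterRoleBinding.
// NOTE(review): namespace is set on the generate and clone blocks although
// ClusterRole and ClusterRoleBinding are cluster-scoped — confirm it is ignored.
var genClusterRoleYamlWithClone = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "gen-cluster-policy"
spec:
  background: false
  rules:
  - name: "gen-cluster-role"
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: ClusterRole
      name: ns-cluster-role
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      clone:
        kind: ClusterRole
        name: base-cluster-role
        namespace: default
  - name: "gen-cluster-role-binding"
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: ClusterRoleBinding
      name: ns-cluster-role-binding
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      clone:
        kind: ClusterRole
        name: base-cluster-role-binding
        namespace: default
`)
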
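// baseClusterRoleData is the ClusterRole "base-cluster-role" that
// genClusterRoleYamlWithClone names as its clone source.
//
// The rule covers all API groups and allows create, get, update and delete on
// secrets and on the RBAC kinds (roles, clusterroles, rolebindings,
// clusterrolebindings) among others. That is a cluster-wide write grant over
// credentials and authorization objects, and a clone of it grants the same.
// Keep it to disposable e2e clusters and trim the resource list before reusing
// it anywhere else.
var baseClusterRoleData = []byte(`
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: base-cluster-role
rules:
- apiGroups:
  - "*"
  resources:
  - namespaces
  - networkpolicies
  - secrets
  - configmaps
  - resourcequotas
  - limitranges
  - roles
  - clusterroles
  - rolebindings
  - clusterrolebindings
  verbs:
  - create # generate new resources
  - get # check the contents of exiting resources
  - update # update existing resource, if required configuration defined in policy is not present
  - delete # clean-up, if the generate trigger resource is deleted
`)
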
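// baseClusterRoleBindingData is the ClusterRoleBinding
// "base-cluster-role-binding". It binds the ClusterRole "base-cluster-role" to
// the ServiceAccount "kyverno-service-account" in the "kyverno" namespace, so
// that account holds everything the base role allows, cluster-wide.
var baseClusterRoleBindingData = []byte(`
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: base-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: base-cluster-role
subjects:
- kind: ServiceAccount
  name: kyverno-service-account
  namespace: kyverno
`)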