test/e2e: test allowlist against rolebindings, not cluster role bindings

2025-04-21 11:48:53 +00:00 · 2020-09-01 14:52:20 +02:00 · 2020-09-01 14:52:20 +02:00 · ec3a83bae0
commit ec3a83bae0
parent 4f36b38e6c
8 changed files with 57 additions and 17 deletions
--- a/test/e2e/alertmanager_instance_namespaces_test.go
+++ b/test/e2e/alertmanager_instance_namespaces_test.go
@ -31,7 +31,7 @@ func testAlertmanagerInstanceNamespaces_AllNs(t *testing.T) {
 	nonInstanceNs := ctx.CreateNamespace(t, framework.KubeClient)
 	ctx.SetupPrometheusRBACGlobal(t, instanceNs, framework.KubeClient)

-	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, nil, nil, nil, []string{instanceNs}, false)
+	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, nil, nil, nil, []string{instanceNs}, false, true)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -72,7 +72,7 @@ func testAlertmanagerInstanceNamespaces_DenyNs(t *testing.T) {
 	instanceNs := ctx.CreateNamespace(t, framework.KubeClient)
 	ctx.SetupPrometheusRBACGlobal(t, instanceNs, framework.KubeClient)

-	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, nil, []string{instanceNs}, nil, []string{instanceNs}, false)
+	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, nil, []string{instanceNs}, nil, []string{instanceNs}, false, true)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/test/e2e/denylist_test.go
+++ b/test/e2e/denylist_test.go
@ -20,8 +20,8 @@ import (

 	"github.com/gogo/protobuf/proto"

-	testFramework "github.com/prometheus-operator/prometheus-operator/test/framework"
 	"github.com/pkg/errors"
+	testFramework "github.com/prometheus-operator/prometheus-operator/test/framework"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	api_errors "k8s.io/apimachinery/pkg/api/errors"
@ -38,7 +38,7 @@ func testDenyPrometheus(t *testing.T) {

 	ctx.SetupPrometheusRBAC(t, operatorNamespace, framework.KubeClient)

-	_, err := framework.CreatePrometheusOperator(operatorNamespace, *opImage, nil, deniedNamespaces, nil, nil, false)
+	_, err := framework.CreatePrometheusOperator(operatorNamespace, *opImage, nil, deniedNamespaces, nil, nil, false, true)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -81,7 +81,7 @@ func testDenyServiceMonitor(t *testing.T) {

 	ctx.SetupPrometheusRBAC(t, operatorNamespace, framework.KubeClient)

-	_, err := framework.CreatePrometheusOperator(operatorNamespace, *opImage, nil, deniedNamespaces, nil, nil, false)
+	_, err := framework.CreatePrometheusOperator(operatorNamespace, *opImage, nil, deniedNamespaces, nil, nil, false, true)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/test/e2e/main_test.go
+++ b/test/e2e/main_test.go
@ -86,7 +86,7 @@ func TestAllNS(t *testing.T) {

 	ns := ctx.CreateNamespace(t, framework.KubeClient)

-	finalizers, err := framework.CreatePrometheusOperator(ns, *opImage, nil, nil, nil, nil, true)
+	finalizers, err := framework.CreatePrometheusOperator(ns, *opImage, nil, nil, nil, nil, true, true)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/test/e2e/prometheus_instance_namespaces_test.go
+++ b/test/e2e/prometheus_instance_namespaces_test.go
@ -18,8 +18,8 @@ import (
 	"context"
 	"testing"

-	testFramework "github.com/prometheus-operator/prometheus-operator/test/framework"
 	"github.com/pkg/errors"
+	testFramework "github.com/prometheus-operator/prometheus-operator/test/framework"
 	v1 "k8s.io/api/core/v1"
 	api_errors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -34,7 +34,7 @@ func testPrometheusInstanceNamespaces_AllNs(t *testing.T) {
 	nonInstanceNs := ctx.CreateNamespace(t, framework.KubeClient)
 	ctx.SetupPrometheusRBACGlobal(t, instanceNs, framework.KubeClient)

-	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, nil, nil, []string{instanceNs}, nil, false)
+	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, nil, nil, []string{instanceNs}, nil, false, true)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -93,7 +93,7 @@ func testPrometheusInstanceNamespaces_DenyList(t *testing.T) {
 		}
 	}

-	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, nil, []string{deniedNs, instanceNs}, []string{instanceNs}, nil, false)
+	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, nil, []string{deniedNs, instanceNs}, []string{instanceNs}, nil, false, true)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -216,7 +216,7 @@ func testPrometheusInstanceNamespaces_AllowList(t *testing.T) {
 		}
 	}

-	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, []string{allowedNs}, nil, []string{instanceNs}, nil, false)
+	_, err := framework.CreatePrometheusOperator(operatorNs, *opImage, []string{allowedNs}, nil, []string{instanceNs}, nil, false, false)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/test/e2e/prometheus_test.go
+++ b/test/e2e/prometheus_test.go
@ -2337,7 +2337,7 @@ func testOperatorNSScope(t *testing.T) {
 		}

 		// Prometheus Operator only watches single namespace mainNS, not arbitraryNS.
-		_, err := framework.CreatePrometheusOperator(operatorNS, *opImage, []string{mainNS}, nil, nil, nil, false)
+		_, err := framework.CreatePrometheusOperator(operatorNS, *opImage, []string{mainNS}, nil, nil, nil, false, true)
 		if err != nil {
 			t.Fatal(err)
 		}
@ -2407,7 +2407,7 @@ func testOperatorNSScope(t *testing.T) {
 		}

 		// Prometheus Operator only watches prometheusNS and ruleNS, not arbitraryNS.
-		_, err := framework.CreatePrometheusOperator(operatorNS, *opImage, []string{prometheusNS, ruleNS}, nil, nil, nil, false)
+		_, err := framework.CreatePrometheusOperator(operatorNS, *opImage, []string{prometheusNS, ruleNS}, nil, nil, nil, false, true)
 		if err != nil {
 			t.Fatal(err)
 		}
--- a/test/framework/framework.go
+++ b/test/framework/framework.go
@ -35,10 +35,10 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	certutil "k8s.io/client-go/util/cert"

-	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
-	monitoringclient "github.com/prometheus-operator/prometheus-operator/pkg/client/versioned/typed/monitoring/v1"
 	"github.com/gogo/protobuf/proto"
 	"github.com/pkg/errors"
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	monitoringclient "github.com/prometheus-operator/prometheus-operator/pkg/client/versioned/typed/monitoring/v1"
 )

 const (
@ -163,7 +163,7 @@ func (f *Framework) MakeEchoDeployment(group string) *appsv1.Deployment {
 // Returns the CA, which can bs used to access the operator over TLS
 func (f *Framework) CreatePrometheusOperator(ns, opImage string, namespaceAllowlist,
 	namespaceDenylist, prometheusInstanceNamespaces, alertmanagerInstanceNamespaces []string,
-	createRuleAdmissionHooks bool) ([]finalizerFn, error) {
+	createRuleAdmissionHooks, createClusterRoleBindings bool) ([]finalizerFn, error) {

 	var finalizers []finalizerFn

@ -187,8 +187,20 @@ func (f *Framework) CreatePrometheusOperator(ns, opImage string, namespaceAllowl
 		return nil, errors.Wrap(err, "failed to update prometheus cluster role")
 	}

-	if _, err := CreateClusterRoleBinding(f.KubeClient, ns, "../../example/rbac/prometheus-operator/prometheus-operator-cluster-role-binding.yaml"); err != nil && !apierrors.IsAlreadyExists(err) {
-		return nil, errors.Wrap(err, "failed to create prometheus cluster role binding")
+	if createClusterRoleBindings {
+		if _, err := CreateClusterRoleBinding(f.KubeClient, ns, "../../example/rbac/prometheus-operator/prometheus-operator-cluster-role-binding.yaml"); err != nil && !apierrors.IsAlreadyExists(err) {
+			return nil, errors.Wrap(err, "failed to create prometheus cluster role binding")
+		}
+	} else {
+		namespaces := namespaceAllowlist
+		namespaces = append(namespaces, prometheusInstanceNamespaces...)
+		namespaces = append(namespaces, alertmanagerInstanceNamespaces...)
+
+		for _, n := range namespaces {
+			if _, err := CreateRoleBindingForSubjectNamespace(f.KubeClient, n, ns, "../framework/ressources/prometheus-operator-role-binding.yaml"); err != nil && !apierrors.IsAlreadyExists(err) {
+				return nil, errors.Wrap(err, "failed to create prometheus operator role binding")
+			}
+		}
 	}

 	certBytes, keyBytes, err := certutil.GenerateSelfSignedCertKey(fmt.Sprintf("%s.%s.svc", prometheusOperatorServiceDeploymentName, ns), nil, nil)
--- a/test/framework/ressources/prometheus-operator-role-binding.yaml
+++ b/test/framework/ressources/prometheus-operator-role-binding.yaml
@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+  name: prometheus-operator
--- a/test/framework/role-binding.go
+++ b/test/framework/role-binding.go
@ -16,6 +16,7 @@ package framework

 import (
 	"context"
+
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/yaml"
@ -33,6 +34,22 @@ func CreateRoleBinding(kubeClient kubernetes.Interface, ns string, relativePath
 	return finalizerFn, err
 }

+func CreateRoleBindingForSubjectNamespace(kubeClient kubernetes.Interface, ns, subjectNs string, relativePath string) (finalizerFn, error) {
+	finalizerFn := func() error { return DeleteRoleBinding(kubeClient, ns, relativePath) }
+	roleBinding, err := parseRoleBindingYaml(relativePath)
+
+	for i := range roleBinding.Subjects {
+		roleBinding.Subjects[i].Namespace = subjectNs
+	}
+
+	if err != nil {
+		return finalizerFn, err
+	}
+
+	_, err = kubeClient.RbacV1().RoleBindings(ns).Create(context.TODO(), roleBinding, metav1.CreateOptions{})
+	return finalizerFn, err
+}
+
 func DeleteRoleBinding(kubeClient kubernetes.Interface, ns string, relativePath string) error {
 	roleBinding, err := parseRoleBindingYaml(relativePath)
 	if err != nil {