
Commit 7930e75

committed
Add test for checking user-facing resources can be manipulated
This should guard against introducing user-facing resources that cannot be manipulated by a non-cluster-admin user. Signed-off-by: Alex Kalenyuk <[email protected]>
1 parent 35979e8 commit 7930e75


1 file changed

+30
-0
lines changed


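--- a/tests/rbac_test.go
+++ b/tests/rbac_test.go
@@ -2,6 +2,8 @@ package tests
 
 import (
 "context"
+"fmt"
+"strings"
 "time"
 
 . "github.com/onsi/ginkgo/v2"
@@ -147,6 +149,34 @@ var _ = Describe("Aggregated role in-action tests", Serial, func() {
 Entry("[test_id:3949]can do everything with edit", "edit"),
 )
 
+DescribeTable("check all user facing resources can be manipulated by non-cluster-admin", func(user string) {
+var namespacedCDIAPIResourcesPlural []string
+// Also retrieves API resources that are not served via CRDs
+outputAPIResources, err := f.RunKubectlCommand("api-resources", "--namespaced", "-o", "name")
+Expect(err).ToNot(HaveOccurred(), "ERR: %s, OUT: %s", err, outputAPIResources)
+for _, apiResource := range strings.Split(strings.TrimSpace(outputAPIResources), "\n") {
+if strings.HasSuffix(apiResource, "cdi.kubevirt.io") {
+plural := strings.Split(apiResource, ".")[0]
+namespacedCDIAPIResourcesPlural = append(namespacedCDIAPIResourcesPlural, plural)
+}
+}
+fmt.Fprintf(GinkgoWriter, "CDI namespaced API resources: %+v\n", namespacedCDIAPIResourcesPlural)
+Expect(len(namespacedCDIAPIResourcesPlural)).To(BeNumerically(">=", 5))
+
+createServiceAccount(f.K8sClient, f.Namespace.Name, user)
+createRoleBinding(f.K8sClient, user, f.Namespace.Name, user)
+
+for _, resource := range namespacedCDIAPIResourcesPlural {
+sa := fmt.Sprintf("system:serviceaccount:%s:%s", f.Namespace.Name, user)
+result, err := f.RunKubectlCommand("auth", "can-i", "--as", sa, "*", resource, "--namespace", f.Namespace.Name)
+Expect(err).ToNot(HaveOccurred(), "no permission for %s, result: %s", resource, result)
+Expect(strings.TrimSpace(result)).To(Equal("yes"))
+}
+},
+Entry("[test_id:XXXX]for admin", "admin"),
+Entry("[test_id:XXXX]for edit", "edit"),
+)
+
 It("[test_id:3950]view datavolume permission checks", func() {
 const user = "view"
 var cdiClient cdiClientset.Interface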
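Review bot: The two new Entry rows carry the placeholder tag `[test_id:XXXX]`, so both cases will be reported under an id that does not exist; assign real ids before merging or drop the tag until they are allocated. The `sa := fmt.Sprintf("system:serviceaccount:%s:%s", f.Namespace.Name, user)` line sits inside the `for _, resource := range namespacedCDIAPIResourcesPlural` loop but does not depend on `resource`, so it can be hoisted directly above the loop. The `BeNumerically(">=", 5)` floor is unexplained; a comment such as `// sanity floor: an empty or mis-filtered api-resources listing must not let the table pass vacuously` would tell the next reader why that number is there. Since the check asks `auth can-i` for the `*` verb, a `yes` asserts that the bound role grants every verb on each CDI resource, which is the contract the table description should state explicitly. The enclosing `Describe` starts before the hunk and the `It("[test_id:3950]…")` at its end continues past it.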
