Skip to content

Commit

Permalink
Fix logic with service accounts. Update e2e tests. Add test coverage (#…
Browse files Browse the repository at this point in the history
…141)

* Write tests to prove that #42 is a bug

* Fix logic with subject key

* add more test coverage

* more e2e tests to cover bugs

* udpate kind and kube images for e2e tests
  • Loading branch information
Andrew Suderman authored Oct 23, 2020
1 parent feaf45b commit 030e248
Show file tree
Hide file tree
Showing 13 changed files with 322 additions and 85 deletions.
21 changes: 9 additions & 12 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ references:
executor: golang-exec
pre_script: e2e/pre.sh
store-test-results: /tmp/test-results
kind_version: 0.9.0
script: e2e/test.sh
requires:
- test
Expand Down Expand Up @@ -66,24 +67,20 @@ workflows:
branches:
only: /.*/
- rok8s-scripts/kubernetes_e2e_tests:
name: e2e test kube 1.15.7
kind_node_image: >-
"kindest/node:v1.15.7@sha256:e2df133f80ef633c53c0200114fce2ed5e1f6947477dbc83261a6a921169488d"
name: e2e test kube 1.16
kind_node_image: "kindest/node:v1.16.15@sha256:a89c771f7de234e6547d43695c7ab047809ffc71a0c3b65aa54eda051c45ed20"
<<: *e2e_config
- rok8s-scripts/kubernetes_e2e_tests:
name: e2e test kube 1.16.4
kind_node_image: >-
"kindest/node:v1.16.4@sha256:b91a2c2317a000f3a783489dfb755064177dbc3a0b2f4147d50f04825d016f55"
name: e2e test kube 1.17
kind_node_image: "kindest/node:v1.17.11@sha256:5240a7a2c34bf241afb54ac05669f8a46661912eab05705d660971eeb12f6555"
<<: *e2e_config
- rok8s-scripts/kubernetes_e2e_tests:
name: e2e test kube 1.17.0
kind_node_image: >-
"kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62"
name: e2e test kube 1.18
kind_node_image: "kindest/node:v1.18.8@sha256:f4bcc97a0ad6e7abaf3f643d890add7efe6ee4ab90baeb374b4f41a4c95567eb"
<<: *e2e_config
- rok8s-scripts/kubernetes_e2e_tests:
name: e2e test kube 1.18.0
kind_node_image: >-
"kindest/node:v1.18.0@sha256:0e20578828edd939d25eb98496a685c76c98d54084932f76069f886ec315d694"
name: e2e test kube 1.19
kind_node_image: "kindest/node:v1.19.1@sha256:98cf5288864662e37115e362b23e4369c8c4a408f99cbc06e58ac30ddc721600"
<<: *e2e_config
- release:
filters:
Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,4 @@ coverage.txt
cover.html

/rbac-lookup
/e2e/tests/rbac-lookup
3 changes: 2 additions & 1 deletion e2e/test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,9 @@ curl -LO https://github.com/ovh/venom/releases/download/v0.27.0/venom.linux-amd6
mv venom.linux-amd64 /usr/local/bin/venom
chmod +x /usr/local/bin/venom

mv /rbac-lookup/rbac-lookup /rbac-lookup/e2e/tests

cd /rbac-lookup/e2e
mkdir -p /tmp/test-results
venom run tests/* --log debug --output-dir=/tmp/test-results --strict
exit $?

32 changes: 32 additions & 0 deletions e2e/tests/00_assets/0_namespaces.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: one
spec:
finalizers:
- kubernetes
---
apiVersion: v1
kind: Namespace
metadata:
name: two
spec:
finalizers:
- kubernetes
---
apiVersion: v1
kind: Namespace
metadata:
name: three
spec:
finalizers:
- kubernetes
---
apiVersion: v1
kind: Namespace
metadata:
name: circleci
spec:
finalizers:
- kubernetes
12 changes: 12 additions & 0 deletions e2e/tests/00_assets/1_serviceaccounts.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: e2e-test
namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: circleci
namespace: circleci
54 changes: 54 additions & 0 deletions e2e/tests/00_assets/2_bindings.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: e2e-test-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: e2e-test
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: circleci-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: circleci
namespace: circleci
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: circleci-cluster-admin
namespace: one
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: circleci
namespace: circleci
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: circleci-cluster-admin
namespace: two
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: circleci
namespace: circleci
12 changes: 0 additions & 12 deletions e2e/tests/00_assets/clusterrolebinding.yaml

This file was deleted.

5 changes: 0 additions & 5 deletions e2e/tests/00_assets/serviceaccount.yaml

This file was deleted.

10 changes: 9 additions & 1 deletion e2e/tests/00_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,18 @@ testcases:
- script: kubectl apply -f 00_assets/
- name: Rbac Lookup
steps:
- script: /rbac-lookup/rbac-lookup e2e-test
- script: ./rbac-lookup e2e-test
assertions:
- result.code ShouldEqual 0
- result.systemerr ShouldNotEqual "No RBAC Bindings found"
- name: rbac lookup circleci
steps:
- script: ./rbac-lookup circleci -owide
assertions:
- result.code ShouldEqual 0
- result.systemout ShouldContainSubstring "ServiceAccount/circleci:circleci two ClusterRole/cluster-admin RoleBinding/circleci-cluster-admin"
- result.systemout ShouldContainSubstring "ServiceAccount/circleci:circleci cluster-wide ClusterRole/cluster-admin ClusterRoleBinding/circleci-cluster-admin"
- result.systemout ShouldContainSubstring "ServiceAccount/circleci:circleci one ClusterRole/cluster-admin RoleBinding/circleci-cluster-admin"
- name: Cleanup
steps:
- script: kubectl delete -f 00_assets/
Loading

0 comments on commit 030e248

Please sign in to comment.