Use unprivileged client (bound to the controllers role) when wiring webhooks/controllers in integration tests #2660
Assignees
Labels
Comments
danail-branekov
assigned danail-branekov and georgethebeatle and unassigned danail-branekov
gcapizzi
assigned danail-branekov and kieron-dev and unassigned gcapizzi and georgethebeatle
kieron-dev
pushed a commit
that referenced
this issue
Jul 11, 2023
This also introduces helpers to create and start the manager, and to create other client with different permissions in testEnvs. Issue: #2660 Co-authored-by: Danail Branekov <[email protected]>
kieron-dev
pushed a commit
that referenced
this issue
Jul 11, 2023
This also introduces helpers to create and start the manager, and to create other client with different permissions in testEnvs. Issue: #2660 Co-authored-by: Danail Branekov <[email protected]>
kieron-dev
pushed a commit
that referenced
this issue
Jul 11, 2023
This also introduces helpers to create and start the manager, and to create other client with different permissions in testEnvs. Issue: #2660 Co-authored-by: Danail Branekov <[email protected]>
danail-branekov
added a commit
that referenced
this issue
Jul 12, 2023
This also introduces helpers to create and start the manager, and to create other client with different permissions in testEnvs. Issue: #2660 Co-authored-by: Danail Branekov <[email protected]>
danail-branekov
added a commit
that referenced
this issue
Jul 12, 2023
This also introduces helpers to create and start the manager, and to create other client with different permissions in testEnvs. Issue: #2660 Co-authored-by: Danail Branekov <[email protected]>
danail-branekov
added a commit
that referenced
this issue
Jul 13, 2023
This also introduces helpers to create and start the manager, and to create other client with different permissions in testEnvs. Issue: #2660 Co-authored-by: Danail Branekov <[email protected]>
danail-branekov
added a commit
that referenced
this issue
Jul 13, 2023
This also introduces helpers to create and start the manager, and to create other client with different permissions in testEnvs. Issue: #2660 Co-authored-by: Danail Branekov <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently we are wiring webhooks/controllers in integration tests to use a k8s client created out of the default env test config. That config describes a user that is part of the cluster admin groups, therefore controllers in the env test run as admin user. This is however not the case on productive deployments - there controllers/webhooks are run as part of the controller deployment as the controllers manager service account which is bound to the controller manager role.
This difference hides potential bugs with permissions misconfiguration. In order to address that, we need to wire controllers and webhooks in all integration test suites with clients with controller manager permissions. We have already done that here, we need to spread the pattern in all envtests.
The text was updated successfully, but these errors were encountered: