Add acceptance tests for k8s permissions (#834)

2025-09-08 22:10:50 +00:00 · 2022-03-01 12:22:34 +02:00
parent 1597321e24
commit c5471c501b
12 changed files with 235 additions and 22 deletions
--- a/cli/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml
+++ b/cli/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml
@@ -17,7 +17,7 @@ metadata:
  name: mizu-runner-debug-clusterrolebindings
 subjects:
 - kind: User
-  name: user1
+  name: user-with-clusterwide-access
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
--- a/cli/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml
+++ b/cli/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml
@@ -29,7 +29,7 @@ metadata:
  name: mizu-resolver-clusterrolebindings
 subjects:
 - kind: User
-  name: user1
+  name: user-with-clusterwide-access
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
--- a/cli/cmd/permissionFiles/permissions-all-namespaces-tap.yaml
+++ b/cli/cmd/permissionFiles/permissions-all-namespaces-tap.yaml
@@ -22,6 +22,9 @@ rules:
 - apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -29,7 +32,7 @@ metadata:
  name: mizu-runner-clusterrolebindings
 subjects:
 - kind: User
-  name: user1
+  name: user-with-clusterwide-access
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
--- a/cli/cmd/permissionFiles/permissions-ns-debug-optional.yaml
+++ b/cli/cmd/permissionFiles/permissions-ns-debug-optional.yaml
@@ -3,7 +3,6 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-debug-role
-  namespace: user1
 rules:
 - apiGroups: ["events.k8s.io"]
  resources: ["events"]
@@ -16,10 +15,9 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-debug-rolebindings
-  namespace: user1
 subjects:
 - kind: User
-  name: user1
+  name: user-with-restricted-access
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
--- a/cli/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
+++ b/cli/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
@@ -3,7 +3,6 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-resolver-role
-  namespace: user1
 rules:
 - apiGroups: [""]
  resources: ["serviceaccounts"]
@@ -28,10 +27,9 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-resolver-rolebindings
-  namespace: user1
 subjects:
 - kind: User
-  name: user1
+  name: user-with-restricted-access
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
--- a/cli/cmd/permissionFiles/permissions-ns-tap.yaml
+++ b/cli/cmd/permissionFiles/permissions-ns-tap.yaml
@@ -3,7 +3,6 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-role
-  namespace: user1
 rules:
 - apiGroups: [""]
  resources: ["pods"]
@@ -20,15 +19,17 @@ rules:
 - apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "delete"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-rolebindings
-  namespace: user1
 subjects:
 - kind: User
-  name: user1
+  name: user-with-restricted-access
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role