investigate: test passes even without the proper SA permissions

[MikelAlejoBR]

The "reset namespaces" test passes even though the PR which adds the "member" service account the, in theory, required permission to delete namespaces has not been merged.

The test does not pass when running the tests locally, and in stage and production the feature does not work without that permission.

Jira ticket

[SANDBOX-1067]

Summary by CodeRabbit

• Tests
  • Updated a test to collect additional diagnostic information and to unconditionally fail after existing namespace validation checks, causing the test to stop earlier and surface the gathered diagnostics.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MikelAlejoBR
Once this PR has been reviewed and has the lgtm label, please assign xcoulon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Appends additional test logic to TestResetNamespaces: adds imports, creates a hostAwaitily local, retrieves and logs a ClusterRole for the test member, and then unconditionally fails the test with require.FailNow.

Changes

Cohort / File(s)	Summary
Test file changes test/e2e/namespaces_reset_test.go	Added imports (context, Kubernetes RBAC/types), introduced hostAwaitily local, fetches a ClusterRole object and logs it, then calls require.FailNow unconditionally at the end of the test.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'investigate: test passes even without the proper SA permissions' is directly related to the PR objectives and changes, which involve investigating why a test passes without proper service account permissions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/namespaces_reset_test.go`:
- Around line 115-123: The test contains an investigation block that
unconditionally aborts via require.FailNow (remove the call to require.FailNow)
— instead replace the temporary dump of clusterRole with a concrete RBAC
assertion: fetch the ClusterRole (variable clusterRole via
hostAwaitily.Client.Get with types.NamespacedName{Name:
"toolchaincluster-"+memberAwaitily.Namespace}), then assert that the role grants
namespace delete permission (e.g., check rules in clusterRole.Rules include
verbs ["delete"] for resources ["namespaces"] and appropriate API groups) and
use require.NoError/require.True assertions rather than forcing a failure; keep
the logging line if helpful but do not call require.FailNow.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 93dfdde and c549348.

📒 Files selected for processing (1)

• test/e2e/namespaces_reset_test.go

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Remove unconditional FailNow; this makes the test permanently fail.

Line 123 aborts the test regardless of behavior, so this cannot be merged as-is. Convert this investigation block into a concrete RBAC assertion (delete on namespaces) instead of forced failure.

Proposed change

-	// DELETEME - printing the member service account's cluster role to check
-	// its permissions.
+	// Verify that the member cluster role can delete namespaces.
 	clusterRole := rbacv1.ClusterRole{}
 	err = hostAwaitily.Client.Get(context.TODO(), types.NamespacedName{Name: "toolchaincluster-" + memberAwaitily.Namespace}, &clusterRole)
 	require.NoError(s.T(), err, "unable to obtain the cluster role")
 
-	s.T().Logf("ClusterRole: %+v", clusterRole)
-
-	require.FailNow(s.T(), "the test succeeded but we are failing to gather information")
+	hasDeleteNamespaces := false
+	for _, rule := range clusterRole.Rules {
+		matchesCoreNamespaces := false
+		for _, apiGroup := range rule.APIGroups {
+			if apiGroup == "" || apiGroup == "*" {
+				for _, resource := range rule.Resources {
+					if resource == "namespaces" || resource == "*" {
+						matchesCoreNamespaces = true
+						break
+					}
+				}
+			}
+			if matchesCoreNamespaces {
+				break
+			}
+		}
+		if !matchesCoreNamespaces {
+			continue
+		}
+		for _, verb := range rule.Verbs {
+			if verb == "delete" || verb == "*" {
+				hasDeleteNamespaces = true
+				break
+			}
+		}
+		if hasDeleteNamespaces {
+			break
+		}
+	}
+	require.True(s.T(), hasDeleteNamespaces, "expected ClusterRole %q to allow deleting namespaces", clusterRole.Name)

As per coding guidelines `**`: -Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/namespaces_reset_test.go` around lines 115 - 123, The test contains
an investigation block that unconditionally aborts via require.FailNow (remove
the call to require.FailNow) — instead replace the temporary dump of clusterRole
with a concrete RBAC assertion: fetch the ClusterRole (variable clusterRole via
hostAwaitily.Client.Get with types.NamespacedName{Name:
"toolchaincluster-"+memberAwaitily.Namespace}), then assert that the role grants
namespace delete permission (e.g., check rules in clusterRole.Rules include
verbs ["delete"] for resources ["namespaces"] and appropriate API groups) and
use require.NoError/require.True assertions rather than forcing a failure; keep
the logging line if helpful but do not call require.FailNow.

[MikelAlejoBR]

/retest

[openshift-ci]

@MikelAlejoBR: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e	c549348	link	true	/test e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.