
Commit 1435371

committed
tests: authorization/rbac: Add restricted-v3 scc
We need to include the restricted-v3 SCC in the list of rules for authenticated users, but only if the associated ClusterRoleBinding exists. This is a temporary and conditional fix to make the tests pass for openshift/cluster-kube-apiserver-operator#1944. A subsequent PR will be opened once the PR above is merged.
1 parent 2bc51b3 commit 1435371


1 file changed

+15
-0
lines changed


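--- a/test/extended/authorization/rbac/groups_default_rules.go
+++ b/test/extended/authorization/rbac/groups_default_rules.go
@@ -7,6 +7,7 @@ import (
 
 g "github.com/onsi/ginkgo/v2"
 o "github.com/onsi/gomega"
+apierrors "k8s.io/apimachinery/pkg/api/errors"
 
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
@@ -125,6 +126,8 @@ var (
 rbacv1helpers.NewRule("list", "watch").Groups(projectGroup, legacyProjectGroup).Resources("projects").RuleOrDie(),
 
 rbacv1helpers.NewRule("use").Groups(security.GroupName).Resources("securitycontextconstraints").Names("restricted-v2").RuleOrDie(),
+// TODO: Uncomment this once https://github.com/openshift/cluster-kube-apiserver-operator/pull/1944 is merged.
+// rbacv1helpers.NewRule("use").Groups(security.GroupName).Resources("securitycontextconstraints").Names("restricted-v3").RuleOrDie(),
 
 // TODO: remove when openshift-apiserver has removed these
 rbacv1helpers.NewRule("get").URLs(
@@ -243,6 +246,18 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] The default clust
 exutil.FatalErr("failed to sync RBAC cache")
 }
 
+// Temporary fix for https://github.com/openshift/cluster-kube-apiserver-operator/pull/1944
+// Add a rule for restricted-v3 to the list in case the associated ClusterRoleBinding exists.
+// TODO: Remove the following block once merged.
+if _, err := kubeInformers.Rbac().V1().ClusterRoleBindings().Lister().Get("system:openshift:scc:restricted-v3"); err != nil {
+if !apierrors.IsNotFound(err) {
+e2e.Failf("Failed to get ClusterRoleBindings %q: %v", "system:openshift:scc:restricted-v3", err)
+}
+} else {
+allAuthenticatedRules = append(allAuthenticatedRules,
+rbacv1helpers.NewRule("use").Groups(security.GroupName).Resources("securitycontextconstraints").Names("restricted-v3").RuleOrDie())
+}
+
 namespaces, err := oc.AdminKubeClient().CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
 if err != nil {
 exutil.FatalErr(err)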
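Review bot: The `else` branch of the added block in the third hunk appends to `allAuthenticatedRules`, which appears to be the package-level expectation list from the `var (` block in the second hunk. If so, every execution of this body in the same process adds another restricted-v3 rule, and the shared baseline stays modified for anything else that reads it. Building the expectation on a local copy avoids that, e.g. `expectedRules := append([]rbacv1.PolicyRule{}, allAuthenticatedRules...)` (element type assumed from `RuleOrDie()`), with the conditional rule appended to the copy and the later comparison, which is outside this hunk, switched to it. The lookup also proves only that a ClusterRoleBinding with that name exists. Because this test pins what every authenticated user is allowed to do, checking the binding's `RoleRef` and `Subjects` before widening the expectation would keep an unrelated or altered binding from relaxing the assertion. The enclosing spec body starts and ends outside the hunk.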
