@@ -11,17 +11,17 @@ import (
1111
1212var (
1313 allGroups = [][]string {
14- [] string {"FooBar" },
15- [] string {"ReadOnly" },
16- [] string {"PowerUser" },
17- [] string {"Emergency" },
18- [] string {"Manual" },
19- [] string {"system:serviceaccounts:kube-system" },
20- [] string {"CollaboratorEmergency" },
21- [] string {"CollaboratorManual" },
22- [] string {"Collaborator24x7" },
23- [] string {"CollaboratorPowerUser" },
24- [] string {"Administrator" },
14+ {"FooBar" },
15+ {"ReadOnly" },
16+ {"PowerUser" },
17+ {"Emergency" },
18+ {"Manual" },
19+ {"system:serviceaccounts:kube-system" },
20+ {"CollaboratorEmergency" },
21+ {"CollaboratorManual" },
22+ {"Collaborator24x7" },
23+ {"CollaboratorPowerUser" },
24+ {"Administrator" },
2525 }
2626)
2727
@@ -141,7 +141,6 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
141141 "nodes" ,
142142 "rbac.authorization.k8s.io/clusterroles" ,
143143 "storage.k8s.io/storageclasses" ,
144- "policy/podsecuritypolicies" ,
145144 "apiextensions.k8s.io/customresourcedefinitions" ,
146145 }
147146 g .It ("should allow read access" , func () {
@@ -162,20 +161,109 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
162161 })
163162
164163 g .Context ("For PowerUser, Manual and Emergency groups" , func () {
164+ var tc testCase
165+ g .BeforeEach (func () {
166+ tc .data .groups = [][]string {
167+ {"PowerUser" },
168+ {"Manual" },
169+ {"Emergency" },
170+ }
171+ tc .data .users = []string {"test-user" }
172+ })
165173
166- g .It ("should deny read access to Secrets in kube-system and visibility namespaces" , func () {})
167- g .It ("should deny write access to Nodes" , func () {})
168- g .It ("should deny write access to DaemonSets" , func () {})
169- g .It ("should deny deleting CRDs" , func () {})
170- g .It ("should deny deleting kube-system or visibility namespaces" , func () {})
174+ g .It ("should deny read access to Secrets in kube-system and visibility namespaces" , func () {
175+ tc .data .resources = []string {"secrets" }
176+ tc .data .namespaces = []string {"kube-system" , "visibility" }
177+ tc .data .verbs = []string {"get" , "list" , "watch" }
178+ tc .run (context .TODO (), cs )
179+ output := tc .output
180+ gomega .Expect (output .denied ).To (gomega .BeTrue ())
181+ })
182+
183+ g .It ("should deny write access to Nodes" , func () {
184+ tc .data .resources = []string {"nodes" }
185+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
186+ tc .run (context .TODO (), cs )
187+ output := tc .output
188+ gomega .Expect (output .denied ).To (gomega .BeTrue ())
189+ })
190+
191+ g .It ("should deny write access to DaemonSets" , func () {
192+ tc .data .resources = []string {"apps/daemonsets" }
193+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
194+ tc .run (context .TODO (), cs )
195+ output := tc .output
196+ gomega .Expect (output .denied ).To (gomega .BeTrue ())
197+ })
198+
199+ // TODO: Double check if the original test case is correct
200+ g .It ("should allow deleting CRDs" , func () {
201+ tc .data .resources = []string {"apiextensions.k8s.io/customresourcedefinitions" }
202+ tc .data .verbs = []string {"delete" }
203+ tc .run (context .TODO (), cs )
204+ output := tc .output
205+ gomega .Expect (output .allowed ).To (gomega .BeTrue ())
206+ })
207+
208+ g .It ("should deny deleting kube-system or visibility namespaces" , func () {
209+ tc .data .resources = []string {"namespaces" }
210+ tc .data .namespaces = []string {"kube-system" , "visibility" }
211+ tc .data .verbs = []string {"delete" }
212+ tc .run (context .TODO (), cs )
213+ output := tc .output
214+ gomega .Expect (output .denied ).To (gomega .BeTrue ())
215+ })
171216
172217 g .When ("the resource is a namespaced resource" , func () {
173- g .It ("should deny write access in kube-system and visibility namespaces" , func () {})
174- g .It ("should allow write access in namespaces other than kube-system and visibility" , func () {})
218+ g .BeforeEach (func () {
219+ tc .data .resources = []string {
220+ "pods" ,
221+ "apps/deployments" ,
222+ "apps/statefulsets" ,
223+ "apps/deployments/scale" ,
224+ "apps/statefulsets/scale" ,
225+ "services" ,
226+ "persistentvolumes" ,
227+ "persistentvolumeclaims" ,
228+ "configmaps" ,
229+ }
230+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
231+ })
232+ g .It ("should deny write access in kube-system and visibility namespaces" , func () {
233+ tc .data .namespaces = []string {"kube-system" , "visibility" }
234+ tc .run (context .TODO (), cs )
235+ output := tc .output
236+ gomega .Expect (output .denied ).To (gomega .BeTrue ())
237+ })
238+ g .It ("should allow write access in namespaces other than kube-system and visibility" , func () {
239+ tc .data .namespaces = []string {"" , "teapot" }
240+ tc .run (context .TODO (), cs )
241+ output := tc .output
242+ gomega .Expect (output .allowed ).To (gomega .BeTrue (),
243+ "Reason: %v" , output .reason )
244+ })
175245 })
176246 g .When ("the resource is a global resource" , func () {
177- g .It ("should deny access to Nodes" , func () {})
178- g .It ("should allow access to resources other than Nodes" , func () {})
247+ g .BeforeEach (func () {
248+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
249+ })
250+ g .It ("should deny write access to Nodes" , func () {
251+ tc .data .resources = []string {"nodes" }
252+ tc .run (context .TODO (), cs )
253+ output := tc .output
254+ gomega .Expect (output .denied ).To (gomega .BeTrue ())
255+ })
256+ g .It ("should allow write access to resources other than Nodes" , func () {
257+ tc .data .resources = []string {
258+ "namespaces" ,
259+ "storage.k8s.io/storageclasses" ,
260+ "apiextensions.k8s.io/customresourcedefinitions" ,
261+ }
262+ tc .run (context .TODO (), cs )
263+ output := tc .output
264+ gomega .Expect (output .allowed ).To (gomega .BeTrue (),
265+ "Reason: %v" , output .reason )
266+ })
179267 })
180268 })
181269
0 commit comments