re-introduce write protection test cases and add skip rules for them

demonCoder95 · demonCoder95 · commit 6f7f8c96c5ef · 2024-11-22T19:18:18.000+01:00
diff --git a/test/e2e/authorization.go b/test/e2e/authorization.go
@@ -207,10 +207,18 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
 				tc.data.resources = namespacedResources
 				tc.data.verbs = writeOperations
 			})
-			// These should be covered by the admission-controller tests.
-			// They're written here for completeness.
-			g.It("should deny write access in kube-system and visibility namespaces", func() {})
-			g.It("should allow write access in namespaces other than kube-system and visibility", func() {})
+			// These should be covered by the admission-controller tests. They will
+			// be skipped here. Later when we cover everything with RBAC, we can run them again.
+			g.It("should deny write access in kube-system and visibility namespaces", func() {
+				tc.data.namespaces = []string{"kube-system", "visibility"}
+				tc.run(context.TODO(), cs, false)
+				gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+			})
+			g.It("should allow write access in namespaces other than kube-system and visibility", func() {
+				tc.data.namespaces = []string{"", "teapot"}
+				tc.run(context.TODO(), cs, true)
+				gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+			})
 		})
 		g.When("the resource is a global resource", func() {
 			g.BeforeEach(func() {
@@ -279,6 +287,8 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
 			tc.run(context.TODO(), cs, true)
 			gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
 		})
+		// This should be covered by the admission-controller tests. It will
+		// be skipped here. Later when we cover everything with RBAC, we can run it again.
 		g.It("should deny deletion of kube-system or visibility namespaces", func() {
 			tc.data.resources = []string{"namespaces"}
 			tc.data.names = []string{"kube-system", "visibility"}
@@ -292,9 +302,13 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
 				tc.data.resources = namespacedResources
 				tc.data.verbs = writeOperations
 			})
-			// This should be covered by the admission-controller tests.
-			// It's written here for completeness.
-			g.It("should deny write access in kube-system namespace", func() {})
+			// This should be covered by the admission-controller tests. It will
+			// be skipped here. Later when we cover everything with RBAC, we can run it again.
+			g.It("should deny write access in kube-system namespace", func() {
+				tc.data.namespaces = []string{"kube-system"}
+				tc.run(context.TODO(), cs, false)
+				gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+			})
 			g.It("should allow write access in namespaces other than kube-system", func() {
 				tc.data.namespaces = []string{"", "teapot"}
 				tc.run(context.TODO(), cs, true)
diff --git a/test/e2e/run_e2e.sh b/test/e2e/run_e2e.sh
@@ -185,6 +185,7 @@ if [ "$e2e" = true ]; then
     ginkgo -procs=25 -flake-attempts=2 \
         -focus="(\[Conformance\]|\[StatefulSetBasic\]|\[Feature:StatefulSet\]\s\[Slow\].*mysql|\[Zalando\])" \
         -skip="(\[Serial\]|validates.that.there.is.no.conflict.between.pods.with.same.hostPort.but.different.hostIP.and.protocol|Should.create.gradual.traffic.routes)" \
+        -skip="should.deny.write.access.in.kube-system.and.visibility.namespaces|should.allow.write.access.in.namespaces.other.than.kube-system.and.visibility|should.deny.write.access.in.kube-system.namespace|should.deny.deletion.of.kube-system.or.visibility.namespaces" \
         "e2e.test" -- \
         -delete-namespace-on-failure=false \
         -non-blocking-taints=node.kubernetes.io/role,nvidia.com/gpu,dedicated \
