@@ -244,76 +244,334 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
244244 })
245245
246246 g .Context ("For CollaboratorPowerUser, CollaboratorManual and CollaboratorEmergency groups" , func () {
247+ var tc testCase
248+ g .BeforeEach (func () {
249+ tc .data .groups = [][]string {
250+ {"CollaboratorPowerUser" , "PowerUser" },
251+ {"CollaboratorManual" , "Manual" },
252+ {"CollaboratorEmergency" , "Emergency" },
253+ }
254+ tc .data .users = []string {"test-user" }
255+ })
256+
247257 g .When ("the resource is a Secret" , func () {
248- g .It ("should allow read access to visibility namespace" , func () {})
249- g .It ("should deny read access to kube-system namespace" , func () {})
258+ g .BeforeEach (func () {
259+ tc .data .resources = []string {"secrets" }
260+ tc .data .verbs = []string {"get" , "list" , "watch" }
261+ })
262+
263+ g .It ("should allow read access to visibility namespace" , func () {
264+ tc .data .namespaces = []string {"visibility" }
265+ tc .run (context .TODO (), cs , true )
266+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
267+ })
268+ g .It ("should deny read access to kube-system namespace" , func () {
269+ tc .data .namespaces = []string {"kube-system" }
270+ tc .run (context .TODO (), cs , false )
271+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
272+ })
250273 })
251274
252- g .It ("should deny write access to Nodes" , func () {})
253- g .It ("should allow write access to DaemonSets" , func () {})
254- g .It ("should allow deletion of CRDs" , func () {})
255- g .It ("should deny deletion of kube-system or visibility namespaces" , func () {})
275+ g .It ("should deny write access to Nodes" , func () {
276+ tc .data .resources = []string {"nodes" }
277+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
278+ tc .run (context .TODO (), cs , false )
279+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
280+ })
281+ g .It ("should allow write access to DaemonSets" , func () {
282+ tc .data .resources = []string {"apps/daemonsets" }
283+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
284+ tc .run (context .TODO (), cs , true )
285+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
286+ })
287+ g .It ("should allow deletion of CRDs" , func () {
288+ tc .data .resources = []string {"apiextensions.k8s.io/customresourcedefinitions" }
289+ tc .data .verbs = []string {"delete" }
290+ tc .run (context .TODO (), cs , true )
291+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
292+ })
293+ g .It ("should deny deletion of kube-system or visibility namespaces" , func () {
294+ tc .data .resources = []string {"namespaces" }
295+ tc .data .namespaces = []string {"kube-system" , "visibility" }
296+ tc .data .verbs = []string {"delete" }
297+ tc .run (context .TODO (), cs , false )
298+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
299+ })
256300
257301 g .When ("the resource is a namespaced resource" , func () {
258- g .It ("should deny write access in kube-system namespace" , func () {})
259- g .It ("should allow write access in namespaces other than kube-system" , func () {})
302+ g .BeforeEach (func () {
303+ tc .data .resources = []string {
304+ "pods" ,
305+ "apps/deployments" ,
306+ "apps/statefulsets" ,
307+ "services" ,
308+ "persistentvolumes" ,
309+ "persistentvolumeclaims" ,
310+ "configmaps" ,
311+ }
312+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
313+ })
314+ g .It ("should deny write access in kube-system namespace" , func () {
315+ tc .data .namespaces = []string {"kube-system" }
316+ tc .run (context .TODO (), cs , false )
317+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
318+ })
319+ g .It ("should allow write access in namespaces other than kube-system" , func () {
320+ tc .data .namespaces = []string {"" , "teapot" }
321+ tc .run (context .TODO (), cs , true )
322+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
323+ })
260324 })
261325
262326 g .When ("the resource is a global resource" , func () {
263- g .It ("should deny access to Nodes" , func () {})
264- g .It ("should allow access to resources other than Nodes" , func () {})
327+ g .BeforeEach (func () {
328+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
329+ })
330+ g .It ("should deny access to Nodes" , func () {
331+ tc .data .resources = []string {"nodes" }
332+ tc .run (context .TODO (), cs , false )
333+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
334+ })
335+ g .It ("should allow access to resources other than Nodes" , func () {
336+ tc .data .resources = []string {
337+ "namespaces" ,
338+ "storage.k8s.io/storageclasses" ,
339+ "apiextensions.k8s.io/customresourcedefinitions" ,
340+ }
341+ tc .run (context .TODO (), cs , true )
342+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
343+ })
265344 })
266345 })
267346
268347 g .Context ("For system users" , func () {
348+ var tc testCase
349+
269350 g .When ("the user is kubelet" , func () {
270- g .It ("should allow to get Pods" , func () {})
351+ g .BeforeEach (func () {
352+ tc .data .groups = [][]string {{"system:masters" }}
353+ tc .data .users = []string {"kubelet" }
354+ })
355+ g .It ("should allow to get Pods" , func () {
356+ tc .data .resources = []string {"pods" }
357+ tc .data .verbs = []string {"get" }
358+ tc .data .namespaces = []string {"teapot" }
359+ tc .run (context .TODO (), cs , true )
360+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
361+ })
271362 })
272363
273364 g .When ("the service account is daemonset-controller" , func () {
274- g .It ("should allow to update DaemonSet status subresource" , func () {})
275- g .It ("should allow to update DaemonSet finalizers" , func () {})
276- g .It ("should allow to create Pods" , func () {})
365+ g .BeforeEach (func () {
366+ tc .data .users = []string {"system:serviceaccount:kube-system:daemon-set-controller" }
367+ tc .data .groups = [][]string {{"system:serviceaccounts:kube-system" }}
368+ })
369+ g .It ("should allow to update DaemonSet status subresource" , func () {
370+ tc .data .resources = []string {"apps/daemonsets/status" }
371+ tc .data .verbs = []string {"update" }
372+ tc .run (context .TODO (), cs , true )
373+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
374+ })
375+ g .It ("should allow to update DaemonSet finalizers" , func () {
376+ tc .data .resources = []string {"apps/daemonsets/finalizers" }
377+ tc .data .verbs = []string {"update" }
378+ tc .run (context .TODO (), cs , true )
379+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
380+ })
381+ // TODO: Need to verify in the original tests if this is a permission on
382+ // the controller-manager or the daemonset-controller.
383+ // g.It("should allow to create Pods", func() {})
384+ })
385+
386+ g .When ("the default service account is in default namespace" , func () {
387+ g .BeforeEach (func () {
388+ tc .data .users = []string {"system:serviceaccount:default:default" }
389+ })
390+ g .It ("should deny to list StatefulSets" , func () {
391+ tc .data .resources = []string {"apps/statefulsets" }
392+ tc .data .verbs = []string {"list" }
393+ tc .run (context .TODO (), cs , false )
394+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
395+ })
277396 })
278397
279- g .When ("the service account is default" , func () {
280- g .It ("should deny to list StatefulSets when in default namespace" , func () {})
281- g .It ("should deny to list StatefulSets when in non-default namespace" , func () {})
398+ g .When ("the default service account is in non-default namespace" , func () {
399+ g .BeforeEach (func () {
400+ tc .data .users = []string {"system:serviceaccount:non-default:default" }
401+ })
402+ g .It ("should deny to list StatefulSets" , func () {
403+ tc .data .resources = []string {"apps/statefulsets" }
404+ tc .data .verbs = []string {"list" }
405+ tc .run (context .TODO (), cs , false )
406+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
407+ })
282408 })
283409
284410 g .When ("the service account is persistent-volume-binder" , func () {
285- g .It ("should allow to update PersistentVolumeClaims" , func () {})
286- g .It ("should allow to create PersistentVolumes" , func () {})
411+ g .BeforeEach (func () {
412+ tc .data .users = []string {"system:serviceaccount:kube-system:persistent-volume-binder" }
413+ tc .data .groups = [][]string {{"system:serviceaccounts:kube-system" }}
414+ tc .data .namespaces = []string {"kube-system" }
415+ })
416+ g .It ("should allow to update PersistentVolumeClaims" , func () {
417+ tc .data .resources = []string {"persistentvolumeclaims" }
418+ tc .data .verbs = []string {"update" }
419+ tc .run (context .TODO (), cs , true )
420+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
421+ })
422+ g .It ("should allow to create PersistentVolumes" , func () {
423+ tc .data .resources = []string {"persistentvolumes" }
424+ tc .data .verbs = []string {"create" }
425+ tc .run (context .TODO (), cs , true )
426+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
427+ })
287428
288429 })
289430
290431 g .When ("the service account is aws-cloud-provider" , func () {
291- g .It ("should allow to patch Nodes" , func () {})
432+ g .BeforeEach (func () {
433+ tc .data .users = []string {"system:serviceaccount:kube-system:aws-cloud-provider" }
434+ tc .data .groups = [][]string {{"system:serviceaccounts:kube-system" }}
435+ })
436+ g .It ("should allow to patch Nodes" , func () {
437+ tc .data .resources = []string {"nodes" }
438+ tc .data .verbs = []string {"patch" }
439+ tc .run (context .TODO (), cs , true )
440+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
441+ })
292442 })
293443
294444 g .When ("the service account is api-monitoring-controller" , func () {
295- g .It ("should allow to update the skipper-default-filters ConfigMap in kube-system namespace" , func () {})
296- g .It ("should deny to update ConfigMaps other than skipper-default-filters" , func () {})
445+ g .BeforeEach (func () {
446+ tc .data .users = []string {"system:serviceaccount:api-infrastructure:api-monitoring-controller" }
447+ })
448+ g .When ("the namespace is kube-system" , func () {
449+ g .BeforeEach (func () {
450+ tc .data .namespaces = []string {"kube-system" }
451+ })
452+ g .It ("should allow to update 'skipper-default-filters' ConfigMap" , func () {
453+ tc .data .resources = []string {"configmaps" }
454+ tc .data .verbs = []string {"update" }
455+ tc .data .names = []string {"skipper-default-filters" }
456+ tc .run (context .TODO (), cs , true )
457+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
458+ })
459+ g .It ("should deny to update any other ConfigMap" , func () {
460+ tc .data .resources = []string {"configmaps" }
461+ tc .data .verbs = []string {"update" }
462+ // Technically, this should result in access undecided because we allow
463+ // access to 'skipper-default-filters' ConfigMap only and we haven't
464+ // specified a resource name in the test case.
465+ // We consider access undecided cases also as denied.
466+ tc .run (context .TODO (), cs , false )
467+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
468+ })
469+ })
297470 })
298471
299472 g .When ("the user is k8sapi_credentials-provider" , func () {
300- g .It ("should allow to get Secrets in kube-system namespace" , func () {})
473+ g .BeforeEach (func () {
474+ tc .data .users = []string {"zalando-iam:zalando:service:k8sapi_credentials-provider" }
475+ })
476+ g .It ("should allow to get Secrets in kube-system namespace" , func () {
477+ tc .data .resources = []string {"secrets" }
478+ tc .data .namespaces = []string {"kube-system" }
479+ tc .data .verbs = []string {"get" }
480+ tc .run (context .TODO (), cs , true )
481+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
482+ })
301483 })
302484
303485 g .When ("the user is stups_cdp-controller" , func () {
304- g .It ("should deny access to Secrets in kube-system namespace" , func () {})
486+ g .BeforeEach (func () {
487+ tc .data .users = []string {"zalando-iam:zalando:service:stups_cdp-controller" }
488+ })
489+ g .When ("the namespace is kube-system" , func () {
490+ g .BeforeEach (func () {
491+ tc .data .namespaces = []string {"kube-system" }
492+ })
493+ g .It ("should deny to get Secrets" , func () {
494+ tc .data .resources = []string {"secrets" }
495+ tc .data .verbs = []string {"get" }
496+ tc .run (context .TODO (), cs , false )
497+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
498+ })
499+ })
305500 })
306501
307502 })
308503
309504 g .Context ("For administrators" , func () {
310- g .It ("should allow read access to resources other than Secrets in kube-system namespace" , func () {})
311- g .It ("should allow write access to resources other than Secrets in kube-system namespace" , func () {})
312- g .It ("should allow read access to Secrets in kube-system namespace" , func () {})
313- g .It ("should allow read access to Secrets in namespaces other than kube-system" , func () {})
314- g .It ("should allow write access to namespaces other than kube-system" , func () {})
315- g .It ("should allow to proxy" , func () {})
316- g .It ("should allow write access to DaemonSets" , func () {})
317- })
505+ var tc testCase
506+ g .BeforeEach (func () {
507+ tc .data .groups = [][]string {{"system:masters" }}
508+ tc .data .users = []string {"nmalik" }
509+ })
510+
511+ g .When ("namespace is kube-system" , func () {
512+ g .BeforeEach (func () {
513+ tc .data .namespaces = []string {"kube-system" }
514+ })
515+ g .When ("the resource is a Secret" , func () {
516+ g .BeforeEach (func () {
517+ tc .data .resources = []string {"secrets" }
518+ })
519+ g .It ("should allow read access" , func () {
520+ tc .data .verbs = []string {"get" , "list" , "watch" }
521+ tc .run (context .TODO (), cs , true )
522+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
523+ })
524+ })
525+
526+ g .When ("the resource is not a Secret" , func () {
527+ g .BeforeEach (func () {
528+ tc .data .resources = []string {"pods" }
529+ })
530+ g .It ("should allow read access" , func () {
531+ tc .data .verbs = []string {"get" , "list" , "watch" }
532+ tc .run (context .TODO (), cs , true )
533+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
534+ })
535+ g .It ("should allow write access" , func () {
536+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
537+ tc .run (context .TODO (), cs , true )
538+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
539+ })
540+ })
318541
542+ })
543+
544+ g .When ("namespace is not kube-system" , func () {
545+ g .BeforeEach (func () {
546+ tc .data .namespaces = []string {"teapot" }
547+ })
548+
549+ g .It ("should allow to proxy" , func () {
550+ tc .data .verbs = []string {"proxy" }
551+ tc .run (context .TODO (), cs , true )
552+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
553+ })
554+
555+ g .When ("the resource is a Secret" , func () {
556+ g .BeforeEach (func () {
557+ tc .data .resources = []string {"secrets" }
558+ })
559+ g .It ("should allow read access" , func () {
560+ tc .data .verbs = []string {"get" , "list" , "watch" }
561+ tc .run (context .TODO (), cs , true )
562+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
563+ })
564+ })
565+ g .When ("the resource is not a Secret" , func () {
566+ g .BeforeEach (func () {
567+ tc .data .resources = []string {"pods, apps/daemonsets" }
568+ })
569+ g .It ("should allow write access" , func () {
570+ tc .data .verbs = []string {"create" , "update" , "delete" , "patch" }
571+ tc .run (context .TODO (), cs , true )
572+ gomega .Expect (tc .output .passed ).To (gomega .BeTrue (), tc .output .String ())
573+ })
574+ })
575+ })
576+ })
319577})
0 commit comments