Merge pull request #9351 from zalando-incubator/admission-e2e

Add e2e admission-controller role access tests

Author: katyanna

cluster/cluster.yaml

@@ -273,7 +273,7 @@ Resources:
       AddonName: eks-pod-identity-agent
       ClusterName: !Ref EKSCluster
   {{ if eq .Cluster.Environment "e2e" }}
-  E2EEKSIAMTestRoleUnprivileged:
+  E2EEKSIAMTestRoleReadOnly:
     Properties:
       AssumeRolePolicyDocument:
         Statement:
@@ -285,26 +285,26 @@ Resources:
             AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
         Version: 2012-10-17
       Path: /
-      RoleName: "{{.Cluster.LocalID}}-e2e-eks-iam-test-unprivileged-role"
+      RoleName: "{{.Cluster.LocalID}}-e2e-eks-iam-test-read-only-role"
     Type: 'AWS::IAM::Role'
-  E2EEKSIAMTestAccessEntryUnprivileged:
+  E2EEKSIAMTestAccessEntryReadOnly:
     Type: "AWS::EKS::AccessEntry"
     Properties:
       AccessPolicies:
       - AccessScope:
           Type: "cluster"
         PolicyArn: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
       ClusterName: !Ref EKSCluster
-      PrincipalArn: !GetAtt E2EEKSIAMTestRoleUnprivileged.Arn
+      PrincipalArn: !GetAtt E2EEKSIAMTestRoleReadOnly.Arn
       Username: !Join
           - ''
           - - !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/'
-            - !Ref E2EEKSIAMTestRoleUnprivileged
+            - !Ref E2EEKSIAMTestRoleReadOnly
             - '/{{`{{SessionName}}`}}'
       KubernetesGroups:
       - zalando:readonly
       Type: "STANDARD"
-  E2EEKSIAMTestRolePrivileged:
+  E2EEKSIAMTestRoleAdministrator:
     Properties:
       AssumeRolePolicyDocument:
         Statement:
@@ -316,21 +316,21 @@ Resources:
             AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
         Version: 2012-10-17
       Path: /
-      RoleName: "{{.Cluster.LocalID}}-e2e-eks-iam-test-privileged-role"
+      RoleName: "{{.Cluster.LocalID}}-e2e-eks-iam-test-administrator-role"
     Type: 'AWS::IAM::Role'
-  E2EEKSIAMTestAccessEntryPrivileged:
+  E2EEKSIAMTestAccessEntryAdministrator:
     Type: "AWS::EKS::AccessEntry"
     Properties:
       AccessPolicies:
       - AccessScope:
           Type: "cluster"
         PolicyArn: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
       ClusterName: !Ref EKSCluster
-      PrincipalArn: !GetAtt E2EEKSIAMTestRolePrivileged.Arn
+      PrincipalArn: !GetAtt E2EEKSIAMTestRoleAdministrator.Arn
       Username: !Join
           - ''
           - - !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/'
-            - !Ref E2EEKSIAMTestRolePrivileged
+            - !Ref E2EEKSIAMTestRoleAdministrator
             - '/{{`{{SessionName}}`}}'
       KubernetesGroups:
       - zalando:administrator
@@ -366,6 +366,37 @@ Resources:
       KubernetesGroups:
       - zalando:collaborator
       Type: "STANDARD"
+  E2EEKSIAMTestRoleEngineer:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+        - Action:
+          - 'sts:AssumeRole'
+          - 'sts:SetSourceIdentity'
+          Effect: Allow
+          Principal:
+            AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+        Version: 2012-10-17
+      Path: /
+      RoleName: "{{.Cluster.LocalID}}-e2e-eks-iam-test-engineer-role"
+    Type: 'AWS::IAM::Role'
+  E2EEKSIAMTestAccessEntryEngineer:
+    Type: "AWS::EKS::AccessEntry"
+    Properties:
+      AccessPolicies:
+      - AccessScope:
+          Type: "cluster"
+        PolicyArn: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+      ClusterName: !Ref EKSCluster
+      PrincipalArn: !GetAtt E2EEKSIAMTestRoleEngineer.Arn
+      Username: !Join
+          - ''
+          - - !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/'
+            - !Ref E2EEKSIAMTestRoleEngineer
+            - '/{{`{{SessionName}}`}}'
+      KubernetesGroups:
+      - zalando:engineer
+      Type: "STANDARD"
   E2EEKSIAMTestRolePostgresAdministrator:
     Properties:
       AssumeRolePolicyDocument:

cluster/manifests/02-visibility/01-namespace.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: visibility
+  labels:
+    admission.zalando.org/infrastructure-component: "true" # This label flags the resource as protected

test/e2e/authorization.go

@@ -596,34 +596,41 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 		)
 
 		g.BeforeEach(func() {
-			systemResource = examplePod("kube-system", nil)
-			collaboratorResource = examplePod("visibility", nil)
-			nonSystemResource = examplePod(f.Namespace.Name, nil)
+			var err error
+
+			nonSystemResource, err = createPod(context.Background(), f.ClientSet, f.Namespace.Name, nil)
+			framework.ExpectNoError(err)
+
+			collaboratorResource, err = createPod(context.Background(), f.ClientSet, "visibility", nil)
+			framework.ExpectNoError(err)
+
+			systemResource, err = createPod(context.Background(), f.ClientSet, "kube-system", map[string]string{"admission.zalando.org/infrastructure-component": "true"})
+			framework.ExpectNoError(err)
 		})
 
-		g.Context("as privileged user", func() {
+		g.Context("as admin user", func() {
 			var client *kubernetes.Clientset
 
 			g.BeforeEach(func() {
 				var err error
 
-				client, err = getPrivilegedClient(eksCluster, awsAccountID)
+				client, err = getAdminClient(eksCluster, awsAccountID)
 				framework.ExpectNoError(err)
 			})
 
 			g.It("should allow write access in user namespace", func() {
-				_, err := client.CoreV1().Pods(nonSystemResource.Namespace).Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{"All"}})
-				framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
+				err := client.CoreV1().Pods(nonSystemResource.Namespace).Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
+				framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
 			})
 
 			g.It("should allow write access in collaborator namespace", func() {
-				_, err := client.CoreV1().Pods(collaboratorResource.Namespace).Create(context.Background(), collaboratorResource, metav1.CreateOptions{DryRun: []string{"All"}})
-				framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
+				err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
+				framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
 			})
 
 			g.It("should allow write access in system namespace", func() {
-				_, err := client.CoreV1().Pods(systemResource.Namespace).Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{"All"}})
-				framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", systemResource.Name, systemResource.Namespace)
+				err := client.CoreV1().Pods(systemResource.Namespace).Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
+				framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", systemResource.Name, systemResource.Namespace)
 			})
 		})
 
@@ -638,43 +645,43 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 			})
 
 			g.It("should allow write access in user namespace", func() {
-				_, err := client.CoreV1().Pods(nonSystemResource.Namespace).Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{"All"}})
-				framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
+				err := client.CoreV1().Pods(nonSystemResource.Namespace).Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
+				framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
 			})
 
 			g.It("should allow write access in collaborator namespace", func() {
-				_, err := client.CoreV1().Pods(collaboratorResource.Namespace).Create(context.Background(), collaboratorResource, metav1.CreateOptions{DryRun: []string{"All"}})
-				framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
+				err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
+				framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
 			})
 
 			g.It("should deny write access in system namespace", func() {
-				_, err := client.CoreV1().Pods(systemResource.Namespace).Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{"All"}})
+				err := client.CoreV1().Pods(systemResource.Namespace).Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
 				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 			})
 		})
 
-		g.Context("as unprivileged user", func() {
+		g.Context("as engineer user", func() {
 			var client *kubernetes.Clientset
 
 			g.BeforeEach(func() {
 				var err error
 
-				client, err = getUnprivilegedClient(eksCluster, awsAccountID)
+				client, err = getEngineerClient(eksCluster, awsAccountID)
 				framework.ExpectNoError(err)
 			})
 
 			g.It("should allow write access in user namespace", func() {
-				_, err := client.CoreV1().Pods(nonSystemResource.Namespace).Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{"All"}})
-				framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
+				err := client.CoreV1().Pods(nonSystemResource.Namespace).Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
+				framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
 			})
 
 			g.It("should deny write access in collaborator namespace", func() {
-				_, err := client.CoreV1().Pods(collaboratorResource.Namespace).Create(context.Background(), collaboratorResource, metav1.CreateOptions{DryRun: []string{"All"}})
+				err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
 				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 			})
 
 			g.It("should deny write access in system namespace", func() {
-				_, err := client.CoreV1().Pods(systemResource.Namespace).Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{"All"}})
+				err := client.CoreV1().Pods(systemResource.Namespace).Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
 				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 			})
 		})
@@ -696,13 +703,13 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 			framework.ExpectNoError(err)
 		})
 
-		g.Context("as privileged user", func() {
+		g.Context("as admin user", func() {
 			var client *kubernetes.Clientset
 
 			g.BeforeEach(func() {
 				var err error
 
-				client, err = getPrivilegedClient(eksCluster, awsAccountID)
+				client, err = getAdminClient(eksCluster, awsAccountID)
 				framework.ExpectNoError(err)
 			})
 
@@ -717,13 +724,45 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 			})
 		})
 
-		g.Context("as unprivileged user", func() {
+		g.Context("as collaborator user", func() {
+			var client *kubernetes.Clientset
+
+			g.BeforeEach(func() {
+				var err error
+
+				client, err = getCollaboratorClient(eksCluster, awsAccountID)
+				framework.ExpectNoError(err)
+			})
+
+			g.It("should allow write access for non-system resources", func() {
+				err := client.RbacV1().ClusterRoles().Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
+				framework.ExpectNoError(err, "failed to delete cluster role: %s", nonSystemResource.Name)
+			})
+
+			g.It("should deny write access for system resources", func() {
+				err := client.RbacV1().ClusterRoles().Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
+				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
+			})
+
+			// test specific namespaces
+			g.It("should deny deletion of visibility namespace", func() {
+				err := client.CoreV1().Namespaces().Delete(context.Background(), "visibility", metav1.DeleteOptions{DryRun: []string{"All"}})
+				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
+			})
+
+			g.It("should deny deletion of kube-system namespace", func() {
+				err := client.CoreV1().Namespaces().Delete(context.Background(), "kube-system", metav1.DeleteOptions{DryRun: []string{"All"}})
+				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("this namespace may not be deleted")))
+			})
+		})
+
+		g.Context("as engineer user", func() {
 			var client *kubernetes.Clientset
 
 			g.BeforeEach(func() {
 				var err error
 
-				client, err = getUnprivilegedClient(eksCluster, awsAccountID)
+				client, err = getEngineerClient(eksCluster, awsAccountID)
 				framework.ExpectNoError(err)
 			})
 
@@ -736,6 +775,17 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 				err := client.RbacV1().ClusterRoles().Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
 				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 			})
+
+			// test specific namespaces
+			g.It("should deny deletion of visibility namespace", func() {
+				err := client.CoreV1().Namespaces().Delete(context.Background(), "visibility", metav1.DeleteOptions{DryRun: []string{"All"}})
+				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
+			})
+
+			g.It("should deny deletion of kube-system namespace", func() {
+				err := client.CoreV1().Namespaces().Delete(context.Background(), "kube-system", metav1.DeleteOptions{DryRun: []string{"All"}})
+				gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("this namespace may not be deleted")))
+			})
 		})
 	})
 
@@ -785,13 +835,13 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 			})
 		})
 
-		g.Context("as privileged user", func() {
+		g.Context("as admin user", func() {
 			var client *kubernetes.Clientset
 
 			g.BeforeEach(func() {
 				var err error
 
-				client, err = getPrivilegedClient(eksCluster, awsAccountID)
+				client, err = getAdminClient(eksCluster, awsAccountID)
 				framework.ExpectNoError(err)
 			})
 
@@ -811,13 +861,13 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 			})
 		})
 
-		g.Context("as unprivileged user", func() {
+		g.Context("as read-only user", func() {
 			var client *kubernetes.Clientset
 
 			g.BeforeEach(func() {
 				var err error
 
-				client, err = getUnprivilegedClient(eksCluster, awsAccountID)
+				client, err = getReadOnlyClient(eksCluster, awsAccountID)
 				framework.ExpectNoError(err)
 			})
 
@@ -839,19 +889,24 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 	})
 })
 
-// getPrivilegedClient returns a client with the `zalando:administrator` group.
-func getPrivilegedClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
-	return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-privileged-role", awsAccountID, aws.ToString(cluster.Name)))
+// getAdminClient returns a client with the `zalando:administrator` group.
+func getAdminClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
+	return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-administrator-role", awsAccountID, aws.ToString(cluster.Name)))
 }
 
 // getCollaboratorClient returns a client with the `zalando:collaborator` group.
 func getCollaboratorClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
 	return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-collaborator-role", awsAccountID, aws.ToString(cluster.Name)))
 }
 
-// getUnprivilegedClient returns a client with the `zalando:readonly` group.
-func getUnprivilegedClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
-	return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-unprivileged-role", awsAccountID, aws.ToString(cluster.Name)))
+// getEngineerClient returns a client with the `zalando:engineer` group.
+func getEngineerClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
+	return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-engineer-role", awsAccountID, aws.ToString(cluster.Name)))
+}
+
+// getReadOnlyClient returns a client with the `zalando:readonly` group.
+func getReadOnlyClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
+	return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-read-only-role", awsAccountID, aws.ToString(cluster.Name)))
 }
 
 // getPostgresAdministratorClient returns a client with the `zalando:postgres-admin` group.