
Commit ab48cb4

committed
cleanup test cases and naming
- Rename privileged to admin - Rename unprivileged to read-only, keeping closer correlation with the Okta groups. Stick with `delete` as the write action exercised, so we cover the destructive access similarly to the other tests. Signed-off-by: Katyanna Moura <[email protected]>
1 parent c88c4ad commit ab48cb4


2 files changed

+81
-74
lines changed


cluster/manifests/02-visibility/01-namespace.yaml

Lines changed: 1 addition & 1 deletion
@@ -3,4 +3,4 @@ kind: Namespace
33
metadata:
44
name: visibility
55
labels:
6-
admission.zalando.org/infrastructure-component: "true"
6+
admission.zalando.org/infrastructure-component: "true" # This label flags the resource as protected

test/e2e/authorization.go

Lines changed: 80 additions & 73 deletions
@@ -596,35 +596,41 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
596596
)
597597

598598
g.BeforeEach(func() {
599-
systemResource = examplePod("kube-system", nil)
600-
collaboratorResource = examplePod("visibility", nil)
601-
nonSystemResource = examplePod(f.Namespace.Name, nil)
599+
var err error
600+
601+
nonSystemResource, err = createPod(context.Background(), f.ClientSet, f.Namespace.Name, nil)
602+
framework.ExpectNoError(err)
603+
604+
collaboratorResource, err = createPod(context.Background(), f.ClientSet, "visibility", nil)
605+
framework.ExpectNoError(err)
606+
607+
systemResource, err = createPod(context.Background(), f.ClientSet, "kube-system", map[string]string{"admission.zalando.org/infrastructure-component": "true"})
608+
framework.ExpectNoError(err)
602609
})
603610

604-
// TODO: see remarks below about privileged acceess / engineer role. Let's rename this to "admin" access to avoid any confusion.
605-
g.Context("as privileged user", func() {
611+
g.Context("as admin user", func() {
606612
var client *kubernetes.Clientset
607613

608614
g.BeforeEach(func() {
609615
var err error
610616

611-
client, err = getPrivilegedClient(eksCluster, awsAccountID)
617+
client, err = getAdminClient(eksCluster, awsAccountID)
612618
framework.ExpectNoError(err)
613619
})
614620

615621
g.It("should allow write access in user namespace", func() {
616-
_, err := client.CoreV1().Pods(nonSystemResource.Namespace).Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{"All"}})
617-
framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
622+
err := client.CoreV1().Pods(nonSystemResource.Namespace).Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
623+
framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
618624
})
619625

620626
g.It("should allow write access in collaborator namespace", func() {
621-
_, err := client.CoreV1().Pods(collaboratorResource.Namespace).Create(context.Background(), collaboratorResource, metav1.CreateOptions{DryRun: []string{"All"}})
622-
framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
627+
err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
628+
framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
623629
})
624630

625631
g.It("should allow write access in system namespace", func() {
626-
_, err := client.CoreV1().Pods(systemResource.Namespace).Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{"All"}})
627-
framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", systemResource.Name, systemResource.Namespace)
632+
err := client.CoreV1().Pods(systemResource.Namespace).Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
633+
framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", systemResource.Name, systemResource.Namespace)
628634
})
629635
})
630636

@@ -639,42 +645,21 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
639645
})
640646

641647
g.It("should allow write access in user namespace", func() {
642-
_, err := client.CoreV1().Pods(nonSystemResource.Namespace).Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{"All"}})
643-
framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
648+
err := client.CoreV1().Pods(nonSystemResource.Namespace).Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
649+
framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
644650
})
645651

646-
// Not needed actually
647-
// // TODO: need to create resource before deleting it
648-
// g.It("should deny delete access in collaborator namespace", func() {
649-
// err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
650-
// gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("delete operations are forbidden")))
651-
// })
652-
653-
// Should allow visibility ns deletion?
654-
// g.It("should allow delete access in collaborator namespace", func() {
655-
// err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
656-
// framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
657-
// })
658-
659652
g.It("should allow write access in collaborator namespace", func() {
660-
_, err := client.CoreV1().Pods(collaboratorResource.Namespace).Create(context.Background(), collaboratorResource, metav1.CreateOptions{DryRun: []string{"All"}})
661-
framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
653+
err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
654+
framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", collaboratorResource.Name, collaboratorResource.Namespace)
662655
})
663656

664657
g.It("should deny write access in system namespace", func() {
665-
_, err := client.CoreV1().Pods(systemResource.Namespace).Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{"All"}})
658+
err := client.CoreV1().Pods(systemResource.Namespace).Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
666659
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
667660
})
668-
669-
// Not needed actually
670-
// // TODO: need to create resource before deleting it
671-
// g.It("should deny delete access in system namespace", func() {
672-
// err := client.CoreV1().Pods(systemResource.Namespace).Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
673-
// gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("delete operations are forbidden")))
674-
// })
675661
})
676662

677-
// TODO: this is for manual/ememergency access (to be consistent let's rename it to "privleged" because this si now called "privielegd access" by the IAM team)
678663
g.Context("as engineer user", func() {
679664
var client *kubernetes.Clientset
680665

@@ -685,46 +670,44 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
685670
framework.ExpectNoError(err)
686671
})
687672

688-
// these tests are similar to the ones for unprivileged (let's think about that) (also see remarks of the first test in the block below)
689673
g.It("should allow write access in user namespace", func() {
690-
_, err := client.CoreV1().Pods(nonSystemResource.Namespace).Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{"All"}})
691-
framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
674+
err := client.CoreV1().Pods(nonSystemResource.Namespace).Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
675+
framework.ExpectNoError(err, "failed to delete pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
692676
})
693677

694678
g.It("should deny write access in collaborator namespace", func() {
695-
_, err := client.CoreV1().Pods(collaboratorResource.Namespace).Create(context.Background(), collaboratorResource, metav1.CreateOptions{DryRun: []string{"All"}})
679+
err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
696680
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
697681
})
698682

699683
g.It("should deny write access in system namespace", func() {
700-
_, err := client.CoreV1().Pods(systemResource.Namespace).Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{"All"}})
684+
err := client.CoreV1().Pods(systemResource.Namespace).Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
701685
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
702686
})
703687
})
704688

705-
g.Context("as unprivileged user", func() {
689+
g.Context("as read-only user", func() {
706690
var client *kubernetes.Clientset
707691

708692
g.BeforeEach(func() {
709693
var err error
710694

711-
client, err = getUnprivilegedClient(eksCluster, awsAccountID)
695+
client, err = getReadOnlyClient(eksCluster, awsAccountID)
712696
framework.ExpectNoError(err)
713697
})
714698

715-
// TODO: is that correct?? We use "readonly" as the role in the test case, why should this be able to delete something?
716-
g.It("should allow write access in user namespace", func() {
717-
_, err := client.CoreV1().Pods(nonSystemResource.Namespace).Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{"All"}})
718-
framework.ExpectNoError(err, "failed to create pod: %s in namespace: %s", nonSystemResource.Name, nonSystemResource.Namespace)
699+
g.It("should deny write access in user namespace", func() {
700+
err := client.CoreV1().Pods(nonSystemResource.Namespace).Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
701+
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
719702
})
720703

721704
g.It("should deny write access in collaborator namespace", func() {
722-
_, err := client.CoreV1().Pods(collaboratorResource.Namespace).Create(context.Background(), collaboratorResource, metav1.CreateOptions{DryRun: []string{"All"}})
705+
err := client.CoreV1().Pods(collaboratorResource.Namespace).Delete(context.Background(), collaboratorResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
723706
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
724707
})
725708

726709
g.It("should deny write access in system namespace", func() {
727-
_, err := client.CoreV1().Pods(systemResource.Namespace).Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{"All"}})
710+
err := client.CoreV1().Pods(systemResource.Namespace).Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
728711
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
729712
})
730713
})
@@ -746,13 +729,13 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
746729
framework.ExpectNoError(err)
747730
})
748731

749-
g.Context("as privileged user", func() {
732+
g.Context("as admin user", func() {
750733
var client *kubernetes.Clientset
751734

752735
g.BeforeEach(func() {
753736
var err error
754737

755-
client, err = getPrivilegedClient(eksCluster, awsAccountID)
738+
client, err = getAdminClient(eksCluster, awsAccountID)
756739
framework.ExpectNoError(err)
757740
})
758741

@@ -761,6 +744,11 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
761744
framework.ExpectNoError(err, "failed to delete cluster role: %s", nonSystemResource.Name)
762745
})
763746

747+
g.It("should allow write access for collaborator resources", func() {
748+
err := client.RbacV1().ClusterRoles().Delete(context.Background(), "visibility", metav1.DeleteOptions{DryRun: []string{"All"}})
749+
framework.ExpectNoError(err, "failed to delete cluster role: %s", "visibility")
750+
})
751+
764752
g.It("should allow write access for system resources", func() {
765753
err := client.RbacV1().ClusterRoles().Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
766754
framework.ExpectNoError(err, "failed to delete cluster role: %s", systemResource.Name)
@@ -782,22 +770,31 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
782770
framework.ExpectNoError(err, "failed to delete cluster role: %s", nonSystemResource.Name)
783771
})
784772

773+
g.It("should allow write access for collaborator resources", func() {
774+
err := client.RbacV1().ClusterRoles().Delete(context.Background(), "visibility", metav1.DeleteOptions{DryRun: []string{"All"}})
775+
framework.ExpectNoError(err, "failed to delete cluster role: %s", "visibility")
776+
})
777+
785778
g.It("should deny write access for system resources", func() {
786779
err := client.RbacV1().ClusterRoles().Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
787780
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
788781
})
789782

790783
// test specific namespaces
791-
792-
g.It("should deny deletion of kube-system namespace", func() {
793-
err := client.CoreV1().Namespaces().Delete(context.Background(), "kube-system", metav1.DeleteOptions{DryRun: []string{"All"}})
794-
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("this namespace may not be deleted")))
784+
g.It("should allow deletion of non-system namespace", func() {
785+
err := client.CoreV1().Namespaces().Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
786+
framework.ExpectNoError(err, "failed to delete namespace: %s", nonSystemResource.Name)
795787
})
796788

797789
g.It("should deny deletion of visibility namespace", func() {
798790
err := client.CoreV1().Namespaces().Delete(context.Background(), "visibility", metav1.DeleteOptions{DryRun: []string{"All"}})
799791
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
800792
})
793+
794+
g.It("should deny deletion of kube-system namespace", func() {
795+
err := client.CoreV1().Namespaces().Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
796+
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("this namespace may not be deleted")))
797+
})
801798
})
802799

803800
g.Context("as engineer user", func() {
@@ -815,39 +812,49 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
815812
framework.ExpectNoError(err, "failed to delete cluster role: %s", nonSystemResource.Name)
816813
})
817814

815+
g.It("should deny write access for collaborator resources", func() {
816+
err := client.RbacV1().ClusterRoles().Delete(context.Background(), "visibility", metav1.DeleteOptions{DryRun: []string{"All"}})
817+
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
818+
})
819+
818820
g.It("should deny write access for system resources", func() {
819821
err := client.RbacV1().ClusterRoles().Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
820822
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
821823
})
822824

823825
// test specific namespaces
824-
825-
g.It("should deny deletion of kube-system namespace", func() {
826-
err := client.CoreV1().Namespaces().Delete(context.Background(), "kube-system", metav1.DeleteOptions{DryRun: []string{"All"}})
827-
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("this namespace may not be deleted")))
828-
})
829-
830826
g.It("should deny deletion of visibility namespace", func() {
831827
err := client.CoreV1().Namespaces().Delete(context.Background(), "visibility", metav1.DeleteOptions{DryRun: []string{"All"}})
832828
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
833829
})
830+
831+
g.It("should deny deletion of kube-system namespace", func() {
832+
err := client.CoreV1().Namespaces().Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
833+
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("this namespace may not be deleted")))
834+
})
834835
})
835836

836-
g.Context("as unprivileged user", func() {
837+
g.Context("as read-only user", func() {
837838
var client *kubernetes.Clientset
838839

839840
g.BeforeEach(func() {
840841
var err error
841842

842-
client, err = getUnprivilegedClient(eksCluster, awsAccountID)
843+
client, err = getReadOnlyClient(eksCluster, awsAccountID)
843844
framework.ExpectNoError(err)
844845
})
845846

847+
// why allow any write acess for read-only user?
846848
g.It("should allow write access for non-system resources", func() {
847849
err := client.RbacV1().ClusterRoles().Delete(context.Background(), nonSystemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
848850
framework.ExpectNoError(err, "failed to delete cluster role: %s", nonSystemResource.Name)
849851
})
850852

853+
g.It("should deny write access for collaborator resources", func() {
854+
err := client.RbacV1().ClusterRoles().Delete(context.Background(), "visibility", metav1.DeleteOptions{DryRun: []string{"All"}})
855+
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
856+
})
857+
851858
g.It("should deny write access for system resources", func() {
852859
err := client.RbacV1().ClusterRoles().Delete(context.Background(), systemResource.Name, metav1.DeleteOptions{DryRun: []string{"All"}})
853860
gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
@@ -901,13 +908,13 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
901908
})
902909
})
903910

904-
g.Context("as privileged user", func() {
911+
g.Context("as admin user", func() {
905912
var client *kubernetes.Clientset
906913

907914
g.BeforeEach(func() {
908915
var err error
909916

910-
client, err = getPrivilegedClient(eksCluster, awsAccountID)
917+
client, err = getAdminClient(eksCluster, awsAccountID)
911918
framework.ExpectNoError(err)
912919
})
913920

@@ -927,13 +934,13 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
927934
})
928935
})
929936

930-
g.Context("as unprivileged user", func() {
937+
g.Context("as read-only user", func() {
931938
var client *kubernetes.Clientset
932939

933940
g.BeforeEach(func() {
934941
var err error
935942

936-
client, err = getUnprivilegedClient(eksCluster, awsAccountID)
943+
client, err = getReadOnlyClient(eksCluster, awsAccountID)
937944
framework.ExpectNoError(err)
938945
})
939946

@@ -955,8 +962,8 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
955962
})
956963
})
957964

958-
// getPrivilegedClient returns a client with the `zalando:administrator` group.
959-
func getPrivilegedClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
965+
// getAdminClient returns a client with the `zalando:administrator` group.
966+
func getAdminClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
960967
return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-privileged-role", awsAccountID, aws.ToString(cluster.Name)))
961968
}
962969

@@ -970,8 +977,8 @@ func getEngineerClient(cluster *types.Cluster, awsAccountID string) (*kubernetes
970977
return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-engineer-role", awsAccountID, aws.ToString(cluster.Name)))
971978
}
972979

973-
// getUnprivilegedClient returns a client with the `zalando:readonly` group.
974-
func getUnprivilegedClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
980+
// getReadOnlyClient returns a client with the `zalando:readonly` group.
981+
func getReadOnlyClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
975982
return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-unprivileged-role", awsAccountID, aws.ToString(cluster.Name)))
976983
}
977984
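Review bot: The comment added above `should allow write access for non-system resources` in the read-only ClusterRoles context (`// why allow any write acess for read-only user?`) leaves the test asserting that the `zalando:readonly` role may delete a cluster-scoped ClusterRole, while the same role is now expected to be denied pod deletes in the user namespace, and an open question in a comment does not resolve which behaviour the admission controller is meant to enforce. Either the expectation should become `should deny write access for non-system resources` with the `write operations are forbidden` matcher, or the comment should state the policy decision, e.g. `// Non-system cluster roles are intentionally not protected by the admission controller; see <policy reference>.`, and the typo `acess` fixed either way. Separately, the namespace tests in the cluster-role contexts now pass `nonSystemResource.Name` and `systemResource.Name` as namespace names, but the neighbouring assertions format those same variables as cluster role names, so if they are not also valid namespace names the dry-run delete would return NotFound before the webhook is consulted and the matchers would fail or pass for the wrong reason; the literal `"kube-system"` the commit removed was at least unambiguous, and the definitions of these variables sit outside the hunk. Also, the pods created in `BeforeEach` via `createPod` (including one in kube-system carrying the infrastructure-component label) have no AfterEach cleanup visible in this hunk, and every `Delete` in the tests is `DryRun`, so confirm the framework tears them down rather than leaving a labelled pod in kube-system after each run.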
