@katyanna katyanna commented Jul 31, 2025

This PR adds e2e tests to verify that CDP and deployment-service can read secrets from any namespace (including kube-system) and that this permission is later revoked by the Admission Controller.

  • RBAC: Allows CDP and deployment-service to read secrets across namespaces
  • Admission Controller: Rewrites these permissions to deny further access to read secrets

This test coverage helps validate the secret access workflow end-to-end on the redesign of RBAC for EKS.

Ref.: #8871

@katyanna katyanna added the minor Minor changes, e.g. low risk config updates, changes that do not introduce a new API call. label Jul 31, 2025
g.It("should deny secret read access to kube-system namespace", func() {
	// Issue a plain GET for a secret in kube-system and expect the call to fail
	// with an error whose message contains "read operations are forbidden".
	_, err := client.CoreV1().Secrets(systemSecret.Namespace).Get(context.Background(), systemSecret.Name, metav1.GetOptions{})
	gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
})
Hmm, that doesn't add up. First of all, why do we "deny" in both cases? Isn't the point of all this stuff the ability to give permissions on all but one namespace (or some variation of this)? If we want to deny access in all namespaces we could just use RBAC.

Secondly, admission-controller isn't involved in GET requests, so these won't go through admission-controller anyways.

Can we define again what we actually wanted to achieve?
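As an added illustration of the RBAC point raised in the PR description and in the review comment above (this is not code from the PR or the project), the toy evaluator below models how Kubernetes RBAC answers a secret GET: grants are purely additive, a ClusterRoleBinding reaches every namespace including kube-system, and the only way to grant "all but one" namespace is a RoleBinding per namespace. The ServiceAccount and namespace names are assumptions.

```go
package main
import "fmt"

// Rule and Binding are constructed stand-ins for RBAC PolicyRule and (Cluster)RoleBinding,
// not the PR's own code. Namespace == "" models a ClusterRoleBinding.
type Rule struct{ Verbs, Resources []string }
type Binding struct {
	Subject, Namespace string
	Rules              []Rule
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s || v == "*" {
			return true
		}
	}
	return false
}

// Allowed evaluates a request the way RBAC does: grants are additive, any matching binding
// allows the request, and nothing can subtract a grant. A GET is decided here, never by admission.
func Allowed(bindings []Binding, subject, verb, resource, namespace string) bool {
	for _, b := range bindings {
		if b.Subject != subject || (b.Namespace != "" && b.Namespace != namespace) {
			continue
		}
		for _, r := range b.Rules {
			if contains(r.Verbs, verb) && contains(r.Resources, resource) {
				return true
			}
		}
	}
	return false
}

var readSecrets = []Rule{{Verbs: []string{"get", "list"}, Resources: []string{"secrets"}}}

// Cluster-wide grant as in the PR description: it reaches kube-system as well.
var ClusterWide = []Binding{{Subject: "deployment-service", Rules: readSecrets}}
// The same grant as one RoleBinding per application namespace: kube-system is never granted.
var PerNamespace = []Binding{
	{Subject: "deployment-service", Namespace: "team-a", Rules: readSecrets},
	{Subject: "deployment-service", Namespace: "team-b", Rules: readSecrets},
}

func main() {
	fmt.Println(Allowed(ClusterWide, "deployment-service", "get", "secrets", "kube-system"))  // true
	fmt.Println(Allowed(PerNamespace, "deployment-service", "get", "secrets", "kube-system")) // false
}
```

The real-cluster equivalent of each line is `kubectl auth can-i get secrets -n <namespace> --as=system:serviceaccount:<ns>:<sa>`, which exercises RBAC only, exactly as a GET does.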

Signed-off-by: Katyanna Moura <[email protected]>
Though the company language is BrE, kubernetes tools use AmE.
This commit sets file name to the same pattern used in the code.

Signed-off-by: Katyanna Moura <[email protected]>