From c48076b8f0bdbd814f7398924e138377c2660e97 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 11 Oct 2022 21:08:49 -0500
Subject: [PATCH] test: Adjust k8s roles for integration tests

Initially, I thought it was necessary to use a ClusterRole in order to assign permissions in one namespace to a service account in another. It turns out, this is not necessary, as RoleBinding rules can refer to subjects in any namespace. Thus, we can limit the privileges of the *dynk8s-provisioner* service account by only allowing it access to the Secret and ConfigMap resources in the *kube-system* and *kube-public* namespaces, respectively, plus the Secret resources in its own namespace.
---
 tests/setup.yaml | 81 ++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 75 insertions(+), 6 deletions(-)

diff --git a/tests/setup.yaml b/tests/setup.yaml
index 7b58f86..d7f9f15 100644
--- a/tests/setup.yaml
+++ b/tests/setup.yaml
@@ -14,7 +14,7 @@ metadata:
   namespace: dynk8s-test
   labels:
     app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: default
+    app.kubernetes.io/instance: integration-test
     app.kubernetes.io/component: http-api
     app.kubernetes.io/part-of: dynk8s-provisioner
 automountServiceAccountToken: true
@@ -31,13 +31,13 @@ type: kubernetes.io/service-account-token
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: dynk8s-provisioner
   namespace: dynk8s-test
   labels:
     app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: default
+    app.kubernetes.io/instance: integration-test
     app.kubernetes.io/component: http-api
     app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
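Review bot: The switch from `kind: ClusterRole` to `kind: Role` for the dynk8s-test namespace is a deliberate privilege reduction that only the commit message explains, so a later reader of tests/setup.yaml could "fix" it back to a cluster-wide grant the next time cross-namespace access is needed. Add a comment above `kind: Role` recording the intent, e.g. `# Namespaced on purpose: access outside dynk8s-test is granted by separate Roles and RoleBindings in the target namespaces, not by a ClusterRole`. The rules this Role carries begin after the hunk, so the scope of the grant itself cannot be judged here.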
@@ -47,6 +47,38 @@ rules:
   - secrets
   verbs:
   - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner-test
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: integration-test
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner-test
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: integration-test
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
 - apiGroups:
   - ''
   resources:
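Review bot: The new kube-system Role grants `verbs: ['*']` on every Secret in that namespace, which is considerably wider than the "only ... access to the Secret ... resources" the commit message describes: kube-system holds control-plane and add-on credentials, and the wildcard covers create, update, delete and any verb added in future, not just reads. Enumerate the verbs the provisioner actually exercises in the test (for example `- get`, `- list`, `- watch`) and, if it only needs a known object, pin the rule with `resourceNames:` to that secret; the same review applies to the kube-public Role, whose rule body continues past the end of this hunk. A comment above each Role stating which object the test expects to reach, e.g. `# Integration test only: lets the dynk8s-test service account read <SECRET-NAME-PLACEHOLDER> in kube-system`, would make the grant reviewable without re-reading the test code.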
@@ -58,17 +90,54 @@ rules:
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: dynk8s-provisioner
   namespace: dynk8s-test
   labels:
     app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: default
+    app.kubernetes.io/instance: integration-test
     app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner-test
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: integration-test
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s-test
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner-test
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: integration-test
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
   name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
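Review bot: The two cross-namespace RoleBindings point at a Role that this file never creates: the kube-system binding's added `name: dynk8s-provisioner` under `roleRef`, and the kube-public binding's `roleRef`, which reuses the old context line `name: dynk8s-provisioner`, both resolve within their own namespace, but the Roles added there in this commit are named `dynk8s-provisioner-test`. A dangling roleRef is accepted silently by the API server, so unless a Role of that name already exists in kube-system and kube-public the service account gets no access there and the tests either fail or exercise a different path than intended. Change both lines to `name: dynk8s-provisioner-test` (or rename the two Roles to match) and verify with `kubectl auth can-i get secrets -n kube-system --as=system:serviceaccount:dynk8s-test:dynk8s-provisioner`. Note that `roleRef` is immutable, so a binding already applied from this revision has to be deleted and re-created rather than patched.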