
     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package validation
    18  
    19  import (
    20  	"testing"
    21  
    22  	"k8s.io/apiserver/pkg/apis/audit"
    23  )
    24  
// TestValidatePolicy drives ValidatePolicy with hand-built audit policies.
// Every policy in the accept set must come back with no errors; every policy
// in the reject set must come back with at least one. The cases document the
// constraints the validator is expected to enforce: Level is required and
// must be a known level, NonResourceURLs cannot be combined with Namespaces or
// Resources, group names and URL wildcards have a fixed shape, ResourceNames
// need Resources, and OmitStages (per rule and per policy) must be known
// stages. Rejecting malformed rules at load time matters because the audit
// policy decides what ends up in the audit log; a rule that were silently
// ignored or read more broadly than written would change what gets recorded.
func TestValidatePolicy(t *testing.T) {
	// single wraps one rule in an otherwise empty policy.
	single := func(r audit.PolicyRule) audit.Policy {
		return audit.Policy{Rules: []audit.PolicyRule{r}}
	}

	accepted := []audit.PolicyRule{
		// A bare level is the minimal well-formed rule.
		{Level: audit.LevelMetadata},
		// Drop audit output for service accounts and nodes.
		{
			Level:      audit.LevelNone,
			UserGroups: []string{"system:serviceaccounts", "system:nodes"},
		},
		// Full request/response capture narrowed to one verb, group and namespace.
		{
			Level:      audit.LevelRequestResponse,
			Verbs:      []string{"get"},
			Resources:  []audit.GroupResources{{Group: "rbac.authorization.k8s.io", Resources: []string{"roles", "rolebindings"}}},
			Namespaces: []string{"kube-system"},
		},
		// Non-resource paths; a trailing "*" or a lone "*" are the accepted wildcard forms.
		{
			Level:           audit.LevelMetadata,
			UserGroups:      []string{"developers"},
			NonResourceURLs: []string{"/logs*", "/healthz*", "/metrics", "*"},
		},
		// Per-rule omission of a known stage.
		{
			Level:      audit.LevelMetadata,
			OmitStages: []audit.Stage{audit.Stage("RequestReceived")},
		},
	}

	var successCases []audit.Policy
	for _, r := range accepted {
		successCases = append(successCases, single(r))
	}
	successCases = append(successCases,
		audit.Policy{}, // no rules at all is still a valid policy
		audit.Policy{OmitStages: []audit.Stage{audit.Stage("RequestReceived")}}, // policy-level omitStages
		audit.Policy{Rules: accepted}, // all accepted rules in one policy
	)

	for i, policy := range successCases {
		errs := ValidatePolicy(&policy)
		if len(errs) == 0 {
			continue
		}
		t.Errorf("[%d] Expected policy %#v to be valid: %v", i, policy, errs)
	}

	rejected := []audit.PolicyRule{
		// Level is mandatory: an empty rule and a rule carrying only selectors both fail.
		{},
		{
			Verbs:      []string{"get"},
			Resources:  []audit.GroupResources{{Resources: []string{"secrets"}}},
			Namespaces: []string{"kube-system"},
		},
		// Level must be one of the known audit levels.
		{Level: "FooBar"},
		// Non-resource URLs are mutually exclusive with namespaces ...
		{
			Level:           audit.LevelMetadata,
			Namespaces:      []string{"default"},
			NonResourceURLs: []string{"/logs*"},
		},
		// ... and with resource selectors.
		{
			Level:           audit.LevelMetadata,
			Resources:       []audit.GroupResources{{Resources: []string{"secrets"}}},
			NonResourceURLs: []string{"/logs*"},
		},
		// Invalid group name (carries a "/v1beta1" version suffix).
		{
			Level:     audit.LevelMetadata,
			Resources: []audit.GroupResources{{Group: "rbac.authorization.k8s.io/v1beta1", Resources: []string{"roles"}}},
		},
		// Malformed non-resource URL ("logs").
		{
			Level:           audit.LevelMetadata,
			NonResourceURLs: []string{"logs", "/healthz*"},
		},
		// Empty non-resource URL.
		{
			Level:           audit.LevelMetadata,
			NonResourceURLs: []string{"", "/healthz*"},
		},
		// More than one "*" in a non-resource URL.
		{
			Level:           audit.LevelMetadata,
			NonResourceURLs: []string{"/logs/*/*", "/metrics"},
		},
		// "*" anywhere but at the end of a non-resource URL.
		{
			Level:           audit.LevelMetadata,
			NonResourceURLs: []string{"/logs/*.log", "/metrics"},
		},
		// ResourceNames without the Resources they would name.
		{
			Level:      audit.LevelMetadata,
			Verbs:      []string{"get"},
			Resources:  []audit.GroupResources{{ResourceNames: []string{"leader"}}},
			Namespaces: []string{"kube-system"},
		},
		// Unknown stage in a rule's omitStages.
		{
			Level:      audit.LevelMetadata,
			OmitStages: []audit.Stage{audit.Stage("foo")},
		},
	}

	var errorCases []audit.Policy
	for _, r := range rejected {
		errorCases = append(errorCases, single(r))
	}
	// One bad rule makes an otherwise valid multi-rule policy invalid.
	errorCases = append(errorCases, audit.Policy{Rules: append(accepted, audit.PolicyRule{})})
	// Unknown stage in the policy-level omitStages, paired with a rule that is fine on its own.
	errorCases = append(errorCases, audit.Policy{
		OmitStages: []audit.Stage{audit.Stage("foo")},
		Rules:      []audit.PolicyRule{{Level: audit.LevelMetadata}},
	})

	for i, policy := range errorCases {
		if errs := ValidatePolicy(&policy); len(errs) == 0 {
			t.Errorf("[%d] Expected policy %#v to be invalid!", i, policy)
		}
	}
}