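#!/usr/bin/env bash

# Copyright 2018 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o nounset
set -o pipefail

#######################################
# kubectl RBAC tests for cluster-scoped ClusterRoles / ClusterRoleBindings and
# for the namespaced RoleBinding create / set-subject subcommands.
# Every `kubectl create` is followed by go-template assertions on the stored
# object, so a silently widened rule (extra verb, resource or subject) fails
# the test rather than going unnoticed.
# Globals:
#   kube_flags     (read)    - array of common kubectl flags; the first uses
#                              carry ':?' so an unset/empty array aborts early
#   id_field       (read)    - go-template field naming an object
#   output_message (written) - captured kubectl output; NOTE: assigned without
#                              `local`, so it leaks to the caller's scope
# Arguments: none
# Outputs:   progress via kube::log::status; failures via kube::test::* helpers
# Returns:   status of the last command; errexit aborts on any failing step
#######################################
run_clusterroles_tests() {
  set -o nounset
  set -o errexit

  create_and_use_new_namespace
  kube::log::status "Testing clusterroles"

  # make sure the server was properly bootstrapped with clusterroles and bindings
  kube::test::get_object_assert clusterroles/cluster-admin "{{.metadata.name}}" 'cluster-admin'
  kube::test::get_object_assert clusterrolebindings/cluster-admin "{{.metadata.name}}" 'cluster-admin'

  # Pre-condition: no ClusterRole pod-admin exists
  # `!` inverts the exit status so the expected "not found" failure does not trip errexit
  output_message=$(! kubectl get clusterrole pod-admin 2>&1 "${kube_flags[@]:?}")
  kube::test::if_has_string "${output_message}" 'clusterroles.rbac.authorization.k8s.io "pod-admin" not found'
  # Dry-run test `kubectl create clusterrole`
  # '*' is quoted so the shell never glob-expands it against files in the cwd;
  # kubectl must receive the literal wildcard verb
  kubectl create "${kube_flags[@]:?}" clusterrole pod-admin --dry-run=client --verb='*' --resource=pods
  kubectl create "${kube_flags[@]:?}" clusterrole pod-admin --dry-run=server --verb='*' --resource=pods
  # neither dry-run mode may persist the object
  output_message=$(! kubectl get clusterrole pod-admin 2>&1 "${kube_flags[@]:?}")
  kube::test::if_has_string "${output_message}" 'clusterroles.rbac.authorization.k8s.io "pod-admin" not found'
  # test `kubectl create clusterrole`
  kubectl create "${kube_flags[@]:?}" clusterrole pod-admin --verb='*' --resource=pods
  kube::test::get_object_assert clusterrole/pod-admin "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" '\*:'
  # -n on a cluster-scoped resource is deliberate: the warning below must be emitted
  output_message=$(kubectl delete clusterrole pod-admin -n test 2>&1 "${kube_flags[@]}")
  kube::test::if_has_string "${output_message}" 'Warning: deleting cluster-scoped resources'
  kube::test::if_has_string "${output_message}" 'clusterrole.rbac.authorization.k8s.io "pod-admin" deleted'

  kubectl create "${kube_flags[@]}" clusterrole pod-admin --verb='*' --resource=pods
  kube::test::get_object_assert clusterrole/pod-admin "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" '\*:'
  kube::test::get_object_assert clusterrole/pod-admin "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'pods:'
  kube::test::get_object_assert clusterrole/pod-admin "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" ':'
  # resources from different API groups must land in separate rules with their own apiGroup
  kubectl create "${kube_flags[@]}" clusterrole resource-reader --verb=get,list --resource=pods,deployments.apps
  kube::test::get_object_assert clusterrole/resource-reader "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" 'get:list:get:list:'
  kube::test::get_object_assert clusterrole/resource-reader "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'pods:deployments:'
  kube::test::get_object_assert clusterrole/resource-reader "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" ':apps:'
  # --resource-name must narrow the rule to the named object only
  kubectl create "${kube_flags[@]}" clusterrole resourcename-reader --verb=get,list --resource=pods --resource-name=foo
  kube::test::get_object_assert clusterrole/resourcename-reader "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" 'get:list:'
  kube::test::get_object_assert clusterrole/resourcename-reader "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'pods:'
  kube::test::get_object_assert clusterrole/resourcename-reader "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" ':'
  kube::test::get_object_assert clusterrole/resourcename-reader "{{range.rules}}{{range.resourceNames}}{{.}}:{{end}}{{end}}" 'foo:'
  # URL patterns are quoted: an unquoted /logs/* would glob against a real /logs
  # directory on the test host and pass arbitrary paths to kubectl
  kubectl create "${kube_flags[@]}" clusterrole url-reader --verb=get --non-resource-url='/logs/*' --non-resource-url='/healthz/*'
  kube::test::get_object_assert clusterrole/url-reader "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" 'get:'
  kube::test::get_object_assert clusterrole/url-reader "{{range.rules}}{{range.nonResourceURLs}}{{.}}:{{end}}{{end}}" '/logs/\*:/healthz/\*:'
  kubectl create "${kube_flags[@]}" clusterrole aggregation-reader --aggregation-rule="foo1=foo2"
  kube::test::get_object_assert clusterrole/aggregation-reader "{{${id_field:?}}}" 'aggregation-reader'

  # Pre-condition: no ClusterRoleBinding super-admin exists
  output_message=$(! kubectl get clusterrolebinding super-admin 2>&1 "${kube_flags[@]}")
  kube::test::if_has_string "${output_message}" 'clusterrolebindings.rbac.authorization.k8s.io "super-admin" not found'
  # Dry-run test `kubectl create clusterrolebinding`
  kubectl create "${kube_flags[@]}" clusterrolebinding super-admin --dry-run=client --clusterrole=admin --user=super-admin
  kubectl create "${kube_flags[@]}" clusterrolebinding super-admin --dry-run=server --clusterrole=admin --user=super-admin
  output_message=$(! kubectl get clusterrolebinding super-admin 2>&1 "${kube_flags[@]}")
  kube::test::if_has_string "${output_message}" 'clusterrolebindings.rbac.authorization.k8s.io "super-admin" not found'
  # test `kubectl create clusterrolebinding`
  # test `kubectl set subject clusterrolebinding`
  kubectl create "${kube_flags[@]}" clusterrolebinding super-admin --clusterrole=admin --user=super-admin
  kube::test::get_object_assert clusterrolebinding/super-admin "{{range.subjects}}{{.name}}:{{end}}" 'super-admin:'
  # dry-run set subject must leave the stored subject list unchanged
  kubectl set subject --dry-run=client "${kube_flags[@]}" clusterrolebinding super-admin --user=foo
  kubectl set subject --dry-run=server "${kube_flags[@]}" clusterrolebinding super-admin --user=foo
  kube::test::get_object_assert clusterrolebinding/super-admin "{{range.subjects}}{{.name}}:{{end}}" 'super-admin:'
  kubectl set subject "${kube_flags[@]}" clusterrolebinding super-admin --user=foo
  kube::test::get_object_assert clusterrolebinding/super-admin "{{range.subjects}}{{.name}}:{{end}}" 'super-admin:foo:'
  kubectl create "${kube_flags[@]}" clusterrolebinding multi-users --clusterrole=admin --user=user-1 --user=user-2
  kube::test::get_object_assert clusterrolebinding/multi-users "{{range.subjects}}{{.name}}:{{end}}" 'user-1:user-2:'

  kubectl create "${kube_flags[@]}" clusterrolebinding super-group --clusterrole=admin --group=the-group
  kube::test::get_object_assert clusterrolebinding/super-group "{{range.subjects}}{{.name}}:{{end}}" 'the-group:'
  kubectl set subject "${kube_flags[@]}" clusterrolebinding super-group --group=foo
  kube::test::get_object_assert clusterrolebinding/super-group "{{range.subjects}}{{.name}}:{{end}}" 'the-group:foo:'
  kubectl create "${kube_flags[@]}" clusterrolebinding multi-groups --clusterrole=admin --group=group-1 --group=group-2
  kube::test::get_object_assert clusterrolebinding/multi-groups "{{range.subjects}}{{.name}}:{{end}}" 'group-1:group-2:'

  # service-account subjects carry a namespace; both halves of ns:name are asserted
  kubectl create "${kube_flags[@]}" clusterrolebinding super-sa --clusterrole=admin --serviceaccount=otherns:sa-name
  kube::test::get_object_assert clusterrolebinding/super-sa "{{range.subjects}}{{.namespace}}:{{end}}" 'otherns:'
  kube::test::get_object_assert clusterrolebinding/super-sa "{{range.subjects}}{{.name}}:{{end}}" 'sa-name:'
  kubectl set subject "${kube_flags[@]}" clusterrolebinding super-sa --serviceaccount=otherfoo:foo
  kube::test::get_object_assert clusterrolebinding/super-sa "{{range.subjects}}{{.namespace}}:{{end}}" 'otherns:otherfoo:'
  kube::test::get_object_assert clusterrolebinding/super-sa "{{range.subjects}}{{.name}}:{{end}}" 'sa-name:foo:'

  # test `kubectl set subject clusterrolebinding --all`
  # depends on the three bindings created above still being present
  kubectl set subject "${kube_flags[@]}" clusterrolebinding --all --user=test-all-user
  kube::test::get_object_assert clusterrolebinding/super-admin "{{range.subjects}}{{.name}}:{{end}}" 'super-admin:foo:test-all-user:'
  kube::test::get_object_assert clusterrolebinding/super-group "{{range.subjects}}{{.name}}:{{end}}" 'the-group:foo:test-all-user:'
  kube::test::get_object_assert clusterrolebinding/super-sa "{{range.subjects}}{{.name}}:{{end}}" 'sa-name:foo:test-all-user:'

  # test `kubectl create rolebinding`
  # test `kubectl set subject rolebinding`
  kubectl create "${kube_flags[@]}" rolebinding admin --dry-run=client --clusterrole=admin --user=default-admin
  kubectl create "${kube_flags[@]}" rolebinding admin --dry-run=server --clusterrole=admin --user=default-admin
  output_message=$(! kubectl get rolebinding/admin 2>&1 "${kube_flags[@]}")
  kube::test::if_has_string "${output_message}" ' not found'
  kubectl create "${kube_flags[@]}" rolebinding admin --clusterrole=admin --user=default-admin
  # a RoleBinding may reference a ClusterRole; roleRef.kind records which one was used
  kube::test::get_object_assert rolebinding/admin "{{.roleRef.kind}}" 'ClusterRole'
  kube::test::get_object_assert rolebinding/admin "{{range.subjects}}{{.name}}:{{end}}" 'default-admin:'
  kubectl set subject "${kube_flags[@]}" rolebinding admin --user=foo
  kube::test::get_object_assert rolebinding/admin "{{range.subjects}}{{.name}}:{{end}}" 'default-admin:foo:'

  kubectl create "${kube_flags[@]}" rolebinding localrole --role=localrole --group=the-group
  kube::test::get_object_assert rolebinding/localrole "{{.roleRef.kind}}" 'Role'
  kube::test::get_object_assert rolebinding/localrole "{{range.subjects}}{{.name}}:{{end}}" 'the-group:'
  kubectl set subject "${kube_flags[@]}" rolebinding localrole --group=foo
  kube::test::get_object_assert rolebinding/localrole "{{range.subjects}}{{.name}}:{{end}}" 'the-group:foo:'

  kubectl create "${kube_flags[@]}" rolebinding sarole --role=localrole --serviceaccount=otherns:sa-name
  kube::test::get_object_assert rolebinding/sarole "{{range.subjects}}{{.namespace}}:{{end}}" 'otherns:'
  kube::test::get_object_assert rolebinding/sarole "{{range.subjects}}{{.name}}:{{end}}" 'sa-name:'
  kubectl set subject "${kube_flags[@]}" rolebinding sarole --serviceaccount=otherfoo:foo
  kube::test::get_object_assert rolebinding/sarole "{{range.subjects}}{{.namespace}}:{{end}}" 'otherns:otherfoo:'
  kube::test::get_object_assert rolebinding/sarole "{{range.subjects}}{{.name}}:{{end}}" 'sa-name:foo:'

  # test `kubectl set subject rolebinding --all`
  kubectl set subject "${kube_flags[@]}" rolebinding --all --user=test-all-user
  kube::test::get_object_assert rolebinding/admin "{{range.subjects}}{{.name}}:{{end}}" 'default-admin:foo:test-all-user:'
  kube::test::get_object_assert rolebinding/localrole "{{range.subjects}}{{.name}}:{{end}}" 'the-group:foo:test-all-user:'
  kube::test::get_object_assert rolebinding/sarole "{{range.subjects}}{{.name}}:{{end}}" 'sa-name:foo:test-all-user:'

  # Describe command should respect the chunk size parameter
  kube::test::describe_resource_chunk_size_assert clusterrolebindings
  kube::test::describe_resource_chunk_size_assert clusterroles

  set +o nounset
  set +o errexit
}

#######################################
# kubectl tests for namespaced Roles created from the command line: plain
# resources, group-qualified resources, subresources, resource names and
# multi-resource rules, plus rejection of resource types the server does not
# serve.
# Globals:
#   kube_flags     (read)    - array of common kubectl flags
#   output_message (written) - captured kubectl output; assigned without `local`
# Arguments: none
# Outputs:   progress via kube::log::status; failures via kube::test::* helpers
# Returns:   status of the last command; errexit aborts on any failing step
#######################################
run_role_tests() {
  set -o nounset
  set -o errexit

  create_and_use_new_namespace
  kube::log::status "Testing role"

  # Dry-run create
  # '*' is quoted so kubectl receives the literal wildcard verb, never a glob expansion
  kubectl create "${kube_flags[@]}" role pod-admin --dry-run=client --verb='*' --resource=pods
  kubectl create "${kube_flags[@]}" role pod-admin --dry-run=server --verb='*' --resource=pods
  output_message=$(! kubectl get role/pod-admin 2>&1 "${kube_flags[@]}")
  kube::test::if_has_string "${output_message}" ' not found'
  # Create Role from command (only resource)
  kubectl create "${kube_flags[@]}" role pod-admin --verb='*' --resource=pods
  kube::test::get_object_assert role/pod-admin "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" '\*:'
  kube::test::get_object_assert role/pod-admin "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'pods:'
  kube::test::get_object_assert role/pod-admin "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" ':'
  # creation is validated against server discovery: unknown resource types must be rejected
  output_message=$(! kubectl create "${kube_flags[@]}" role invalid-pod-admin --verb='*' --resource=invalid-resource 2>&1)
  kube::test::if_has_string "${output_message}" "the server doesn't have a resource type \"invalid-resource\""
  # Create Role from command (resource + group)
  kubectl create "${kube_flags[@]}" role group-reader --verb=get,list --resource=deployments.apps
  kube::test::get_object_assert role/group-reader "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" 'get:list:'
  kube::test::get_object_assert role/group-reader "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'deployments:'
  kube::test::get_object_assert role/group-reader "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" 'apps:'
  output_message=$(! kubectl create "${kube_flags[@]}" role invalid-group --verb=get,list --resource=deployments.invalid-group 2>&1)
  kube::test::if_has_string "${output_message}" "the server doesn't have a resource type \"deployments\" in group \"invalid-group\""
  # Create Role from command (resource / subresource)
  kubectl create "${kube_flags[@]}" role subresource-reader --verb=get,list --resource=pods/status
  kube::test::get_object_assert role/subresource-reader "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" 'get:list:'
  kube::test::get_object_assert role/subresource-reader "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'pods/status:'
  kube::test::get_object_assert role/subresource-reader "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" ':'
  # Create Role from command (resource + group / subresource)
  kubectl create "${kube_flags[@]}" role group-subresource-reader --verb=get,list --resource=replicasets.apps/scale
  kube::test::get_object_assert role/group-subresource-reader "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" 'get:list:'
  kube::test::get_object_assert role/group-subresource-reader "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'replicasets/scale:'
  kube::test::get_object_assert role/group-subresource-reader "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" 'apps:'
  output_message=$(! kubectl create "${kube_flags[@]}" role invalid-group --verb=get,list --resource=rs.invalid-group/scale 2>&1)
  kube::test::if_has_string "${output_message}" "the server doesn't have a resource type \"rs\" in group \"invalid-group\""
  # Create Role from command (resource + resourcename)
  kubectl create "${kube_flags[@]}" role resourcename-reader --verb=get,list --resource=pods --resource-name=foo
  kube::test::get_object_assert role/resourcename-reader "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" 'get:list:'
  kube::test::get_object_assert role/resourcename-reader "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'pods:'
  kube::test::get_object_assert role/resourcename-reader "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" ':'
  kube::test::get_object_assert role/resourcename-reader "{{range.rules}}{{range.resourceNames}}{{.}}:{{end}}{{end}}" 'foo:'
  # Create Role from command (multi-resources)
  # resources from different API groups are split into one rule per group
  kubectl create "${kube_flags[@]}" role resource-reader --verb=get,list --resource=pods/status,deployments.apps
  kube::test::get_object_assert role/resource-reader "{{range.rules}}{{range.verbs}}{{.}}:{{end}}{{end}}" 'get:list:get:list:'
  kube::test::get_object_assert role/resource-reader "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'pods/status:deployments:'
  kube::test::get_object_assert role/resource-reader "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" ':apps:'

  # Describe command should respect the chunk size parameter
  kube::test::describe_resource_chunk_size_assert roles
  kube::test::describe_resource_chunk_size_assert rolebindings

  set +o nounset
  set +o errexit
}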