mirror of
https://github.com/truenas/charts.git
synced 2026-04-23 18:10:06 +08:00
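# helm-unittest suite: every case renders common.yaml with a malformed `rbac`
# value (or rbac subject) and asserts that rendering aborts with a specific
# error, i.e. the chart is expected to reject the input instead of emitting an
# RBAC object from it.
# NOTE(review): the cases visible here cover names, value types, the primary
# flag and non-empty fields; none exercises wildcard ("*") verbs or resources.
# Confirm whether that is covered elsewhere.
suite: rbac validation test
templates:
- common.yaml
tests: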
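# The name in the expected error is the release prefix plus the rbac key; the
# key alone is already longer than the 63-character limit quoted in the message.
# NOTE(review): neither entry defines rules, so this case presumably relies on
# name validation running before the rules check - confirm.
- it: should fail with name longer than 63 characters
  set:
    rbac:
      zmy-rbac:
        enabled: true
        primary: true
      my-rbac-has-super-long-name-that-is-longer-than-63-characters-too-bad:
        enabled: true
        primary: false
  asserts:
  - failedTemplate:
      errorMessage: Name [release-name-common-test-my-rbac-has-super-long-name-that-is-longer-than-63-characters-too-bad] is not valid. Must start and end with an alphanumeric lowercase character. It can contain '-'. And must be at most 63 characters.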
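# A well-formed primary rbac sits next to a second key that begins with "_".
# The expected message requires names to start and end with a lowercase
# alphanumeric character, so the underscore key must abort rendering.
- it: should fail with name starting with underscore
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          resources:
          - pods
          verbs:
          - get
      _my-rbac2:
        enabled: true
        primary: false
  asserts:
  - failedTemplate:
      errorMessage: Name [release-name-common-test-_my-rbac2] is not valid. Must start and end with an alphanumeric lowercase character. It can contain '-'. And must be at most 63 characters.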
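# `labels` is supplied as a plain string; the expected error names the field
# and reports the type that was received.
- it: should fail with labels not a dict
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        labels: "not a dict"
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected <labels> to be a dictionary, but got [string]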
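# Same type check as for labels, applied to `annotations`: a string value must
# be rejected with an error naming the field and the received type.
- it: should fail with annotations not a dict
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        annotations: "not a dict"
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected <annotations> to be a dictionary, but got [string]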
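# Two enabled entries both claim `primary: true`; rendering must stop because
# only one rbac may be primary.
- it: should fail with more than 1 primary rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
      my-rbac2:
        enabled: true
        primary: true
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Only one rbac can be primary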
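# Counterpart of the "more than 1 primary" case: both enabled entries set
# `primary: false`, and the chart must insist on at least one primary.
- it: should fail without any primary on enabled rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: false
      my-rbac2:
        enabled: true
        primary: false
  asserts:
  - failedTemplate:
      errorMessage: RBAC - At least one enabled rbac must be primary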
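# An enabled, primary rbac with no `rules` key at all must fail the render
# instead of producing an object with an empty rule set.
- it: should fail without rules in rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty <rbac.rules>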
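# The single rule lists resources and verbs but omits `apiGroups`, so the
# scope of the grant is unspecified and rendering must fail.
- it: should fail without apiGroups in rules in rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - resources:
          - pods
          verbs:
          - get
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty <rbac.rules.apiGroups>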
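# The rule names an API group and a verb but no `resources`; rendering must
# fail rather than emit a rule with no target.
# In Kubernetes RBAC the "" entry under apiGroups denotes the core API group.
- it: should fail without resources in rules in rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          verbs:
          - get
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty <rbac.rules.resources>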
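# The rule names an API group and a resource but no `verbs`; rendering must
# fail rather than emit a rule that grants no defined action.
- it: should fail without verbs in rules in rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          resources:
          - pods
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty <rbac.rules.verbs>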
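# `resources` is non-empty but contains a "" element after a valid one; the
# expected error is about that individual entry, not the list as a whole.
# The "" under apiGroups (the Kubernetes core API group) is not what the
# expected error complains about.
- it: should fail with empty entry in resources in rules in rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          resources:
          - pods
          - ""
          verbs:
          - get
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty entry in <rbac.rules.resources>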
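# `resourceNames` narrows a rule to named objects; a "" element in that list
# must abort rendering.
# NOTE(review): no case visible here shows how an absent or empty
# `resourceNames` list is treated - confirm against the template.
- it: should fail with empty entry in resourceNames in rules in rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          resources:
          - pods
          resourceNames:
          - ""
          verbs:
          - get
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty entry in <rbac.rules.resourceNames>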
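# `verbs` is non-empty but contains a "" element after a valid one; the
# expected error targets that individual entry.
- it: should fail with empty entry in verbs in rules in rbac
  set:
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          resources:
          - pods
          verbs:
          - get
          - ""
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty entry in <rbac.rules.verbs>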
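# Subject validation: the rules are well-formed and a primary service account
# is defined, so the only defect is the explicit subject's empty `kind`.
# A binding subject without a kind does not identify who receives the grant.
- it: should fail with empty kind in subjects in rbac
  set:
    serviceAccount:
      my-service-account:
        enabled: true
        primary: true
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          resources:
          - pods
          verbs:
          - get
        subjects:
        - kind: ""
          name: my-name
          apiGroup: my-apiGroup
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty <rbac.subjects.kind>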
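# Subject validation: everything is well-formed except the subject's empty
# `name`, which must abort rendering.
# NOTE(review): `my-kind` is a placeholder, not a Kubernetes subject kind
# (User, Group, ServiceAccount). This case only demonstrates the non-empty
# check; whether `kind` is restricted to the known values is not shown here.
- it: should fail with empty name in subjects in rbac
  set:
    serviceAccount:
      my-service-account:
        enabled: true
        primary: true
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          resources:
          - pods
          verbs:
          - get
        subjects:
        - kind: my-kind
          name: ""
          apiGroup: my-apiGroup
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty <rbac.subjects.name>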
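# Subject validation: everything is well-formed except the subject's empty
# `apiGroup`, which must abort rendering.
# NOTE(review): Kubernetes ServiceAccount subjects use an empty apiGroup. Since
# an empty value is rejected for explicit subjects, service accounts are
# presumably bound through the `serviceAccount` values instead - confirm.
- it: should fail with empty apiGroup in subjects in rbac
  set:
    serviceAccount:
      my-service-account:
        enabled: true
        primary: true
    rbac:
      my-rbac:
        enabled: true
        primary: true
        rules:
        - apiGroups:
          - ""
          resources:
          - pods
          verbs:
          - get
        subjects:
        - kind: my-kind
          name: my-name
          apiGroup: ""
  asserts:
  - failedTemplate:
      errorMessage: RBAC - Expected non-empty <rbac.subjects.apiGroup>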