truenas/chart
1
0
Fork 0
mirror of https://github.com/truenas/charts.git synced 2026-04-15 19:20:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c5d6bb427e7fc4d68405486c190535264ddf85e1
chart/library/common-test/tests/rbac/data_test.yaml
Stavros Kois d06a764b3f fix(common/rbac): adds resourceNames field (#1951)
2023-12-27 13:07:48 +02:00

255 lines
6.7 KiB
YAML
Raw Blame History

suite: rbac data test
templates:
- common.yaml
tests:
- it: should pass with rules and subjects added with tpl and primary rbac/sa
set:
some_verb: list
some_group: apps
some_resource: deployments
some_kind: some-kind
some_name: some-name
some_api_group: rbac.authorization.k8s.io
serviceAccount:
my-sa:
enabled: true
primary: true
my-other-sa:
enabled: true
primary: false
rbac:
my-rbac:
enabled: true
primary: true
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- "{{ .Values.some_group }}"
resources:
- "{{ .Values.some_resource }}"
resourceNames:
- "{{ .Values.some_name }}"
verbs:
- "{{ .Values.some_verb }}"
subjects:
- kind: a-kind
name: a-name
apiGroup: rbac.authorization.k8s.io
- kind: "{{ .Values.some_kind }}"
name: "{{ .Values.some_name }}"
apiGroup: "{{ .Values.some_api_group }}"
asserts:
- documentIndex: &roleDoc 2
isKind:
of: Role
- documentIndex: *roleDoc
equal:
path: metadata.name
value: release-name-common-test
- documentIndex: *roleDoc
equal:
path: rules
value:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- deployments
resourceNames:
- some-name
verbs:
- list
- documentIndex: &roleBinding 3
isKind:
of: RoleBinding
- documentIndex: *roleBinding
equal:
path: metadata.name
value: release-name-common-test
- documentIndex: *roleBinding
equal:
path: subjects
value:
- kind: ServiceAccount
name: release-name-common-test
namespace: NAMESPACE
- kind: a-kind
name: a-name
apiGroup: rbac.authorization.k8s.io
- kind: some-kind
name: some-name
apiGroup: rbac.authorization.k8s.io
- it: should pass with rules and subjects added with tpl and allSA on clusterWide
set:
some_verb: list
some_group: apps
some_resource: deployments
some_kind: some-kind
some_name: some-name
some_api_group: rbac.authorization.k8s.io
serviceAccount:
my-sa:
enabled: true
primary: true
my-other-sa:
enabled: true
primary: false
rbac:
z-rbac:
enabled: true
primary: true
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
my-rbac2:
enabled: true
clusterWide: true
allServiceAccounts: true
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- "{{ .Values.some_group }}"
resources:
- "{{ .Values.some_resource }}"
verbs:
- "{{ .Values.some_verb }}"
subjects:
- kind: a-kind
name: a-name
apiGroup: rbac.authorization.k8s.io
- kind: "{{ .Values.some_kind }}"
name: "{{ .Values.some_name }}"
apiGroup: "{{ .Values.some_api_group }}"
asserts:
- documentIndex: &clusterRoleDoc 2
isKind:
of: ClusterRole
- documentIndex: *clusterRoleDoc
equal:
path: metadata.name
value: release-name-common-test-my-rbac2
- documentIndex: *clusterRoleDoc
equal:
path: rules
value:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- deployments
verbs:
- list
- documentIndex: &clusterRoleBinding 3
isKind:
of: ClusterRoleBinding
- documentIndex: *clusterRoleBinding
equal:
path: metadata.name
value: release-name-common-test-my-rbac2
- documentIndex: *clusterRoleBinding
equal:
path: subjects
value:
- kind: ServiceAccount
name: release-name-common-test-my-other-sa
namespace: NAMESPACE
- kind: ServiceAccount
name: release-name-common-test
namespace: NAMESPACE
- apiGroup: rbac.authorization.k8s.io
kind: a-kind
name: a-name
- apiGroup: rbac.authorization.k8s.io
kind: some-kind
name: some-name
- it: should pass with serviceAccount selector
set:
serviceAccount:
my-sa:
enabled: true
primary: true
my-other-sa:
enabled: true
primary: false
rbac:
z-rbac:
enabled: true
primary: true
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
my-rbac3:
enabled: true
serviceAccounts:
- my-other-sa
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
asserts:
- documentIndex: &roleDoc 2
isKind:
of: Role
- documentIndex: *roleDoc
equal:
path: metadata.name
value: release-name-common-test-my-rbac3
- documentIndex: *roleDoc
equal:
path: rules
value:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- documentIndex: &roleBinding 3
isKind:
of: RoleBinding
- documentIndex: *roleBinding
equal:
path: metadata.name
value: release-name-common-test-my-rbac3
- documentIndex: *roleBinding
equal:
path: subjects
value:
- kind: ServiceAccount
name: release-name-common-test-my-other-sa
namespace: NAMESPACE
Reference in New Issue View Git Blame Copy Permalink