4 package krusty_test
5
6 import (
7 "testing"
8
9 kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
10 )
11
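// TestRoleBindingAcrossNamespace checks how nameSuffix propagates into
// RoleBinding subjects that live in namespaces other than the binding's own.
//
// The fixture declares ServiceAccounts in ns1, ns2 and ns3, one resource of
// the made-up kind NotServiceAccount in ns1, and a Role plus RoleBinding in
// ns2 whose subjects list names all four. The expected output pins:
//   - every resource's metadata.name receives the -ns2 suffix;
//   - roleRef.name follows the renamed Role;
//   - ServiceAccount subjects are renamed to match, including my-sa1 and
//     my-sa3, whose namespaces differ from the RoleBinding's;
//   - the NotServiceAccount subject keeps the name my-nsa even though the
//     resource itself is emitted as my-nsa-ns2.
//
// A subject that fell out of step with its renamed ServiceAccount would leave
// the binding naming an identity the build never emits, so the assertion
// guards the RBAC wiring, not just the rendered text. The Role's wildcard
// rules are carried through unchanged in the expected output.
func TestRoleBindingAcrossNamespace(t *testing.T) {
	th := kusttest_test.MakeEnhancedHarness(t)
	defer th.Reset()

	th.WriteK(".", `
resources:
- resource.yaml
nameSuffix: -ns2
`)
	th.WriteF("resource.yaml", `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa1
  namespace: ns1
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa2
  namespace: ns2
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa3
  namespace: ns3
---
apiVersion: v1
kind: NotServiceAccount
metadata:
  name: my-nsa
  namespace: ns1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: ns2
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-role
subjects:
- kind: ServiceAccount
  name: my-sa1
  namespace: ns1
- kind: ServiceAccount
  name: my-sa2
  namespace: ns2
- kind: ServiceAccount
  name: my-sa3
  namespace: ns3
- kind: NotServiceAccount
  name: my-nsa
  namespace: ns1
`)

	m := th.Run(".", th.MakeDefaultOptions())
	// The last subject is the interesting negative case: its kind is not
	// ServiceAccount, so its name stays my-nsa while the resource is renamed.
	th.AssertActualEqualsExpected(m, `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa1-ns2
  namespace: ns1
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa2-ns2
  namespace: ns2
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa3-ns2
  namespace: ns3
---
apiVersion: v1
kind: NotServiceAccount
metadata:
  name: my-nsa-ns2
  namespace: ns1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role-ns2
  namespace: ns2
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding-ns2
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-role-ns2
subjects:
- kind: ServiceAccount
  name: my-sa1-ns2
  namespace: ns1
- kind: ServiceAccount
  name: my-sa2-ns2
  namespace: ns2
- kind: ServiceAccount
  name: my-sa3-ns2
  namespace: ns3
- kind: NotServiceAccount
  name: my-nsa
  namespace: ns1
`)
}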
146
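// TestRoleBindingAcrossNamespaceWoSubjects covers a RoleBinding that has no
// subjects field at all.
//
// The fixture holds a ServiceAccount in ns1 and a Role plus RoleBinding in
// ns2, built with nameSuffix -ns2. The expected output shows the suffix
// applied to all three metadata.name values and to roleRef.name, and the
// RoleBinding is still emitted without a subjects key: the build neither
// fails on the missing list nor invents one.
func TestRoleBindingAcrossNamespaceWoSubjects(t *testing.T) {
	th := kusttest_test.MakeEnhancedHarness(t)
	defer th.Reset()

	th.WriteK(".", `
resources:
- resource.yaml
nameSuffix: -ns2
`)
	th.WriteF("resource.yaml", `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa1
  namespace: ns1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: ns2
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-role
`)

	m := th.Run(".", th.MakeDefaultOptions())
	// roleRef.name must track the renamed Role; a stale reference would leave
	// the binding pointing at a Role name that is absent from the output.
	th.AssertActualEqualsExpected(m, `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa1-ns2
  namespace: ns1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role-ns2
  namespace: ns2
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding-ns2
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-role-ns2
`)
}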
219
220
221
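// TestRoleBindingWhenSubjectsAcrossNamespace checks that a kustomization's
// namespace field does not overwrite the explicit namespace of a RoleBinding
// subject.
//
// Two sub-kustomizations (ns1 sets namespace-1, ns2 sets namespace-2) each
// hold an identically named Role and RoleBinding, and each binding's
// ServiceAccount subject names the other overlay's namespace. No
// ServiceAccount resource is part of the build. The expected output shows
// metadata.namespace assigned per overlay while every subjects[].namespace is
// emitted exactly as written in the input.
//
// Were the subject namespace rewritten to the overlay's own, each grant would
// be re-pointed at a same-named account in a different namespace, which is
// why the cross-namespace values are pinned here.
func TestRoleBindingWhenSubjectsAcrossNamespace(t *testing.T) {
	th := kusttest_test.MakeEnhancedHarness(t)
	defer th.Reset()
	th.WriteK(".", `
resources:
- ./ns1
- ./ns2
`)
	th.WriteK("ns1", `
namespace: namespace-1
resources:
- role-ns1.yaml
- rolebinding-ns1.yaml
`)
	th.WriteF("ns1/role-ns1.yaml", `
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testRole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
`)
	// The subject deliberately names namespace-2, not this overlay's namespace-1.
	th.WriteF("ns1/rolebinding-ns1.yaml", `
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testRole
subjects:
- kind: ServiceAccount
  name: testAccount
  namespace: namespace-2
`)
	th.WriteK("ns2", `
namespace: namespace-2
resources:
- role-ns2.yaml
- rolebinding-ns2.yaml
`)
	th.WriteF("ns2/role-ns2.yaml", `
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testRole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
`)
	// Mirror image of the ns1 binding: the subject names namespace-1.
	th.WriteF("ns2/rolebinding-ns2.yaml", `
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testRole
subjects:
- kind: ServiceAccount
  name: testAccount
  namespace: namespace-1
`)

	m := th.Run(".", th.MakeDefaultOptions())
	th.AssertActualEqualsExpected(m, `
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testRole
  namespace: namespace-1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testRoleBinding
  namespace: namespace-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testRole
subjects:
- kind: ServiceAccount
  name: testAccount
  namespace: namespace-2
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testRole
  namespace: namespace-2
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testRoleBinding
  namespace: namespace-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testRole
subjects:
- kind: ServiceAccount
  name: testAccount
  namespace: namespace-1
`)
}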
348