fix: switch to cluster-admin instead of edit cluster role to include CRDs. Additional tests

Author: DenisBiondic

Models/K8sRoleBinding.cs

@@ -52,9 +52,11 @@ public static K8sRoleBinding NamespaceFullAccess(string namespacename,
                 Kind = "RoleBinding",
                 ApiVersion = "rbac.authorization.k8s.io/v1",
                 Metadata = new K8sMetadata { Name = $"copsnamespace-user", Namespace = namespacename },
-                // the in-built clusterrole edit has all the api resources and CRDs aalways up to date,
-                // so we use that clusterrole instead of writing our own which is far more brittle
-                RoleRef = new K8sRoleRef("ClusterRole", "edit", "rbac.authorization.k8s.io")
+                // The in-built clusterrole cluster-admin allows access to all resources (wildcard),
+                // so that we can use that clusterrole instead of writing our own which is far more brittle.
+                // Since we scope the cluster-admin to a namespace using RoleBinding (in contrast to ClusterRoleBinding)
+                // this is a good approach.
+                RoleRef = new K8sRoleRef("ClusterRole", "cluster-admin", "rbac.authorization.k8s.io")
             };
 
             var subjects = users.ToList()

tests/allowed-resources/networking.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: test-ingress
+  namespace: {{NAMESPACE}}
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /testpath
+        backend:
+          serviceName: test
+          servicePort: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-ingress
+  namespace: {{NAMESPACE}}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  policyTypes:
+  - Ingress

tests/allowed-resources/notes.txt

@@ -0,0 +1 @@
+Actually all the resources should be allowed to be deployed inside a namespace, so this is more of a collection of those that we actually test.

tests/allowed-resources/rbac.yaml

@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: test-role
+  namespace: {{NAMESPACE}}
+  labels: 
+    tests: cops-controller-component-tests
+rules: # rules here are completely irrelevant
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: test-role-binding
+  namespace: {{NAMESPACE}}
+  labels: 
+    tests: cops-controller-component-tests
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: test-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: test.user@conplement.de

tests/tests.sh

@@ -108,6 +108,18 @@ function ensureAccessToNamespace {
     kubectl get pods,svc,deploy -n $namespaceName || fail "It was expected that the namespace setup is completed at this point."
 }
 
+function ensureAllResourcesAreSupported {
+    namespaceName=$1
+
+    # IMPORTANT
+    # you should not test custom CRD resources here, because that is an additional test dependency which might
+    # come in conflict with existing CRDs, depending on the cluster where this test is run
+    cat "tests/allowed-resources/rbac.yaml" | sed "s/{{NAMESPACE}}/$namespaceName/g" \
+     | kubectl apply -f -
+    cat "tests/allowed-resources/networking.yaml" | sed "s/{{NAMESPACE}}/$namespaceName/g" \
+     | kubectl apply -f -
+}
+
 function expectApplyToFail {
     hasFailed="no"
 
@@ -167,6 +179,7 @@ function test_invalidDefinitions {
 
 # Tests following business cases:
 # - user can create a cops namespace and gain rights inside it
+# - the rights are additionaly tested by deploying different sample k8s resources, which should all succeed
 # - all other users are denied access
 function test_shouldDeployEmpireCnsWithValidRbac {
     logTestStarted ${FUNCNAME[0]}
@@ -183,6 +196,7 @@ function test_shouldDeployEmpireCnsWithValidRbac {
 
     # Assert
     ensureAccessToNamespace $namespaceName
+    ensureAllResourcesAreSupported $namespaceName
 
     # no access for other accounts
     kubectl config use-context $kyloRenAccount