From 9bf3fc0381023f52983169f23a11e778055bab40 Mon Sep 17 00:00:00 2001
From: Katyanna Moura
Date: Thu, 24 Jul 2025 21:43:13 +0200
Subject: [PATCH 1/7] Remove duplicate import

Signed-off-by: Katyanna Moura
---
 test/e2e/authorization.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/test/e2e/authorization.go b/test/e2e/authorization.go
index 4e2bc8526b..25d470586d 100644
--- a/test/e2e/authorization.go
+++ b/test/e2e/authorization.go
@@ -17,7 +17,6 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 kubelabels "k8s.io/apimachinery/pkg/labels"
 "k8s.io/client-go/kubernetes"
- clientset "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
 "k8s.io/kubernetes/test/e2e/framework"
 testutil "k8s.io/kubernetes/test/utils"
@@ -940,7 +939,7 @@ func newClientWithRole(cluster *types.Cluster, assumeRole string) (*kubernetes.C
 if err != nil {
 return nil, err
 }
- clientset, err := kubernetes.NewForConfig(
+ kubernetes, err := kubernetes.NewForConfig(
 &rest.Config{
 Host: aws.ToString(cluster.Endpoint),
 BearerToken: tok.Token,
@@ -952,7 +951,7 @@ func newClientWithRole(cluster *types.Cluster, assumeRole string) (*kubernetes.C
 if err != nil {
 return nil, err
 }
- return clientset, nil
+ return kubernetes, nil
 }

 // getEKSCluster returns the EKS cluster where its Endpoint matches the given config's Host.
@@ -997,7 +996,7 @@ func examplePod(namespace string, labels map[string]string) *corev1.Pod {
 }

 // createPod starts a Pod in the specified namespace and with the specific labels.
-func createPod(ctx context.Context, client clientset.Interface, namespace string, labels map[string]string) (*corev1.Pod, error) {
+func createPod(ctx context.Context, client kubernetes.Interface, namespace string, labels map[string]string) (*corev1.Pod, error) {
 pod, err := client.CoreV1().Pods(namespace).Create(ctx, examplePod(namespace, labels), metav1.CreateOptions{})
 if err != nil {
 return nil, err
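Review bot: `kubernetes, err := kubernetes.NewForConfig(` in the `@@ -940` hunk shadows the imported `kubernetes` package with a local variable for the remainder of newClientWithRole, so any later `kubernetes.` reference in that function would stop compiling, and gocritic's importShadow flags exactly this; the `@@ -952` hunk returns that variable. Dropping the duplicate `clientset` alias is the right fix on the import side, but the local should take a non-package name: `cs, err := kubernetes.NewForConfig(` and `return cs, nil`. newClientWithRole starts and ends outside these hunks.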
@@ -1011,7 +1010,7 @@ func createPod(ctx context.Context, client clientset.Interface, namespace string
 }

 // createClusterRole creates a ClusterRole with the specified labels.
-func createClusterRole(ctx context.Context, client clientset.Interface, labels map[string]string) (*rbacv1.ClusterRole, error) {
+func createClusterRole(ctx context.Context, client kubernetes.Interface, labels map[string]string) (*rbacv1.ClusterRole, error) {
 clusterRole := &rbacv1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{
 GenerateName: "test-cluster-role-",
From b0b9789f5b117c2e8da160bfe7ed260bf56030c8 Mon Sep 17 00:00:00 2001
From: Katyanna Moura
Date: Fri, 25 Jul 2025 15:40:48 +0200
Subject: [PATCH 2/7] Rename file to fit pattern

Though the company language is BrE, kubernetes tools use AmE. This commit sets file name to the same pattern used in the code.

Signed-off-by: Katyanna Moura
---
 test/e2e/{authorisation_test.go => authorization_test.go} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename test/e2e/{authorisation_test.go => authorization_test.go} (100%)

diff --git a/test/e2e/authorisation_test.go b/test/e2e/authorization_test.go
similarity index 100%
rename from test/e2e/authorisation_test.go
rename to test/e2e/authorization_test.go
From aac3e280fc80797ac01494260f3b50979955bb25 Mon Sep 17 00:00:00 2001
From: Katyanna Moura
Date: Thu, 31 Jul 2025 11:16:50 +0200
Subject: [PATCH 3/7] Test secrets read permission for CDP and deployment-service

Signed-off-by: Katyanna Moura
---
 cluster/cluster.yaml | 70 ++++++++++++++++++++
 test/e2e/authorization.go | 130 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 200 insertions(+)

diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
index a3f4b17dcd..0c4d139537 100644
--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -458,6 +458,76 @@ Resources:
 KubernetesGroups:
 - zalando:postgres-admin
 Type: "STANDARD"
+ E2EEKSIAMTestCDP:
+ Properties:
+ AssumeRolePolicyDocument: !Sub
+ - |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": [
+ "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDC}"
+ ]
+ },
+ "Action": [
+ "sts:AssumeRoleWithWebIdentity"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "${OIDC}:sub": "system:serviceaccount:default:cdp"
+ }
+ }
+ }
+ ]
+ }
+ - OIDC: !Select [1, !Split ["//", !GetAtt EKSCluster.OpenIdConnectIssuerUrl]]
+ Path: /
+ Policies:
+ - PolicyDocument:
+ Statement:
+ - Action: 'secretsmanager:GetSecretValue'
+ Effect: Allow
+ Resource: "arn:aws:secretsmanager:{{.Cluster.Region}}:{{.Cluster.InfrastructureAccountID}}:secret:*.*.*"
+ RoleName: "{{.Cluster.LocalID}}-cdp"
+ Type: 'AWS::IAM::Role'
+ E2EEKSIAMTestDeploymentService:
+ Properties:
+ AssumeRolePolicyDocument: !Sub
+ - |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": [
+ "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDC}"
+ ]
+ },
+ "Action": [
+ "sts:AssumeRoleWithWebIdentity"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "${OIDC}:sub": "system:serviceaccount:kube-system:deployment-service-controller"
+ }
+ }
+ }
+ ]
+ }
+ - OIDC: !Select [1, !Split ["//", !GetAtt EKSCluster.OpenIdConnectIssuerUrl]]
+ Path: /
+ Policies:
+ - PolicyDocument:
+ Statement:
+ - Action: 'secretsmanager:GetSecretValue'
+ Effect: Allow
+ Resource: "arn:aws:secretsmanager:{{.Cluster.Region}}:{{.Cluster.InfrastructureAccountID}}:secret:*.*.*"
+ RoleName: "{{.Cluster.LocalID}}-deployment-service"
+ Type: 'AWS::IAM::Role'
 {{ end }}
 # TODO: IAM POLICY
 EKSCNIIPv6Policy:
diff --git a/test/e2e/authorization.go b/test/e2e/authorization.go
index 25d470586d..88671293a3 100644
--- a/test/e2e/authorization.go
+++ b/test/e2e/authorization.go
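Review bot: The trust policies on E2EEKSIAMTestCDP and E2EEKSIAMTestDeploymentService condition only on `"${OIDC}:sub"`; the usual web-identity pattern also pins the audience in the same StringEquals block, `"${OIDC}:aud": "sts.amazonaws.com"`, so a projected token issued for some other audience cannot be exchanged for these roles. The inline policy's `Resource: "...:secret:*.*.*"` grants GetSecretValue on every secret in the infrastructure account whose name contains two or more dots; if the e2e flow only reads known test secrets, a name prefix would keep the reach of a leaked test credential small. Both points apply to the two role blocks alike.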
@@ -504,6 +504,52 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
 })
 })

+ // Test secret read permissions for CDP and deployment-service
+ // =============================================================================
+ // Validates the RBAC permissions granted to CDP and deployment-service for reading
+ // secrets across all namespaces, including kube-system. These permissions enable
+ // the workflow where users deploy cluster roles with secret read permissions that
+ // are subsequently rewritten by the admission controller.
+ g.When("the service account is deployment-service-controller", func() {
+ g.BeforeEach(func() {
+ tc.data.users = []string{"system:serviceaccount:kube-system:deployment-service-controller"}
+ tc.data.groups = [][]string{{"system:serviceaccounts:kube-system"}}
+ })
+ g.It("should allow to read secrets on user namespaces", func() {
+ tc.data.namespaces = []string{"teapot"}
+ tc.data.resources = []string{"secrets"}
+ tc.data.verbs = []string{"read"}
+ tc.run(context.TODO(), cs, true)
+ gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+ })
+ g.It("should allow to read secrets on system namespace", func() {
+ tc.data.namespaces = []string{"kube-system"}
+ tc.data.resources = []string{"secrets"}
+ tc.data.verbs = []string{"read"}
+ tc.run(context.TODO(), cs, true)
+ gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+ })
+ })
+ g.When("the service account is CDP", func() {
+ g.BeforeEach(func() {
+ tc.data.users = []string{"system:serviceaccount:default:cdp"}
+ tc.data.groups = [][]string{{"system:serviceaccounts:default"}}
+ })
+ g.It("should allow to read secrets on user namespaces", func() {
+ tc.data.namespaces = []string{"teapot"}
+ tc.data.resources = []string{"secrets"}
+ tc.data.verbs = []string{"read"}
+ tc.run(context.TODO(), cs, true)
+ gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+ })
+ g.It("should allow to read secrets on system namespace", 
func() {
+ tc.data.namespaces = []string{"kube-system"}
+ tc.data.resources = []string{"secrets"}
+ tc.data.verbs = []string{"read"}
+ tc.run(context.TODO(), cs, true)
+ gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+ })
+ })
 })

 g.Context("For administrators", func() {
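Review bot: The four `g.It` bodies in the two new `g.When` blocks are identical apart from the namespace, and the two `g.When` blocks differ only in the subject, so a small table of subjects crossed with the two namespaces would keep this to one body and make the next subject a one-line addition (relying on per-iteration loop variables, Go 1.22+; otherwise copy `subject` and `ns` inside the loop). Whether `"read"` is a verb `tc.run` understands is not visible here; the other cases in this Describe presumably use the same vocabulary, which is worth confirming. The enclosing Describe starts and ends outside the hunk.
```go
// … unchanged: header comment …
for _, subject := range []struct{ name, user, group string }{
	{"deployment-service-controller", "system:serviceaccount:kube-system:deployment-service-controller", "system:serviceaccounts:kube-system"},
	{"CDP", "system:serviceaccount:default:cdp", "system:serviceaccounts:default"},
} {
	g.When("the service account is "+subject.name, func() {
		g.BeforeEach(func() {
			tc.data.users = []string{subject.user}
			tc.data.groups = [][]string{{subject.group}}
		})
		for _, ns := range []string{"teapot", "kube-system"} {
			g.It("should allow to read secrets on namespace "+ns, func() {
				tc.data.namespaces = []string{ns}
				tc.data.resources = []string{"secrets"}
				tc.data.verbs = []string{"read"}
				tc.run(context.TODO(), cs, true)
				gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
			})
		}
	})
}
```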
@@ -893,6 +939,69 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 gomega.Expect(result.Error()).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 })
 })
+ })
+
+ // Test secret read permissions for CDP and deployment-service
+ // =============================================================================
+ // Validates that the admission controller correctly rewrites ClusterRole
+ // permissions related to secret access, ensuring that secret read permissions
+ // granted to CDP and deployment-service are revoked.
+ g.Context("cdp and deployment-service", func() {
+ var (
+ testSecret *corev1.Secret
+ systemSecret *corev1.Secret
+ )
+
+ g.BeforeEach(func() {
+ var err error
+ testSecret, err = createSecret(context.Background(), f.ClientSet, f.Namespace.Name, map[string]string{"application": "my-app"})
+ framework.ExpectNoError(err)
+
+ systemSecret, err = createSecret(context.Background(), f.ClientSet, "kube-system", map[string]string{"application": "my-app"})
+ framework.ExpectNoError(err)
+ })
+
+ g.Context("cdp", func() {
+ var client *kubernetes.Clientset
+
+ g.BeforeEach(func() {
+ var err error
+
+ client, err = getCDPClient(eksCluster, awsAccountID)
+ framework.ExpectNoError(err)
+ })
+
+ g.It("should deny secret read access to user namespace", func() {
+ _, err := client.CoreV1().Secrets(testSecret.Namespace).Get(context.Background(), testSecret.Name, metav1.GetOptions{})
+ gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
+ })
+
+ g.It("should deny secret read access to kube-system namespace", func() {
+ _, err := client.CoreV1().Secrets(systemSecret.Namespace).Get(context.Background(), systemSecret.Name, metav1.GetOptions{})
+ gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
+ })
+ })
+
+ g.Context("deployment-service", func() {
+ var client *kubernetes.Clientset
+
+ g.BeforeEach(func() {
+ 
var err error
+
+ client, err = getDeploymentServiceClient(eksCluster, awsAccountID)
+ framework.ExpectNoError(err)
+ })
+
+ g.It("should deny secret read access to user namespace", func() {
+ _, err := client.CoreV1().Secrets(testSecret.Namespace).Get(context.Background(), testSecret.Name, metav1.GetOptions{})
+ gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
+ })
+
+ g.It("should deny secret read access to kube-system namespace", func() {
+ _, err := client.CoreV1().Secrets(systemSecret.Namespace).Get(context.Background(), systemSecret.Name, metav1.GetOptions{})
+ gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
+ })
+ })
 })
 })

@@ -921,6 +1030,15 @@ func getPostgresAdministratorClient(cluster *types.Cluster, awsAccountID string)
 return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-postgres-admin-role", awsAccountID, aws.ToString(cluster.Name)))
 }

+// getCDPClient returns a client with the `zalando:cdp` group.
+func getCDPClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
+ return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-cdp-role", awsAccountID, aws.ToString(cluster.Name)))
+}
+// getDeploymentServiceClient returns a client with the `zalando:deployment-service` group.
+func getDeploymentServiceClient(cluster *types.Cluster, awsAccountID string) (*kubernetes.Clientset, error) {
+ return newClientWithRole(cluster, fmt.Sprintf("arn:aws:iam::%s:role/%s-e2e-eks-iam-test-deployment-service-role", awsAccountID, aws.ToString(cluster.Name)))
+}
+
 // newClientWithRole returns a new Kubernetes client with the specified IAM role and its associated AccessEntries.
 func newClientWithRole(cluster *types.Cluster, assumeRole string) (*kubernetes.Clientset, error) {
 gen, err := token.NewGenerator(true, false)
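Review bot: `createSecret(context.Background(), f.ClientSet, "kube-system", ...)` in the outer BeforeEach creates a `test-secret-*` Secret in kube-system for every spec and nothing removes it — the e2e framework tears down the namespaces it creates, not kube-system — so these objects accumulate across runs. Add a matching cleanup, e.g. `g.AfterEach(func() { framework.ExpectNoError(f.ClientSet.CoreV1().Secrets(systemSecret.Namespace).Delete(context.Background(), systemSecret.Name, metav1.DeleteOptions{})) })`, or create the object through a helper that registers its own cleanup. The `eksCluster` and `awsAccountID` values read by the inner BeforeEach blocks are declared outside this hunk.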
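Review bot: getCDPClient assumes a role named `%s-e2e-eks-iam-test-cdp-role` built from `cluster.Name`, while the role this same commit adds to cluster/cluster.yaml is named `{{.Cluster.LocalID}}-cdp`; unless LocalID and the EKS cluster name coincide and something not visible here produces the `-e2e-eks-iam-test-*-role` suffix, the AssumeRole call targets a role that does not exist, and the same holds for getDeploymentServiceClient. Deriving the Go-side ARN from the same value the template uses would remove the drift. The doc comments promise the `zalando:cdp` / `zalando:deployment-service` groups, but no access entry in this commit maps the roles to those groups, so the comments describe an intent rather than the current template. A blank line is also missing between the `}` of getCDPClient and `// getDeploymentServiceClient`, which is how the neighbouring helpers are separated.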
@@ -1021,6 +1139,18 @@ func createClusterRole(ctx context.Context, client kubernetes.Interface, labels
 return client.RbacV1().ClusterRoles().Create(ctx, clusterRole, metav1.CreateOptions{})
 }

+// createSecret creates a Secret with the specified labels.
+func createSecret(ctx context.Context, client kubernetes.Interface, namespace string, labels map[string]string) (*corev1.Secret, error) {
+ secret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ GenerateName: "test-secret-",
+ Labels: labels,
+ },
+ }
+
+ return client.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{})
+}
+
 // getAWSAccountID returns the current AWS account's ID.
 func getAWSAccountID(ctx context.Context, awsConfig aws.Config) (string, error) {
 client := sts.NewFromConfig(awsConfig)
From 0e6008744639e47022afb67dba58ff2577d6caab Mon Sep 17 00:00:00 2001
From: Katyanna Moura
Date: Thu, 14 Aug 2025 11:21:39 +0200
Subject: [PATCH 4/7] Simplify e2e roles

Signed-off-by: Katyanna Moura
---
 cluster/cluster.yaml | 83 +++++++++++--------------------------------
 1 file changed, 20 insertions(+), 63 deletions(-)

diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
index 0c4d139537..59e6f5a437 100644
--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -460,74 +460,31 @@ Resources:
 Type: "STANDARD"
 E2EEKSIAMTestCDP:
 Properties:
- AssumeRolePolicyDocument: !Sub
- - |
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": [
- "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDC}"
- ]
- },
- "Action": [
- "sts:AssumeRoleWithWebIdentity"
- ],
- "Condition": {
- "StringEquals": {
- "${OIDC}:sub": "system:serviceaccount:default:cdp"
- }
- }
- }
- ]
- }
- - OIDC: !Select [1, !Split ["//", !GetAtt EKSCluster.OpenIdConnectIssuerUrl]]
+ AssumeRolePolicyDocument:
+ Statement:
+ - Action:
+ - 'sts:AssumeRole'
+ - 'sts:SetSourceIdentity'
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+ Version: 2012-10-17
 Path: /
- Policies:
- - PolicyDocument:
- Statement:
- - Action: 'secretsmanager:GetSecretValue'
- Effect: Allow
- Resource: "arn:aws:secretsmanager:{{.Cluster.Region}}:{{.Cluster.InfrastructureAccountID}}:secret:*.*.*"
- RoleName: "{{.Cluster.LocalID}}-cdp"
+ RoleName: "{{.Cluster.LocalID}}-e2e-cdp"
 Type: 'AWS::IAM::Role'
 E2EEKSIAMTestDeploymentService:
 Properties:
- AssumeRolePolicyDocument: !Sub
- - |
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": [
- "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDC}"
- ]
- },
- "Action": [
- "sts:AssumeRoleWithWebIdentity"
- ],
- "Condition": {
- "StringEquals": {
- "${OIDC}:sub": "system:serviceaccount:kube-system:deployment-service-controller"
- }
- }
- }
- ]
- }
- - OIDC: !Select [1, !Split ["//", !GetAtt EKSCluster.OpenIdConnectIssuerUrl]]
+ AssumeRolePolicyDocument:
+ Statement:
+ - Action:
+ - 'sts:AssumeRole'
+ - 'sts:SetSourceIdentity'
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+ Version: 2012-10-17
 Path: /
- Policies:
- - PolicyDocument:
- Statement:
- - Action: 'secretsmanager:GetSecretValue'
- Effect: Allow
- Resource: 
"arn:aws:secretsmanager:{{.Cluster.Region}}:{{.Cluster.InfrastructureAccountID}}:secret:*.*.*" - RoleName: "{{.Cluster.LocalID}}-deployment-service" - Type: 'AWS::IAM::Role' + RoleName: "{{.Cluster.LocalID}}-e2e-deployment-service" {{ end }} # TODO: IAM POLICY EKSCNIIPv6Policy: From 6cf327d7308ac1ef1c39bcf807439983ea950108 Mon Sep 17 00:00:00 2001 From: Katyanna Moura Date: Thu, 21 Aug 2025 19:59:30 +0200 Subject: [PATCH 5/7] testcase: cdp user creates clusterrole with read secret permission Signed-off-by: Katyanna Moura --- test/e2e/authorization.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/test/e2e/authorization.go b/test/e2e/authorization.go index 88671293a3..6445f58a57 100644 --- a/test/e2e/authorization.go +++ b/test/e2e/authorization.go @@ -512,8 +512,8 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() { // are subsequently rewritten by the admission controller. g.When("the service account is deployment-service-controller", func() { g.BeforeEach(func() { - tc.data.users = []string{"system:serviceaccount:kube-system:deployment-service-controller"} tc.data.groups = [][]string{{"system:serviceaccounts:kube-system"}} + tc.data.users = []string{"system:serviceaccount:kube-system:deployment-service-controller"} }) g.It("should allow to read secrets on user namespaces", func() { tc.data.namespaces = []string{"teapot"} @@ -532,8 +532,8 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() { }) g.When("the service account is CDP", func() { g.BeforeEach(func() { - tc.data.users = []string{"system:serviceaccount:default:cdp"} tc.data.groups = [][]string{{"system:serviceaccounts:default"}} + tc.data.users = []string{"system:serviceaccount:default:cdp"} }) g.It("should allow to read secrets on user namespaces", func() { tc.data.namespaces = []string{"teapot"} 
@@ -549,6 +549,14 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
 tc.run(context.TODO(), cs, true)
 gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
 })
+ // TODO: create clusterrole with read secret permission
+ g.It("should create a clusterrole with read secret permission", func() {
+ tc.data.namespaces = []string{"teapot"}
+ tc.data.resources = []string{"clusterrole"}
+ tc.data.verbs = []string{"create"}
+ tc.run(context.TODO(), cs, true)
+ gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+ })
 })
 })

From e042dd987cba33a8a9f2f405592e30452dc25ee9 Mon Sep 17 00:00:00 2001
From: Katyanna Moura
Date: Fri, 22 Aug 2025 10:26:14 +0200
Subject: [PATCH 6/7] fix roles

Signed-off-by: Katyanna Moura
---
 cluster/cluster.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
index 59e6f5a437..8d8eea3331 100644
--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -472,6 +472,23 @@ Resources:
 Path: /
 RoleName: "{{.Cluster.LocalID}}-e2e-cdp"
 Type: 'AWS::IAM::Role'
+ E2EEKSIAMTestAccessEntryCDP:
+ Type: "AWS::EKS::AccessEntry"
+ Properties:
+ AccessPolicies:
+ - AccessScope:
+ Type: "cluster"
+ PolicyArn: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+ ClusterName: !Ref EKSCluster
+ PrincipalArn: !GetAtt E2EEKSIAMTestCDP.Arn
+ Username: !Join
+ - ''
+ - - !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/'
+ - !Ref E2EEKSIAMTestCDP
+ - '/{{`{{SessionName}}`}}'
+ KubernetesGroups:
+ - zalando:cdp
+ Type: "STANDARD"
 E2EEKSIAMTestDeploymentService:
 Properties:
 AssumeRolePolicyDocument:
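Review bot: `tc.data.resources = []string{"clusterrole"}` uses the singular, whereas the Kubernetes resource name — and the other cases in this file, e.g. `"secrets"` — is plural; if `tc.run` feeds this into an access review, `clusterroles` is what the API server expects. A ClusterRole is cluster-scoped, so `tc.data.namespaces = []string{"teapot"}` is odd for this verb, and nothing in the data carries the secret-read rule the spec name promises, so as written the case only checks that cdp may create some ClusterRole. The `// TODO` left above the spec suggests this is known; either finish the case or keep it pending with `g.PIt` so it is not reported as passing.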
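Review bot: Both new access entries (this hunk and the E2EEKSIAMTestAccessEntryDeploymentService hunk that follows) attach `AmazonEKSClusterAdminPolicy` at cluster scope to the test role on top of the `zalando:cdp` / `zalando:deployment-service` Kubernetes group. Kubernetes authorizers are a union, so with that policy the EKS authorizer admits every request regardless of what RBAC says about the group; through this client only admission-time rejections can be observed, which is what the admission-controller specs rely on. If that is the intent it deserves a comment next to AccessPolicies, e.g. `# cluster-admin so that authorization always passes and the admission controller's rewrite/deny path is what the e2e specs observe`; if RBAC for the group should also be exercised, drop `AccessPolicies` and let `KubernetesGroups` carry the permissions.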
@@ -485,6 +502,24 @@ Resources:
 Version: 2012-10-17
 Path: /
 RoleName: "{{.Cluster.LocalID}}-e2e-deployment-service"
+ Type: 'AWS::IAM::Role'
+ E2EEKSIAMTestAccessEntryDeploymentService:
+ Type: "AWS::EKS::AccessEntry"
+ Properties:
+ AccessPolicies:
+ - AccessScope:
+ Type: "cluster"
+ PolicyArn: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+ ClusterName: !Ref EKSCluster
+ PrincipalArn: !GetAtt E2EEKSIAMTestDeploymentService.Arn
+ Username: !Join
+ - ''
+ - - !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/'
+ - !Ref E2EEKSIAMTestDeploymentService
+ - '/{{`{{SessionName}}`}}'
+ KubernetesGroups:
+ - zalando:deployment-service
+ Type: "STANDARD"
 {{ end }}
 # TODO: IAM POLICY
 EKSCNIIPv6Policy:
From 1b7e154b1741dcbad20b32f6f676da766bf5a3ca Mon Sep 17 00:00:00 2001
From: Katyanna Moura
Date: Fri, 22 Aug 2025 14:44:55 +0200
Subject: [PATCH 7/7] fix admision-controller test cases

Signed-off-by: Katyanna Moura
---
 test/e2e/authorization.go | 55 +++++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 22 deletions(-)

diff --git a/test/e2e/authorization.go b/test/e2e/authorization.go
index 6445f58a57..6cf6abbe69 100644
--- a/test/e2e/authorization.go
+++ b/test/e2e/authorization.go
@@ -529,8 +529,15 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
 tc.run(context.TODO(), cs, true)
 gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
 })
+ g.It("should create a clusterrole with read secret permission", func() {
+ tc.data.namespaces = []string{"teapot"}
+ tc.data.resources = []string{"clusterrole"}
+ tc.data.verbs = []string{"create"}
+ tc.run(context.TODO(), cs, true)
+ gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
+ })
 })
- g.When("the service account is CDP", func() {
+ g.When("[Katyanna] the service account is CDP", func() {
 g.BeforeEach(func() {
 tc.data.groups = [][]string{{"system:serviceaccounts:default"}}
 tc.data.users = []string{"system:serviceaccount:default:cdp"}
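Review bot: `g.When("[Katyanna] the service account is CDP", ...)` leaves a personal tag in the spec description; it looks like a marker used to focus this block while iterating locally and should go back to `"the service account is CDP"` before merge, since the text ends up in reports and in `--focus`/`--skip` patterns. The spec copied into the deployment-service block repeats `tc.data.resources = []string{"clusterrole"}` in the singular, while the resource name the API uses (and the `"secrets"` cases nearby) is plural.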
@@ -549,7 +556,6 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
 tc.run(context.TODO(), cs, true)
 gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
 })
- // TODO: create clusterrole with read secret permission
 g.It("should create a clusterrole with read secret permission", func() {
 tc.data.namespaces = []string{"teapot"}
 tc.data.resources = []string{"clusterrole"}
@@ -956,17 +962,22 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 // granted to CDP and deployment-service are revoked.
 g.Context("cdp and deployment-service", func() {
 var (
- testSecret *corev1.Secret
- systemSecret *corev1.Secret
+ systemResource *rbacv1.ClusterRole
+ nonSystemResource *rbacv1.ClusterRole
 )

 g.BeforeEach(func() {
- var err error
- testSecret, err = createSecret(context.Background(), f.ClientSet, f.Namespace.Name, map[string]string{"application": "my-app"})
- framework.ExpectNoError(err)
-
- systemSecret, err = createSecret(context.Background(), f.ClientSet, "kube-system", map[string]string{"application": "my-app"})
- framework.ExpectNoError(err)
+ systemResource = &rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ GenerateName: "test-cluster-role-",
+ Labels: map[string]string{"admission.zalando.org/infrastructure-component": "true"},
+ },
+ }
+ nonSystemResource = &rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ GenerateName: "test-cluster-role-",
+ },
+ }
 })

 g.Context("cdp", func() {
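Review bot: Neither `systemResource` nor `nonSystemResource` carries any `Rules`, so the specs that consume them ("should deny creating clusterrole with read secret permission …") never present a secret-read rule to the admission controller; whatever it rejects, it is not the permission the spec name describes, and a later relaxation that blocks only secret rules would pass unnoticed. Give both objects the rule under test and keep them apart only by the `admission.zalando.org/infrastructure-component` label, as below. With the secrets gone, `createSecret` (added earlier in this series) appears to have no remaining caller in this file, though other callers may exist outside the hunk.
```go
g.BeforeEach(func() {
	// the rule the admission controller is expected to reject for these principals
	secretRead := []rbacv1.PolicyRule{{
		APIGroups: []string{""},
		Resources: []string{"secrets"},
		Verbs:     []string{"get", "list", "watch"},
	}}
	systemResource = &rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{
			GenerateName: "test-cluster-role-",
			Labels:       map[string]string{"admission.zalando.org/infrastructure-component": "true"},
		},
		Rules: secretRead,
	}
	nonSystemResource = &rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{GenerateName: "test-cluster-role-"},
		Rules:      secretRead,
	}
})
```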
@@ -979,14 +990,14 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 framework.ExpectNoError(err)
 })

- g.It("should deny secret read access to user namespace", func() {
- _, err := client.CoreV1().Secrets(testSecret.Namespace).Get(context.Background(), testSecret.Name, metav1.GetOptions{})
- gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
+ g.It("should deny creating clusterrole with read secret permission on system namespace", func() {
+ _, err := client.RbacV1().ClusterRoles().Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{}})
+ gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 })

- g.It("should deny secret read access to kube-system namespace", func() {
- _, err := client.CoreV1().Secrets(systemSecret.Namespace).Get(context.Background(), systemSecret.Name, metav1.GetOptions{})
- gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
+ g.It("should deny creating clusterrole with read secret permission on user namespace", func() {
+ _, err := client.RbacV1().ClusterRoles().Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{}})
+ gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 })
 })

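Review bot: `metav1.CreateOptions{DryRun: []string{}}` is not a dry run — an empty list is the same as omitting the field — so if the admission controller ever admits one of these ClusterRoles the object is persisted with no cleanup; use `DryRun: []string{metav1.DryRunAll}`, which still passes through admission and so still exercises the rejection. The spec names speak of a "system namespace" and a "user namespace", but ClusterRoles are cluster-scoped and the two objects differ only by the infrastructure-component label, so naming them after that label would say what is actually tested. Both points apply equally to the deployment-service hunk that follows.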
@@ -1000,14 +1011,14 @@ var _ = g.Describe("Authorization via admission-controller [RBAC] [Zalando]", fu
 framework.ExpectNoError(err)
 })

- g.It("should deny secret read access to user namespace", func() {
- _, err := client.CoreV1().Secrets(testSecret.Namespace).Get(context.Background(), testSecret.Name, metav1.GetOptions{})
- gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
+ g.It("should deny creating clusterrole with read secret permission on system namespace", func() {
+ _, err := client.RbacV1().ClusterRoles().Create(context.Background(), systemResource, metav1.CreateOptions{DryRun: []string{}})
+ gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 })

- g.It("should deny secret read access to kube-system namespace", func() {
- _, err := client.CoreV1().Secrets(systemSecret.Namespace).Get(context.Background(), systemSecret.Name, metav1.GetOptions{})
- gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("read operations are forbidden")))
+ g.It("should deny creating clusterrole with read secret permission on user namespace", func() {
+ _, err := client.RbacV1().ClusterRoles().Create(context.Background(), nonSystemResource, metav1.CreateOptions{DryRun: []string{}})
+ gomega.Expect(err).To(gomega.MatchError(gomega.ContainSubstring("write operations are forbidden")))
 })
 })
 })