Integration tests with reduced privileges #2502

Closed
corneliusweig opened this issue Jul 19, 2019 · 3 comments
Labels
kind/todo implementation task/epic for the skaffold team meta/testing Issues focused on testing Skaffold itself priority/p3 agreed that this would be good to have, but no one is available at the moment.

Comments

@corneliusweig
Contributor

Currently, integration tests always run with a user who has unconstrained privileges. This misses bugs that only manifest when a user has constrained privileges, but still enough privileges to reasonably expect a Skaffold run to succeed.

For example, #2495 describes a problem which only manifests when a user cannot list deployments at cluster scope.

It would be good to have some integration tests run with a reduced set of privileges, to catch these kinds of issues early.


A reasonable restriction would be edit rights in a single namespace. This can be set up via [1]

   kubectl config set-context reduced-privileges-context --user skaffold-test-user --cluster (..)

and define a RoleBinding in namespace tbd which references the default edit ClusterRole:

   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: skaffold-test-user
     namespace: tbd
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: edit
   subjects:
   - apiGroup: rbac.authorization.k8s.io
     kind: User
     name: default-user
     namespace: default

This new reduced-privileges-context can then be enabled with the new --kube-context flag.

Depends on #2447

[1]: probably incomplete instructions
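
One way to set up and check the restriction proposed above, as an added example that is not part of the original issue or of Skaffold's test suite. The function names, the `-edit` binding name, and the sample namespace/user arguments are hypothetical; it assumes the namespace already exists, the current kubectl context is an admin allowed to impersonate users, and the user has no other bindings.

```shell
#!/usr/bin/env bash
# Added example; names are assumptions, not Skaffold's own test setup.

# Print a RoleBinding granting the built-in "edit" ClusterRole to one user
# in exactly one namespace. User subjects are cluster-global, so the
# subject carries no namespace field.
render_rolebinding() {
  local ns="$1" user="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${user}-edit
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${user}
EOF
}

# Compare one "kubectl auth can-i" answer (yes/no) with the expected one.
# can-i exits non-zero on "no", so the exit status is ignored on purpose.
expect_can_i() {
  local want="$1" got; shift
  got="$(kubectl auth can-i "$@" 2>/dev/null || true)"
  [ "$got" = "$want" ] || { echo "FAIL: can-i $* = '$got', want '$want'" >&2; return 1; }
}

# Apply the binding as admin, then impersonate the user to confirm the
# boundary: edit rights inside the namespace, nothing outside it and
# nothing at cluster scope (the situation #2495 ran into).
verify_reduced_privileges() {
  local ns="$1" user="$2"
  render_rolebinding "$ns" "$user" | kubectl apply -f - || return 1
  expect_can_i yes create deployments.apps --as="$user" -n "$ns" &&
  expect_can_i no  list deployments.apps --as="$user" -n kube-system &&
  expect_can_i no  list deployments.apps --as="$user" --all-namespaces
}
```

Calling `verify_reduced_privileges <namespace> <user>` before an integration run fails fast if the test user ends up with more (or fewer) rights than intended.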

@balopat balopat added the meta/testing Issues focused on testing Skaffold itself label Jul 19, 2019
@balopat balopat added the kind/todo implementation task/epic for the skaffold team label Aug 14, 2019
@tstromberg tstromberg added the priority/p3 agreed that this would be good to have, but no one is available at the moment. label Apr 20, 2020
@tstromberg
Contributor

@nkubala @balopat - Is there documentation on how the existing integration tests work? I googled for skaffold integration tests but came up short.

I wouldn't mind trying to take this on as a lower-priority item.

@nkubala
Contributor

nkubala commented May 1, 2020

@tstromberg the best we have is https://github.com/GoogleContainerTools/skaffold/blob/master/DEVELOPMENT.md#integration-tests. it's definitely not a full guide though. if you do decide to go after this one, those docs could use a little love based on what you find :)

@nkubala nkubala added this to the Icebox [P2+] milestone Sep 1, 2020
@nkubala
Contributor

nkubala commented Mar 19, 2021

closing due to inactivity.

@nkubala nkubala closed this as completed Mar 19, 2021