Subject access review tests #547
base: main
Signed-off-by: Martin Hesko <[email protected]>
testsuite/kubernetes/cluster_role.py
cls, | ||
cluster, | ||
name, | ||
rules: Optional[List[Dict[str, Any]]] = None, |
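Review bot: `cluster` and `name` carry no type annotations while `rules` does, so annotate them as well. Because `rules` is a free-form `List[Dict[str, Any]]` that defaults to `None`, the docstring should state which keys each rule dict is expected to carry and what a `None` value produces, so that a misspelled key in an RBAC rule is caught on review rather than when the object is applied.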
Do you think it's possible to structure and pass these rules as a `@dataclass`? Or is their structure too complex?
I experimented with this but due to the ClusterRole rules definition having so many parameters it's a problem not having them show up in the resulting object.
Signed-off-by: Martin Hesko <[email protected]>
8143c68 to 028b4f7
Based on User guide: Kubernetes RBAC for service authorization

Added the interface for ClusterRole and ClusterRoleBinding.

For the test I added TokenReview authentication and SubjectAccessReview based on the username.

The test setup creates 2 service accounts, with one bound to the ClusterRole permitting it to access the `/get` endpoint.
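An added example (not code from this pull request or its project) that models offline the RBAC decision a SubjectAccessReview returns for the two service accounts described above. It assumes the ClusterRole grants `/get` through a `nonResourceURLs` rule with the `get` verb; the role, namespace and service account names are hypothetical.

```python
"""Offline model of the RBAC check behind a SubjectAccessReview (added example)."""


def sa_username(namespace, name):
    # Username that a TokenReview reports for a service account token.
    return f"system:serviceaccount:{namespace}:{name}"


def url_matches(rule_url, path):
    # RBAC semantics: "*" matches everything, a trailing "*" is a prefix match.
    if rule_url in ("*", path):
        return True
    return rule_url.endswith("*") and path.startswith(rule_url.rstrip("*"))


def rule_allows(rule, verb, path):
    verbs = rule.get("verbs", [])
    urls = rule.get("nonResourceURLs", [])
    return ("*" in verbs or verb in verbs) and any(url_matches(u, path) for u in urls)


def binds(subject, user):
    if subject["kind"] == "ServiceAccount":
        return sa_username(subject["namespace"], subject["name"]) == user
    return subject["kind"] == "User" and subject["name"] == user


def subject_access_review(user, verb, path, roles, bindings):
    """Return True when a ClusterRole bound to `user` permits `verb` on `path`."""
    for binding in bindings:
        if not any(binds(s, user) for s in binding["subjects"]):
            continue
        rules = roles.get(binding["roleRef"]["name"], [])
        if any(rule_allows(r, verb, path) for r in rules):
            return True
    return False  # RBAC is deny-by-default: no matching binding means no access


# Constructed sample objects; all names and the namespace are hypothetical.
ROLES = {"get-only": [{"nonResourceURLs": ["/get"], "verbs": ["get"]}]}
BINDINGS = [{"roleRef": {"kind": "ClusterRole", "name": "get-only"},
             "subjects": [{"kind": "ServiceAccount", "namespace": "demo", "name": "sa-bound"}]}]
BOUND = sa_username("demo", "sa-bound")
UNBOUND = sa_username("demo", "sa-unbound")

if __name__ == "__main__":
    for user in (BOUND, UNBOUND):
        print(user, subject_access_review(user, "get", "/get", ROLES, BINDINGS))
```
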