feat(e2e): Remove dependency on oc for SCC (openservicemesh#4014)

* feat(e2e): Remove dependency on oc for SCC

Signed-off-by: Kalya Subramanian <[email protected]>

tests/framework/common.go

@@ -32,6 +32,7 @@ import (
 	helmcli "helm.sh/helm/v3/pkg/cli"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -1434,16 +1435,45 @@ func (td *OsmTestData) GrabLogs() error {
 	return nil
 }
 
-// AddOpenShiftSCC adds the specified SecurityContextConstraint to the given service account
-func (td *OsmTestData) AddOpenShiftSCC(scc, serviceAccount, namespace string) error {
+// addOpenShiftSCC adds the specified SecurityContextConstraint to the given service account
+func (td *OsmTestData) addOpenShiftSCC(scc, serviceAccount, namespace string) error {
 	if !td.DeployOnOpenShift {
 		return errors.Errorf("Tests are not configured for OpenShift. Try again with -deployOnOpenShift=true")
 	}
-	args := []string{"adm", "policy", "add-scc-to-user", scc, "-z", serviceAccount, "-n", namespace}
-	stdout, stderr, err := td.RunLocal("oc", args...)
+
+	roleName := serviceAccount + "-scc"
+	roleDefinition := td.simpleRole(roleName, namespace)
+	policyRule := rbacv1.PolicyRule{
+		APIGroups:     []string{"security.openshift.io"},
+		ResourceNames: []string{scc},
+		Resources:     []string{"securitycontextconstraints"},
+		Verbs:         []string{"use"},
+	}
+	roleDefinition.Rules = []rbacv1.PolicyRule{policyRule}
+
+	_, err := td.createRole(namespace, &roleDefinition)
 	if err != nil {
-		td.T.Logf("stdout:\n%s", stdout)
-		return errors.Errorf("failed to add SCC %s to %s/%s: %s", scc, namespace, serviceAccount, stderr)
+		return errors.Errorf("Failed to create Role %s: %s", roleName, err)
+	}
+
+	roleBindingName := serviceAccount + "-scc"
+	roleBindingDefinition := td.simpleRoleBinding(roleBindingName, namespace)
+	subject := rbacv1.Subject{
+		Kind:      "ServiceAccount",
+		Name:      serviceAccount,
+		Namespace: namespace,
+	}
+	roleBindingDefinition.Subjects = []rbacv1.Subject{subject}
+	roleRef := rbacv1.RoleRef{
+		Kind:     "Role",
+		Name:     roleName,
+		APIGroup: "rbac.authorization.k8s.io",
+	}
+	roleBindingDefinition.RoleRef = roleRef
+
+	_, err = td.createRoleBinding(namespace, &roleBindingDefinition)
+	if err != nil {
+		return errors.Errorf("Failed to create RoleBinding %s: %s", roleBindingName, err)
 	}
 
 	return nil

tests/framework/common_apps.go

@@ -20,6 +20,7 @@ import (
 	admissionregv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -75,12 +76,34 @@ func (td *OsmTestData) CreateServiceAccount(ns string, svcAccount *corev1.Servic
 		return nil, err
 	}
 	if Td.DeployOnOpenShift {
-		err = Td.AddOpenShiftSCC("privileged", svcAc.Name, svcAc.Namespace)
+		err = Td.addOpenShiftSCC("privileged", svcAc.Name, svcAc.Namespace)
 		return svcAc, err
 	}
 	return svcAc, nil
 }
 
+// createRole is a wrapper to create a role
+func (td *OsmTestData) createRole(ns string, role *rbacv1.Role) (*rbacv1.Role, error) {
+	r, err := td.Client.RbacV1().Roles(ns).Create(context.Background(), role, metav1.CreateOptions{})
+	if err != nil {
+		err := fmt.Errorf("Could not create Role: %v", err)
+		return nil, err
+	}
+
+	return r, nil
+}
+
+// createRoleBinding is a wrapper to create a role binding
+func (td *OsmTestData) createRoleBinding(ns string, roleBinding *rbacv1.RoleBinding) (*rbacv1.RoleBinding, error) {
+	rb, err := td.Client.RbacV1().RoleBindings(ns).Create(context.Background(), roleBinding, metav1.CreateOptions{})
+	if err != nil {
+		err := fmt.Errorf("Could not create RoleBinding: %v", err)
+		return nil, err
+	}
+
+	return rb, nil
+}
+
 // CreatePod is a wrapper to create a pod
 func (td *OsmTestData) CreatePod(ns string, pod corev1.Pod) (*corev1.Pod, error) {
 	podRet, err := td.Client.CoreV1().Pods(ns).Create(context.Background(), &pod, metav1.CreateOptions{})
@@ -280,6 +303,28 @@ func (td *OsmTestData) SimpleServiceAccount(name string, namespace string) corev
 	return serviceAccountDefinition
 }
 
+// simpleRole returns a k8s typed definition for a role.
+func (td *OsmTestData) simpleRole(name string, namespace string) rbacv1.Role {
+	roleDefinition := rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+	}
+	return roleDefinition
+}
+
+// simpleRoleBinding returns a k8s typed definition for a role binding.
+func (td *OsmTestData) simpleRoleBinding(name string, namespace string) rbacv1.RoleBinding {
+	roleBindingDefinition := rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+	}
+	return roleBindingDefinition
+}
+
 // getKubernetesServerVersionNumber returns the version number in chunks, ex. v1.19.3 => [1, 19, 3]
 func (td *OsmTestData) getKubernetesServerVersionNumber() ([]int, error) {
 	version, err := td.Client.Discovery().ServerVersion()