test: Adjust k8s roles for integration tests

Initially, I thought it was necessary to use a ClusterRole in order to assign permissions in one namespace to a service account in another. It turns out, this is not necessary, as RoleBinding rules can refer to subjects in any namespace. Thus, we can limit the privileges of the *dynk8s-provisioner* service account by only allowing it access to the Secret and ConfigMap resources in the *kube-system* and *kube-public* namespaces, respectively, plus the Secret resources in its own namespace.
2022-10-11 21:08:49 -05:00 · 2022-10-11 21:08:49 -05:00 · c48076b8f0
parent cd920418aa
commit c48076b8f0
1 changed files with 75 additions and 6 deletions
--- a/tests/setup.yaml
+++ b/tests/setup.yaml
@ -14,7 +14,7 @@ metadata:
  namespace: dynk8s-test
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: default
+    app.kubernetes.io/instance: integration-test
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 automountServiceAccountToken: true
@ -31,13 +31,13 @@ type: kubernetes.io/service-account-token

 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s-test
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: default
+    app.kubernetes.io/instance: integration-test
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
@ -47,6 +47,38 @@ rules:
  - secrets
  verbs:
  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner-test
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: integration-test
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner-test
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: integration-test
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
 - apiGroups:
  - ''
  resources:
@ -58,17 +90,54 @@ rules:

 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s-test
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: default
+    app.kubernetes.io/instance: integration-test
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner-test
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: integration-test
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s-test
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner-test
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: integration-test
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount