lcy
/
truenas


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250
							suite: rbac data test
templates:
  - common.yaml
tests:
  - it: should pass with rules and subjects added with tpl and primary rbac/sa
    set:
      some_verb: list
      some_group: apps
      some_resource: deployments
      some_kind: some-kind
      some_name: some-name
      some_api_group: rbac.authorization.k8s.io
      serviceAccount:
        my-sa:
          enabled: true
          primary: true
        my-other-sa:
          enabled: true
          primary: false
      rbac:
        my-rbac:
          enabled: true
          primary: true
          rules:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - get
            - apiGroups:
                - "{{ .Values.some_group }}"
              resources:
                - "{{ .Values.some_resource }}"
              verbs:
                - "{{ .Values.some_verb }}"
          subjects:
            - kind: a-kind
              name: a-name
              apiGroup: rbac.authorization.k8s.io
            - kind: "{{ .Values.some_kind }}"
              name: "{{ .Values.some_name }}"
              apiGroup: "{{ .Values.some_api_group }}"

    asserts:
      - documentIndex: &roleDoc 2
        isKind:
          of: Role
      - documentIndex: *roleDoc
        equal:
          path: metadata.name
          value: release-name-common-test
      - documentIndex: *roleDoc
        equal:
          path: rules
          value:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - get
            - apiGroups:
                - apps
              resources:
                - deployments
              verbs:
                - list
      - documentIndex: &roleBinding 3
        isKind:
          of: RoleBinding
      - documentIndex: *roleBinding
        equal:
          path: metadata.name
          value: release-name-common-test
      - documentIndex: *roleBinding
        equal:
          path: subjects
          value:
            - kind: ServiceAccount
              name: release-name-common-test
              namespace: NAMESPACE
            - kind: a-kind
              name: a-name
              apiGroup: rbac.authorization.k8s.io
            - kind: some-kind
              name: some-name
              apiGroup: rbac.authorization.k8s.io

  - it: should pass with rules and subjects added with tpl and allSA on clusterWide
    set:
      some_verb: list
      some_group: apps
      some_resource: deployments
      some_kind: some-kind
      some_name: some-name
      some_api_group: rbac.authorization.k8s.io
      serviceAccount:
        my-sa:
          enabled: true
          primary: true
        my-other-sa:
          enabled: true
          primary: false
      rbac:
        z-rbac:
          enabled: true
          primary: true
          rules:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - get
        my-rbac2:
          enabled: true
          clusterWide: true
          allServiceAccounts: true
          rules:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - get
            - apiGroups:
                - "{{ .Values.some_group }}"
              resources:
                - "{{ .Values.some_resource }}"
              verbs:
                - "{{ .Values.some_verb }}"
          subjects:
            - kind: a-kind
              name: a-name
              apiGroup: rbac.authorization.k8s.io
            - kind: "{{ .Values.some_kind }}"
              name: "{{ .Values.some_name }}"
              apiGroup: "{{ .Values.some_api_group }}"
    asserts:
      - documentIndex: &clusterRoleDoc 2
        isKind:
          of: ClusterRole
      - documentIndex: *clusterRoleDoc
        equal:
          path: metadata.name
          value: release-name-common-test-my-rbac2
      - documentIndex: *clusterRoleDoc
        equal:
          path: rules
          value:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - get
            - apiGroups:
                - apps
              resources:
                - deployments
              verbs:
                - list
      - documentIndex: &clusterRoleBinding 3
        isKind:
          of: ClusterRoleBinding
      - documentIndex: *clusterRoleBinding
        equal:
          path: metadata.name
          value: release-name-common-test-my-rbac2
      - documentIndex: *clusterRoleBinding
        equal:
          path: subjects
          value:
            - kind: ServiceAccount
              name: release-name-common-test-my-other-sa
              namespace: NAMESPACE
            - kind: ServiceAccount
              name: release-name-common-test
              namespace: NAMESPACE
            - apiGroup: rbac.authorization.k8s.io
              kind: a-kind
              name: a-name
            - apiGroup: rbac.authorization.k8s.io
              kind: some-kind
              name: some-name

  - it: should pass with serviceAccount selector
    set:
      serviceAccount:
        my-sa:
          enabled: true
          primary: true
        my-other-sa:
          enabled: true
          primary: false
      rbac:
        z-rbac:
          enabled: true
          primary: true
          rules:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - get
        my-rbac3:
          enabled: true
          serviceAccounts:
            - my-other-sa
          rules:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - get
    asserts:
      - documentIndex: &roleDoc 2
        isKind:
          of: Role
      - documentIndex: *roleDoc
        equal:
          path: metadata.name
          value: release-name-common-test-my-rbac3
      - documentIndex: *roleDoc
        equal:
          path: rules
          value:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - get
      - documentIndex: &roleBinding 3
        isKind:
          of: RoleBinding
      - documentIndex: *roleBinding
        equal:
          path: metadata.name
          value: release-name-common-test-my-rbac3
      - documentIndex: *roleBinding
        equal:
          path: subjects
          value:
            - kind: ServiceAccount
              name: release-name-common-test-my-other-sa
              namespace: NAMESPACE