| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269 |
- suite: rbac validation test
- templates:
- - common.yaml
- tests:
- - it: should fail with name longer than 63 characters
- set:
- rbac:
- zmy-rbac:
- enabled: true
- primary: true
- my-rbac-has-super-long-name-that-is-longer-than-63-characters-too-bad:
- enabled: true
- primary: false
- asserts:
- - failedTemplate:
- errorMessage: Name [release-name-common-test-my-rbac-has-super-long-name-that-is-longer-than-63-characters-too-bad] is not valid. Must start and end with an alphanumeric lowercase character. It can contain '-'. And must be at most 63 characters.
- - it: should fail with name starting with underscore
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- _my-rbac2:
- enabled: true
- primary: false
- asserts:
- - failedTemplate:
- errorMessage: Name [release-name-common-test-_my-rbac2] is not valid. Must start and end with an alphanumeric lowercase character. It can contain '-'. And must be at most 63 characters.
- - it: should fail with labels not a dict
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- labels: "not a dict"
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected <labels> to be a dictionary, but got [string]
- - it: should fail with annotations not a dict
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- annotations: "not a dict"
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected <annotations> to be a dictionary, but got [string]
- - it: should fail with more than 1 primary rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- my-rbac2:
- enabled: true
- primary: true
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Only one rbac can be primary
- - it: should fail without any primary on enabled rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: false
- my-rbac2:
- enabled: true
- primary: false
- asserts:
- - failedTemplate:
- errorMessage: RBAC - At least one enabled rbac must be primary
- - it: should fail without rules in rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty <rbac.rules>
- - it: should fail without apiGroups in rules in rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - resources:
- - pods
- verbs:
- - get
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty <rbac.rules.apiGroups>
- - it: should fail without resources in rules in rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- verbs:
- - get
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty <rbac.rules.resources>
- - it: should fail without verbs in rules in rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty <rbac.rules.verbs>
- - it: should fail with empty entry in resources in rules in rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- - ""
- verbs:
- - get
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty entry in <rbac.rules.resources>
- - it: should fail with empty entry in resourceNames in rules in rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- resourceNames:
- - ""
- verbs:
- - get
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty entry in <rbac.rules.resourceNames>
- - it: should fail with empty entry in verbs in rules in rbac
- set:
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - ""
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty entry in <rbac.rules.verbs>
- - it: should fail with empty kind in subjects in rbac
- set:
- serviceAccount:
- my-service-account:
- enabled: true
- primary: true
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- subjects:
- - kind: ""
- name: my-name
- apiGroup: my-apiGroup
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty <rbac.subjects.kind>
- - it: should fail with empty name in subjects in rbac
- set:
- serviceAccount:
- my-service-account:
- enabled: true
- primary: true
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- subjects:
- - kind: my-kind
- name: ""
- apiGroup: my-apiGroup
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty <rbac.subjects.name>
- - it: should fail with empty apiGroup in subjects in rbac
- set:
- serviceAccount:
- my-service-account:
- enabled: true
- primary: true
- rbac:
- my-rbac:
- enabled: true
- primary: true
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- subjects:
- - kind: my-kind
- name: my-name
- apiGroup: ""
- asserts:
- - failedTemplate:
- errorMessage: RBAC - Expected non-empty <rbac.subjects.apiGroup>
|
