Merge pull request #3033 from Shell32-Natsu/3021

fix multiple match issue in rolebinding
2026-06-11 17:12:51 +00:00 · 2020-09-25 17:22:48 -07:00
parent eb6c715bc3 b51e09d5fe
commit 4c48a4ff83
2 changed files with 141 additions and 4 deletions
--- a/api/krusty/rolebindingacrossnamespace_test.go
+++ b/api/krusty/rolebindingacrossnamespace_test.go
@@ -213,3 +213,132 @@ roleRef:
  name: my-role-ns2
 `)
 }
+
+// The ServiceAccount in subjects in role binding can be across namespace
+// but the roleRef is not. This test is used to cover such case.
+func TestRoleBindingWhenSubjectsAcrossNamespace(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+	th.WriteK("/app", `
+resources:
+- ./ns1
+- ./ns2
+`)
+	th.WriteK("/app/ns1", `
+namespace: namespace-1
+resources:
+- role-ns1.yaml
+- rolebinding-ns1.yaml
+`)
+	th.WriteF("/app/ns1/role-ns1.yaml", `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: testRole
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+`)
+	th.WriteF("/app/ns1/rolebinding-ns1.yaml", `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: testRoleBinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: testRole
+subjects:
+  - kind: ServiceAccount
+    name: testAccount
+    namespace: namespace-2
+`)
+	th.WriteK("/app/ns2", `
+namespace: namespace-2
+resources:
+- role-ns2.yaml
+- rolebinding-ns2.yaml
+`)
+	th.WriteF("/app/ns2/role-ns2.yaml", `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: testRole
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+`)
+	th.WriteF("/app/ns2/rolebinding-ns2.yaml", `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: testRoleBinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: testRole
+subjects:
+  - kind: ServiceAccount
+    name: testAccount
+    namespace: namespace-1
+`)
+
+	m := th.Run("/app", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: testRole
+  namespace: namespace-1
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: testRoleBinding
+  namespace: namespace-1
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: testRole
+subjects:
+- kind: ServiceAccount
+  name: testAccount
+  namespace: namespace-2
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: testRole
+  namespace: namespace-2
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: testRoleBinding
+  namespace: namespace-2
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: testRole
+subjects:
+- kind: ServiceAccount
+  name: testAccount
+  namespace: namespace-1
+`)
+}