Merge pull request #2739 from Shell32-Natsu/rolebinding

Role binding for serviceaccount across namesapce.
2026-06-29 09:40:49 +00:00 · 2020-07-22 11:45:05 -07:00
parent 8225ca45a8 3907643880
commit dcab3cbb5f
2 changed files with 164 additions and 6 deletions
--- a/api/krusty/rolebindingacrossnamespace_test.go
+++ b/api/krusty/rolebindingacrossnamespace_test.go
@@ -19,7 +19,25 @@ nameSuffix: -ns2
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: my-sa
+  name: my-sa1
+  namespace: ns1
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-sa2
+  namespace: ns2
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-sa3
+  namespace: ns3
+---
+apiVersion: v1
+kind: NotServiceAccount
+metadata:
+  name: my-nsa
  namespace: ns1
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -46,7 +64,16 @@ roleRef:
  name: my-role
 subjects:
  - kind: ServiceAccount
-    name: my-sa
+    name: my-sa1
+    namespace: ns1
+  - kind: ServiceAccount
+    name: my-sa2
+    namespace: ns2
+  - kind: ServiceAccount
+    name: my-sa3
+    namespace: ns3
+  - kind: NotServiceAccount
+    name: my-nsa
    namespace: ns1
 `)

@@ -55,7 +82,25 @@ subjects:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: my-sa-ns2
+  name: my-sa1-ns2
+  namespace: ns1
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-sa2-ns2
+  namespace: ns2
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-sa3-ns2
+  namespace: ns3
+---
+apiVersion: v1
+kind: NotServiceAccount
+metadata:
+  name: my-nsa-ns2
  namespace: ns1
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -82,7 +127,89 @@ roleRef:
  name: my-role-ns2
 subjects:
 - kind: ServiceAccount
-  name: my-sa
+  name: my-sa1-ns2
+  namespace: ns1
+- kind: ServiceAccount
+  name: my-sa2-ns2
+  namespace: ns2
+- kind: ServiceAccount
+  name: my-sa3-ns2
+  namespace: ns3
+- kind: NotServiceAccount
+  name: my-nsa
  namespace: ns1
 `)
 }
+
+func TestRoleBindingAcrossNamespaceWoSubjects(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK("/app", `
+resources:
+- resource.yaml
+nameSuffix: -ns2
+`)
+	th.WriteF("/app/resource.yaml", `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-sa1
+  namespace: ns1
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-role
+  namespace: ns2
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: my-role-binding
+  namespace: ns2
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: my-role
+`)
+
+	m := th.Run("/app", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-sa1-ns2
+  namespace: ns1
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-role-ns2
+  namespace: ns2
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: my-role-binding-ns2
+  namespace: ns2
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: my-role-ns2
+`)
+}