kustomize/api/krusty/rolebindingacrossnamespace_test.go

// Copyright 2022 The Kubernetes Authors.
// SPDX-License-Identifier: Apache-2.0

package krusty_test

import (
	"testing"

	kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
)

func TestRoleBindingAcrossNamespace(t *testing.T) {
	th := kusttest_test.MakeEnhancedHarness(t)
	defer th.Reset()

	th.WriteK(".", `
resources:
- resource.yaml
nameSuffix: -ns2
`)
	th.WriteF("resource.yaml", `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa1
  namespace: ns1
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa2
  namespace: ns2
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa3
  namespace: ns3
---
apiVersion: v1
kind: NotServiceAccount
metadata:
  name: my-nsa
  namespace: ns1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: ns2
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-role
subjects:
  - kind: ServiceAccount
    name: my-sa1
    namespace: ns1
  - kind: ServiceAccount
    name: my-sa2
    namespace: ns2
  - kind: ServiceAccount
    name: my-sa3
    namespace: ns3
  - kind: NotServiceAccount
    name: my-nsa
    namespace: ns1
`)

	m := th.Run(".", th.MakeDefaultOptions())
	th.AssertActualEqualsExpected(m, `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa1-ns2
  namespace: ns1
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa2-ns2
  namespace: ns2
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa3-ns2
  namespace: ns3
---
apiVersion: v1
kind: NotServiceAccount
metadata:
  name: my-nsa-ns2
  namespace: ns1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role-ns2
  namespace: ns2
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding-ns2
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-role-ns2
subjects:
- kind: ServiceAccount
  name: my-sa1-ns2
  namespace: ns1
- kind: ServiceAccount
  name: my-sa2-ns2
  namespace: ns2
- kind: ServiceAccount
  name: my-sa3-ns2
  namespace: ns3
- kind: NotServiceAccount
  name: my-nsa
  namespace: ns1
`)
}

func TestRoleBindingAcrossNamespaceWoSubjects(t *testing.T) {
	th := kusttest_test.MakeEnhancedHarness(t)
	defer th.Reset()

	th.WriteK(".", `
resources:
- resource.yaml
nameSuffix: -ns2
`)
	th.WriteF("resource.yaml", `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa1
  namespace: ns1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: ns2
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-role
`)

	m := th.Run(".", th.MakeDefaultOptions())
	th.AssertActualEqualsExpected(m, `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa1-ns2
  namespace: ns1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role-ns2
  namespace: ns2
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding-ns2
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-role-ns2
`)
}

// The ServiceAccount in subjects in role binding can be across namespace
// but the roleRef is not. This test is used to cover such case.
func TestRoleBindingWhenSubjectsAcrossNamespace(t *testing.T) {
	th := kusttest_test.MakeEnhancedHarness(t)
	defer th.Reset()
	th.WriteK(".", `
resources:
- ./ns1
- ./ns2
`)
	th.WriteK("ns1", `
namespace: namespace-1
resources:
- role-ns1.yaml
- rolebinding-ns1.yaml
`)
	th.WriteF("ns1/role-ns1.yaml", `
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testRole
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
`)
	th.WriteF("ns1/rolebinding-ns1.yaml", `
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testRole
subjects:
  - kind: ServiceAccount
    name: testAccount
    namespace: namespace-2
`)
	th.WriteK("ns2", `
namespace: namespace-2
resources:
- role-ns2.yaml
- rolebinding-ns2.yaml
`)
	th.WriteF("ns2/role-ns2.yaml", `
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testRole
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
`)
	th.WriteF("ns2/rolebinding-ns2.yaml", `
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testRole
subjects:
  - kind: ServiceAccount
    name: testAccount
    namespace: namespace-1
`)

	m := th.Run(".", th.MakeDefaultOptions())
	th.AssertActualEqualsExpected(m, `
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testRole
  namespace: namespace-1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testRoleBinding
  namespace: namespace-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testRole
subjects:
- kind: ServiceAccount
  name: testAccount
  namespace: namespace-2
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testRole
  namespace: namespace-2
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testRoleBinding
  namespace: namespace-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testRole
subjects:
- kind: ServiceAccount
  name: testAccount
  namespace: namespace-1
`)
}