Testing K8s RBAC with BATS
#!/usr/bin/env bats
# BATS suite that checks the cluster's RBAC policy with
# `kubectl auth can-i` while impersonating a user (--as) and a team group
# (--as-group); the caller therefore needs impersonation rights itself.
#
# Environment:
#   ENV           target environment name; defaults to "sandbox" (no test in
#                 this file reads it, it is kept for the environment it runs in)
#   NAMESPACES    whitespace-separated list of "namespace,group" pairs to check;
#                 empty by default, so the loops below run zero times unless set
#   GROUP_PREFIX  prefix for group names, used as "<GROUP_PREFIX>:<group>"
: "${ENV:=sandbox}"
: "${NAMESPACES:=}"
: "${GROUP_PREFIX:=}"
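@test "Team namespaces can scale deployments within their own namespace" {
  # An empty NAMESPACES would make the loop below run zero times and the test
  # pass without checking anything; fail loudly instead.
  [ -n "$NAMESPACES" ]
  # NAMESPACES holds whitespace-separated "namespace,group" pairs; the
  # word-splitting here is intentional.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Impersonate user "test" in the team group and ask the API server whether
    # the scale subresource may be updated in the team's own namespace.
    run kubectl auth can-i update deployments.apps --subresource="scale" \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output, group: $group"
    # can-i exits 0 and prints "yes" when the action is allowed
    [ "$status" -eq 0 ]
    [ "$output" == "yes" ]
  done
}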
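@test "Team namespaces can rollback deployments within their own namespace" {
  # Refuse a vacuous pass: with NAMESPACES empty nothing below is asserted.
  [ -n "$NAMESPACES" ]
  # NAMESPACES is a whitespace-separated list of "namespace,group" pairs;
  # splitting on whitespace is deliberate.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Impersonated user "test" in the team group must be allowed to update
    # the rollback subresource in its own namespace.
    run kubectl auth can-i update deployments --subresource="rollback" \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output, group: $group"
    # allowed: exit status 0 and literal "yes"
    [ "$status" -eq 0 ]
    [ "$output" == "yes" ]
  done
}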
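@test "Team namespaces can port-forward to any pod within their own namespace" {
  # Without any namespaces the loop is skipped and the test would pass for
  # nothing; make that an explicit failure.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # port-forward is authorized as "create" on the pods/portforward
    # subresource.
    run kubectl auth can-i create pod --subresource="portforward" \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # allowed: exit status 0 and literal "yes"
    [ "$status" -eq 0 ]
    [ "$output" == "yes" ]
  done
}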
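@test "Team namespaces can list deployments within their own namespace" {
  # Guard against a vacuous pass when NAMESPACES is empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # The original passed "-n $n" (the raw "namespace,group" pair) as well as
    # "-n $ns"; only the parsed namespace is passed now.
    run kubectl auth can-i get deployments \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # allowed: exit status 0 and literal "yes"
    [ "$status" -eq 0 ]
    [ "$output" == "yes" ]
  done
}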
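@test "Team namespaces can list pods within their own namespace" {
  # Guard against a vacuous pass when NAMESPACES is empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Team group must be able to get pods in its own namespace.
    run kubectl auth can-i get pods \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # allowed: exit status 0 and literal "yes"
    [ "$status" -eq 0 ]
    [ "$output" == "yes" ]
  done
}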
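@test "Team namespaces can get resourcequotas within their own namespace" {
  # Guard against a vacuous pass when NAMESPACES is empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Teams may read (get) their quota.
    run kubectl auth can-i get resourcequotas \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # allowed: exit status 0 and literal "yes"
    [ "$status" -eq 0 ]
    [ "$output" == "yes" ]
  done
}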
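@test "Team namespaces can list resourcequotas within their own namespace" {
  # Guard against a vacuous pass when NAMESPACES is empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Teams may read (list) their quota.
    run kubectl auth can-i list resourcequotas \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # allowed: exit status 0 and literal "yes"
    [ "$status" -eq 0 ]
    [ "$output" == "yes" ]
  done
}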
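@test "Team namespaces cannot update resourcequotas within their own namespace" {
  # A negative check that runs over zero namespaces proves nothing; fail
  # explicitly when NAMESPACES is empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Quotas are set by cluster operators; teams must not be able to raise
    # their own.
    run kubectl auth can-i update resourcequotas \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # denied: can-i exits 1 and prints "no"
    [ "$status" -eq 1 ]
    [ "$output" == "no" ]
  done
}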
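@test "Team namespaces cannot create deployments within their own namespace" {
  # A negative check over zero namespaces proves nothing; fail when empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Teams may scale/rollback existing deployments but not create new ones.
    run kubectl auth can-i create deployments \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # denied: can-i exits 1 and prints "no"
    [ "$status" -eq 1 ]
    [ "$output" == "no" ]
  done
}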
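@test "Team namespaces cannot create pods within their own namespace" {
  # A negative check over zero namespaces proves nothing; fail when empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Direct pod creation stays denied even though pods/portforward is allowed.
    run kubectl auth can-i create pods \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # denied: can-i exits 1 and prints "no"
    [ "$status" -eq 1 ]
    [ "$output" == "no" ]
  done
}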
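@test "Team namespaces cannot list pods from the authentication namespace" {
  # A negative check over zero groups proves nothing; fail when empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # Only the group is used for the request; ns is echoed for context.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Cross-namespace read into "authentication" must be denied for every
    # team group.
    run kubectl auth can-i get pods \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n authentication
    echo "namespace: $ns, output: $output"
    # denied: can-i exits 1 and prints "no"
    [ "$status" -eq 1 ]
    [ "$output" == "no" ]
  done
}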
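@test "Teams cannot create ingresses in their own namespaces" {
  # A negative check over zero namespaces proves nothing; fail when empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    # Ingress management is reserved for the admin group (see the admin test).
    run kubectl auth can-i create ingresses \
      --as-group="${GROUP_PREFIX}:${group}" --as="test" -n "$ns"
    echo "namespace: $ns, output: $output"
    # denied: can-i exits 1 and prints "no"
    [ "$status" -eq 1 ]
    [ "$output" == "no" ]
  done
}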
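@test "Admin team can list ingresses in all NAMESPACES's" {
  # Guard against a vacuous pass when NAMESPACES is empty.
  [ -n "$NAMESPACES" ]
  # Whitespace-separated "namespace,group" pairs; word-splitting is intended.
  # The team group is parsed but not used: the admin group is fixed.
  # shellcheck disable=SC2086
  for pair in $NAMESPACES; do
    IFS=',' read -r ns group <<< "$pair"
    run kubectl auth can-i get ingresses \
      --as-group="${GROUP_PREFIX}:kubernetes-admin" --as="test" -n "$ns"
    # quoted so the output is printed verbatim
    echo "$output"
    # allowed: exit status 0 and literal "yes"
    [ "$status" -eq 0 ]
    [ "$output" == "yes" ]
  done
}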