mirror of
https://github.com/kubevirt/containerized-data-importer.git
synced 2025-06-03 06:30:22 +00:00
package tests_test
import (
"fmt"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"kubevirt.io/containerized-data-importer/tests"
"kubevirt.io/containerized-data-importer/tests/framework"
)
// TestSuiteName is the label handed to Describe for the sanity specs in this
// file.
const TestSuiteName = "Basic Sanity"
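// Basic sanity specs for a CDI installation: they shell out to kubectl to
// confirm that the service account, cluster role, cluster role binding and
// deployment exist, and that the cdi-sa service account holds exactly the
// expected verbs on events, PVCs, pods and secrets.
var _ = Describe(TestSuiteName, func() {
	f, err := framework.NewFramework("sanity", framework.Config{
		SkipNamespaceCreation: true,
	})
	if err != nil {
		// Keep the underlying cause in the failure text; the original message
		// dropped err, which made a broken setup hard to diagnose.
		Fail(fmt.Sprintf("Unable to create framework struct: %v", err))
	}

	Context("CDI service account should exist", func() {
		It("Should succeed", func() {
			result, err := tests.RunKubectlCommand(f, "get", "sa", "cdi-sa", "-n", f.CdiInstallNs)
			Expect(err).ToNot(HaveOccurred())
			Expect(result).To(ContainSubstring("cdi-sa"))
		})
	})

	Context("CDI Cluster role should exist", func() {
		It("Should succeed", func() {
			result, err := tests.RunKubectlCommand(f, "get", "clusterrole", "cdi")
			Expect(err).ToNot(HaveOccurred())
			Expect(result).To(ContainSubstring("cdi"))
		})
	})

	Context("CDI Cluster role binding should exist", func() {
		It("Should succeed", func() {
			result, err := tests.RunKubectlCommand(f, "get", "clusterrolebinding", "cdi-sa")
			Expect(err).ToNot(HaveOccurred())
			Expect(result).To(ContainSubstring("cdi-sa"))
		})
	})

	Context("CDI deployment should exist", func() {
		It("Should succeed", func() {
			result, err := tests.RunKubectlCommand(f, "get", "deployment", "cdi-deployment", "-n", f.CdiInstallNs)
			Expect(err).ToNot(HaveOccurred())
			Expect(result).To(ContainSubstring("cdi-deployment"))
		})
		It("There should be 1 replica", func() {
			result, err := tests.RunKubectlCommand(f, "get", "deployment", "cdi-deployment", "-o", "jsonpath={.spec.replicas}", "-n", f.CdiInstallNs)
			Expect(err).ToNot(HaveOccurred())
			// A substring match on "1" would also accept 10, 11, 21, ...; require
			// the whole (whitespace-trimmed) output to be exactly 1.
			// NOTE(review): assumes the helper returns only kubectl's stdout on
			// success - confirm against tests.RunKubectlCommand.
			Expect(result).To(MatchRegexp(`^\s*1\s*$`))
		})
	})

	Context("cdi-sa RBAC rules are correct", func() {
		It("rules should match expectation", func() {
			// The namespace is passed as an argument rather than concatenated
			// into the format string, so a '%' in it cannot be read as a verb.
			sa := fmt.Sprintf("system:serviceaccount:%s:cdi-sa", f.CdiInstallNs)

			// Each map below pins the verbs cdi-sa is expected to hold on one
			// resource. Flipping a "no" to "yes" widens the service account's
			// privileges and should be a deliberate, reviewed change.
			eventExpectedResult := map[string]string{
				"get":              "no",
				"list":             "no",
				"watch":            "no",
				"delete":           "no",
				"create":           "yes",
				"update":           "yes",
				"patch":            "yes",
				"deletecollection": "no",
			}
			ValidateRBACForResource(f, eventExpectedResult, "events", sa)

			// The same expectations are applied to PVCs and to their
			// finalizers subresource.
			pvcExpectedResult := map[string]string{
				"get":              "yes",
				"list":             "yes",
				"watch":            "yes",
				"delete":           "no",
				"create":           "yes",
				"update":           "yes",
				"patch":            "yes",
				"deletecollection": "no",
			}
			ValidateRBACForResource(f, pvcExpectedResult, "persistentvolumeclaims", sa)
			ValidateRBACForResource(f, pvcExpectedResult, "persistentvolumeclaims/finalizers", sa)

			podExpectedResult := map[string]string{
				"get":              "yes",
				"list":             "yes",
				"watch":            "yes",
				"delete":           "yes",
				"create":           "yes",
				"update":           "no",
				"patch":            "no",
				"deletecollection": "no",
			}
			ValidateRBACForResource(f, podExpectedResult, "pods", sa)
			ValidateRBACForResource(f, podExpectedResult, "pods/finalizers", sa)

			secretsExpectedResult := map[string]string{
				"get":              "yes",
				"list":             "yes",
				"watch":            "yes",
				"delete":           "no",
				"create":           "yes",
				"update":           "no",
				"patch":            "no",
				"deletecollection": "no",
			}
			ValidateRBACForResource(f, secretsExpectedResult, "secrets", sa)
		})
	})
})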
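// ValidateRBACForResource asks `kubectl auth can-i`, impersonating sa, about
// every verb in expectedResults for the given resource, and fails the running
// spec when an answer differs from the expectation.
//
// expectedResults maps a verb to the expected answer, "yes" or "no". Go map
// iteration order is random, so the verbs are probed in no fixed order.
func ValidateRBACForResource(f *framework.Framework, expectedResults map[string]string, resource string, sa string) {
	for verb, expectedRes := range expectedResults {
		// resource is passed as an argument, not spliced into the format
		// string, so a '%' in it cannot be interpreted as a formatting verb.
		By(fmt.Sprintf("verifying cdi-sa %s rules, for verb %s", resource, verb))

		result, err := tests.RunKubectlCommand(f, "auth", "can-i", "--as", sa, verb, resource)
		if expectedRes == "yes" {
			// An allowed action is reported with a zero exit status, so an
			// error here means the probe itself failed.
			Expect(err).ToNot(HaveOccurred(), "can-i %s %s as %s", verb, resource, sa)
		}
		// For an expected "no" the error is deliberately not asserted: kubectl
		// signals a denied action with a non-zero exit status.

		// Require the answer at the start of an output line. A bare substring
		// match lets an expected "no" pass on unrelated text that merely
		// contains those letters ("unknown", "not found", ...), so a failed
		// probe could be mistaken for a denied permission.
		// NOTE(review): assumes the helper returns kubectl's answer line in
		// result - confirm against tests.RunKubectlCommand.
		Expect(result).To(MatchRegexp(`(?m)^\s*%s\b`, expectedRes), "can-i %s %s as %s", verb, resource, sa)
	}
}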