def test_make_deployer_rolebindings_no_roles(self):
    """Pin the default binding produced when the schema declares no roles.

    The schema below has no ``deployerServiceAccount`` section, and the only
    object expected back is a namespaced ``RoleBinding`` that points the
    deployer service account at the ``cluster-admin`` ClusterRole.

    Security-relevant point: because the object is a ``RoleBinding`` (not a
    ``ClusterRoleBinding``), Kubernetes applies the referenced ClusterRole's
    permissions only inside the binding's namespace. The default therefore
    gives the deployer full control of ``namespace-1`` and nothing
    cluster-wide. A change that turned this expectation into a
    ``ClusterRoleBinding`` would widen the default privilege and should be
    treated as a deliberate, reviewed decision.
    """
    schema = config_helper.Schema.load_yaml("""
        x-google-marketplace:
          # v2 required fields
          schemaVersion: v2
          applicationApiVersion: v1beta1
          publishedVersion: 0.0.1
          publishedVersionMetadata:
            releaseNote: Initial release
            recommended: True
          images: {}
        properties:
          simple:
            type: string
        """)

    # The deployer service account is the sole subject of the binding.
    deployer_subject = {
        'kind': 'ServiceAccount',
        'name': 'app-name-deployer-sa',
        'namespace': 'namespace-1',
    }

    # The one binding created by default, scoped to the target namespace.
    default_binding = {
        'apiVersion': 'rbac.authorization.k8s.io/v1',
        'kind': 'RoleBinding',
        'metadata': {
            'name': 'app-name-1-deployer-rb',
            'namespace': 'namespace-1',
            'labels': {'some-key': 'some-value'},
        },
        'roleRef': {
            'apiGroup': 'rbac.authorization.k8s.io',
            # Predefined roles are ClusterRoles, so the reference kind is
            # ClusterRole even though the binding itself is namespaced.
            'kind': 'ClusterRole',
            'name': 'cluster-admin',
        },
        'subjects': [deployer_subject],
    }

    actual = provision.make_deployer_rolebindings(
        schema, 'namespace-1', 'app-name-1', {'some-key': 'some-value'},
        'app-name-deployer-sa')

    # assertEqual on a list: exactly one object, nothing extra.
    self.assertEqual([default_binding], actual)
def test_make_deployer_rolebindings_all_roles(self):
    """Pin the RBAC objects produced for every supported role declaration.

    The schema declares four deployer roles: a CUSTOM Role, a CUSTOM
    ClusterRole, a PREDEFINED Role (``edit``) and a PREDEFINED ClusterRole
    (``cluster-admin``). Six objects are expected:

    * each CUSTOM entry yields a role object plus a binding to it;
    * each PREDEFINED entry yields only a binding, and its ``roleRef`` is
      always a ClusterRole;
    * ``type: Role`` entries produce namespaced ``RoleBinding`` objects,
      ``type: ClusterRole`` entries produce ``ClusterRoleBinding`` objects
      with no namespace in their metadata.

    Security-relevant points for reviewers: the two ``ClusterRoleBinding``
    expectations grant the deployer service account rights across the whole
    cluster (wildcard verbs on the custom rule, and ``cluster-admin``), so
    any schema that requests ``type: ClusterRole`` deserves scrutiny before
    it is accepted. The comparison uses ``assertCountEqual``, so the order
    of the returned objects is not pinned, but an unexpected extra object
    or a missing one still fails the test.
    """
    schema = config_helper.Schema.load_yaml("""
        x-google-marketplace:
          # v2 required fields
          schemaVersion: v2
          applicationApiVersion: v1beta1
          publishedVersion: 0.0.1
          publishedVersionMetadata:
            releaseNote: Initial release
            recommended: True
          images: {}
          deployerServiceAccount:
            roles:
            - type: Role
              rulesType: CUSTOM
              rules:
              - apiGroups: ['apps/v1']
                resources: ['Deployment']
                verbs: ['*']
            - type: ClusterRole
              rulesType: CUSTOM
              rules:
              - apiGroups: ['v1']
                resources: ['Secret']
                verbs: ['*']
            - type: Role
              rulesType: PREDEFINED
              rulesFromRoleName: edit
            - type: ClusterRole
              rulesType: PREDEFINED
              rulesFromRoleName: cluster-admin
        properties:
          simple:
            type: string
        """)

    rbac_version = 'rbac.authorization.k8s.io/v1'
    rbac_group = 'rbac.authorization.k8s.io'
    labels = {'some-key': 'some-value'}
    # Every binding targets the same deployer service account.
    subjects = [{
        'kind': 'ServiceAccount',
        'name': 'app-name-deployer-sa',
        'namespace': 'namespace-1',
    }]

    # CUSTOM Role: the rules appear in the output exactly as written in the
    # schema. NOTE(review): 'apps/v1' / 'Deployment' are fixture values; in a
    # real manifest RBAC matches on the API group name and the plural
    # resource name, so these strings are only useful as pass-through data.
    custom_role = {
        'apiVersion': rbac_version,
        'kind': 'Role',
        'metadata': {
            'name': 'app-name-1-deployer-r0',
            'namespace': 'namespace-1',
            'labels': labels,
        },
        'rules': [{
            'apiGroups': ['apps/v1'],
            'resources': ['Deployment'],
            'verbs': ['*'],
        }],
    }
    custom_role_binding = {
        'apiVersion': rbac_version,
        'kind': 'RoleBinding',
        'metadata': {
            'name': 'app-name-1-deployer-rb0',
            'namespace': 'namespace-1',
            'labels': labels,
        },
        'roleRef': {
            'apiGroup': rbac_group,
            'kind': 'Role',
            'name': 'app-name-1-deployer-r0',
        },
        'subjects': subjects,
    }

    # CUSTOM ClusterRole: cluster-scoped, so the metadata has no namespace
    # and the object name carries the namespace and app name instead.
    # The rule is a wildcard on secrets, bound cluster-wide just below.
    custom_cluster_role = {
        'apiVersion': rbac_version,
        'kind': 'ClusterRole',
        'metadata': {
            'name': 'namespace-1:app-name-1:deployer-cr0',
            'labels': labels,
        },
        'rules': [{
            'apiGroups': ['v1'],
            'resources': ['Secret'],
            'verbs': ['*'],
        }],
    }
    custom_cluster_role_binding = {
        'apiVersion': rbac_version,
        'kind': 'ClusterRoleBinding',
        'metadata': {
            'name': 'namespace-1:app-name-1:deployer-crb0',
            'labels': labels,
        },
        'roleRef': {
            'apiGroup': rbac_group,
            'kind': 'ClusterRole',
            'name': 'namespace-1:app-name-1:deployer-cr0',
        },
        'subjects': subjects,
    }

    # PREDEFINED Role 'edit': only a binding is created, and it stays
    # namespaced, so 'edit' applies inside namespace-1 only.
    predefined_edit_binding = {
        'apiVersion': rbac_version,
        'kind': 'RoleBinding',
        'metadata': {
            'name': 'app-name-1:edit-deployer-rb',
            'namespace': 'namespace-1',
            'labels': labels,
        },
        'roleRef': {
            'apiGroup': rbac_group,
            # Predefined roles are ClusterRoles, hence the reference kind.
            'kind': 'ClusterRole',
            'name': 'edit',
        },
        'subjects': subjects,
    }

    # PREDEFINED ClusterRole 'cluster-admin': a ClusterRoleBinding, i.e. the
    # deployer service account is granted cluster-admin on the whole cluster.
    predefined_cluster_admin_binding = {
        'apiVersion': rbac_version,
        'kind': 'ClusterRoleBinding',
        'metadata': {
            'name': 'namespace-1:app-name-1:cluster-admin:deployer-crb',
            'labels': labels,
        },
        'roleRef': {
            'apiGroup': rbac_group,
            'kind': 'ClusterRole',
            'name': 'cluster-admin',
        },
        'subjects': subjects,
    }

    expected = [
        custom_role,
        custom_role_binding,
        custom_cluster_role,
        custom_cluster_role_binding,
        predefined_edit_binding,
        predefined_cluster_admin_binding,
    ]

    actual = provision.make_deployer_rolebindings(
        schema, 'namespace-1', 'app-name-1', {'some-key': 'some-value'},
        'app-name-deployer-sa')

    self.assertCountEqual(expected, actual)