Merge pull request #253 from jetstack/rbac_struct_2

Weeblin · web-flow · commit 143340833bc2 · 2021-08-06T12:14:06.000+01:00
Rbac struct 2
diff --git a/pkg/permissions/generate.go b/pkg/permissions/generate.go
@@ -6,6 +6,8 @@ import (
 
 	"github.com/jetstack/preflight/pkg/agent"
 	"github.com/jetstack/preflight/pkg/datagatherer/k8s"
+	rbac "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func Generate(dataGatherers []agent.DataGatherer) string {
@@ -37,3 +39,37 @@ rules:
 	ss := strings.TrimSuffix(s, "---")
 	return strings.TrimSuffix(ss, "\n")
 }
+
+func GenerateRoles(dataGatherer []agent.DataGatherer) []rbac.ClusterRole {
+	out := []rbac.ClusterRole{}
+
+	for _, g := range dataGatherer {
+		if g.Kind != "k8s-dynamic" {
+			continue
+		}
+
+		genericConfig := g.Config
+		dyConfig := genericConfig.(*k8s.ConfigDynamic)
+
+		metaName := dyConfig.GroupVersionResource.Resource
+
+		out = append(out, rbac.ClusterRole{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "ClusterRole",
+				APIVersion: "rbac.authorization.k8s.io/v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("jetstack-secure-agent-%s-reader", metaName),
+			},
+			Rules: []rbac.PolicyRule{
+				{
+					Verbs:     []string{"get", "list", "watch"},
+					APIGroups: []string{dyConfig.GroupVersionResource.Group},
+					Resources: []string{metaName},
+				},
+			},
+		})
+
+	}
+	return out
+}
diff --git a/pkg/permissions/generate_test.go b/pkg/permissions/generate_test.go
@@ -3,55 +3,116 @@ package permissions
 import (
 	"testing"
 
+	"github.com/d4l3k/messagediff"
 	"github.com/jetstack/preflight/pkg/agent"
 	"github.com/jetstack/preflight/pkg/datagatherer/k8s"
+	rbac "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-func TestGenerate(t *testing.T) {
-	inputDatagatherers := []agent.DataGatherer{
+func TestGenerateRBAC(t *testing.T) {
+	// Use these test cases to check if Generate function is correct
+	testCases := []struct {
+		// expectedClusterRoles is the collection of ClusterRole
+		expectedClusterRoles []rbac.ClusterRole
+		dataGatherers        []agent.DataGatherer
+		description          string
+	}{
 		{
-			Name: "k8s/pods",
-			Kind: "k8s-dynamic",
-			Config: &k8s.ConfigDynamic{
-				GroupVersionResource: schema.GroupVersionResource{
-					Version:  "v1",
-					Resource: "pods",
+			description: "Generate RBAC struct for pods datagatherer",
+			dataGatherers: []agent.DataGatherer{
+				{
+					Name: "k8s/pods",
+					Kind: "k8s-dynamic",
+					Config: &k8s.ConfigDynamic{
+						GroupVersionResource: schema.GroupVersionResource{
+							Version:  "v1",
+							Resource: "pods",
+						},
+					},
+				},
+				{
+					Name: "k8s/secrets",
+					Kind: "k8s-dynamic",
+					Config: &k8s.ConfigDynamic{
+						GroupVersionResource: schema.GroupVersionResource{
+							Version:  "v1",
+							Resource: "secrets",
+						},
+					},
+				},
+				{
+					Name: "k8s/awspcaissuer",
+					Kind: "k8s-dynamic",
+					Config: &k8s.ConfigDynamic{
+						GroupVersionResource: schema.GroupVersionResource{
+							Group:    "awspca.cert-manager.io",
+							Version:  "v1",
+							Resource: "awspcaissuers",
+						},
+					},
 				},
 			},
-		},
-		{
-			Name: "k8s/secrets",
-			Kind: "k8s-dynamic",
-			Config: &k8s.ConfigDynamic{
-				GroupVersionResource: schema.GroupVersionResource{
-					Version:  "v1",
-					Resource: "secrets",
+			expectedClusterRoles: []rbac.ClusterRole{
+				{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       "ClusterRole",
+						APIVersion: "rbac.authorization.k8s.io/v1",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "jetstack-secure-agent-pods-reader",
+					},
+					Rules: []rbac.PolicyRule{
+						{
+							Verbs:     []string{"get", "list", "watch"},
+							APIGroups: []string{""},
+							Resources: []string{"pods"},
+						},
+					},
+				},
+				{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       "ClusterRole",
+						APIVersion: "rbac.authorization.k8s.io/v1",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "jetstack-secure-agent-secrets-reader",
+					},
+					Rules: []rbac.PolicyRule{
+						{
+							Verbs:     []string{"get", "list", "watch"},
+							APIGroups: []string{""},
+							Resources: []string{"secrets"},
+						},
+					},
+				},
+				{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       "ClusterRole",
+						APIVersion: "rbac.authorization.k8s.io/v1",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "jetstack-secure-agent-awspcaissuers-reader",
+					},
+					Rules: []rbac.PolicyRule{
+						{
+							Verbs:     []string{"get", "list", "watch"},
+							APIGroups: []string{"awspca.cert-manager.io"},
+							Resources: []string{"awspcaissuers"},
+						},
+					},
 				},
 			},
 		},
+		// Try adding more test cases
 	}
 
-	expectedOutput := `apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: jetstack-secure-agent-pods-reader
-rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: jetstack-secure-agent-secrets-reader
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "list", "watch"]`
-
-	if output := Generate(inputDatagatherers); output != expectedOutput {
-		t.Fatalf("unexpected output \n%s \n expected: \n%s", output, expectedOutput)
+	for _, input := range testCases {
+		got := GenerateRoles(input.dataGatherers)
+		if diff, equal := messagediff.PrettyDiff(input.expectedClusterRoles, got); !equal {
+			t.Errorf("%s:\n%s", input.description, diff)
+			t.Fatalf("unexpected difference in RBAC cluster role: \ngot \n%v\nwant\n%v", got, input.expectedClusterRoles)
+		}
 	}
-
 }
