use of io.fabric8.kubernetes.api.model.rbac.Role in project devspaces-images by redhat-developer.
the class KubernetesWorkspaceServiceAccountTest method shouldNotCreateMetricsRoleIfAPINotEnabledOnServer.
/**
 * Verifies that {@code serviceAccount.prepare()} creates neither the metrics Role nor the
 * {@code SA_NAME + "-metrics"} RoleBinding when the client reports that the
 * {@code /apis/metrics.k8s.io} API path is not supported.
 *
 * <p>Pinning the absence keeps the namespace free of RBAC objects that refer to an API the server
 * does not expose.
 */
@Test
public void shouldNotCreateMetricsRoleIfAPINotEnabledOnServer() throws Exception {
  // given: a spied client that reports the metrics API as unavailable
  KubernetesClient spiedClient = spy(serverMock.getClient());
  when(spiedClient.supportsApiPath(eq("/apis/metrics.k8s.io"))).thenReturn(false);
  when(clientFactory.create(anyString())).thenReturn(spiedClient);

  // when
  serviceAccount.prepare();

  // then: no Role named METRICS_ROLE_NAME exists in the namespace
  RoleList roles = k8sClient.rbac().roles().inNamespace(NAMESPACE).list();
  assertTrue(
      roles.getItems().stream()
          .map(role -> role.getMetadata().getName())
          .noneMatch(roleName -> roleName.equals(METRICS_ROLE_NAME)));

  // ... and no RoleBinding named SA_NAME + "-metrics" either
  RoleBindingList bindings = k8sClient.rbac().roleBindings().inNamespace(NAMESPACE).list();
  assertTrue(
      bindings.getItems().stream()
          .map(binding -> binding.getMetadata().getName())
          .noneMatch(bindingName -> bindingName.equals(SA_NAME + "-metrics")));
}
use of io.fabric8.kubernetes.api.model.rbac.Role in project devspaces-images by redhat-developer.
the class KubernetesWorkspaceServiceAccountTest method shouldCreateCredentialsSecretRole.
/**
 * Verifies that {@code serviceAccount.prepare()} creates the Role named {@code SECRETS_ROLE_NAME}
 * and a RoleBinding named {@code SA_NAME + "-secrets"}.
 *
 * <p>The first rule of the Role must be scoped to the single secret
 * {@code CREDENTIALS_SECRET_NAME} in the core API group, with only the {@code get} and
 * {@code patch} verbs.
 */
@Test
public void shouldCreateCredentialsSecretRole() throws Exception {
  // given
  KubernetesClient spiedClient = spy(serverMock.getClient());
  when(clientFactory.create(anyString())).thenReturn(spiedClient);

  // when
  serviceAccount.prepare();

  // then: the secrets Role exists
  RoleList roles = k8sClient.rbac().roles().inNamespace(NAMESPACE).list();
  Optional<Role> secretsRole =
      roles.getItems().stream()
          .filter(role -> role.getMetadata().getName().equals(SECRETS_ROLE_NAME))
          .findFirst();
  assertTrue(secretsRole.isPresent());

  // The resourceNames check is what pins the grant to one named secret rather than every secret
  // in the namespace.
  // NOTE(review): only rule 0 is inspected; a broader rule appended to this Role would not be
  // caught here. Consider also asserting the number of rules once the expected count is confirmed.
  PolicyRule firstRule = secretsRole.get().getRules().get(0);
  assertEquals(firstRule.getResources(), singletonList("secrets"));
  assertEquals(firstRule.getResourceNames(), singletonList(CREDENTIALS_SECRET_NAME));
  assertEquals(firstRule.getApiGroups(), singletonList(""));
  assertEquals(firstRule.getVerbs(), Arrays.asList("get", "patch"));

  // ... and the matching RoleBinding exists
  RoleBindingList bindings = k8sClient.rbac().roleBindings().inNamespace(NAMESPACE).list();
  assertTrue(
      bindings.getItems().stream()
          .map(binding -> binding.getMetadata().getName())
          .anyMatch(bindingName -> bindingName.equals(SA_NAME + "-secrets")));
}
use of io.fabric8.kubernetes.api.model.rbac.Role in project devspaces-images by redhat-developer.
the class KubernetesWorkspaceServiceAccountTest method shouldCreateMetricsRoleIfAPIEnabledOnServer.
/**
 * Verifies that {@code serviceAccount.prepare()} creates the metrics Role and the
 * {@code SA_NAME + "-metrics"} RoleBinding when the client reports that the
 * {@code /apis/metrics.k8s.io} API path is supported.
 */
@Test
public void shouldCreateMetricsRoleIfAPIEnabledOnServer() throws Exception {
  // given: a spied client that reports the metrics API as available
  KubernetesClient spiedClient = spy(serverMock.getClient());
  when(spiedClient.supportsApiPath(eq("/apis/metrics.k8s.io"))).thenReturn(true);
  when(clientFactory.create(anyString())).thenReturn(spiedClient);

  // when
  serviceAccount.prepare();

  // then: a Role named METRICS_ROLE_NAME exists in the namespace
  RoleList roles = k8sClient.rbac().roles().inNamespace(NAMESPACE).list();
  assertTrue(
      roles.getItems().stream()
          .map(role -> role.getMetadata().getName())
          .anyMatch(roleName -> roleName.equals(METRICS_ROLE_NAME)));

  // ... together with a RoleBinding named SA_NAME + "-metrics"
  // NOTE(review): only names are checked; the rules of the metrics Role and the subject of the
  // binding are not asserted in this test.
  RoleBindingList bindings = k8sClient.rbac().roleBindings().inNamespace(NAMESPACE).list();
  assertTrue(
      bindings.getItems().stream()
          .map(binding -> binding.getMetadata().getName())
          .anyMatch(bindingName -> bindingName.equals(SA_NAME + "-metrics")));
}
use of io.fabric8.kubernetes.api.model.rbac.Role in project kubernetes-client by fabric8io.
the class UserImpersonationIT method init.
/**
 * Prepares the fixtures for the impersonation tests: a ClusterRole that allows the
 * {@code impersonate} verb, a ServiceAccount in the session namespace, and a ClusterRoleBinding
 * that grants the ClusterRole to the user the client is currently authenticated as.
 *
 * <p>NOTE(review): both RBAC objects are cluster-scoped and written with {@code createOrReplace},
 * so objects that already exist under the names "impersonator" / "impersonate-role" are
 * overwritten. The grant covers impersonation of users, groups and service accounts cluster-wide,
 * so this setup belongs on disposable test clusters only. Teardown is not visible in this snippet;
 * confirm it deletes both objects.
 */
@Before
public void init() {
  currentNamespace = session.getNamespace();

  // ClusterRole: "impersonate" on identity resources in the core ("") API group.
  // NOTE(review): upstream Kubernetes documents userextras impersonation under the
  // authentication.k8s.io group; confirm whether the "userextras" entry here has any effect.
  impersonatorRole =
      new ClusterRoleBuilder()
          .withNewMetadata()
          .withName("impersonator")
          .endMetadata()
          .addToRules(
              new PolicyRuleBuilder()
                  .addToApiGroups("")
                  .addToResources("users", "groups", "userextras", "serviceaccounts")
                  .addToVerbs("impersonate")
                  .build())
          .build();
  client.rbac().clusterRoles().createOrReplace(impersonatorRole);

  // ServiceAccount created in the session namespace
  serviceAccount1 =
      new ServiceAccountBuilder().withNewMetadata().withName(SERVICE_ACCOUNT).endMetadata().build();
  client.serviceAccounts().inNamespace(currentNamespace).create(serviceAccount1);

  // ClusterRoleBinding: current user -> "impersonator" ClusterRole.
  // NOTE(review): the subject is of kind "User" yet carries a namespace; the RBAC Subject
  // documentation expects namespace to be empty for non-namespaced kinds. Confirm it is ignored.
  String rbacApiGroup = "rbac.authorization.k8s.io";
  String currentUserName = client.currentUser().getMetadata().getName();
  impersonatorRoleBinding =
      new ClusterRoleBindingBuilder()
          .withNewMetadata()
          .withName("impersonate-role")
          .endMetadata()
          .addToSubjects(
              new SubjectBuilder()
                  .withApiGroup(rbacApiGroup)
                  .withKind("User")
                  .withName(currentUserName)
                  .withNamespace(currentNamespace)
                  .build())
          .withRoleRef(
              new RoleRefBuilder()
                  .withApiGroup(rbacApiGroup)
                  .withKind("ClusterRole")
                  .withName("impersonator")
                  .build())
          .build();
  client.rbac().clusterRoleBindings().createOrReplace(impersonatorRoleBinding);
}
use of io.fabric8.kubernetes.api.model.rbac.Role in project kubernetes-client by fabric8io.
the class K8sAuthorizationOnOpenShiftIT method createRoleK8s.
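/**
 * Creates a namespaced Role that grants {@code get}, {@code watch} and {@code list} on pods in the
 * core API group, checks the object returned by the server, and deletes the Role again.
 *
 * <p>The delete runs in a {@code finally} block so that a failed assertion does not leave the Role
 * behind in the session namespace.
 */
@Test
public void createRoleK8s() {
  // Given
  String name = "create-role-k8s";
  String namespace = session.getNamespace();
  Role role =
      new RoleBuilder()
          .withNewMetadata()
          .withName(name)
          .endMetadata()
          .addNewRule()
          .withApiGroups("")
          .withResources("pods")
          .withVerbs("get", "watch", "list")
          .endRule()
          .build();

  // When
  Role createdRole = client.rbac().roles().inNamespace(namespace).create(role);

  try {
    // Then: the server accepted the Role and assigned it a UID
    assertNotNull(createdRole);
    assertNotNull(createdRole.getMetadata().getUid());
    assertEquals(name, createdRole.getMetadata().getName());
  } finally {
    // Clean up even when an assertion above fails, so no stray RBAC object stays in the namespace.
    client.rbac().roles().inNamespace(namespace).withName(name).delete();
  }
}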