
Example 1 with RoleBindingList

use of io.fabric8.kubernetes.api.model.rbac.RoleBindingList in project che-server by eclipse-che.

the class KubernetesNamespaceFactoryTest method shouldBindToAllConfiguredClusterRoles.

/**
 * Checks that a service account configured with the cluster roles {@code "cr2, cr3"} gets one
 * role binding per configured cluster role in the workspace namespace, in addition to the
 * bindings for the default workspace roles.
 *
 * <p>Three cluster roles ({@code cr1}, {@code cr2}, {@code cr3}) exist before the call, but only
 * two are configured, and exactly two {@code serviceAccount-clusterN} bindings are expected.
 *
 * <p>NOTE(review): only the binding names are compared. The test does not inspect which cluster
 * role each {@code serviceAccount-clusterN} binding references, so a binding that pointed at the
 * unconfigured {@code cr1} would not be caught here; asserting the role references as well would
 * turn this into a least-privilege check.
 */
@Test
public void shouldBindToAllConfiguredClusterRoles() throws Exception {
    // given: a configurator that names two of the three cluster roles created below
    var saConfigurator =
        new WorkspaceServiceAccountConfigurator("serviceAccount", "cr2, cr3", clientFactory);
    namespaceFactory =
        spy(
            new KubernetesNamespaceFactory(
                "<username>-che",
                true,
                true,
                true,
                NAMESPACE_LABELS,
                NAMESPACE_ANNOTATIONS,
                Set.of(saConfigurator),
                clientFactory,
                cheClientFactory,
                userManager,
                preferenceManager,
                pool));
    KubernetesNamespace namespaceMock = mock(KubernetesNamespace.class);
    prepareNamespace(namespaceMock);
    when(namespaceMock.getName()).thenReturn("workspace123");
    doReturn(namespaceMock).when(namespaceFactory).doCreateNamespaceAccess(any(), any());
    when(k8sClient.supportsApiPath(eq("/apis/metrics.k8s.io"))).thenReturn(true);
    when(cheClientFactory.create()).thenReturn(k8sClient);
    when(clientFactory.create(any())).thenReturn(k8sClient);

    // pre-create all three cluster roles, including the unconfigured cr1
    for (String clusterRoleName : new String[] {"cr1", "cr2", "cr3"}) {
        k8sClient
            .rbac()
            .clusterRoles()
            .createOrReplace(
                new ClusterRoleBuilder()
                    .withNewMetadata()
                    .withName(clusterRoleName)
                    .endMetadata()
                    .build());
    }

    // when
    RuntimeIdentity workspaceIdentity =
        new RuntimeIdentityImpl("workspace123", null, USER_ID, "workspace123");
    namespaceFactory.getOrCreate(workspaceIdentity);

    // then: exactly one service account, carrying the configured name
    ServiceAccountList serviceAccounts =
        k8sClient.serviceAccounts().inNamespace("workspace123").list();
    assertEquals(serviceAccounts.getItems().size(), 1);
    assertEquals(serviceAccounts.getItems().get(0).getMetadata().getName(), "serviceAccount");

    // the namespaced roles are the default workspace roles only
    RoleList roles = k8sClient.rbac().roles().inNamespace("workspace123").list();
    Set<String> roleNames =
        roles.getItems().stream().map(r -> r.getMetadata().getName()).collect(Collectors.toSet());
    assertEquals(
        roleNames,
        Sets.newHashSet(
            "workspace-configmaps", "workspace-view", "workspace-metrics", "workspace-secrets", "exec"));

    // one binding per default role plus one per configured cluster role (cluster0, cluster1)
    RoleBindingList bindings = k8sClient.rbac().roleBindings().inNamespace("workspace123").list();
    Set<String> bindingNames =
        bindings.getItems().stream()
            .map(r -> r.getMetadata().getName())
            .collect(Collectors.toSet());
    assertEquals(
        bindingNames,
        Sets.newHashSet(
            "serviceAccount-metrics",
            "serviceAccount-cluster0",
            "serviceAccount-cluster1",
            "serviceAccount-configmaps",
            "serviceAccount-view",
            "serviceAccount-exec",
            "serviceAccount-secrets"));
}
Also used : RuntimeIdentity(org.eclipse.che.api.core.model.workspace.runtime.RuntimeIdentity) ClusterRoleBuilder(io.fabric8.kubernetes.api.model.rbac.ClusterRoleBuilder) WorkspaceServiceAccountConfigurator(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.WorkspaceServiceAccountConfigurator) RoleList(io.fabric8.kubernetes.api.model.rbac.RoleList) RoleBindingList(io.fabric8.kubernetes.api.model.rbac.RoleBindingList) RuntimeIdentityImpl(org.eclipse.che.api.workspace.server.model.impl.RuntimeIdentityImpl) ServiceAccountList(io.fabric8.kubernetes.api.model.ServiceAccountList) Test(org.testng.annotations.Test)

Example 2 with RoleBindingList

use of io.fabric8.kubernetes.api.model.rbac.RoleBindingList in project che-server by eclipse-che.

the class KubernetesWorkspaceServiceAccountTest method shouldProvisionSARolesEvenIfItAlreadyExists.

/**
 * Checks that {@code serviceAccount.prepare()} still adds roles and role bindings when the
 * service account, one role and one role binding already exist in the namespace.
 *
 * <p>NOTE(review): the assertions only require more than one role and more than one binding
 * after the call. They do not say which roles or bindings were added, so unexpected extra
 * grants would pass unnoticed.
 */
@Test
public void shouldProvisionSARolesEvenIfItAlreadyExists() throws Exception {
    // given: the service account, a role and a role binding are already present
    k8sClient
        .serviceAccounts()
        .inNamespace(NAMESPACE)
        .createOrReplace(
            new ServiceAccountBuilder().withNewMetadata().withName(SA_NAME).endMetadata().build());
    k8sClient
        .rbac()
        .roles()
        .inNamespace(NAMESPACE)
        .create(new RoleBuilder().withNewMetadata().withName("foo").endMetadata().build());
    k8sClient
        .rbac()
        .roleBindings()
        .inNamespace(NAMESPACE)
        .create(
            new RoleBindingBuilder().withNewMetadata().withName("foo-builder").endMetadata().build());

    // when
    serviceAccount.prepare();

    // then: more roles than the single pre-created one
    RoleList rolesAfterPrepare = k8sClient.rbac().roles().inNamespace(NAMESPACE).list();
    int roleCount = rolesAfterPrepare.getItems().size();
    assertTrue(roleCount > 1);

    // ... and more bindings than the single pre-created one
    RoleBindingList bindingsAfterPrepare =
        k8sClient.rbac().roleBindings().inNamespace(NAMESPACE).list();
    int bindingCount = bindingsAfterPrepare.getItems().size();
    assertTrue(bindingCount > 1);
}
Also used : RoleBindingBuilder(io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder) RoleList(io.fabric8.kubernetes.api.model.rbac.RoleList) RoleBindingList(io.fabric8.kubernetes.api.model.rbac.RoleBindingList) ServiceAccountBuilder(io.fabric8.kubernetes.api.model.ServiceAccountBuilder) RoleBuilder(io.fabric8.kubernetes.api.model.rbac.RoleBuilder) Test(org.testng.annotations.Test)

Example 3 with RoleBindingList

use of io.fabric8.kubernetes.api.model.rbac.RoleBindingList in project che-server by eclipse-che.

the class KubernetesWorkspaceServiceAccountTest method shouldNotCreateMetricsRoleIfAPINotEnabledOnServer.

/**
 * Checks that {@code serviceAccount.prepare()} creates neither the metrics role nor the
 * {@code SA_NAME + "-metrics"} role binding when the client reports that the
 * {@code /apis/metrics.k8s.io} API path is not supported.
 *
 * <p>NOTE(review): the stubbed spy is handed out by {@code clientFactory}, while the assertions
 * read through {@code k8sClient}; presumably both talk to the same mock server. Confirm
 * against the test set-up.
 */
@Test
public void shouldNotCreateMetricsRoleIfAPINotEnabledOnServer() throws Exception {
    // given: a client that reports the metrics API path as unsupported
    KubernetesClient clientWithoutMetrics = spy(serverMock.getClient());
    when(clientWithoutMetrics.supportsApiPath(eq("/apis/metrics.k8s.io"))).thenReturn(false);
    when(clientFactory.create(anyString())).thenReturn(clientWithoutMetrics);

    // when
    serviceAccount.prepare();

    // then: no role carries the metrics role name
    RoleList rolesInNamespace = k8sClient.rbac().roles().inNamespace(NAMESPACE).list();
    boolean metricsRoleAbsent =
        rolesInNamespace.getItems().stream()
            .map(r -> r.getMetadata().getName())
            .noneMatch(name -> name.equals(METRICS_ROLE_NAME));
    assertTrue(metricsRoleAbsent);

    // ... and no binding carries the metrics binding name
    RoleBindingList bindingsInNamespace =
        k8sClient.rbac().roleBindings().inNamespace(NAMESPACE).list();
    String metricsBindingName = SA_NAME + "-metrics";
    boolean metricsBindingAbsent =
        bindingsInNamespace.getItems().stream()
            .map(rb -> rb.getMetadata().getName())
            .noneMatch(name -> name.equals(metricsBindingName));
    assertTrue(metricsBindingAbsent);
}
Also used : Arrays(java.util.Arrays) KubernetesClientFactory(org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesClientFactory) Listeners(org.testng.annotations.Listeners) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) RoleBindingList(io.fabric8.kubernetes.api.model.rbac.RoleBindingList) Mock(org.mockito.Mock) Role(io.fabric8.kubernetes.api.model.rbac.Role) Assert.assertEquals(org.testng.Assert.assertEquals) Test(org.testng.annotations.Test) Mockito.spy(org.mockito.Mockito.spy) Collections.singletonList(java.util.Collections.singletonList) RoleBuilder(io.fabric8.kubernetes.api.model.rbac.RoleBuilder) SECRETS_ROLE_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.SECRETS_ROLE_NAME) CONFIGMAPS_ROLE_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.CONFIGMAPS_ROLE_NAME) RoleBindingBuilder(io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder) KubernetesServer(io.fabric8.kubernetes.client.server.mock.KubernetesServer) MockitoTestNGListener(org.mockito.testng.MockitoTestNGListener) ServiceAccountBuilder(io.fabric8.kubernetes.api.model.ServiceAccountBuilder) BeforeMethod(org.testng.annotations.BeforeMethod) Set(java.util.Set) CREDENTIALS_SECRET_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.CREDENTIALS_SECRET_NAME) Mockito.when(org.mockito.Mockito.when) PolicyRule(io.fabric8.kubernetes.api.model.rbac.PolicyRule) RoleList(io.fabric8.kubernetes.api.model.rbac.RoleList) KubernetesClient(io.fabric8.kubernetes.client.KubernetesClient) Assert.assertTrue(org.testng.Assert.assertTrue) Optional(java.util.Optional) METRICS_ROLE_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.METRICS_ROLE_NAME) Collections(java.util.Collections) 
PREFERENCES_CONFIGMAP_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.PREFERENCES_CONFIGMAP_NAME) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) KubernetesClient(io.fabric8.kubernetes.client.KubernetesClient) RoleList(io.fabric8.kubernetes.api.model.rbac.RoleList) RoleBindingList(io.fabric8.kubernetes.api.model.rbac.RoleBindingList) Test(org.testng.annotations.Test)

Example 4 with RoleBindingList

use of io.fabric8.kubernetes.api.model.rbac.RoleBindingList in project che-server by eclipse-che.

the class KubernetesWorkspaceServiceAccountTest method shouldCreateCredentialsSecretRole.

/**
 * Checks that {@code serviceAccount.prepare()} creates the secrets role and its
 * {@code SA_NAME + "-secrets"} binding, and that the role's first rule is limited to the
 * {@code get} and {@code patch} verbs on the single secret named by
 * {@code CREDENTIALS_SECRET_NAME} in the core API group.
 *
 * <p>NOTE(review): only the rule at index 0 is inspected. If the role carried further rules,
 * for example one without {@code resourceNames}, this test would not notice; asserting the
 * number of rules would pin the role to exactly this grant.
 */
@Test
public void shouldCreateCredentialsSecretRole() throws Exception {
    // given
    KubernetesClient spiedClient = spy(serverMock.getClient());
    when(clientFactory.create(anyString())).thenReturn(spiedClient);

    // when
    serviceAccount.prepare();

    // then: the secrets role exists
    RoleList rolesInNamespace = k8sClient.rbac().roles().inNamespace(NAMESPACE).list();
    Optional<Role> secretsRole =
        rolesInNamespace.getItems().stream()
            .filter(r -> r.getMetadata().getName().equals(SECRETS_ROLE_NAME))
            .findFirst();
    assertTrue(secretsRole.isPresent());

    // its first rule grants get/patch on the one named secret only
    PolicyRule firstRule = secretsRole.get().getRules().get(0);
    assertEquals(firstRule.getResources(), singletonList("secrets"));
    assertEquals(firstRule.getResourceNames(), singletonList(CREDENTIALS_SECRET_NAME));
    assertEquals(firstRule.getApiGroups(), singletonList(""));
    assertEquals(firstRule.getVerbs(), Arrays.asList("get", "patch"));

    // the role is bound under the service account's "-secrets" binding name
    RoleBindingList bindingsInNamespace =
        k8sClient.rbac().roleBindings().inNamespace(NAMESPACE).list();
    String secretsBindingName = SA_NAME + "-secrets";
    boolean secretsBindingPresent =
        bindingsInNamespace.getItems().stream()
            .anyMatch(rb -> rb.getMetadata().getName().equals(secretsBindingName));
    assertTrue(secretsBindingPresent);
}
Also used : Role(io.fabric8.kubernetes.api.model.rbac.Role) Arrays(java.util.Arrays) KubernetesClientFactory(org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesClientFactory) Listeners(org.testng.annotations.Listeners) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) RoleBindingList(io.fabric8.kubernetes.api.model.rbac.RoleBindingList) Mock(org.mockito.Mock) Role(io.fabric8.kubernetes.api.model.rbac.Role) Assert.assertEquals(org.testng.Assert.assertEquals) Test(org.testng.annotations.Test) Mockito.spy(org.mockito.Mockito.spy) Collections.singletonList(java.util.Collections.singletonList) RoleBuilder(io.fabric8.kubernetes.api.model.rbac.RoleBuilder) SECRETS_ROLE_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.SECRETS_ROLE_NAME) CONFIGMAPS_ROLE_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.CONFIGMAPS_ROLE_NAME) RoleBindingBuilder(io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder) KubernetesServer(io.fabric8.kubernetes.client.server.mock.KubernetesServer) MockitoTestNGListener(org.mockito.testng.MockitoTestNGListener) ServiceAccountBuilder(io.fabric8.kubernetes.api.model.ServiceAccountBuilder) BeforeMethod(org.testng.annotations.BeforeMethod) Set(java.util.Set) CREDENTIALS_SECRET_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.CREDENTIALS_SECRET_NAME) Mockito.when(org.mockito.Mockito.when) PolicyRule(io.fabric8.kubernetes.api.model.rbac.PolicyRule) RoleList(io.fabric8.kubernetes.api.model.rbac.RoleList) KubernetesClient(io.fabric8.kubernetes.client.KubernetesClient) Assert.assertTrue(org.testng.Assert.assertTrue) Optional(java.util.Optional) METRICS_ROLE_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.METRICS_ROLE_NAME) Collections(java.util.Collections) 
PREFERENCES_CONFIGMAP_NAME(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.PREFERENCES_CONFIGMAP_NAME) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) KubernetesClient(io.fabric8.kubernetes.client.KubernetesClient) PolicyRule(io.fabric8.kubernetes.api.model.rbac.PolicyRule) RoleList(io.fabric8.kubernetes.api.model.rbac.RoleList) RoleBindingList(io.fabric8.kubernetes.api.model.rbac.RoleBindingList) Test(org.testng.annotations.Test)

Example 5 with RoleBindingList

use of io.fabric8.kubernetes.api.model.rbac.RoleBindingList in project devspaces-images by redhat-developer.

the class KubernetesNamespaceFactoryTest method shouldCreateExecAndViewRolesAndBindings.

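/**
 * Checks that creating the workspace namespace with a service account and no extra cluster
 * roles (empty cluster-role string) yields the default workspace roles, one binding per role,
 * and that the {@code exec} and {@code workspace-view} roles do not carry the same rules.
 *
 * <p>The two roles are looked up by name. Picking the first two entries of the listed roles
 * would compare whichever roles the server happens to return first out of five, which is not
 * necessarily the exec/view pair the assertion message talks about.
 */
@Test
public void shouldCreateExecAndViewRolesAndBindings() throws Exception {
    // given
    namespaceFactory =
        spy(
            new KubernetesNamespaceFactory(
                "<username>-che",
                true,
                true,
                true,
                NAMESPACE_LABELS,
                NAMESPACE_ANNOTATIONS,
                Set.of(new WorkspaceServiceAccountConfigurator("serviceAccount", "", clientFactory)),
                clientFactory,
                cheClientFactory,
                userManager,
                preferenceManager,
                pool));
    KubernetesNamespace toReturnNamespace = mock(KubernetesNamespace.class);
    prepareNamespace(toReturnNamespace);
    when(toReturnNamespace.getName()).thenReturn("workspace123");
    doReturn(toReturnNamespace).when(namespaceFactory).doCreateNamespaceAccess(any(), any());
    when(k8sClient.supportsApiPath(eq("/apis/metrics.k8s.io"))).thenReturn(true);
    when(clientFactory.create(any())).thenReturn(k8sClient);
    when(cheClientFactory.create()).thenReturn(k8sClient);

    // when
    RuntimeIdentity identity = new RuntimeIdentityImpl("workspace123", null, USER_ID, "workspace123");
    namespaceFactory.getOrCreate(identity);

    // then: exactly one service account, carrying the configured name
    ServiceAccountList sas = k8sClient.serviceAccounts().inNamespace("workspace123").list();
    assertEquals(sas.getItems().size(), 1);
    assertEquals(sas.getItems().get(0).getMetadata().getName(), "serviceAccount");

    RoleList roles = k8sClient.rbac().roles().inNamespace("workspace123").list();
    assertEquals(
        roles.getItems().stream().map(r -> r.getMetadata().getName()).collect(Collectors.toSet()),
        Sets.newHashSet(
            "workspace-configmaps", "workspace-view", "workspace-metrics", "workspace-secrets", "exec"));

    // select the two roles under comparison by name instead of by list position
    Role execRole =
        roles.getItems().stream()
            .filter(r -> "exec".equals(r.getMetadata().getName()))
            .findFirst()
            .orElseThrow(() -> new AssertionError("exec role not found"));
    Role viewRole =
        roles.getItems().stream()
            .filter(r -> "workspace-view".equals(r.getMetadata().getName()))
            .findFirst()
            .orElseThrow(() -> new AssertionError("workspace-view role not found"));
    assertFalse(
        execRole.getRules().containsAll(viewRole.getRules())
            && viewRole.getRules().containsAll(execRole.getRules()),
        "exec and view roles should not be the same");

    // no cluster roles configured, so only the default bindings are expected
    RoleBindingList bindings = k8sClient.rbac().roleBindings().inNamespace("workspace123").list();
    assertEquals(
        bindings.getItems().stream().map(r -> r.getMetadata().getName()).collect(Collectors.toSet()),
        Sets.newHashSet(
            "serviceAccount-metrics",
            "serviceAccount-view",
            "serviceAccount-exec",
            "serviceAccount-configmaps",
            "serviceAccount-secrets"));
}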
Also used : RuntimeIdentity(org.eclipse.che.api.core.model.workspace.runtime.RuntimeIdentity) Role(io.fabric8.kubernetes.api.model.rbac.Role) WorkspaceServiceAccountConfigurator(org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.WorkspaceServiceAccountConfigurator) RoleList(io.fabric8.kubernetes.api.model.rbac.RoleList) RoleBindingList(io.fabric8.kubernetes.api.model.rbac.RoleBindingList) RuntimeIdentityImpl(org.eclipse.che.api.workspace.server.model.impl.RuntimeIdentityImpl) ServiceAccountList(io.fabric8.kubernetes.api.model.ServiceAccountList) Test(org.testng.annotations.Test)

Aggregations

RoleBindingList (io.fabric8.kubernetes.api.model.rbac.RoleBindingList)17 RoleList (io.fabric8.kubernetes.api.model.rbac.RoleList)14 Test (org.testng.annotations.Test)14 RoleBindingBuilder (io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder)11 ServiceAccountBuilder (io.fabric8.kubernetes.api.model.ServiceAccountBuilder)10 Role (io.fabric8.kubernetes.api.model.rbac.Role)10 RoleBuilder (io.fabric8.kubernetes.api.model.rbac.RoleBuilder)10 KubernetesClient (io.fabric8.kubernetes.client.KubernetesClient)9 PolicyRule (io.fabric8.kubernetes.api.model.rbac.PolicyRule)8 KubernetesServer (io.fabric8.kubernetes.client.server.mock.KubernetesServer)8 Arrays (java.util.Arrays)8 Collections (java.util.Collections)8 Collections.singletonList (java.util.Collections.singletonList)8 Optional (java.util.Optional)8 Set (java.util.Set)8 KubernetesClientFactory (org.eclipse.che.workspace.infrastructure.kubernetes.KubernetesClientFactory)8 CONFIGMAPS_ROLE_NAME (org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.CONFIGMAPS_ROLE_NAME)8 CREDENTIALS_SECRET_NAME (org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.CREDENTIALS_SECRET_NAME)8 METRICS_ROLE_NAME (org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.METRICS_ROLE_NAME)8 PREFERENCES_CONFIGMAP_NAME (org.eclipse.che.workspace.infrastructure.kubernetes.namespace.AbstractWorkspaceServiceAccount.PREFERENCES_CONFIGMAP_NAME)8