From 8d656551db3a84c5438966879a65205330d081f0 Mon Sep 17 00:00:00 2001
From: Kui Wang
Date: Mon, 2 Feb 2026 17:53:58 +0800
Subject: [PATCH] UPSTREAM: : adjust sa and permission test cases per new change from boxcutterruntime
---
 openshift/tests-extension/Makefile | 64 +-
 .../tests-extension/pkg/bindata/qe/bindata.go | 926 +++++++++++++++++-
 .../tests-extension/test/qe/specs/olmv1_ce.go | 424 +++++---
 ...a-nginx-insufficient-bundle-boxcutter.yaml | 198 ++++
 ...ficient-operand-clusterrole-boxcutter.yaml | 185 ++++
 ...x-insufficient-operand-rbac-boxcutter.yaml | 188 ++++
 .../olm/sa-nginx-limited-boxcutter.yaml | 211 ++++
 7 files changed, 2011 insertions(+), 185 deletions(-)
 create mode 100644 openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-bundle-boxcutter.yaml
 create mode 100644 openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml
 create mode 100644 openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac-boxcutter.yaml
 create mode 100644 openshift/tests-extension/test/qe/testdata/olm/sa-nginx-limited-boxcutter.yaml
diff --git a/openshift/tests-extension/Makefile b/openshift/tests-extension/Makefile
index c11c83a17..40c5381b8 100644
--- a/openshift/tests-extension/Makefile
+++ b/openshift/tests-extension/Makefile
@@ -42,7 +42,48 @@ TOOLS_BIN_DIR := $(CURDIR)/bin #SECTION Development .PHONY: verify #HELP To verify the code -verify: tidy fmt vet lint +verify: + @errors=0; \ + warnings=0; \ + failed_steps=""; \ + if ! $(MAKE) tidy; then \ + echo "ERROR: 'make tidy' failed"; \ + errors=$$((errors+1)); \ + failed_steps="$$failed_steps tidy"; \ + fi; \ + if [ -n "$$PROW_JOB_ID" ]; then \ + if ! $(MAKE) fmt-without-fix; then \ + echo "ERROR: 'make fmt-without-fix' failed"; \ + errors=$$((errors+1)); \ + failed_steps="$$failed_steps fmt"; \ + fi; \ + else \ + files_before=$$(find . -name '*.go' -not -path './vendor/*' -not -path './pkg/bindata/*' -exec gofmt -l {} \;); \ + if ! $(MAKE) fmt; then \ + echo "ERROR: 'make fmt' failed"; \ + errors=$$((errors+1)); \ + failed_steps="$$failed_steps fmt"; \ + elif [ -n "$$files_before" ]; then \ + echo "WARNING: 'make fmt' auto-fixed files. Don't forget to commit these changes!"; \ + warnings=1; \ + fi; \ + fi; \ + if ! $(MAKE) vet; then \ + echo "ERROR: 'make vet' failed"; \ + errors=$$((errors+1)); \ + failed_steps="$$failed_steps vet"; \ + fi; \ + if ! $(MAKE) lint; then \ + echo "ERROR: 'make lint' failed"; \ + errors=$$((errors+1)); \ + failed_steps="$$failed_steps lint"; \ + fi; \ + if [ $$errors -gt 0 ]; then \ + echo "FAILED: The following verification check(s) failed:$$failed_steps"; \ + exit 1; \ + elif [ $$warnings -gt 0 ]; then \ + echo "WARNING: All verification checks passed, but some files were auto-fixed. Don't forget to commit!"; \ + fi .PHONY: tidy #HELP Run go mod tidy. tidy: 
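Review bot: The local branch of the new `verify` recipe (the `else` after the `PROW_JOB_ID` test) runs `$(MAKE) fmt`, which rewrites files in the working tree, so a developer's `make verify` can exit 0 while leaving unstaged formatting edits behind; only the CI path is a pure check. Since `fmt-without-fix` is introduced in this same patch, the `else` branch can be dropped and both paths can use `if ! $(MAKE) fmt-without-fix; then ... fi`, which keeps `verify` read-only and removes the `files_before`/`warnings` bookkeeping. The `find . -name '*.go' ... -exec gofmt -l {} \;` expression is now repeated here and in the `fmt` and `fmt-without-fix` recipes; a single `GOFMT_FILES` variable would keep the exclusion list in one place. Nothing documents the CI/local split; a comment above the recipe such as `# In CI (PROW_JOB_ID set) formatting is only checked; locally 'make fmt' rewrites files` would make the behaviour discoverable.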
@@ -50,7 +91,26 @@ tidy:
 
 .PHONY: fmt
 fmt: #HELP Run go fmt against code.
- go fmt ./...
+ @files=$$(find . -name '*.go' -not -path './vendor/*' -not -path './pkg/bindata/*' -exec gofmt -l {} \;); \
+ echo "go fmt ./..."; \
+ go fmt ./...; \
+ if [ -n "$$files" ]; then \
+ echo ""; \
+ echo "Files have been formatted. Don't forget to commit these changes!"; \
+ fi
+
+.PHONY: fmt-without-fix
+fmt-without-fix: #HELP Run go fmt against code.
+ @files=$$(find . -name '*.go' -not -path './vendor/*' -not -path './pkg/bindata/*' -exec gofmt -l {} \;); \
+ echo "Checking code formatting..."; \
+ if [ -n "$$files" ]; then \
+ echo "Files that need formatting:"; \
+ echo "$$files"; \
+ echo ""; \
+ echo "To fix formatting, run:"; \
+ echo " make fmt"; \
+ exit 1; \
+ fi
 
 .PHONY: vet
 vet: #HELP Run go vet against code.
diff --git a/openshift/tests-extension/pkg/bindata/qe/bindata.go b/openshift/tests-extension/pkg/bindata/qe/bindata.go
index 08cb18a68..e203f0426 100644
--- a/openshift/tests-extension/pkg/bindata/qe/bindata.go
+++ b/openshift/tests-extension/pkg/bindata/qe/bindata.go
@@ -29,9 +29,13 @@
 // test/qe/testdata/olm/itdms-full-mirror.yaml
 // test/qe/testdata/olm/prefligth-clusterrole.yaml
 // test/qe/testdata/olm/sa-admin.yaml
+// test/qe/testdata/olm/sa-nginx-insufficient-bundle-boxcutter.yaml
 // test/qe/testdata/olm/sa-nginx-insufficient-bundle.yaml
+// test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml
 // test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole.yaml
+// test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac-boxcutter.yaml
 // test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac.yaml
+// test/qe/testdata/olm/sa-nginx-limited-boxcutter.yaml
 // test/qe/testdata/olm/sa-nginx-limited.yaml
 // test/qe/testdata/olm/sa.yaml
 package testdata
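Review bot: In the new `fmt` recipe the exit status of `go fmt ./...` is discarded because the command is chained with `;` rather than `||`/`&&`, so a failing `go fmt` (for example on a file that does not parse) still lets `fmt`, and through it `verify`, succeed; use `go fmt ./... || exit 1; \`. The `find` used to detect what will change excludes `./pkg/bindata/*` while `go fmt ./...` still formats that package, so a reformatted generated file is never reported — either run `gofmt -w` on the same file list or drop the exclusion so the report and the action agree. `-exec gofmt -l {} \;` spawns one gofmt per file; `-exec gofmt -l {} +` batches them, which matters as the tree grows. The `#HELP` text on `fmt-without-fix` was copied from `fmt` and is misleading; `fmt-without-fix: #HELP Check formatting without modifying files; fails if any file needs gofmt.` says what it does.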
@@ -1519,6 +1523,221 @@ func testQeTestdataOlmSaAdminYaml() (*asset, error) { return a, nil } +var _testQeTestdataOlmSaNginxInsufficientBundleBoxcutterYaml = []byte(`apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: olmv1-sa-nginx-insufficient-bundle-boxcutter-template +objects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-clusterrole" + rules: + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [get, list, watch, update, patch, delete] + # resourceNames: + # - nginx-ok-v3283-754-15pkpuong3owt1jn01uoyj8lm6p8jlxh03kuouq67dmv + # - nginx-ok-v3283-754-2r5zqsa9t9nk0tln1f8x36ws3ks9r8cgwi70s2dgnl82 + # - nginx-ok-v3283-75493-metrics-reader + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [get, list, watch, update, patch, delete] + # resourceNames: + # - nginx-ok-v3283-754-15pkpuong3owt1jn01uoyj8lm6p8jlxh03kuouq67dmv + # - nginx-ok-v3283-754-2r5zqsa9t9nk0tln1f8x36ws3ks9r8cgwi70s2dgnl82 + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "${NAME}-installer-role" + namespace: "${NAMESPACE}" + rules: + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, delete] + # resourceNames: [nginx-ok-v3283-75493-controller-manager] + # - apiGroups: [""] + # resources: 
[serviceaccounts] + # verbs: [create] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + # resourceNames: [nginx-ok-v3283-75493-controller-manager-metrics-service] + - apiGroups: [""] + resources: [services] + verbs: [create] + - apiGroups: [apps] + resources: [deployments] + verbs: [get, list, watch, create, update, patch, delete] + # resourceNames: [nginx-ok-v3283-75493-controller-manager] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${NAME}-installer-role-binding" + namespace: "${NAMESPACE}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "${NAME}-installer-role" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-rbac-clusterrole" + rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + - pods + - pods/exec + - pods/log + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cache.example.com + resources: + - "${KINDS}" + - "${KINDS}/status" + - "${KINDS}/finalizers" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - 
subjectaccessreviews + verbs: + - create + - nonResourceURLs: + - /metrics + verbs: + - get + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-rbac-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-rbac-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" +parameters: + - name: NAME + - name: NAMESPACE + - name: KINDS +`) + +func testQeTestdataOlmSaNginxInsufficientBundleBoxcutterYamlBytes() ([]byte, error) { + return _testQeTestdataOlmSaNginxInsufficientBundleBoxcutterYaml, nil +} + +func testQeTestdataOlmSaNginxInsufficientBundleBoxcutterYaml() (*asset, error) { + bytes, err := testQeTestdataOlmSaNginxInsufficientBundleBoxcutterYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "test/qe/testdata/olm/sa-nginx-insufficient-bundle-boxcutter.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _testQeTestdataOlmSaNginxInsufficientBundleYaml = []byte(`apiVersion: template.openshift.io/v1 kind: Template metadata: @@ -1734,10 +1953,10 @@ func testQeTestdataOlmSaNginxInsufficientBundleYaml() (*asset, error) { return a, nil } -var _testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml = []byte(`apiVersion: template.openshift.io/v1 +var _testQeTestdataOlmSaNginxInsufficientOperandClusterroleBoxcutterYaml = []byte(`apiVersion: template.openshift.io/v1 kind: Template metadata: - name: olmv1-sa-nginx-insufficient-operand-clusterrole-template + name: olmv1-sa-nginx-insufficient-operand-clusterrole-boxcutter-template objects: - apiVersion: v1 kind: ServiceAccount 
@@ -1921,25 +2140,25 @@ parameters: - name: KINDS `) -func testQeTestdataOlmSaNginxInsufficientOperandClusterroleYamlBytes() ([]byte, error) { - return _testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml, nil +func testQeTestdataOlmSaNginxInsufficientOperandClusterroleBoxcutterYamlBytes() ([]byte, error) { + return _testQeTestdataOlmSaNginxInsufficientOperandClusterroleBoxcutterYaml, nil } -func testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml() (*asset, error) { - bytes, err := testQeTestdataOlmSaNginxInsufficientOperandClusterroleYamlBytes() +func testQeTestdataOlmSaNginxInsufficientOperandClusterroleBoxcutterYaml() (*asset, error) { + bytes, err := testQeTestdataOlmSaNginxInsufficientOperandClusterroleBoxcutterYamlBytes() if err != nil { return nil, err } - info := bindataFileInfo{name: "test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} a := &asset{bytes: bytes, info: info} return a, nil } -var _testQeTestdataOlmSaNginxInsufficientOperandRbacYaml = []byte(`apiVersion: template.openshift.io/v1 +var _testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml = []byte(`apiVersion: template.openshift.io/v1 kind: Template metadata: - name: olmv1-sa-nginx-insufficient-operand-rbac-template + name: olmv1-sa-nginx-insufficient-operand-clusterrole-template objects: - apiVersion: v1 kind: ServiceAccount @@ -1951,9 +2170,6 @@ objects: metadata: name: "${NAME}-installer-clusterrole" rules: - - apiGroups: [olm.operatorframework.io] - resources: [clusterextensions/finalizers] - verbs: [update] - apiGroups: [apiextensions.k8s.io] resources: [customresourcedefinitions] verbs: [create, list, watch] 
@@ -2126,17 +2342,655 @@ parameters: - name: KINDS `) -func testQeTestdataOlmSaNginxInsufficientOperandRbacYamlBytes() ([]byte, error) { - return _testQeTestdataOlmSaNginxInsufficientOperandRbacYaml, nil +func testQeTestdataOlmSaNginxInsufficientOperandClusterroleYamlBytes() ([]byte, error) { + return _testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml, nil } -func testQeTestdataOlmSaNginxInsufficientOperandRbacYaml() (*asset, error) { - bytes, err := testQeTestdataOlmSaNginxInsufficientOperandRbacYamlBytes() +func testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml() (*asset, error) { + bytes, err := testQeTestdataOlmSaNginxInsufficientOperandClusterroleYamlBytes() if err != nil { return nil, err } - info := bindataFileInfo{name: "test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _testQeTestdataOlmSaNginxInsufficientOperandRbacBoxcutterYaml = []byte(`apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: olmv1-sa-nginx-insufficient-operand-rbac-boxcutter-template +objects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-clusterrole" + rules: + - apiGroups: [olm.operatorframework.io] + resources: [clusterextensionrevisions/finalizers] + verbs: [update] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [create, list, watch] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [create] + - apiGroups: 
[rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "${NAME}-installer-role" + namespace: "${NAMESPACE}" + rules: + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [create] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [services] + verbs: [create] + - apiGroups: [apps] + resources: [deployments] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${NAME}-installer-role-binding" + namespace: "${NAMESPACE}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "${NAME}-installer-role" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-rbac-clusterrole" + rules: + - apiGroups: + - "" + 
resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cache.example.com + resources: + - "${KINDS}" + - "${KINDS}/status" + - "${KINDS}/finalizers" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - nonResourceURLs: + - /metrics + verbs: + - get + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-rbac-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-rbac-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" +parameters: + - name: NAME + - name: NAMESPACE + - name: KINDS +`) + +func testQeTestdataOlmSaNginxInsufficientOperandRbacBoxcutterYamlBytes() ([]byte, error) { + return _testQeTestdataOlmSaNginxInsufficientOperandRbacBoxcutterYaml, nil +} + +func testQeTestdataOlmSaNginxInsufficientOperandRbacBoxcutterYaml() (*asset, error) { + bytes, err := testQeTestdataOlmSaNginxInsufficientOperandRbacBoxcutterYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac-boxcutter.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var 
_testQeTestdataOlmSaNginxInsufficientOperandRbacYaml = []byte(`apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: olmv1-sa-nginx-insufficient-operand-rbac-template +objects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-clusterrole" + rules: + - apiGroups: [olm.operatorframework.io] + resources: [clusterextensions/finalizers] + verbs: [update] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [create, list, watch] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "${NAME}-installer-role" + namespace: "${NAMESPACE}" + rules: + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: 
[serviceaccounts] + verbs: [create] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [services] + verbs: [create] + - apiGroups: [apps] + resources: [deployments] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${NAME}-installer-role-binding" + namespace: "${NAMESPACE}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "${NAME}-installer-role" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-rbac-clusterrole" + rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cache.example.com + resources: + - "${KINDS}" + - "${KINDS}/status" + - "${KINDS}/finalizers" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - nonResourceURLs: + - /metrics + verbs: + - get + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-rbac-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
"${NAME}-installer-rbac-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" +parameters: + - name: NAME + - name: NAMESPACE + - name: KINDS +`) + +func testQeTestdataOlmSaNginxInsufficientOperandRbacYamlBytes() ([]byte, error) { + return _testQeTestdataOlmSaNginxInsufficientOperandRbacYaml, nil +} + +func testQeTestdataOlmSaNginxInsufficientOperandRbacYaml() (*asset, error) { + bytes, err := testQeTestdataOlmSaNginxInsufficientOperandRbacYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _testQeTestdataOlmSaNginxLimitedBoxcutterYaml = []byte(`apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: olmv1-sa-nginx-limited-template +objects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-clusterrole" + rules: + - apiGroups: [olm.operatorframework.io] + resources: [clusterextensionrevisions/finalizers] + verbs: [update] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [create, list, watch] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, 
list, watch, create, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts/finalizers] + verbs: [update] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "${NAME}-installer-role" + namespace: "${NAMESPACE}" + rules: + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts/finalizers] + verbs: [update] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [apps] + resources: [deployments] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${NAME}-installer-role-binding" + namespace: "${NAMESPACE}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "${NAME}-installer-role" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-rbac-clusterrole" + rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + 
resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + - pods + - pods/exec + - pods/log + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cache.example.com + resources: + - "${KINDS}" + - "${KINDS}/status" + - "${KINDS}/finalizers" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - nonResourceURLs: + - /metrics + verbs: + - get + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-rbac-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-rbac-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" +parameters: + - name: NAME + - name: NAMESPACE + - name: KINDS +`) + +func testQeTestdataOlmSaNginxLimitedBoxcutterYamlBytes() ([]byte, error) { + return _testQeTestdataOlmSaNginxLimitedBoxcutterYaml, nil +} + +func testQeTestdataOlmSaNginxLimitedBoxcutterYaml() (*asset, error) { + bytes, err := testQeTestdataOlmSaNginxLimitedBoxcutterYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "test/qe/testdata/olm/sa-nginx-limited-boxcutter.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} a := &asset{bytes: bytes, info: info} return a, nil } 
@@ -2474,9 +3328,13 @@ var _bindata = map[string]func() (*asset, error){ "test/qe/testdata/olm/itdms-full-mirror.yaml": testQeTestdataOlmItdmsFullMirrorYaml, "test/qe/testdata/olm/prefligth-clusterrole.yaml": testQeTestdataOlmPrefligthClusterroleYaml, "test/qe/testdata/olm/sa-admin.yaml": testQeTestdataOlmSaAdminYaml, + "test/qe/testdata/olm/sa-nginx-insufficient-bundle-boxcutter.yaml": testQeTestdataOlmSaNginxInsufficientBundleBoxcutterYaml, "test/qe/testdata/olm/sa-nginx-insufficient-bundle.yaml": testQeTestdataOlmSaNginxInsufficientBundleYaml, + "test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml": testQeTestdataOlmSaNginxInsufficientOperandClusterroleBoxcutterYaml, "test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole.yaml": testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml, + "test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac-boxcutter.yaml": testQeTestdataOlmSaNginxInsufficientOperandRbacBoxcutterYaml, "test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac.yaml": testQeTestdataOlmSaNginxInsufficientOperandRbacYaml, + "test/qe/testdata/olm/sa-nginx-limited-boxcutter.yaml": testQeTestdataOlmSaNginxLimitedBoxcutterYaml, "test/qe/testdata/olm/sa-nginx-limited.yaml": testQeTestdataOlmSaNginxLimitedYaml, "test/qe/testdata/olm/sa.yaml": testQeTestdataOlmSaYaml, } 
@@ -2547,21 +3405,25 @@ var _bintree = &bintree{nil, map[string]*bintree{ "clusterextension-withselectorlabel-WithoutVersion.yaml": {testQeTestdataOlmClusterextensionWithselectorlabelWithoutversionYaml, map[string]*bintree{}}, "clusterextension-withselectorlabel-withoutChannel-OwnSingle.yaml": {testQeTestdataOlmClusterextensionWithselectorlabelWithoutchannelOwnsingleYaml, map[string]*bintree{}}, "clusterextension-withselectorlabel.yaml": {testQeTestdataOlmClusterextensionWithselectorlabelYaml, map[string]*bintree{}}, - "clusterextension.yaml": {testQeTestdataOlmClusterextensionYaml, map[string]*bintree{}}, - "clusterextensionWithoutChannel.yaml": {testQeTestdataOlmClusterextensionwithoutchannelYaml, map[string]*bintree{}}, - "clusterextensionWithoutChannelVersion.yaml": {testQeTestdataOlmClusterextensionwithoutchannelversionYaml, map[string]*bintree{}}, - "clusterextensionWithoutVersion.yaml": {testQeTestdataOlmClusterextensionwithoutversionYaml, map[string]*bintree{}}, - "cr-webhookTest.yaml": {testQeTestdataOlmCrWebhooktestYaml, map[string]*bintree{}}, - "crd-nginxolm74923.yaml": {testQeTestdataOlmCrdNginxolm74923Yaml, map[string]*bintree{}}, - "icsp-single-mirror.yaml": {testQeTestdataOlmIcspSingleMirrorYaml, map[string]*bintree{}}, - "itdms-full-mirror.yaml": {testQeTestdataOlmItdmsFullMirrorYaml, map[string]*bintree{}}, - "prefligth-clusterrole.yaml": {testQeTestdataOlmPrefligthClusterroleYaml, map[string]*bintree{}}, - "sa-admin.yaml": {testQeTestdataOlmSaAdminYaml, map[string]*bintree{}}, - "sa-nginx-insufficient-bundle.yaml": {testQeTestdataOlmSaNginxInsufficientBundleYaml, map[string]*bintree{}}, - "sa-nginx-insufficient-operand-clusterrole.yaml": {testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml, map[string]*bintree{}}, - "sa-nginx-insufficient-operand-rbac.yaml": {testQeTestdataOlmSaNginxInsufficientOperandRbacYaml, map[string]*bintree{}}, - "sa-nginx-limited.yaml": {testQeTestdataOlmSaNginxLimitedYaml, map[string]*bintree{}}, - "sa.yaml": 
{testQeTestdataOlmSaYaml, map[string]*bintree{}}, + "clusterextension.yaml": {testQeTestdataOlmClusterextensionYaml, map[string]*bintree{}}, + "clusterextensionWithoutChannel.yaml": {testQeTestdataOlmClusterextensionwithoutchannelYaml, map[string]*bintree{}}, + "clusterextensionWithoutChannelVersion.yaml": {testQeTestdataOlmClusterextensionwithoutchannelversionYaml, map[string]*bintree{}}, + "clusterextensionWithoutVersion.yaml": {testQeTestdataOlmClusterextensionwithoutversionYaml, map[string]*bintree{}}, + "cr-webhookTest.yaml": {testQeTestdataOlmCrWebhooktestYaml, map[string]*bintree{}}, + "crd-nginxolm74923.yaml": {testQeTestdataOlmCrdNginxolm74923Yaml, map[string]*bintree{}}, + "icsp-single-mirror.yaml": {testQeTestdataOlmIcspSingleMirrorYaml, map[string]*bintree{}}, + "itdms-full-mirror.yaml": {testQeTestdataOlmItdmsFullMirrorYaml, map[string]*bintree{}}, + "prefligth-clusterrole.yaml": {testQeTestdataOlmPrefligthClusterroleYaml, map[string]*bintree{}}, + "sa-admin.yaml": {testQeTestdataOlmSaAdminYaml, map[string]*bintree{}}, + "sa-nginx-insufficient-bundle-boxcutter.yaml": {testQeTestdataOlmSaNginxInsufficientBundleBoxcutterYaml, map[string]*bintree{}}, + "sa-nginx-insufficient-bundle.yaml": {testQeTestdataOlmSaNginxInsufficientBundleYaml, map[string]*bintree{}}, + "sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml": {testQeTestdataOlmSaNginxInsufficientOperandClusterroleBoxcutterYaml, map[string]*bintree{}}, + "sa-nginx-insufficient-operand-clusterrole.yaml": {testQeTestdataOlmSaNginxInsufficientOperandClusterroleYaml, map[string]*bintree{}}, + "sa-nginx-insufficient-operand-rbac-boxcutter.yaml": {testQeTestdataOlmSaNginxInsufficientOperandRbacBoxcutterYaml, map[string]*bintree{}}, + "sa-nginx-insufficient-operand-rbac.yaml": {testQeTestdataOlmSaNginxInsufficientOperandRbacYaml, map[string]*bintree{}}, + "sa-nginx-limited-boxcutter.yaml": {testQeTestdataOlmSaNginxLimitedBoxcutterYaml, map[string]*bintree{}}, + "sa-nginx-limited.yaml": 
{testQeTestdataOlmSaNginxLimitedYaml, map[string]*bintree{}}, + "sa.yaml": {testQeTestdataOlmSaYaml, map[string]*bintree{}}, }}, }}, }}, diff --git a/openshift/tests-extension/test/qe/specs/olmv1_ce.go b/openshift/tests-extension/test/qe/specs/olmv1_ce.go index ec19ebbea..d1d106e97 100644 --- a/openshift/tests-extension/test/qe/specs/olmv1_ce.go +++ b/openshift/tests-extension/test/qe/specs/olmv1_ce.go 
@@ -166,47 +166,57 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh exutil.SkipForSNOCluster(oc) olmv1util.ValidateAccessEnvironment(oc) var ( - caseID = "68936" - ns = "ns-" + caseID - sa = caseID - labelValue = caseID - baseDir = exutil.FixturePath("testdata", "olm") - clustercatalogTemplate = filepath.Join(baseDir, "clustercatalog-withlabel.yaml") - clusterextensionTemplate = filepath.Join(baseDir, "clusterextension-withselectorlabel.yaml") - saClusterRoleBindingOperandTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-operand-clusterrole.yaml") - saCrb = olmv1util.SaCLusterRolebindingDescription{ - Name: sa, - Namespace: ns, - RBACObjects: []olmv1util.ChildResource{ - {Kind: "RoleBinding", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role-binding", sa)}}, - {Kind: "Role", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role", sa)}}, - {Kind: "ClusterRoleBinding", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole-binding", sa), - fmt.Sprintf("%s-installer-clusterrole-binding", sa)}}, - {Kind: "ClusterRole", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole", sa), - fmt.Sprintf("%s-installer-clusterrole", sa)}}, - {Kind: "ServiceAccount", Ns: ns, Names: []string{sa}}, - }, - Kinds: "okv68936s", - Template: saClusterRoleBindingOperandTemplate, - } - clustercatalog = olmv1util.ClusterCatalogDescription{ - Name: "clustercatalog-68936", - Imageref: "quay.io/olmqe/nginx-ok-index:vokv68936", - LabelValue: labelValue, - Template: clustercatalogTemplate, - } - ceInsufficient = olmv1util.ClusterExtensionDescription{ - Name: "insufficient-68936", - PackageName: "nginx-ok-v68936", - Channel: "alpha", - Version: ">=0.0.1", - InstallNamespace: ns, - SaName: sa, - LabelValue: labelValue, - Template: clusterextensionTemplate, - } + caseID = "68936" + ns = "ns-" + caseID + sa = caseID + labelValue = caseID + baseDir = exutil.FixturePath("testdata", "olm") + clustercatalogTemplate = 
filepath.Join(baseDir, "clustercatalog-withlabel.yaml") + clusterextensionTemplate = filepath.Join(baseDir, "clusterextension-withselectorlabel.yaml") + // Select template based on Boxcutter runtime feature gate + saClusterRoleBindingOperandTemplate string ) + // Use Boxcutter template if BoxcutterRuntime is enabled, otherwise use Helm template + // Note: Both templates have the same content for this test (both lack finalizers permissions) + if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") { + saClusterRoleBindingOperandTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml") + } else { + saClusterRoleBindingOperandTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-operand-clusterrole.yaml") + } + + saCrb := olmv1util.SaCLusterRolebindingDescription{ + Name: sa, + Namespace: ns, + RBACObjects: []olmv1util.ChildResource{ + {Kind: "RoleBinding", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role-binding", sa)}}, + {Kind: "Role", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role", sa)}}, + {Kind: "ClusterRoleBinding", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole-binding", sa), + fmt.Sprintf("%s-installer-clusterrole-binding", sa)}}, + {Kind: "ClusterRole", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole", sa), + fmt.Sprintf("%s-installer-clusterrole", sa)}}, + {Kind: "ServiceAccount", Ns: ns, Names: []string{sa}}, + }, + Kinds: "okv68936s", + Template: saClusterRoleBindingOperandTemplate, + } + clustercatalog := olmv1util.ClusterCatalogDescription{ + Name: "clustercatalog-68936", + Imageref: "quay.io/olmqe/nginx-ok-index:vokv68936", + LabelValue: labelValue, + Template: clustercatalogTemplate, + } + ceInsufficient := olmv1util.ClusterExtensionDescription{ + Name: "insufficient-68936", + PackageName: "nginx-ok-v68936", + Channel: "alpha", + Version: ">=0.0.1", + InstallNamespace: ns, + SaName: sa, + LabelValue: labelValue, + Template: clusterextensionTemplate, + 
} + g.By("Create namespace") defer func() { _ = oc.WithoutNamespace().AsAdmin().Run("delete").Args("ns", ns, "--ignore-not-found", "--force").Execute() @@ -227,9 +237,20 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh defer ceInsufficient.Delete(oc) _ = ceInsufficient.CreateWithoutCheck(oc) if olmv1util.IsFeaturegateEnabled(oc, "NewOLMPreflightPermissionChecks") { + // Env2 (Helm, preflight) or Env3 (Boxcutter, preflight): Both return same preflight error ceInsufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "pre-authorization failed", 10, 60, 0) } else { - ceInsufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "cannot set blockOwnerDeletion", 10, 60, 0) + // Env1 (Helm, no preflight) or Env4 (Boxcutter, no preflight) + // Error checking order differs between runtimes: + // - Helm (Env1): checks blockOwnerDeletion first, then privilege escalation + // - Boxcutter (Env4): checks privilege escalation first, then blockOwnerDeletion + if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") { + // Env4: Boxcutter encounters privilege escalation error before blockOwnerDeletion check + ceInsufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "is attempting to grant RBAC permissions not currently held", 10, 60, 0) + } else { + // Env1: Helm encounters blockOwnerDeletion error + ceInsufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "cannot set blockOwnerDeletion", 10, 60, 0) + } } }) 
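Review bot: `olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime")` is queried once here to pick the fixture and again in the assertion branch further down the same test, and the whole select-template `if`/`else` is pasted verbatim into the -239, -371 and -445 hunks as well; reading the gate once per test into a local, `boxcutter := olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime")`, and branching on that keeps the two decisions consistent and avoids a repeated cluster round-trip, and a small helper taking the Helm and Boxcutter fixture file names would remove the four copies. The comment `Both templates have the same content for this test` records a duplication instead of resolving it: two identical fixtures will drift silently, so either reuse one file or say in the comment which permission is deliberately left out, so the least-privilege intent of the case stays auditable. The enclosing g.It body starts and ends outside the hunk.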
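Review bot: The Env1–Env4 labels introduced in these comments, and reused in every later hunk of this file, are not defined anywhere visible; one legend near the top of the Describe block, e.g. `// Env1: Helm, no preflight; Env2: Helm + NewOLMPreflightPermissionChecks; Env3: Boxcutter + preflight; Env4: Boxcutter (NewOLMBoxCutterRuntime), no preflight`, would let the next reader decode them without re-deriving the feature-gate matrix. The expected Boxcutter message `is attempting to grant RBAC permissions not currently held` is the API server's escalation-prevention wording, so the assertion does confirm the installer SA is stopped from granting rights it does not hold; the comment's claim about which check each runtime performs first is a runtime implementation detail, though, so a pointer to the upstream change that established that order would help whoever has to revise the expected string later. The surrounding g.It body starts outside the hunk.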
@@ -239,47 +260,56 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh exutil.SkipForSNOCluster(oc) olmv1util.ValidateAccessEnvironment(oc) var ( - caseID = "68937" - ns = "ns-" + caseID - sa = caseID - labelValue = caseID - baseDir = exutil.FixturePath("testdata", "olm") - clustercatalogTemplate = filepath.Join(baseDir, "clustercatalog-withlabel.yaml") - clusterextensionTemplate = filepath.Join(baseDir, "clusterextension-withselectorlabel.yaml") - saClusterRoleBindingOperandTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-operand-rbac.yaml") - saCrb = olmv1util.SaCLusterRolebindingDescription{ - Name: sa, - Namespace: ns, - RBACObjects: []olmv1util.ChildResource{ - {Kind: "RoleBinding", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role-binding", sa)}}, - {Kind: "Role", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role", sa)}}, - {Kind: "ClusterRoleBinding", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole-binding", sa), - fmt.Sprintf("%s-installer-clusterrole-binding", sa)}}, - {Kind: "ClusterRole", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole", sa), - fmt.Sprintf("%s-installer-clusterrole", sa)}}, - {Kind: "ServiceAccount", Ns: ns, Names: []string{sa}}, - }, - Kinds: "okv68937s", - Template: saClusterRoleBindingOperandTemplate, - } - clustercatalog = olmv1util.ClusterCatalogDescription{ - Name: "clustercatalog-68937", - Imageref: "quay.io/olmqe/nginx-ok-index:vokv68937", - LabelValue: labelValue, - Template: clustercatalogTemplate, - } - ceInsufficient = olmv1util.ClusterExtensionDescription{ - Name: "insufficient-68937", - PackageName: "nginx-ok-v68937", - Channel: "alpha", - Version: ">=0.0.1", - InstallNamespace: ns, - SaName: sa, - LabelValue: labelValue, - Template: clusterextensionTemplate, - } + caseID = "68937" + ns = "ns-" + caseID + sa = caseID + labelValue = caseID + baseDir = exutil.FixturePath("testdata", "olm") + clustercatalogTemplate = filepath.Join(baseDir, 
"clustercatalog-withlabel.yaml") + clusterextensionTemplate = filepath.Join(baseDir, "clusterextension-withselectorlabel.yaml") + // Select template based on Boxcutter runtime feature gate + saClusterRoleBindingOperandTemplate string ) + // Use Boxcutter template if BoxcutterRuntime is enabled, otherwise use Helm template + if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") { + saClusterRoleBindingOperandTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-operand-rbac-boxcutter.yaml") + } else { + saClusterRoleBindingOperandTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-operand-rbac.yaml") + } + + saCrb := olmv1util.SaCLusterRolebindingDescription{ + Name: sa, + Namespace: ns, + RBACObjects: []olmv1util.ChildResource{ + {Kind: "RoleBinding", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role-binding", sa)}}, + {Kind: "Role", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role", sa)}}, + {Kind: "ClusterRoleBinding", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole-binding", sa), + fmt.Sprintf("%s-installer-clusterrole-binding", sa)}}, + {Kind: "ClusterRole", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole", sa), + fmt.Sprintf("%s-installer-clusterrole", sa)}}, + {Kind: "ServiceAccount", Ns: ns, Names: []string{sa}}, + }, + Kinds: "okv68937s", + Template: saClusterRoleBindingOperandTemplate, + } + clustercatalog := olmv1util.ClusterCatalogDescription{ + Name: "clustercatalog-68937", + Imageref: "quay.io/olmqe/nginx-ok-index:vokv68937", + LabelValue: labelValue, + Template: clustercatalogTemplate, + } + ceInsufficient := olmv1util.ClusterExtensionDescription{ + Name: "insufficient-68937", + PackageName: "nginx-ok-v68937", + Channel: "alpha", + Version: ">=0.0.1", + InstallNamespace: ns, + SaName: sa, + LabelValue: labelValue, + Template: clusterextensionTemplate, + } + g.By("Create namespace") defer func() { _ = oc.WithoutNamespace().AsAdmin().Run("delete").Args("ns", ns, "--ignore-not-found", 
"--force").Execute() @@ -300,8 +330,11 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh defer ceInsufficient.Delete(oc) _ = ceInsufficient.CreateWithoutCheck(oc) if olmv1util.IsFeaturegateEnabled(oc, "NewOLMPreflightPermissionChecks") { + // Env2 (Helm, preflight) or Env3 (Boxcutter, preflight): Both return same preflight error ceInsufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "pre-authorization failed", 10, 60, 0) } else { + // Env1 (Helm, no preflight) or Env4 (Boxcutter, no preflight): Both return K8s API RBAC error + // The specific error message is the same for both runtimes when encountering the same permission issue ceInsufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "permissions not currently held", 10, 60, 0) } 
@@ -371,60 +404,70 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh exutil.SkipForSNOCluster(oc) olmv1util.ValidateAccessEnvironment(oc) var ( - caseID = "75492" - ns = "ns-" + caseID - sa = "sa" + caseID - labelValue = caseID - catalogName = "clustercatalog-" + caseID - ceInsufficientName = "ce-insufficient-" + caseID - ceWrongSaName = "ce-wrongsa-" + caseID - baseDir = exutil.FixturePath("testdata", "olm") - clustercatalogTemplate = filepath.Join(baseDir, "clustercatalog-withlabel.yaml") - clusterextensionTemplate = filepath.Join(baseDir, "clusterextension-withselectorlabel.yaml") - saClusterRoleBindingTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-bundle.yaml") - saCrb = olmv1util.SaCLusterRolebindingDescription{ - Name: sa, - Namespace: ns, - RBACObjects: []olmv1util.ChildResource{ - {Kind: "RoleBinding", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role-binding", sa)}}, - {Kind: "Role", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role", sa)}}, - {Kind: "ClusterRoleBinding", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole-binding", sa), - fmt.Sprintf("%s-installer-clusterrole-binding", sa)}}, - {Kind: "ClusterRole", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole", sa), - fmt.Sprintf("%s-installer-clusterrole", sa)}}, - {Kind: "ServiceAccount", Ns: ns, Names: []string{sa}}, - }, - Kinds: "okv3277775492s", - Template: saClusterRoleBindingTemplate, - } - clustercatalog = olmv1util.ClusterCatalogDescription{ - Name: catalogName, - Imageref: "quay.io/olmqe/nginx-ok-index:vokv3283", - LabelValue: labelValue, - Template: clustercatalogTemplate, - } - ce75492Insufficient = olmv1util.ClusterExtensionDescription{ - Name: ceInsufficientName, - PackageName: "nginx-ok-v3277775492", - Channel: "alpha", - Version: ">=0.0.1", - InstallNamespace: ns, - SaName: sa, - LabelValue: labelValue, - Template: clusterextensionTemplate, - } - ce75492WrongSa = 
olmv1util.ClusterExtensionDescription{ - Name: ceWrongSaName, - PackageName: "nginx-ok-v3277775492", - Channel: "alpha", - Version: ">=0.0.1", - InstallNamespace: ns, - SaName: sa + "1", - LabelValue: labelValue, - Template: clusterextensionTemplate, - } + caseID = "75492" + ns = "ns-" + caseID + sa = "sa" + caseID + labelValue = caseID + catalogName = "clustercatalog-" + caseID + ceInsufficientName = "ce-insufficient-" + caseID + ceWrongSaName = "ce-wrongsa-" + caseID + baseDir = exutil.FixturePath("testdata", "olm") + clustercatalogTemplate = filepath.Join(baseDir, "clustercatalog-withlabel.yaml") + clusterextensionTemplate = filepath.Join(baseDir, "clusterextension-withselectorlabel.yaml") + // Select template based on Boxcutter runtime feature gate + saClusterRoleBindingTemplate string ) + // Use Boxcutter template if BoxcutterRuntime is enabled, otherwise use Helm template + // Note: Both templates have the same content for this test (both lack finalizers permissions) + if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") { + saClusterRoleBindingTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-bundle-boxcutter.yaml") + } else { + saClusterRoleBindingTemplate = filepath.Join(baseDir, "sa-nginx-insufficient-bundle.yaml") + } + + saCrb := olmv1util.SaCLusterRolebindingDescription{ + Name: sa, + Namespace: ns, + RBACObjects: []olmv1util.ChildResource{ + {Kind: "RoleBinding", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role-binding", sa)}}, + {Kind: "Role", Ns: ns, Names: []string{fmt.Sprintf("%s-installer-role", sa)}}, + {Kind: "ClusterRoleBinding", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole-binding", sa), + fmt.Sprintf("%s-installer-clusterrole-binding", sa)}}, + {Kind: "ClusterRole", Ns: "", Names: []string{fmt.Sprintf("%s-installer-rbac-clusterrole", sa), + fmt.Sprintf("%s-installer-clusterrole", sa)}}, + {Kind: "ServiceAccount", Ns: ns, Names: []string{sa}}, + }, + Kinds: "okv3277775492s", + Template: 
saClusterRoleBindingTemplate, + } + clustercatalog := olmv1util.ClusterCatalogDescription{ + Name: catalogName, + Imageref: "quay.io/olmqe/nginx-ok-index:vokv3283", + LabelValue: labelValue, + Template: clustercatalogTemplate, + } + ce75492Insufficient := olmv1util.ClusterExtensionDescription{ + Name: ceInsufficientName, + PackageName: "nginx-ok-v3277775492", + Channel: "alpha", + Version: ">=0.0.1", + InstallNamespace: ns, + SaName: sa, + LabelValue: labelValue, + Template: clusterextensionTemplate, + } + ce75492WrongSa := olmv1util.ClusterExtensionDescription{ + Name: ceWrongSaName, + PackageName: "nginx-ok-v3277775492", + Channel: "alpha", + Version: ">=0.0.1", + InstallNamespace: ns, + SaName: sa + "1", + LabelValue: labelValue, + Template: clusterextensionTemplate, + } + g.By("Create namespace") defer func() { _ = oc.WithoutNamespace().AsAdmin().Run("delete").Args("ns", ns, "--ignore-not-found", "--force").Execute() 
@@ -445,31 +488,83 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh defer ce75492Insufficient.Delete(oc) _ = ce75492Insufficient.CreateWithoutCheck(oc) if olmv1util.IsFeaturegateEnabled(oc, "NewOLMPreflightPermissionChecks") { + // Env2 (Helm, preflight) or Env3 (Boxcutter, preflight): Both return same preflight error ce75492Insufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "pre-authorization failed", 10, 60, 0) } else { - ce75492Insufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "could not get information about the resource CustomResourceDefinition", 10, 60, 0) + // Env1 (Helm, no preflight) or Env4 (Boxcutter, no preflight) + // Error checking order differs between runtimes: + // - Helm (Env1): may encounter CRD creation errors first + // - Boxcutter (Env4): encounters privilege escalation errors first + if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") { + // Env4: Boxcutter encounters privilege escalation error (missing namespace permissions) + ce75492Insufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "is attempting to grant RBAC permissions not currently held", 10, 60, 0) + } else { + // Env1: Helm may encounter CRD-related errors + ce75492Insufficient.CheckClusterExtensionCondition(oc, "Progressing", "message", "could not get information about the resource CustomResourceDefinition", 10, 60, 0) + } } g.By("check wrong sa") defer ce75492WrongSa.Delete(oc) _ = ce75492WrongSa.CreateWithoutCheck(oc) - ce75492WrongSa.CheckClusterExtensionCondition(oc, "Installed", "message", "not found", 10, 60, 0) + // IMPORTANT: Non-existent SA error behavior difference between Helm and Boxcutter runtimes. 
+ // This is a KNOWN ISSUE documented in https://github.com/openshift/cluster-olm-operator/pull/163#issuecomment-3842361284 + // + // Current behavior: + // - Boxcutter + Preflight (Env3): Returns "pre-authorization failed" (SA validated during token creation) + // - Boxcutter + No Preflight (Env4): Returns "not found" (SA validation happens at runtime) + // - Helm runtime (Env1/Env2): Returns "not found" regardless of preflight setting + // + // Root cause: Boxcutter applier does not use scoped client to create revisions. + // The "service account not found" error comes from token getter, which doesn't get called + // for the revision creation operation in Boxcutter without preflight. + // + // Potential future fixes (under discussion): + // 1. Use scoped client - breaking change, requires adding clusterextensionrevision permissions to SA + // 2. Have boxcutter applier check SA existence explicitly + // 3. Move SA check to clusterextension reconciliation pipeline (affects all appliers) + // + // TODO: Update these error expectations when the upstream fix is implemented. + // The expected behavior should be consistent across all runtimes. 
+ if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") { + if olmv1util.IsFeaturegateEnabled(oc, "NewOLMPreflightPermissionChecks") { + // Env3 (Boxcutter + Preflight): + // Preflight validates SA during token creation, returns pre-authorization error + ce75492WrongSa.CheckClusterExtensionCondition(oc, "Progressing", "message", "pre-authorization failed", 10, 60, 0) + } else { + // Env4 (Boxcutter + No Preflight): + // No preflight, SA validation happens at runtime, returns "not found" error + ce75492WrongSa.CheckClusterExtensionCondition(oc, "Progressing", "message", "not found", 10, 60, 0) + } + } else { + // Env1 or Env2 (Helm runtime): + // Helm runtime discovers SA not found at runtime, regardless of preflight setting + ce75492WrongSa.CheckClusterExtensionCondition(oc, "Installed", "message", "not found", 10, 60, 0) + } }) g.It("PolarionID:75493-[OTP][Level0]cluster extension can be installed with enough permission sa", g.Label("original-name:[sig-olmv1][Jira:OLM] clusterextension PolarionID:75493-[Skipped:Disconnected]cluster extension can be installed with enough permission sa"), func() { exutil.SkipForSNOCluster(oc) olmv1util.ValidateAccessEnvironment(oc) var ( - caseID = "75493" - ns = "ns-" + caseID - sa = "sa" + caseID - labelValue = caseID - catalogName = "clustercatalog-" + caseID - ceSufficientName = "ce-sufficient" + caseID - baseDir = exutil.FixturePath("testdata", "olm") - clustercatalogTemplate = filepath.Join(baseDir, "clustercatalog-withlabel.yaml") - clusterextensionTemplate = filepath.Join(baseDir, "clusterextension-withselectorlabel.yaml") - saClusterRoleBindingTemplate = filepath.Join(baseDir, "sa-nginx-limited.yaml") - saCrb = olmv1util.SaCLusterRolebindingDescription{ + caseID = "75493" + ns = "ns-" + caseID + sa = "sa" + caseID + labelValue = caseID + catalogName = "clustercatalog-" + caseID + ceSufficientName = "ce-sufficient" + caseID + baseDir = exutil.FixturePath("testdata", "olm") + clustercatalogTemplate = 
filepath.Join(baseDir, "clustercatalog-withlabel.yaml") + clusterextensionTemplate = filepath.Join(baseDir, "clusterextension-withselectorlabel.yaml") + // Select template based on runtime: Boxcutter needs clusterextensionrevisions/finalizers, Helm needs clusterextensions/finalizers + saTemplate string + ) + if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") { + saTemplate = filepath.Join(baseDir, "sa-nginx-limited-boxcutter.yaml") + } else { + saTemplate = filepath.Join(baseDir, "sa-nginx-limited.yaml") + } + var ( + saCrb = olmv1util.SaCLusterRolebindingDescription{ Name: sa, Namespace: ns, RBACObjects: []olmv1util.ChildResource{ @@ -482,7 +577,7 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh {Kind: "ServiceAccount", Ns: ns, Names: []string{sa}}, }, Kinds: "okv3277775493s", - Template: saClusterRoleBindingTemplate, + Template: saTemplate, } clustercatalog = olmv1util.ClusterCatalogDescription{ Name: catalogName, 
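Review bot: In the new Boxcutter-without-preflight branch of the wrong-SA check, `ce75492WrongSa.CheckClusterExtensionCondition(oc, "Progressing", "message", "not found", 10, 60, 0)` matches only the substring `not found`, which a missing package, catalog or CRD would produce just as well, so the test can pass without proving that the reference to a non-existent service account is what was rejected; asserting that the message also names the missing account (`sa + "1"`) pins the check to the SA path. The Helm branch carried the same looseness before this change, but this branch is the one the known-issue comment expects to change, so it is the one most likely to mask a regression in the meantime. Later in the hunk the 75493 case names its fixture variable `saTemplate` while the three sibling cases keep the `saClusterRoleBinding…Template` naming, and the second `var (` block it opens continues past the hunk edge.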
@@ -607,8 +702,17 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh
 `Namespace:"" Verbs:[get] NonResourceURLs:[/metrics]`, 3, 150, 0)
 ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
 `Namespace:"ns-81538" APIGroups:[] Resources:[services] ResourceNames:[nginx-ok-v81538-controller-manager-metrics-service] Verbs:[delete,get,patch,update]`, 3, 150, 0)
- ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
- `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensions/finalizers] ResourceNames:[ce-81538] Verbs:[update]`, 3, 150, 0)
+ // Check finalizers permission based on Boxcutter runtime feature gate
+ if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") {
+ // Env3: Boxcutter with preflight - expects clusterextensionrevisions/finalizers
+ // Note: In Boxcutter, the ResourceName is the ClusterExtensionRevision name (ce-81538-1 for first revision)
+ ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
+ `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensionrevisions/finalizers] ResourceNames:[ce-81538-1] Verbs:[update]`, 3, 150, 0)
+ } else {
+ // Env2: Helm with preflight - expects clusterextensions/finalizers
+ ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
+ `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensions/finalizers] ResourceNames:[ce-81538] Verbs:[update]`, 3, 150, 0)
+ }
 
 g.By("generate rbac per missing rule and delete ce")
 jsonpath := fmt.Sprintf(`jsonpath={.status.conditions[?(@.type=="%s")].%s}`, "Progressing", "message")
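Review bot: The Boxcutter branch hard-codes the first revision in `ResourceNames:[ce-81538-1]`, so the assertion silently stops matching if a retry or leftover state bumps the ClusterExtensionRevision to `-2`; the assumption lives only in a comment, and if the revision name can be read from the ClusterExtension status, building the expected rule from it would make the test robust to a re-run. The two branches differ solely in the resource (`clusterextensionrevisions/finalizers` vs `clusterextensions/finalizers`) and the resource name, so one `fmt.Sprintf` template would replace the duplicated backtick strings, and the same applies to the identical blocks in the -708 and -828 hunks for ce-81664 and ce-81696. The enclosing test body starts and ends outside the hunk.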
@@ -708,8 +812,17 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh
 `Namespace:"" Verbs:[get] NonResourceURLs:[/metrics]`, 3, 150, 0)
 ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
 `Namespace:"ns-81664" APIGroups:[] Resources:[services] ResourceNames:[nginx-ok-v81664-controller-manager-metrics-service] Verbs:[delete,get,patch,update]`, 3, 150, 0)
- ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
- `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensions/finalizers] ResourceNames:[ce-81664] Verbs:[update]`, 3, 150, 0)
+ // Check finalizers permission based on Boxcutter runtime feature gate
+ if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") {
+ // Env3: Boxcutter with preflight - expects clusterextensionrevisions/finalizers
+ // Note: In Boxcutter, the ResourceName is the ClusterExtensionRevision name (ce-81664-1 for first revision)
+ ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
+ `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensionrevisions/finalizers] ResourceNames:[ce-81664-1] Verbs:[update]`, 3, 150, 0)
+ } else {
+ // Env2: Helm with preflight - expects clusterextensions/finalizers
+ ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
+ `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensions/finalizers] ResourceNames:[ce-81664] Verbs:[update]`, 3, 150, 0)
+ }
 
 g.By("generate rbac per missing rule and delete ce")
 jsonpath := fmt.Sprintf(`jsonpath={.status.conditions[?(@.type=="%s")].%s}`, "Progressing", "message")
@@ -828,8 +941,17 @@ var _ = g.Describe("[sig-olmv1][Jira:OLM] clusterextension", g.Label("NonHyperSh
 `Namespace:"" Verbs:[get] NonResourceURLs:[/metrics]`, 3, 150, 0)
 ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
 `Namespace:"ns-81696" APIGroups:[] Resources:[services] ResourceNames:[nginx-ok-v81696-controller-manager-metrics-service] Verbs:[delete,get,patch,update]`, 3, 150, 0)
- ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
- `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensions/finalizers] ResourceNames:[ce-81696] Verbs:[update]`, 3, 150, 0)
+ // Check finalizers permission based on Boxcutter runtime feature gate
+ if olmv1util.IsFeaturegateEnabled(oc, "NewOLMBoxCutterRuntime") {
+ // Env3: Boxcutter with preflight - expects clusterextensionrevisions/finalizers
+ // Note: In Boxcutter, the ResourceName is the ClusterExtensionRevision name (ce-81696-1 for first revision)
+ ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
+ `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensionrevisions/finalizers] ResourceNames:[ce-81696-1] Verbs:[update]`, 3, 150, 0)
+ } else {
+ // Env2: Helm with preflight - expects clusterextensions/finalizers
+ ce.CheckClusterExtensionCondition(oc, "Progressing", "message",
+ `Namespace:"" APIGroups:[olm.operatorframework.io] Resources:[clusterextensions/finalizers] ResourceNames:[ce-81696] Verbs:[update]`, 3, 150, 0)
+ }
 
 g.By("generate rbac per missing rule and delete ce")
 jsonpath := fmt.Sprintf(`jsonpath={.status.conditions[?(@.type=="%s")].%s}`, "Progressing", "message")
diff --git a/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-bundle-boxcutter.yaml b/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-bundle-boxcutter.yaml
new file mode 100644
index 000000000..6fd8cf7bb
--- /dev/null
+++ b/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-bundle-boxcutter.yaml
@@ -0,0 +1,198 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: olmv1-sa-nginx-insufficient-bundle-boxcutter-template +objects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-clusterrole" + rules: + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [get, list, watch, update, patch, delete] + # resourceNames: + # - nginx-ok-v3283-754-15pkpuong3owt1jn01uoyj8lm6p8jlxh03kuouq67dmv + # - nginx-ok-v3283-754-2r5zqsa9t9nk0tln1f8x36ws3ks9r8cgwi70s2dgnl82 + # - nginx-ok-v3283-75493-metrics-reader + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [get, list, watch, update, patch, delete] + # resourceNames: + # - nginx-ok-v3283-754-15pkpuong3owt1jn01uoyj8lm6p8jlxh03kuouq67dmv + # - nginx-ok-v3283-754-2r5zqsa9t9nk0tln1f8x36ws3ks9r8cgwi70s2dgnl82 + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "${NAME}-installer-role" + namespace: "${NAMESPACE}" + rules: + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, delete] + # resourceNames: [nginx-ok-v3283-75493-controller-manager] + # - apiGroups: [""] + # resources: [serviceaccounts] + # verbs: [create] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + # 
resourceNames: [nginx-ok-v3283-75493-controller-manager-metrics-service] + - apiGroups: [""] + resources: [services] + verbs: [create] + - apiGroups: [apps] + resources: [deployments] + verbs: [get, list, watch, create, update, patch, delete] + # resourceNames: [nginx-ok-v3283-75493-controller-manager] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${NAME}-installer-role-binding" + namespace: "${NAMESPACE}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "${NAME}-installer-role" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-rbac-clusterrole" + rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + - pods + - pods/exec + - pods/log + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cache.example.com + resources: + - "${KINDS}" + - "${KINDS}/status" + - "${KINDS}/finalizers" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - nonResourceURLs: + - /metrics + verbs: + - get + - apiVersion: rbac.authorization.k8s.io/v1 + kind: 
ClusterRoleBinding + metadata: + name: "${NAME}-installer-rbac-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-rbac-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" +parameters: + - name: NAME + - name: NAMESPACE + - name: KINDS diff --git a/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml b/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml new file mode 100644 index 000000000..84b673ae7 --- /dev/null +++ b/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-operand-clusterrole-boxcutter.yaml 
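Review bot: In `${NAME}-installer-role`, the `services` and `deployments` rules that already grant `create` alongside get/list/watch/update/patch/delete are each followed by a second `create`-only rule, so those extra rules are dead, and the commented-out `resourceNames` blocks and the commented-out `serviceaccounts` create rule leave a reader guessing whether name-scoping was meant to be switched back on. Because this fixture exists to exercise an insufficient-permission path, a header comment naming the permission that is deliberately absent would make the gap auditable — the Go side calls it finalizers in one place and namespace permissions in another. That comment would also make clear that the unscoped cluster-wide write access to `clusterroles`/`clusterrolebindings`, and the `secrets`/`pods/exec` grant in `${NAME}-installer-rbac-clusterrole`, are intentional for the test rather than an accidental over-grant.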
@@ -0,0 +1,185 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: olmv1-sa-nginx-insufficient-operand-clusterrole-boxcutter-template +objects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-clusterrole" + rules: + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [create, list, watch] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "${NAME}-installer-role" + namespace: "${NAMESPACE}" + rules: + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [create] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, update, patch, delete] 
+ - apiGroups: [""] + resources: [services] + verbs: [create] + - apiGroups: [apps] + resources: [deployments] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${NAME}-installer-role-binding" + namespace: "${NAMESPACE}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "${NAME}-installer-role" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-rbac-clusterrole" + rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cache.example.com + resources: + - "${KINDS}" + - "${KINDS}/status" + - "${KINDS}/finalizers" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - nonResourceURLs: + - /metrics + verbs: + - get + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-rbac-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-rbac-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" +parameters: + 
- name: NAME + - name: NAMESPACE + - name: KINDS diff --git a/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac-boxcutter.yaml b/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac-boxcutter.yaml new file mode 100644 index 000000000..8b6e52000 --- /dev/null +++ b/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac-boxcutter.yaml 
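Review bot: The installer ClusterRole in this template has no `olm.operatorframework.io` rule, whereas the sibling `...-insufficient-operand-rbac-boxcutter` and `...-limited-boxcutter` templates in this commit open their installer ClusterRole with `clusterextensionrevisions/finalizers` `update`; if this fixture is meant to exercise only the missing operand-ClusterRole permissions, the install may fail earlier on the finalizer update and the negative assertion would pass for the wrong reason, so either confirm that gap is deliberate or add `- apiGroups: [olm.operatorframework.io]` / `resources: [clusterextensionrevisions/finalizers]` / `verbs: [update]` to match. In the namespaced `${NAME}-installer-role`, the `deployments` rule `[get, list, watch, create, update, patch, delete]` is followed by a `[create]`-only rule it already contains; the `serviceaccounts` and `services` rules above it split non-create verbs from `create` (the shape used when the non-create rule is to be scoped with `resourceNames`), which suggests the first deployments rule was meant to be `[get, list, watch, update, patch, delete]`. The `NAME`, `NAMESPACE` and `KINDS` parameters carry no `required: true`, so an unset `KINDS` would presumably render the `cache.example.com` resources as `""`, `"/status"` and `"/finalizers"` and grant nothing silently instead of failing at `oc process`; adding `required: true` under each parameter makes a mis-invoked test fail loudly.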
@@ -0,0 +1,188 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: olmv1-sa-nginx-insufficient-operand-rbac-boxcutter-template +objects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-clusterrole" + rules: + - apiGroups: [olm.operatorframework.io] + resources: [clusterextensionrevisions/finalizers] + verbs: [update] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [create, list, watch] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "${NAME}-installer-role" + namespace: "${NAMESPACE}" + rules: + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + 
verbs: [create] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [services] + verbs: [create] + - apiGroups: [apps] + resources: [deployments] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${NAME}-installer-role-binding" + namespace: "${NAMESPACE}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "${NAME}-installer-role" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-rbac-clusterrole" + rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cache.example.com + resources: + - "${KINDS}" + - "${KINDS}/status" + - "${KINDS}/finalizers" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - nonResourceURLs: + - /metrics + verbs: + - get + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-rbac-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
"${NAME}-installer-rbac-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" +parameters: + - name: NAME + - name: NAMESPACE + - name: KINDS diff --git a/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-limited-boxcutter.yaml b/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-limited-boxcutter.yaml new file mode 100644 index 000000000..f8b117094 --- /dev/null +++ b/openshift/tests-extension/test/qe/testdata/olm/sa-nginx-limited-boxcutter.yaml 
@@ -0,0 +1,211 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: olmv1-sa-nginx-limited-template +objects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-clusterrole" + rules: + - apiGroups: [olm.operatorframework.io] + resources: [clusterextensionrevisions/finalizers] + verbs: [update] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [create, list, watch] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [""] + resources: [serviceaccounts/finalizers] + verbs: [update] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "${NAME}-installer-role" + namespace: "${NAMESPACE}" + rules: + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list, watch, create, update, patch, 
delete] + - apiGroups: [""] + resources: [serviceaccounts/finalizers] + verbs: [update] + - apiGroups: [""] + resources: [services] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [apps] + resources: [deployments] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "${NAME}-installer-role-binding" + namespace: "${NAMESPACE}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "${NAME}-installer-role" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "${NAME}-installer-rbac-clusterrole" + rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + - pods + - pods/exec + - pods/log + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cache.example.com + resources: + - "${KINDS}" + - "${KINDS}/status" + - "${KINDS}/finalizers" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - nonResourceURLs: + 
- /metrics + verbs: + - get + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "${NAME}-installer-rbac-clusterrole-binding" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "${NAME}-installer-rbac-clusterrole" + subjects: + - kind: ServiceAccount + name: "${NAME}" + namespace: "${NAMESPACE}" +parameters: + - name: NAME + - name: NAMESPACE + - name: KINDS
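Review bot: The template's `metadata.name` is `olmv1-sa-nginx-limited-template` while the file is `sa-nginx-limited-boxcutter.yaml` and the two sibling templates in this commit use a `-boxcutter-template` suffix; if a pre-existing non-boxcutter `sa-nginx-limited` template shares that name, creating both as Template objects in one namespace would collide, so rename it to `olmv1-sa-nginx-limited-boxcutter-template`. For a fixture described as limited, `${NAME}-installer-rbac-clusterrole` gives the installer SA cluster-wide `create, delete, get, list, patch, update, watch` on `secrets`, `pods`, `pods/exec` and `pods/log`, i.e. read-every-secret and exec-into-any-pod power; the installer must hold whatever the bundle's own ClusterRole requests to pass the RBAC escalation check, so if the nginx bundle (not visible here) only needs these in its install namespace, move that rule into a namespaced Role. The namespaced `${NAME}-installer-role` repeats `serviceaccounts`, `serviceaccounts/finalizers` and `services` rules that the cluster-scoped installer ClusterRole already grants in full, and its `deployments [create]` rule is subsumed by the full-verb rule above it, so those entries are dead weight. The `NAME`/`NAMESPACE`/`KINDS` parameters lack `required: true`; an unset `KINDS` would presumably render the `cache.example.com` resources as `""`, `"/status"` and `"/finalizers"` rather than failing `oc process`, so add `required: true` under each. The hunk appears to end with the parameters list, but nothing after `- name: KINDS` is visible.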