
[BUG] `service_account_mapping` test does not fail if the CNF includes an auto-mounted service account.

Open HashNuke opened this issue 1 year ago • 2 comments

Describe the bug

service_account_mapping should fail if the CNF includes an auto-mounted service account.

CleanShot 2024-04-25 at 03 01 49@2x

Possible cause

When the resources for the CNF are collected, the Service Accounts are not collected.

  • CNFManager in the testsuite uses this helper function - Helm.all_workload_resources
    • https://github.com/cnf-testsuite/helm/blob/46b0c7f75a4bb6aac8318dc2c37daa875903ee2f/helm.cr#L160
  • The above function in turn uses KubectlClient::WORKLOAD_RESOURCES, which does not have Service Accounts listed.
    • https://github.com/cnf-testsuite/kubectl_client/blob/8d68ba21aec7a74058a3cd8c829e7dab36b79e1b/kubectl_client.cr#L10

KubectlClient::WORKLOAD_RESOURCES needs to be updated to include service accounts.

CleanShot 2024-04-25 at 03 08 08@2x

To reproduce

```
./cnf-testsuite cnf_setup cnf-config=./sample-cnfs/sample-service-accounts/cnf-testsuite.yml
./cnf-testsuite service_account_mapping
```

The test should fail, but it instead passes.

This output was from an upgraded kubescape version from another branch. But that shouldn't matter; it looks like the bug should be present in the main branch too.

HashNuke avatar Apr 24 '24 21:04 HashNuke
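The failure mode described in this issue, as an added example that is not part of the original post or the testsuite's code: a check that only sees the collected resources passes vacuously when ServiceAccount objects are filtered out, while a check that resolves each workload's ServiceAccount and fails closed does not. The kind filters, function names and manifests are hypothetical and constructed for illustration; the only Kubernetes behaviour relied on is that `automountServiceAccountToken` defaults to true and that the pod spec value overrides the ServiceAccount's.

```python
# Constructed sample manifests (not taken from the sample CNF in the issue).
MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "app-sa"}},  # field unset
    {"kind": "ServiceAccount", "metadata": {"name": "locked-sa"},
     "automountServiceAccountToken": False},
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"serviceAccountName": "app-sa"}}}},
    {"kind": "Deployment", "metadata": {"name": "worker"},
     "spec": {"template": {"spec": {"serviceAccountName": "locked-sa"}}}},
    {"kind": "Deployment", "metadata": {"name": "batch"},
     "spec": {"template": {"spec": {"serviceAccountName": "locked-sa",
                                    "automountServiceAccountToken": True}}}},
]
# Hypothetical kind filters standing in for a collector's resource list.
KINDS_WITHOUT_SA = {"Deployment", "StatefulSet", "DaemonSet"}
KINDS_WITH_SA = KINDS_WITHOUT_SA | {"ServiceAccount"}

def collect(manifests, kinds):
    return [m for m in manifests if m["kind"] in kinds]

def naive_verdict(resources):
    """Inspect only collected ServiceAccounts: passes vacuously when none were collected."""
    sas = [r for r in resources if r["kind"] == "ServiceAccount"]
    bad = [s for s in sas if s.get("automountServiceAccountToken", True)]
    return "failed" if bad else "passed"

def automount_findings(resources):
    """Return (mounted, unresolved) workload names."""
    sas = {r["metadata"]["name"]: r for r in resources if r["kind"] == "ServiceAccount"}
    mounted, unresolved = [], []
    for r in resources:
        if r["kind"] == "ServiceAccount":
            continue
        name, pod = r["metadata"]["name"], r["spec"]["template"]["spec"]
        if "automountServiceAccountToken" in pod:  # pod spec overrides the ServiceAccount
            if pod["automountServiceAccountToken"]:
                mounted.append(name)
            continue
        sa = sas.get(pod.get("serviceAccountName", "default"))
        if sa is None:
            unresolved.append(name)  # ServiceAccount was never collected
        elif sa.get("automountServiceAccountToken", True):  # Kubernetes default is true
            mounted.append(name)
    return mounted, unresolved

def strict_verdict(resources):
    """Fail closed: an unresolved ServiceAccount counts as a failure, not a pass."""
    mounted, unresolved = automount_findings(resources)
    return "failed" if mounted or unresolved else "passed"
```

With the filter that omits ServiceAccount, `naive_verdict` reports "passed" for these manifests, which is the symptom reported above; `strict_verdict` reports "failed" under either filter.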

This is fixed in #2004 to help the build pass.

HashNuke avatar Apr 25 '24 08:04 HashNuke

The dependency kubectl_client had to be fixed. Will open a PR for that soon.

HashNuke avatar Apr 25 '24 08:04 HashNuke