chainsaw
[Feature] Support switching to another service account user while testing
Problem Statement
I am currently testing a kyverno ClusterPolicy against a kind cluster using chainsaw. This specific policy is used to limit a service account user's permissions, e.g. creating namespaces but only when they start with chainsaw-test-* / create Roles & Rolebindings but only in namespaces with chainsaw-test-*. To test this policy I am using chainsaw to create the policy and the service account with necessary cluster roles and bindings. Then I need to switch my user to the created service account to test that the policy would actually prevent me from, e.g. creating a namespace with arbitrary name. I understand that this is a very specific case, but maybe it can be useful for any tests related to token users / service accounts.
Currently it is working like so:
```yaml
# Policy and service account users were created before
- name: Validate Policy error cases
  try:
  - script:
      content: |
        # Paste next two lines in script -> switch-to-chainsaw-sa-user.sh
        kubectl config set-credentials user --token=$(kubectl get secret chainsaw-test-secret -o json | jq -r '.data."token"' | base64 -d 2>/dev/null)
        kubectl config set-context --current --user=user
        kubectl apply -f ./tests/ns-invalid.yaml
      check:
        ($error != null): true
  - script:
      content: |
        ./switch-to-chainsaw-sa-user.sh
        kubectl apply -f ./tests/role-invalid.yaml
      check:
        ($error != null): true
  - script:
      content: |
        ./switch-to-chainsaw-sa-user.sh
        kubectl apply -f ./tests/rolebinding-invalid.yaml
      check:
        ($error != null): true
```
Conveniently, chainsaw somehow already handles the user switch only locally, meaning afterwards I am not locked out and do not have to reset to using the kind-kind user. It is inconvenient, however, that I always have to run the script for every step; also I cannot use chainsaw's `apply` on multiple YAML files as I would normally do to test error cases (on all files matching "*-invalid.yaml"). Mostly I also have to clean up myself and cannot use chainsaw's automatic @cleanup step.
Solution Description
Either implement a functionality so that you can switch to another user or similar to the "cluster" keyword you could use a keyword "service-account" attached to chainsaw operations to make clear this should run using the service account / or the secret token used in the service account.
Alternatives
I have tried before to use the following, which would be overridden, however, by the admin user that is still configured in the kubeconfig.
```sh
kubectl --token=$TOKEN some commands
```
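An added example of what `switch-to-chainsaw-sa-user.sh` could look like (not the issue's own script and not part of chainsaw): it writes the service account into a separate kubeconfig instead of editing the current context, so the admin user from the default kubeconfig is never in play, and it refuses to continue when the token is empty. It assumes the `kind-kind` cluster and the `chainsaw-test-secret` secret from above, that the kind kubeconfig carries `certificate-authority-data`, and uses kubectl's jsonpath output in place of jq.

```shell
# Added example for switch-to-chainsaw-sa-user.sh; not code from the issue or from chainsaw.
# Writes the service account into its own kubeconfig instead of editing the current
# context, so the admin user from the default kubeconfig can never override the token.
set -eu

# Decode a base64 token from stdin (the .data.token field of the secret) and fail
# instead of silently configuring an empty credential when the secret is missing.
decode_sa_token() {
  token=$(base64 -d 2>/dev/null | tr -d '\n')
  [ -n "$token" ] || { echo "service account token is empty" >&2; return 1; }
  printf '%s' "$token"
}

# Write a minimal kubeconfig holding only the cluster and the service account user.
# Arguments: output path, API server URL, base64 CA data, bearer token.
write_sa_kubeconfig() {
  out=$1 server=$2 cadata=$3 token=$4
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kind-kind
  cluster:
    server: $server
    certificate-authority-data: $cadata
users:
- name: chainsaw-sa
  user:
    token: $token
contexts:
- name: chainsaw-sa
  context:
    cluster: kind-kind
    user: chainsaw-sa
current-context: chainsaw-sa
EOF
  chmod 600 "$out"   # the file carries a bearer token
}

# Cluster-bound entry point (assumed names from the issue): reads the kind-kind cluster
# details from the admin kubeconfig and the token from the chainsaw-test-secret secret.
switch_to_chainsaw_sa() {
  out=${1:-$PWD/chainsaw-sa.kubeconfig}
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  cadata=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  token=$(kubectl get secret chainsaw-test-secret -o jsonpath='{.data.token}' | decode_sa_token)
  write_sa_kubeconfig "$out" "$server" "$cadata" "$token"
  printf '%s\n' "$out"
}
```

A test step can then run `KUBECONFIG=$(switch_to_chainsaw_sa) kubectl apply -f ./tests/ns-invalid.yaml`, and the admin context stays untouched for the cleanup that follows.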
Research
- [X] I have searched other issues in this repository and mine is not recorded.