eac7202774
This commit adds roles to kubernetes-keystone-webook policy which has permissions similar to clusterrols cluster-admin, edit and view present in kubernetes. Check.sh script is also modified to test and verify the new roles. Change-Id: I43621d2e1036259064c805d97b340589a5b68c93
156 lines
6.1 KiB
Bash
Executable File
156 lines
6.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright 2017 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
set -xe
|
|
|
|
export OS_CLOUD=openstack_helm
|
|
function keystone_token () {
|
|
openstack token issue -f value -c id
|
|
}
|
|
|
|
function report_failed_policy () {
|
|
echo "$1 was $2 to perform $3, which contradicts current policy"
|
|
exit 1
|
|
}
|
|
|
|
function test_user_is_authorized () {
|
|
TOKEN=$(keystone_token)
|
|
if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN $1 ; then
|
|
report_failed_policy "$OS_USERNAME" "not allowed" "$1"
|
|
fi
|
|
}
|
|
|
|
function test_user_is_unauthorized () {
|
|
TOKEN=$(keystone_token)
|
|
if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN $1 ; then
|
|
echo "Denied, as expected by policy"
|
|
else
|
|
report_failed_policy "$OS_USERNAME" "allowed" "$1"
|
|
fi
|
|
}
|
|
|
|
sudo cp -va $HOME/.kube/config /tmp/kubeconfig.yaml
|
|
sudo kubectl --kubeconfig /tmp/kubeconfig.yaml config unset users.kubernetes-admin
|
|
|
|
# Test
|
|
# This issues token with admin role
|
|
TOKEN=$(keystone_token)
|
|
kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods
|
|
kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods -n openstack
|
|
kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get secrets -n openstack
|
|
|
|
# This is used to grab a pod name for the following tests
|
|
TEST_POD="$(kubectl get pods -n openstack | awk 'NR==2{print $1}')"
|
|
|
|
# create users
|
|
openstack user create --or-show --password password admin_k8cluster_user
|
|
openstack user create --or-show --password password admin_k8cluster_edit_user
|
|
openstack user create --or-show --password password admin_k8cluster_view_user
|
|
|
|
# create project
|
|
openstack project create --or-show openstack-system
|
|
openstack project create --or-show demoProject
|
|
|
|
# create roles
|
|
openstack role create --or-show openstackRole
|
|
openstack role create --or-show kube-system-admin
|
|
openstack role create --or-show admin_k8cluster
|
|
openstack role create --or-show admin_k8cluster_editor
|
|
openstack role create --or-show admin_k8cluster_viewer
|
|
|
|
# assign user role to project
|
|
openstack role add --project openstack-system --user bob --project-domain default --user-domain ldapdomain openstackRole
|
|
openstack role add --project demoProject --user alice --project-domain default --user-domain ldapdomain kube-system-admin
|
|
openstack role add --project demoProject --user admin_k8cluster_user --project-domain default --user-domain default admin_k8cluster
|
|
openstack role add --project demoProject --user admin_k8cluster_edit_user --project-domain default --user-domain default admin_k8cluster_editor
|
|
openstack role add --project demoProject --user admin_k8cluster_view_user --project-domain default --user-domain default admin_k8cluster_viewer
|
|
|
|
unset OS_CLOUD
|
|
export OS_AUTH_URL="http://keystone.openstack.svc.cluster.local/v3"
|
|
export OS_IDENTITY_API_VERSION="3"
|
|
export OS_PROJECT_NAME="openstack-system"
|
|
export OS_PASSWORD="password"
|
|
export OS_USERNAME="bob"
|
|
export OS_USER_DOMAIN_NAME="ldapdomain"
|
|
|
|
# Create files for secret generation
|
|
echo -n 'admin' > /tmp/user.txt
|
|
echo -n 'password' > /tmp/pass.txt
|
|
|
|
# See this does fail as the policy does not allow for a non-admin user
|
|
TOKEN=$(keystone_token)
|
|
test_user_is_unauthorized "get pods"
|
|
|
|
export OS_USERNAME="alice"
|
|
export OS_PROJECT_NAME="demoProject"
|
|
test_user_is_unauthorized "get pods -n openstack"
|
|
|
|
export OS_USER_DOMAIN_NAME="default"
|
|
|
|
#admin_k8cluser_user
|
|
export OS_USERNAME="admin_k8cluster_user"
|
|
RESOURCES=("pods" "configmaps" "endpoints" "persistentvolumeclaims" \
|
|
"replicationcontrollers" "secrets" "serviceaccounts" \
|
|
"services" "events" "limitranges" "namespace" \
|
|
"replicationcontrollers" "resourcequotas" "daemonsets" \
|
|
"deployments" "replicasets" "statefulsets" "jobs" \
|
|
"cronjobs" "poddisruptionbudgets" "serviceaccounts" \
|
|
"networkpolicies" "horizontalpodautoscalers")
|
|
for r in "${RESOURCES[@]}" ; do
|
|
test_user_is_authorized "get $r"
|
|
done
|
|
|
|
test_user_is_authorized "create secret generic test-secret --from-file=/tmp/user.txt --from-file=/tmp/pass.txt"
|
|
test_user_is_authorized "delete secret test-secret"
|
|
|
|
#admin_k8cluster_edit_user
|
|
export OS_USERNAME="admin_k8cluster_edit_user"
|
|
RESOURCES=("pods" "configmaps" "endpoints" "persistentvolumeclaims" \
|
|
"replicationcontrollers" "secrets" "serviceaccounts" \
|
|
"services" "events" "limitranges" "namespace" \
|
|
"replicationcontrollers" "resourcequotas" "daemonsets" \
|
|
"deployments" "replicasets" "statefulsets" "jobs" \
|
|
"cronjobs" "poddisruptionbudgets" "serviceaccounts" \
|
|
"networkpolicies" "horizontalpodautoscalers")
|
|
for r in "${RESOURCES[@]}" ; do
|
|
test_user_is_authorized "get $r"
|
|
done
|
|
|
|
test_user_is_authorized "create secret generic test-secret --from-file=/tmp/user.txt --from-file=/tmp/pass.txt"
|
|
test_user_is_authorized "delete secret test-secret"
|
|
test_user_is_authorized "logs -n openstack $TEST_POD --tail=5"
|
|
|
|
test_user_is_unauthorized "create namespace test"
|
|
|
|
|
|
#admin_k8cluster_view_user
|
|
export OS_USERNAME="admin_k8cluster_view_user"
|
|
RESOURCES=("pods" "configmaps" "endpoints" "persistentvolumeclaims" \
|
|
"replicationcontrollers" "services" "serviceaccounts" \
|
|
"replicationcontrollers" "resourcequotas" "namespaces" \
|
|
"daemonsets" "deployments" "replicasets" "statefulsets" \
|
|
"poddisruptionbudgets" "networkpolicies")
|
|
for r in "${RESOURCES[@]}" ; do
|
|
test_user_is_authorized "get $r"
|
|
done
|
|
|
|
test_user_is_authorized "logs -n openstack $TEST_POD --tail=5"
|
|
|
|
test_user_is_unauthorized "delete pod $TEST_POD -n openstack"
|
|
test_user_is_unauthorized "create namespace test"
|
|
test_user_is_unauthorized "get secrets"
|
|
test_user_is_unauthorized "create secret generic test-secret --from-file=/tmp/user.txt --from-file=/tmp/pass.txt"
|