From 524ff21b7f0d8fcc11bbdcf8023c7803b63a0961 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Tue, 15 Jun 2021 11:17:59 -0400
Subject: [PATCH] TestServiceAccountPermissions: handle extra permissions on EKS

Signed-off-by: Monis Khan
---
 test/integration/rbac_test.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/test/integration/rbac_test.go b/test/integration/rbac_test.go
index e752e6a7..ffe7d71e 100644
--- a/test/integration/rbac_test.go
+++ b/test/integration/rbac_test.go
@@ -67,6 +67,15 @@ func TestServiceAccountPermissions(t *testing.T) {
 )
 }
 
+ crbs, err := library.NewKubernetesClientset(t).RbacV1().ClusterRoleBindings().List(ctx, metav1.ListOptions{LabelSelector: "eks.amazonaws.com/component=pod-security-policy"})
+ require.NoError(t, err)
+ if len(crbs.Items) > 0 {
+ expectedResourceRules = append(expectedResourceRules,
+ // EKS binds these to system:authenticated
+ authorizationv1.ResourceRule{Verbs: []string{"use"}, APIGroups: []string{"policy"}, Resources: []string{"podsecuritypolicies"}, ResourceNames: []string{"eks.privileged"}},
+ )
+ }
+
 expectedNonResourceRules := []authorizationv1.NonResourceRule{
 // system:public-info-viewer is bound to system:authenticated and system:unauthenticated by default
 {Verbs: []string{"get"}, NonResourceURLs: []string{"/healthz", "/livez", "/readyz", "/version", "/version/"}},
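Review bot: The `len(crbs.Items) > 0` check widens the expected permission baseline whenever any ClusterRoleBinding carries the label `eks.amazonaws.com/component=pod-security-policy`, without looking at the binding's subjects or roleRef, and the added lines do not document that assumption. Because this test pins which permissions the identity under test may hold, the allowance for `use` on the `eks.privileged` PodSecurityPolicy should say where it comes from and how it is detected. I would replace the short comment with something like `// EKS ships a ClusterRoleBinding with this label that lets system:authenticated use the eks.privileged PSP; the label is our only EKS signal, so the binding's subjects are not verified here`. Whether a cluster that has the label but not the grant then fails loudly depends on how `expectedResourceRules` is compared, which happens outside this hunk; the body of TestServiceAccountPermissions starts before and continues after the lines shown.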