TestServiceAccountPermissions: handle extra permissions on EKS

Signed-off-by: Monis Khan <mok@vmware.com>
Monis Khan 2021-06-15 11:17:59 -04:00
parent 913c140be8
commit 524ff21b7f
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8


@ -67,6 +67,15 @@ func TestServiceAccountPermissions(t *testing.T) {
) )
} }
crbs, err := library.NewKubernetesClientset(t).RbacV1().ClusterRoleBindings().List(ctx, metav1.ListOptions{LabelSelector: "eks.amazonaws.com/component=pod-security-policy"})
require.NoError(t, err)
if len(crbs.Items) > 0 {
expectedResourceRules = append(expectedResourceRules,
// EKS binds these to system:authenticated
authorizationv1.ResourceRule{Verbs: []string{"use"}, APIGroups: []string{"policy"}, Resources: []string{"podsecuritypolicies"}, ResourceNames: []string{"eks.privileged"}},
)
}
expectedNonResourceRules := []authorizationv1.NonResourceRule{ expectedNonResourceRules := []authorizationv1.NonResourceRule{
// system:public-info-viewer is bound to system:authenticated and system:unauthenticated by default // system:public-info-viewer is bound to system:authenticated and system:unauthenticated by default
{Verbs: []string{"get"}, NonResourceURLs: []string{"/healthz", "/livez", "/readyz", "/version", "/version/"}}, {Verbs: []string{"get"}, NonResourceURLs: []string{"/healthz", "/livez", "/readyz", "/version", "/version/"}},
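Review bot: The `len(crbs.Items) > 0` guard accepts any ClusterRoleBinding carrying the `eks.amazonaws.com/component=pod-security-policy` label as proof that the extra rule applies, without checking that binding's subjects or roleRef. Because this test pins the exact set of permissions an identity is expected to hold, the exception that adds `use` on the `eks.privileged` PodSecurityPolicy should say why it is acceptable and who grants it. I would expand `// EKS binds these to system:authenticated` to something like `// EKS ships a default binding that grants system:authenticated "use" on the eks.privileged PSP; it comes from the platform and is detected here via the EKS component label`. If the intent is to allow the rule only when the group really is bound, the guard could also require a subject of kind Group named `system:authenticated` on one of the returned items before appending. The body of TestServiceAccountPermissions starts and ends outside this hunk, so how the expected rules are compared afterwards is not visible here.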