Type: Story
Resolution: Done
Priority: Major
13
Sprint: AppSvc Sprint 194, AppSvc Sprint 195, AppSvc Sprint 196, AppSvc Sprint 206
Description
- Binding data collection: if the user does not have permission to read the secrets, configmaps, CRs (and any other objects used in this context), do not allow the ServiceBindingRequest to proceed, and report an appropriate status/error message.
- Binding data injection: if the user does not have the privileges to create/edit secrets or to edit the application workload, do not allow the ServiceBindingRequest to proceed, and report an appropriate status/error message.
INITIAL WORK: https://github.com/sbose78/service-binding-admission-controller
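The two gates described above (refuse collection unless the requesting user can read every source object, refuse injection unless the user can write the binding Secret and the workload), as an added example in Go that is not the operator's code nor the linked prototype. It assumes the check is made with an authorization.k8s.io/v1 SubjectAccessReview (the function of that name renders the request body but does not send it), an offline RuleTable standing in for cluster RBAC, a CRD plural of `backends` for the Backend kind, and a namespace named `test-namespace`; the condition types and reasons follow the acceptance criteria below, while the exact message wording for the secrets case is constructed here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ResourceRef names one object the way a SubjectAccessReview does:
// API group, lowercase plural resource (e.g. "configmaps"), name, namespace.
type ResourceRef struct{ Group, Resource, Name, Namespace string }

// SubjectAccessReview renders the authorization.k8s.io/v1 body the operator POSTs to
// the API server to ask whether user may perform verb on ref (answer: status.allowed).
// Reviewing the requesting user rather than the operator's own service account is
// what stops the operator from becoming a privilege-escalation path.
func SubjectAccessReview(user, verb string, ref ResourceRef) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"apiVersion": "authorization.k8s.io/v1",
		"kind":       "SubjectAccessReview",
		"spec": map[string]interface{}{
			"user": user,
			"resourceAttributes": map[string]string{"namespace": ref.Namespace, "verb": verb,
				"group": ref.Group, "resource": ref.Resource, "name": ref.Name},
		},
	})
}

// AccessChecker is the yes/no the gates consume: in-cluster the review above,
// offline the RuleTable below (constructed RBAC rules for this example).
type AccessChecker func(user, verb string, ref ResourceRef) bool

// RuleTable grants verbs on resources; a rule with an empty Name covers every object.
type RuleTable []struct {
	User, Verb string
	Ref        ResourceRef
}

func (t RuleTable) Allowed(user, verb string, ref ResourceRef) bool {
	for _, r := range t {
		if r.User == user && r.Verb == verb && r.Ref.Group == ref.Group &&
			r.Ref.Resource == ref.Resource && r.Ref.Namespace == ref.Namespace &&
			(r.Ref.Name == "" || r.Ref.Name == ref.Name) {
			return true
		}
	}
	return false
}

// Condition is one entry of the ServiceBinding's status.conditions.
type Condition struct{ Type, Status, Reason, Message string }

// BindingRequest: requester, backing services, the secrets/configmaps those
// services reference through annotations, and the workload to patch.
type BindingRequest struct {
	User, Namespace      string
	Services, Referenced []ResourceRef
	Application          ResourceRef
}

// CheckCollection: binding data is read on the user's behalf only if the user
// could read every source object themselves.
func CheckCollection(can AccessChecker, req BindingRequest) Condition {
	for _, r := range append(append([]ResourceRef{}, req.Services...), req.Referenced...) {
		if !can(req.User, "get", r) {
			return Condition{"CollectionReady", "False", "NoReadPermissions",
				fmt.Sprintf("User '%s' has no read permission on %s '%s'", req.User, r.Resource, r.Name)}
		}
	}
	return Condition{Type: "CollectionReady", Status: "True"}
}

// CheckInjection: the binding Secret is written and the workload patched only
// if the user could perform those writes themselves.
func CheckInjection(can AccessChecker, req BindingRequest) Condition {
	if !can(req.User, "create", ResourceRef{Resource: "secrets", Namespace: req.Namespace}) {
		return Condition{"InjectionReady", "False", "NoModifyPermissions",
			fmt.Sprintf("User '%s' cannot create secrets in namespace '%s'", req.User, req.Namespace)}
	}
	if !can(req.User, "update", req.Application) {
		return Condition{"InjectionReady", "False", "NoModifyPermissions",
			fmt.Sprintf("User '%s' cannot modify application resource", req.User)}
	}
	return Condition{Type: "InjectionReady", Status: "True"}
}

// Evaluate runs both gates; injection is not attempted when nothing was collected.
func Evaluate(can AccessChecker, req BindingRequest) []Condition {
	conds := []Condition{CheckCollection(can, req)}
	if conds[0].Status == "True" {
		conds = append(conds, CheckInjection(can, req))
	}
	return conds
}

func main() {
	// constructed from the cmsa-1 scenario; CRD plural "backends" and the namespace are assumptions
	ns := "test-namespace"
	req := BindingRequest{User: "developer", Namespace: ns,
		Services:    []ResourceRef{{"stable.example.com", "backends", "cmsa-1-service", ns}},
		Referenced:  []ResourceRef{{"", "configmaps", "cmsa-1-configmap", ns}},
		Application: ResourceRef{"apps", "deployments", "cmsa-1", ns}}
	rbac := RuleTable{{"developer", "get", ResourceRef{"stable.example.com", "backends", "", ns}}}
	for _, c := range Evaluate(rbac.Allowed, req) { // developer may read the Backend, not the ConfigMap
		fmt.Printf("%s=%s %s: %s\n", c.Type, c.Status, c.Reason, c.Message)
	}
}
```

The ordering in `Evaluate` is deliberate: a failed read check short-circuits before any injection check, so a user who cannot read the source never gets a partially populated Secret, and the reported condition names the first object the user lacks access to rather than leaking which other objects exist.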
Acceptance Criteria
Feature: Forbid user to bind services to application
  if she/he does not have permissions to read binding data or
  modify application resource

  Background:
    Given Namespace [TEST_NAMESPACE] is used
    * Service Binding Operator is running

  Scenario: Service cannot be bound to application if user cannot read service resource
    Given OLM Operator "backend" is running
    * The Custom Resource is present
      """
      apiVersion: "stable.example.com/v1"
      kind: Backend
      metadata:
        name: backend-with-tag-sequence
      spec:
        host: example.common
        tags:
          - "centos7-12.3"
          - 123
      """
    * Generic test application "foo" is running
    * User 'developer' cannot read resource 'backend-with-tag-sequence'
    When user 'developer' applies Service Binding
      """
      apiVersion: operators.coreos.com/v1alpha1
      kind: ServiceBinding
      metadata:
        name: custom-env-var-from-sequence
      spec:
        application:
          name: foo
          group: apps
          version: v1
          resource: deployments
        services:
          - group: stable.example.com
            version: v1
            kind: Backend
            name: backend-with-tag-sequence
            id: backend
        customEnvVar:
          - name: TAGS
            value: '{{ .backend.spec.tags }}'
      """
    Then jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "False"
    And jq ".status.conditions[] | select(.type=="CollectionReady").reason" of Service Binding "custom-env-var-from-sequence" should be changed to "NoReadPermissions"
    And The application does not have access to env var "TAGS"

  Scenario: Service cannot be bound to application when user cannot read referred config map
    Given OLM Operator "backend" is running
    And Generic test application "cmsa-1" is running
    And The ConfigMap is present
      """
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: cmsa-1-configmap
      data:
        certificate: "certificate value"
      """
    And The Custom Resource is present
      """
      apiVersion: stable.example.com/v1
      kind: Backend
      metadata:
        name: cmsa-1-service
        annotations:
          service.binding/username: path={.status.data.dbConfiguration},objectType=ConfigMap,valueKey=username
      spec:
        image: docker.io/postgres
        imageName: postgres
        dbName: db-demo
      status:
        data:
          dbConfiguration: cmsa-1-configmap # ConfigMap
      """
    And user 'developer' has no read access to config map 'cmsa-1-configmap'
    When Service Binding is applied
      """
      apiVersion: operators.coreos.com/v1alpha1
      kind: ServiceBinding
      metadata:
        name: cmsa-1
      spec:
        services:
          - group: stable.example.com
            version: v1
            kind: Backend
            name: cmsa-1-service
        application:
          name: cmsa-1
          group: apps
          version: v1
          resource: deployments
      """
    Then The application cannot access env var "BACKEND_CERTIFICATE"
    And jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "cmsa-1" should be changed to "False"
    And jq ".status.conditions[] | select(.type=="CollectionReady").reason" of Service Binding "cmsa-1" should be changed to "NoReadPermissions"
    And jq ".status.conditions[] | select(.type=="CollectionReady").message" of Service Binding "cmsa-1" should be changed to "User 'developer' has no read permission on config map 'cmsa-1-configmap'"

  Scenario: Bind service to application after enabling user to read service resource
    Given OLM Operator "backend" is running
    * The Custom Resource is present
      """
      apiVersion: "stable.example.com/v1"
      kind: Backend
      metadata:
        name: backend-with-tag-sequence
      spec:
        host: example.common
        tags:
          - "centos7-12.3"
          - 123
      """
    * Generic test application "foo" is running
    * User 'developer' cannot read resource 'backend-with-tag-sequence'
    * user 'developer' applies Service Binding
      """
      apiVersion: operators.coreos.com/v1alpha1
      kind: ServiceBinding
      metadata:
        name: custom-env-var-from-sequence
      spec:
        application:
          name: foo
          group: apps
          version: v1
          resource: deployments
        services:
          - group: stable.example.com
            version: v1
            kind: Backend
            name: backend-with-tag-sequence
            id: backend
        customEnvVar:
          - name: TAGS
            value: '{{ .backend.spec.tags }}'
      """
    * jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "False"
    * jq ".status.conditions[] | select(.type=="CollectionReady").reason" of Service Binding "custom-env-var-from-sequence" should be changed to "NoReadPermissions"
    * The application does not have access to env var "TAGS"
    When User 'developer' gets rights to read resource 'backend-with-tag-sequence'
    Then The application env var "TAGS" has value "[centos7-12.3 123]"
    And jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "True"
    And jq ".status.conditions[] | select(.type=="InjectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "True"

  Scenario: Bind service to application after enabling user to read referred config map
    Given OLM Operator "backend" is running
    And Generic test application "cmsa-1" is running
    And The ConfigMap is present
      """
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: cmsa-1-configmap
      data:
        certificate: "certificate value"
      """
    And The Custom Resource is present
      """
      apiVersion: stable.example.com/v1
      kind: Backend
      metadata:
        name: cmsa-1-service
        annotations:
          service.binding/username: path={.status.data.dbConfiguration},objectType=ConfigMap,valueKey=username
      spec:
        image: docker.io/postgres
        imageName: postgres
        dbName: db-demo
      status:
        data:
          dbConfiguration: cmsa-1-configmap # ConfigMap
      """
    And user 'developer' has no read access to config map 'cmsa-1-configmap'
    When Service Binding is applied
      """
      apiVersion: operators.coreos.com/v1alpha1
      kind: ServiceBinding
      metadata:
        name: cmsa-1
      spec:
        services:
          - group: stable.example.com
            version: v1
            kind: Backend
            name: cmsa-1-service
        application:
          name: cmsa-1
          group: apps
          version: v1
          resource: deployments
      """
    * The application cannot access env var "BACKEND_CERTIFICATE"
    * jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "cmsa-1" should be changed to "False"
    * jq ".status.conditions[] | select(.type=="CollectionReady").reason" of Service Binding "cmsa-1" should be changed to "NoReadPermissions"
    * jq ".status.conditions[] | select(.type=="CollectionReady").message" of Service Binding "cmsa-1" should be changed to "User 'developer' has no read permission on config map 'cmsa-1-configmap'"
    When user 'developer' gets read access to config map 'cmsa-1-configmap'
    Then The application env var "BACKEND_CERTIFICATE" has value "certificate value"
    And jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "cmsa-1" should be changed to "True"
    And jq ".status.conditions[] | select(.type=="InjectionReady").status" of Service Binding "cmsa-1" should be changed to "True"

  Scenario: Service cannot be bound to application if user cannot modify application resource
    Given OLM Operator "backend" is running
    * The Custom Resource is present
      """
      apiVersion: "stable.example.com/v1"
      kind: Backend
      metadata:
        name: backend-with-tag-sequence
      spec:
        host: example.common
        tags:
          - "centos7-12.3"
          - 123
      """
    * Generic test application "foo" is running
    * User 'developer' cannot modify application resource 'foo'
    When user 'developer' applies Service Binding
      """
      apiVersion: operators.coreos.com/v1alpha1
      kind: ServiceBinding
      metadata:
        name: custom-env-var-from-sequence
      spec:
        application:
          name: foo
          group: apps
          version: v1
          resource: deployments
        services:
          - group: stable.example.com
            version: v1
            kind: Backend
            name: backend-with-tag-sequence
            id: backend
        customEnvVar:
          - name: TAGS
            value: '{{ .backend.spec.tags }}'
      """
    Then jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "True"
    And jq ".status.conditions[] | select(.type=="InjectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "False"
    And jq ".status.conditions[] | select(.type=="InjectionReady").reason" of Service Binding "custom-env-var-from-sequence" should be changed to "NoModifyPermissions"
    And jq ".status.conditions[] | select(.type=="InjectionReady").message" of Service Binding "custom-env-var-from-sequence" should be changed to "User 'developer' cannot modify application resource"
    And The application does not have access to env var "TAGS"

  Scenario: Bind service to application after enabling user to modify application resource
    Given OLM Operator "backend" is running
    * The Custom Resource is present
      """
      apiVersion: "stable.example.com/v1"
      kind: Backend
      metadata:
        name: backend-with-tag-sequence
      spec:
        host: example.common
        tags:
          - "centos7-12.3"
          - 123
      """
    * Generic test application "foo" is running
    * User 'developer' cannot modify application resource 'foo'
    When user 'developer' applies Service Binding
      """
      apiVersion: operators.coreos.com/v1alpha1
      kind: ServiceBinding
      metadata:
        name: custom-env-var-from-sequence
      spec:
        application:
          name: foo
          group: apps
          version: v1
          resource: deployments
        services:
          - group: stable.example.com
            version: v1
            kind: Backend
            name: backend-with-tag-sequence
            id: backend
        customEnvVar:
          - name: TAGS
            value: '{{ .backend.spec.tags }}'
      """
    * jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "True"
    * jq ".status.conditions[] | select(.type=="InjectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "False"
    * jq ".status.conditions[] | select(.type=="InjectionReady").reason" of Service Binding "custom-env-var-from-sequence" should be changed to "NoModifyPermissions"
    * jq ".status.conditions[] | select(.type=="InjectionReady").message" of Service Binding "custom-env-var-from-sequence" should be changed to "User 'developer' cannot modify application resource"
    * The application does not have access to env var "TAGS"
    When User 'developer' gets rights to modify application resource 'foo'
    Then The application env var "TAGS" has value "[centos7-12.3 123]"
    And jq ".status.conditions[] | select(.type=="CollectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "True"
    And jq ".status.conditions[] | select(.type=="InjectionReady").status" of Service Binding "custom-env-var-from-sequence" should be changed to "True"
Issue links
  duplicates
    APPSVC-29 (Spike) Investigate extending testing to verify security as handled by the Service Binding Operator (Closed)
  incorporates
    APPSVC-751 Service-Binding-Operator: Inter-Namespace Binding Support (Closed)
    APPSVC-866 Security model for cross namespace support (Closed)
  is blocked by
    APPSVC-809 Update ServiceBinding API group (Closed)
  is duplicated by
    APPSVC-20 [SPIKE] Service-Binding-Operator: Evaluate RBAC vs. Multi-Namespaces (Closed)
  is related to
    APPSVC-798 SPIKE: Testing under elevated credentials (Closed)
    APPSVC-866 Security model for cross namespace support (Closed)