Task
Resolution: Done
RHDH Plugins 3272
Test the newly added kubernetes permissions kubernetes.clusters.read and kubernetes.resources.read with topology.
Automate test case
DEMO: https://github.com/backstage/community-plugins/pull/2998
Test instructions:
- Deploy an app for the Kubernetes and Topology plugins. Ensure the app carries the label:

    backstage.io/kubernetes-id: <APP_NAME>

- Create a catalog entity file to match the app:

    apiVersion: backstage.io/v1alpha1
    kind: Component
    metadata:
      name: <APP_NAME>
      title: <APP_NAME>
      annotations:
        backstage.io/kubernetes-id: <APP_NAME>
    spec:
      type: website
      system: janus-idp
      owner: janus-authors
      lifecycle: production
- Deploy RHDH
- Add an app-config containing an auth provider, the kubernetes configuration, a catalog location for the deployed app's component, a catalog location for the user that signs in, and the permission settings:

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: app-config-rhdh
      namespace: rhdh
    data:
      app-config-rhdh.yaml: |-
        auth:
          environment: development
          providers:
            github:
              development:
                clientId: ${GITHUB_APP_CLIENT_ID}
                clientSecret: ${GITHUB_APP_CLIENT_SECRET}
        catalog:
          import:
            entityFilename: catalog-info.yaml
            pullRequestBranchName: backstage-integration
          locations:
            - target: <URL_TO_APP_CATALOG_COMPONENT>
              type: url
            - target: <URL_TO_USER_CATALOG_COMPONENT>
              type: url
          rules:
            - allow:
                - Component
                - System
                - Group
                - Resource
                - Location
                - Template
                - API
                - User
                - Group
        kubernetes:
          serviceLocatorMethod:
            type: 'multiTenant'
          clusterLocatorMethods:
            - type: 'config'
              clusters:
                - name: ${K8S_CLUSTER_NAME}
                  url: ${K8S_CLUSTER_URL}
                  authProvider: 'serviceAccount'
                  # test-only: disables verification of the cluster API server certificate
                  skipTLSVerify: true
                  serviceAccountToken: ${K8S_CLUSTER_TOKEN}
        permission:
          enabled: true
          rbac:
            database:
              enabled: true
            policies-csv-file: ${PERMISSION_POLICY_PATH}
            admin:
              users:
                - name: ${PERMISSION_ADMIN}
- Create a Secret with the following keys:
  - GITHUB_APP_CLIENT_ID
  - GITHUB_APP_CLIENT_SECRET
  - K8S_CLUSTER_NAME
  - K8S_CLUSTER_URL
  - K8S_CLUSTER_TOKEN
  - PERMISSION_ADMIN set to user:default/<YOUR_USER>
- Upgrade the Helm Chart:
  - Enable the Kubernetes plugin (frontend and backend)
  - Enable the Topology plugin
  - Add the app-config
  - Add the secrets
Scenario one (deny when kubernetes.clusters.read and kubernetes.resources.read are not both allowed)
- Navigate to your component in the catalog
- Select Topology tab
- See Permission required alert
Scenario two (deny when only one of kubernetes.clusters.read and kubernetes.resources.read is allowed via UI)
- Navigate to rbac frontend
- Create role test and assign only one of kubernetes.clusters.read or kubernetes.resources.read permissions
- Navigate to your component in the catalog
- Select Topology tab
- See Permission required alert
Scenario three (allow when both kubernetes.clusters.read and kubernetes.resources.read permissions are granted, but deny pod logs without the kubernetes.proxy permission)
- Navigate to rbac frontend
- Create role test and assign both kubernetes.clusters.read and kubernetes.resources.read permissions
- Navigate to your component in the catalog
- Select Topology tab
- You are allowed to view topology data
- Select application
- Select the Resources tab on the side bar for the deployment
- Click view logs
- See Permission required alert
Scenario four (allow for kubernetes.clusters.read, kubernetes.resources.read, kubernetes.proxy)
- Navigate to rbac frontend
- Create role test and assign kubernetes.clusters.read and kubernetes.resources.read and kubernetes.proxy permissions
- Navigate to your component in the catalog
- Select Topology tab
- You are allowed to view topology data
- Select application
- Select the Resources tab on the side bar for the deployment
- Click view logs
- See Permission required alert
- See logs
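To automate the four scenarios, a test needs the policy rows that `policies-csv-file` loads for each one and the outcome the Topology tab is expected to show. The following is an added example, not code from this issue, the Backstage Kubernetes plugin or the RBAC plugin: it builds the Casbin-style policy CSV the RBAC plugin consumes (`p, <role>, <permission>, <action>, allow|deny` rows plus a `g, <user>, <role>` assignment), resolves which permissions a user ends up holding, and derives the expected result from the rule the scenarios describe (topology needs both read permissions, pod logs additionally need kubernetes.proxy). The user name `user:default/test-user`, the role name `role:default/test`, and the action names (`read` for the two read permissions, `use` for kubernetes.proxy) are assumptions.

```python
"""Added example (not part of the RHDH issue or the RBAC plugin's own code).

Generates the RBAC policy CSV for each Topology permission scenario and the
outcome an automated test should assert on.
"""
import csv
import io

# Permission name -> action used in the policy row.
# The action names are assumptions, not taken from the issue.
KUBERNETES_PERMISSIONS = {
    "kubernetes.clusters.read": "read",
    "kubernetes.resources.read": "read",
    "kubernetes.proxy": "use",
}

USER = "user:default/test-user"  # constructed; the issue uses user:default/<YOUR_USER>
ROLE = "role:default/test"       # the role the scenarios call "test"

# Permissions the "test" role holds in each scenario of the issue.
SCENARIOS = {
    "one": [],
    "two": ["kubernetes.clusters.read"],
    "three": ["kubernetes.clusters.read", "kubernetes.resources.read"],
    "four": ["kubernetes.clusters.read", "kubernetes.resources.read",
             "kubernetes.proxy"],
}


def policy_csv(role, user, permissions):
    """Build the policy file: one `p` row per granted permission and one `g`
    row assigning the user to the role. Unknown permission names are rejected
    so a typo cannot silently produce an empty (deny-everything) policy."""
    rows = []
    for perm in permissions:
        if perm not in KUBERNETES_PERMISSIONS:
            raise ValueError(f"unknown permission: {perm}")
        rows.append(f"p, {role}, {perm}, {KUBERNETES_PERMISSIONS[perm]}, allow")
    rows.append(f"g, {user}, {role}")
    return "\n".join(rows) + "\n"


def permissions_for(csv_text, user):
    """Resolve the permissions a user holds: user -> roles via `g` rows,
    roles -> permissions via `p` rows. A `deny` row beats an `allow` row
    for the same permission."""
    reader = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    rows = [r for r in reader if r]
    roles = {r[2] for r in rows if r[0] == "g" and r[1] == user}
    allowed, denied = set(), set()
    for r in rows:
        if r[0] != "p" or r[1] not in roles:
            continue
        (denied if r[4] == "deny" else allowed).add(r[2])
    return allowed - denied


def expected_topology_access(granted):
    """Rule the scenarios describe: the Topology tab requires both read
    permissions; viewing pod logs additionally requires kubernetes.proxy."""
    reads = {"kubernetes.clusters.read", "kubernetes.resources.read"}
    view_topology = reads <= granted
    view_logs = view_topology and "kubernetes.proxy" in granted
    return {"view_topology": view_topology, "view_logs": view_logs}


def run_scenario(name):
    """Policy file for the scenario -> permissions the user holds -> outcome."""
    text = policy_csv(ROLE, USER, SCENARIOS[name])
    return expected_topology_access(permissions_for(text, USER))


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"scenario {name}: {run_scenario(name)}")
```

Write the output of `policy_csv` for a scenario to the path that `PERMISSION_POLICY_PATH` points at, then sign in as the test user rather than the user named in `PERMISSION_ADMIN`: RBAC admin users hold every permission, so the deny cases in scenarios one to three cannot be observed with that account.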
Is depended on by: RHIDP-6616 [Test automation] Add permission support to RBAC plugin (Closed)