Task
Resolution: Done
RHDH Plugins 3272
Test the newly added Kubernetes permissions kubernetes.clusters.read and kubernetes.resources.read with the Kubernetes plugin.
Automate test case
DEMO (only the Kubernetes tab part): https://github.com/backstage/community-plugins/pull/2942
https://github.com/backstage/backstage/pull/27499
Test instructions:
Deploy an app for the Kubernetes plugin
Ensure the label
    backstage.io/kubernetes-id: <APP_NAME>
Create a catalog entity file to match the app
    apiVersion: backstage.io/v1alpha1
    kind: Component
    metadata:
      name: <APP_NAME>
      title: <APP_NAME>
      annotations:
        backstage.io/kubernetes-id: <APP_NAME>
    spec:
      type: website
      system: janus-idp
      owner: janus-authors
      lifecycle: production
Deploy RHDH
Add an app config with the following. It needs an auth provider, Kubernetes, a catalog component for the deployed app, a catalog user for the user to sign in as, and permissions:
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: app-config-rhdh
      namespace: rhdh
    data:
      app-config-rhdh.yaml: |-
        auth:
          environment: development
          providers:
            github:
              development:
                clientId: ${GITHUB_APP_CLIENT_ID}
                clientSecret: ${GITHUB_APP_CLIENT_SECRET}
        catalog:
          import:
            entityFilename: catalog-info.yaml
            pullRequestBranchName: backstage-integration
          locations:
            - target: <URL_TO_APP_CATALOG_COMPONENT>
              type: url
            - target: <URL_TO_USER_CATALOG_COMPONENT>
              type: url
          rules:
            - allow:
                - Component
                - System
                - Group
                - Resource
                - Location
                - Template
                - API
                - User
                - Group
        kubernetes:
          serviceLocatorMethod:
            type: 'multiTenant'
          clusterLocatorMethods:
            - type: 'config'
              clusters:
                - name: ${K8S_CLUSTER_NAME}
                  url: ${K8S_CLUSTER_URL}
                  authProvider: 'serviceAccount'
                  # Disables TLS certificate verification for the cluster connection
                  skipTLSVerify: true
                  serviceAccountToken: ${K8S_CLUSTER_TOKEN}
        permission:
          enabled: true
          rbac:
            database:
              enabled: true
            policies-csv-file: ${PERMISSION_POLICY_PATH}
            admin:
              users:
                - name: ${PERMISSION_ADMIN}
Create Secret with the following:
GITHUB_APP_CLIENT_ID
GITHUB_APP_CLIENT_SECRET
K8S_CLUSTER_NAME
K8S_CLUSTER_URL
K8S_CLUSTER_TOKEN
PERMISSION_ADMIN set to user:default/<YOUR_USER>
Upgrade Helm Chart
Enable Kubernetes Plugin (Frontend and Backend)
Add app-config
Add secrets
Scenario one (deny when kubernetes.clusters.read and kubernetes.resources.read are not both allowed)
- Navigate to your component in the catalog
- Select Kubernetes tab
- See Permission required alert
Scenario two (deny when only one of kubernetes.clusters.read or kubernetes.resources.read is allowed via UI)
- Navigate to rbac frontend
- Create role test and assign only one of kubernetes.clusters.read or kubernetes.resources.read permissions
- Navigate to your component in the catalog
- Select Kubernetes tab
- See Permission required alert
Scenario three (allow when both kubernetes.clusters.read and kubernetes.resources.read permissions are allowed)
- Navigate to rbac frontend
- Create role test and assign both kubernetes.clusters.read and kubernetes.resources.read permissions
- Navigate to your component in the catalog
- Select Kubernetes tab
- You are allowed to view kubernetes data
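
The three scenarios above, as an added example that is not part of the original ticket or of RHDH's code: a small Python model that reads RBAC policy rows and reports whether the Kubernetes tab would be shown, with default deny unless both permissions are granted. The `p, role, permission, action, effect` and `g, user, role` row layout is an assumption about the file referenced by policies-csv-file; the user `user:default/alice`, the function names and the sample policies are constructed for illustration.

```python
import csv
import io

# Both permissions are needed for the Kubernetes tab (scenarios one to three).
REQUIRED = {"kubernetes.clusters.read", "kubernetes.resources.read"}
USER = "user:default/alice"  # constructed user entity ref

# Constructed sample policies, one per scenario (assumed CSV row layout).
MEMBER = "g, user:default/alice, role:default/test\n"
SCENARIO_ONE = ""  # no role created yet
SCENARIO_TWO = MEMBER + "p, role:default/test, kubernetes.clusters.read, read, allow\n"
SCENARIO_THREE = SCENARIO_TWO + "p, role:default/test, kubernetes.resources.read, read, allow\n"


def parse_policy(text):
    """Return (role -> granted permissions, user -> roles) from policy rows."""
    grants, members = {}, {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not row or row[0].startswith("#"):
            continue  # blank line or comment
        if row[0] == "p" and len(row) == 5:
            _, role, permission, action, effect = row
            # Only an explicit read/allow row counts as a grant.
            if action == "read" and effect == "allow":
                grants.setdefault(role, set()).add(permission)
        elif row[0] == "g" and len(row) == 3:
            members.setdefault(row[1], set()).add(row[2])
    return grants, members


def missing_permissions(policy_text, user):
    """Permissions the user still lacks for the Kubernetes tab."""
    grants, members = parse_policy(policy_text)
    held = set()
    for role in members.get(user, ()):
        held |= grants.get(role, set())
    return REQUIRED - held


def kubernetes_tab_allowed(policy_text, user):
    """Default deny: the tab is shown only when nothing is missing."""
    return not missing_permissions(policy_text, user)


if __name__ == "__main__":
    for name, policy in [("one", SCENARIO_ONE), ("two", SCENARIO_TWO), ("three", SCENARIO_THREE)]:
        verdict = "allow" if kubernetes_tab_allowed(policy, USER) else "Permission required"
        print(f"scenario {name}: {verdict}, missing={sorted(missing_permissions(policy, USER))}")
```

Running the same check against the real policy file before an automated UI run shows which permission is missing when the tab reports Permission required.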