package authorizer
import (
"errors"
"reflect"
"strings"
"testing"
kapi "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/serviceaccount"
"k8s.io/kubernetes/pkg/util/sets"
authorizationapi "github.com/openshift/origin/pkg/authorization/api"
testpolicyregistry "github.com/openshift/origin/pkg/authorization/registry/test"
"github.com/openshift/origin/pkg/authorization/rulevalidation"
"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
_ "github.com/openshift/origin/pkg/api/install"
)
type authorizeTest struct {
clusterPolicies []authorizationapi.ClusterPolicy
policies []authorizationapi.Policy
policyRetrievalError error
clusterBindings []authorizationapi.ClusterPolicyBinding
bindings []authorizationapi.PolicyBinding
bindingRetrievalError error
context kapi.Context
attributes *DefaultAuthorizationAttributes
expectedAllowed bool
expectedReason string
expectedError string
}
func TestAPIGroupDeny(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Anna"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "list",
APIGroup: "group",
Resource: "pods",
},
expectedAllowed: false,
expectedReason: `User "Anna" cannot list group.pods in project "adze"`,
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.test(t)
}
func TestAPIGroupDefaultAllow(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Anna"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "list",
Resource: "pods",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.test(t)
}
func TestAPIGroupAllAllow(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Anna"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "list",
APIGroup: "group",
Resource: "pods",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.policies[0].Roles["by-group"] = &authorizationapi.Role{
ObjectMeta: kapi.ObjectMeta{
Name: "by-group",
Namespace: "adze",
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("list"), APIGroups: []string{"group"}, Resources: sets.NewString("pods"),
},
},
}
test.bindings[0].RoleBindings["by-group"] = &authorizationapi.RoleBinding{
ObjectMeta: kapi.ObjectMeta{
Name: "by-group",
},
RoleRef: kapi.ObjectReference{
Namespace: "adze",
Name: "by-group",
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Anna"}},
}
test.test(t)
}
func TestAPIAllAllow(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Anna"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "list",
APIGroup: "group",
Resource: "pods",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.policies[0].Roles["by-group"] = &authorizationapi.Role{
ObjectMeta: kapi.ObjectMeta{
Name: "by-group",
Namespace: "adze",
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("list"), APIGroups: []string{authorizationapi.APIGroupAll}, Resources: sets.NewString("pods"),
},
},
}
test.bindings[0].RoleBindings["by-group"] = &authorizationapi.RoleBinding{
ObjectMeta: kapi.ObjectMeta{
Name: "by-group",
},
RoleRef: kapi.ObjectReference{
Namespace: "adze",
Name: "by-group",
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Anna"}},
}
test.test(t)
}
func TestResourceNameDeny(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceNone), &user.DefaultInfo{Name: "just-a-user"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "users",
ResourceName: "just-a-user",
},
expectedAllowed: false,
expectedReason: `User "just-a-user" cannot get users`,
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestResourceNameAllow(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceNone), &user.DefaultInfo{Name: "just-a-user"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "users",
ResourceName: "~",
},
expectedAllowed: true,
expectedReason: "allowed by cluster rule",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestClusterBindingServiceAccountSubject(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceNone), &user.DefaultInfo{Name: serviceaccount.MakeUsername("foo", "default")}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "users",
ResourceName: "any",
},
expectedAllowed: true,
expectedReason: "allowed by cluster rule",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestLocalBindingServiceAccountSubject(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: serviceaccount.MakeUsername("adze", "second")}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "pods",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.test(t)
}
func TestLocalBindingOtherServiceAccountSubject(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: serviceaccount.MakeUsername("other", "first")}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "pods",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.test(t)
}
func TestDeniedWithError(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Anna"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "update",
Resource: "roles",
},
expectedAllowed: false,
expectedError: "my special error",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.bindings[0].RoleBindings["missing"] = &authorizationapi.RoleBinding{
ObjectMeta: kapi.ObjectMeta{
Name: "missing",
},
RoleRef: kapi.ObjectReference{
Name: "not-a-real-binding",
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Anna"}},
}
test.policyRetrievalError = errors.New("my special error")
test.test(t)
}
func TestAllowedWithMissingBinding(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Anna"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "update",
Resource: "roles",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.bindings[0].RoleBindings["missing"] = &authorizationapi.RoleBinding{
ObjectMeta: kapi.ObjectMeta{
Name: "missing",
},
RoleRef: kapi.ObjectReference{
Name: "not-a-real-binding",
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Anna"}},
}
test.test(t)
}
func TestHealthAllow(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.NewContext(), &user.DefaultInfo{Name: "no-one", Groups: []string{"system:unauthenticated"}}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
NonResourceURL: true,
URL: "/healthz",
},
expectedAllowed: true,
expectedReason: "allowed by cluster rule",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestNonResourceAllow(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.NewContext(), &user.DefaultInfo{Name: "ClusterAdmin"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
NonResourceURL: true,
URL: "not-specified",
},
expectedAllowed: true,
expectedReason: "allowed by cluster rule",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestNonResourceDeny(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.NewContext(), &user.DefaultInfo{Name: "no-one"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
NonResourceURL: true,
URL: "not-allowed",
},
expectedAllowed: false,
expectedReason: `User "no-one" cannot "get" on "not-allowed"`,
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestHealthDeny(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.NewContext(), &user.DefaultInfo{Name: "no-one"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
NonResourceURL: true,
URL: "/healthz",
},
expectedAllowed: false,
expectedReason: `User "no-one" cannot "get" on "/healthz"`,
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestAdminEditingGlobalDeploymentConfig(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceNone), &user.DefaultInfo{Name: "ClusterAdmin"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "update",
Resource: "deploymentConfigs",
},
expectedAllowed: true,
expectedReason: "allowed by cluster rule",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestDisallowedViewingGlobalPods(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceNone), &user.DefaultInfo{Name: "SomeYahoo"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "pods",
},
expectedAllowed: false,
expectedReason: `User "SomeYahoo" cannot get pods`,
}
test.clusterPolicies = newDefaultClusterPolicies()
test.clusterBindings = newDefaultClusterPolicyBindings()
test.test(t)
}
func TestProjectAdminEditPolicy(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Anna"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "update",
Resource: "roles",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.test(t)
}
func TestGlobalPolicyOutranksLocalPolicy(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "ClusterAdmin"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "update",
Resource: "roles",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.test(t)
}
func TestResourceRestrictionsWork(t *testing.T) {
test1 := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Rachel"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "buildConfigs",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test1.clusterPolicies = newDefaultClusterPolicies()
test1.policies = newAdzePolicies()
test1.clusterBindings = newDefaultClusterPolicyBindings()
test1.bindings = newAdzeBindings()
test1.test(t)
test2 := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Rachel"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "pods",
},
expectedAllowed: false,
expectedReason: `User "Rachel" cannot get pods in project "adze"`,
}
test2.clusterPolicies = newDefaultClusterPolicies()
test2.policies = newAdzePolicies()
test2.clusterBindings = newDefaultClusterPolicyBindings()
test2.bindings = newAdzeBindings()
test2.test(t)
}
func TestResourceRestrictionsWithWeirdWork(t *testing.T) {
test1 := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Rachel"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "BUILDCONFIGS",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test1.clusterPolicies = newDefaultClusterPolicies()
test1.policies = newAdzePolicies()
test1.clusterBindings = newDefaultClusterPolicyBindings()
test1.bindings = newAdzeBindings()
test1.test(t)
test2 := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Rachel"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "buildconfigs",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test2.clusterPolicies = newDefaultClusterPolicies()
test2.policies = newAdzePolicies()
test2.clusterBindings = newDefaultClusterPolicyBindings()
test2.bindings = newAdzeBindings()
test2.test(t)
}
func TestLocalRightsDoNotGrantGlobalRights(t *testing.T) {
test := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "backsaw"), &user.DefaultInfo{Name: "Rachel"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "buildConfigs",
},
expectedAllowed: false,
expectedReason: `User "Rachel" cannot get buildConfigs in project "backsaw"`,
}
test.clusterPolicies = newDefaultClusterPolicies()
test.policies = append(test.policies, newAdzePolicies()...)
test.clusterBindings = newDefaultClusterPolicyBindings()
test.bindings = append(test.bindings, newAdzeBindings()...)
test.test(t)
}
func TestVerbRestrictionsWork(t *testing.T) {
test1 := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Valerie"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "get",
Resource: "buildConfigs",
},
expectedAllowed: true,
expectedReason: "allowed by rule in adze",
}
test1.clusterPolicies = newDefaultClusterPolicies()
test1.policies = newAdzePolicies()
test1.clusterBindings = newDefaultClusterPolicyBindings()
test1.bindings = newAdzeBindings()
test1.test(t)
test2 := &authorizeTest{
context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Valerie"}),
attributes: &DefaultAuthorizationAttributes{
Verb: "create",
Resource: "buildConfigs",
},
expectedAllowed: false,
expectedReason: `User "Valerie" cannot create buildConfigs in project "adze"`,
}
test2.clusterPolicies = newDefaultClusterPolicies()
test2.policies = newAdzePolicies()
test2.clusterBindings = newDefaultClusterPolicyBindings()
test2.bindings = newAdzeBindings()
test2.test(t)
}
func (test *authorizeTest) test(t *testing.T) {
policyRegistry := testpolicyregistry.NewPolicyRegistry(test.policies, test.policyRetrievalError)
policyBindingRegistry := testpolicyregistry.NewPolicyBindingRegistry(test.bindings, test.bindingRetrievalError)
clusterPolicyRegistry := testpolicyregistry.NewClusterPolicyRegistry(test.clusterPolicies, test.policyRetrievalError)
clusterPolicyBindingRegistry := testpolicyregistry.NewClusterPolicyBindingRegistry(test.clusterBindings, test.bindingRetrievalError)
authorizer := NewAuthorizer(rulevalidation.NewDefaultRuleResolver(policyRegistry, policyBindingRegistry, clusterPolicyRegistry, clusterPolicyBindingRegistry), NewForbiddenMessageResolver(""))
actualAllowed, actualReason, actualError := authorizer.Authorize(test.context, *test.attributes)
matchBool(test.expectedAllowed, actualAllowed, "allowed", t)
if actualAllowed {
containsString(test.expectedReason, actualReason, "allowReason", t)
} else {
containsString(test.expectedReason, actualReason, "denyReason", t)
matchError(test.expectedError, actualError, "error", t)
}
}
func matchString(expected, actual string, field string, t *testing.T) {
if expected != actual {
t.Errorf("%v: Expected %v, got %v", field, expected, actual)
}
}
func matchStringSlice(expected, actual []string, field string, t *testing.T) {
if !reflect.DeepEqual(expected, actual) {
t.Errorf("%v: Expected %v, got %v", field, expected, actual)
}
}
func containsString(expected, actual string, field string, t *testing.T) {
if len(expected) == 0 && len(actual) != 0 {
t.Errorf("%v: Expected %v, got %v", field, expected, actual)
return
}
if !strings.Contains(actual, expected) {
t.Errorf("%v: Expected %v, got %v", field, expected, actual)
}
}
func matchBool(expected, actual bool, field string, t *testing.T) {
if expected != actual {
t.Errorf("%v: Expected %v, got %v", field, expected, actual)
}
}
func matchError(expected string, actual error, field string, t *testing.T) {
if actual == nil {
if len(expected) != 0 {
t.Errorf("%v: Expected %v, got %v", field, expected, actual)
return
} else {
return
}
}
if actual != nil && len(expected) == 0 {
t.Errorf("%v: Expected %v, got %v", field, expected, actual)
return
}
if !strings.Contains(actual.Error(), expected) {
t.Errorf("%v: Expected %v, got %v", field, expected, actual)
}
}
func newDefaultClusterPolicies() []authorizationapi.ClusterPolicy {
return []authorizationapi.ClusterPolicy{*GetBootstrapPolicy()}
}
func newDefaultClusterPolicyBindings() []authorizationapi.ClusterPolicyBinding {
policyBinding := authorizationapi.ClusterPolicyBinding{
ObjectMeta: kapi.ObjectMeta{
Name: authorizationapi.ClusterPolicyBindingName,
},
RoleBindings: map[string]*authorizationapi.ClusterRoleBinding{
"extra-cluster-admins": {
ObjectMeta: kapi.ObjectMeta{
Name: "cluster-admins",
},
RoleRef: kapi.ObjectReference{
Name: "cluster-admin",
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "ClusterAdmin"}, {Kind: authorizationapi.GroupKind, Name: "RootUsers"}, {Name: "default", Namespace: "foo", Kind: authorizationapi.ServiceAccountKind}},
},
"user-only": {
ObjectMeta: kapi.ObjectMeta{
Name: "user-only",
},
RoleRef: kapi.ObjectReference{
Name: "basic-user",
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "just-a-user"}},
},
},
}
for key, value := range GetBootstrapPolicyBinding().RoleBindings {
policyBinding.RoleBindings[key] = value
}
return []authorizationapi.ClusterPolicyBinding{policyBinding}
}
func newAdzePolicies() []authorizationapi.Policy {
return []authorizationapi.Policy{
{
ObjectMeta: kapi.ObjectMeta{
Name: authorizationapi.PolicyName,
Namespace: "adze",
},
Roles: map[string]*authorizationapi.Role{
"restrictedViewer": {
ObjectMeta: kapi.ObjectMeta{
Name: "admin",
Namespace: "adze",
},
Rules: append(make([]authorizationapi.PolicyRule, 0),
authorizationapi.PolicyRule{
APIGroups: []string{""},
Verbs: sets.NewString("watch", "list", "get"),
Resources: sets.NewString("buildConfigs"),
}),
},
},
}}
}
func newAdzeBindings() []authorizationapi.PolicyBinding {
return []authorizationapi.PolicyBinding{
{
ObjectMeta: kapi.ObjectMeta{
Name: authorizationapi.ClusterPolicyBindingName,
Namespace: "adze",
},
RoleBindings: map[string]*authorizationapi.RoleBinding{
"projectAdmins": {
ObjectMeta: kapi.ObjectMeta{
Name: "projectAdmins",
Namespace: "adze",
},
RoleRef: kapi.ObjectReference{
Name: bootstrappolicy.AdminRoleName,
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Anna"}},
},
"viewers": {
ObjectMeta: kapi.ObjectMeta{
Name: "viewers",
Namespace: "adze",
},
RoleRef: kapi.ObjectReference{
Name: bootstrappolicy.ViewRoleName,
},
Subjects: []kapi.ObjectReference{
{Kind: authorizationapi.UserKind, Name: "Valerie"},
{Name: "first", Namespace: "other", Kind: authorizationapi.ServiceAccountKind},
{Name: "second", Kind: authorizationapi.ServiceAccountKind},
},
},
"editors": {
ObjectMeta: kapi.ObjectMeta{
Name: "editors",
Namespace: "adze",
},
RoleRef: kapi.ObjectReference{
Name: bootstrappolicy.EditRoleName,
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Ellen"}},
},
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: authorizationapi.GetPolicyBindingName("adze"),
Namespace: "adze",
},
RoleBindings: map[string]*authorizationapi.RoleBinding{
"restrictedViewers": {
ObjectMeta: kapi.ObjectMeta{
Name: "restrictedViewers",
Namespace: "adze",
},
RoleRef: kapi.ObjectReference{
Name: "restrictedViewer",
Namespace: "adze",
},
Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Rachel"}},
},
},
},
}
}