diff --git a/test/e2e/installplan_e2e_test.go b/test/e2e/installplan_e2e_test.go index 68e05bcaef..df4ab35ec9 100644 --- a/test/e2e/installplan_e2e_test.go +++ b/test/e2e/installplan_e2e_test.go @@ -15,7 +15,6 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" . "github.com/onsi/gomega/gstruct" - "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" appsv1 "k8s.io/api/apps/v1" authorizationv1 "k8s.io/api/authorization/v1" @@ -1887,6 +1886,7 @@ var _ = Describe("Install Plan", func() { By(`If the CSV is succeeded, we successfully rolled out the RBAC changes`) }) + It("AttenuatePermissions", func() { defer func() { @@ -2017,7 +2017,33 @@ var _ = Describe("Install Plan", func() { _, err = fetchCSV(crc, generatedNamespace.GetName(), mainCSV.GetName(), csvSucceededChecker) require.NoError(GinkgoT(), err) - By(`Update CatalogSource with a new CSV with more permissions`) + By("Wait for ServiceAccount to have access") + err = wait.Poll(pollInterval, pollDuration, func() (bool, error) { + res, err := c.KubernetesInterface().AuthorizationV1().SubjectAccessReviews().Create(context.Background(), &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ + User: "system:serviceaccount:" + generatedNamespace.GetName() + ":" + serviceAccountName, + ResourceAttributes: &authorizationv1.ResourceAttributes{ + Group: "cluster.com", + Version: "v1alpha1", + Resource: crdPlural, + Verb: rbac.VerbAll, + }, + }, + }, metav1.CreateOptions{}) + if err != nil { + return false, err + } + if res == nil { + return false, nil + } + GinkgoT().Log("checking serviceaccount for permission") + + By("should be allowed") + return res.Status.Allowed, nil + }) + Expect(err).NotTo(HaveOccurred()) + + By(`Update CatalogSource with a new CSV with fewer permissions`) updatedPermissions := []operatorsv1alpha1.StrategyDeploymentPermissions{ { ServiceAccountName: serviceAccountName, @@ -2043,9 +2069,6 @@ var _ = Describe("Install Plan", func() { }, } - oldSecrets, err := c.KubernetesInterface().CoreV1().Secrets(generatedNamespace.GetName()).List(context.Background(), metav1.ListOptions{}) - require.NoError(GinkgoT(), err, "error listing secrets") - By(`Create the catalog sources`) updatedNamedStrategy := newNginxInstallStrategy(genName("dep-"), updatedPermissions, updatedClusterPermissions) updatedCSV := newCSV(mainPackageStable+"-next", generatedNamespace.GetName(), mainCSV.GetName(), semver.MustParse("0.2.0"), []apiextensionsv1.CustomResourceDefinition{mainCRD}, nil, &updatedNamedStrategy) @@ -2077,15 +2100,6 @@ var _ = Describe("Install Plan", func() { _, err = fetchCSV(crc, generatedNamespace.GetName(), updatedCSV.GetName(), csvSucceededChecker) require.NoError(GinkgoT(), err) - newSecrets, err := c.KubernetesInterface().CoreV1().Secrets(generatedNamespace.GetName()).List(context.Background(), metav1.ListOptions{}) - require.NoError(GinkgoT(), err, "error listing secrets") - - By(`Assert that the number of secrets is not increased from updating service account as part of the install plan,`) - assert.EqualValues(GinkgoT(), len(oldSecrets.Items), len(newSecrets.Items)) - - By(`And that the secret list is indeed updated.`) - assert.Equal(GinkgoT(), oldSecrets.Items, newSecrets.Items) - By(`Wait for ServiceAccount to not have access anymore`) err = wait.Poll(pollInterval, pollDuration, func() (bool, error) { res, err := c.KubernetesInterface().AuthorizationV1().SubjectAccessReviews().Create(context.Background(), &authorizationv1.SubjectAccessReview{