ROX-27053: Fix subjects handling for user and group kind#13410
ROX-27053: Fix subjects handling for user and group kind#13410
Conversation
|
It's unclear to me why we filter only unique subjects from the orchestrator response (we don't seem to do that in the RBAC service). Hard to say what use cases the test was intended to cover, but for symmetry, what'd you say about filtering RBAC service's response for unique names as well? |
|
Images are ready for the commit at d62f2c1. To use with deploy scripts, first |
|
@rukletsov I would rather do the opposite - remove filtering from |
Yeah, that would be even better if want to invest a bit more here rather than keeping this test shallow. Looking at the response proto, I think we can try to dedupe on |
|
/test gke-latest-qa-e2e-tests |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #13410 +/- ##
=======================================
Coverage 48.53% 48.53%
=======================================
Files 2473 2473
Lines 178677 178677
=======================================
+ Hits 86712 86713 +1
Misses 85016 85016
+ Partials 6949 6948 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
|
/test gke-qa-e2e-tests |
|
@mtodor please ping me when this is ready for review again. |
5bc3ef8 to
b431960
Compare
|
/test gke-qa-e2e-tests |
|
/test gke-qa-e2e-tests |
b431960 to
21038d4
Compare
|
/test gke-qa-e2e-tests |
21038d4 to
d906476
Compare
|
/test gke-qa-e2e-tests |
|
/retest |
d906476 to
c051cc4
Compare
c051cc4 to
8079b7e
Compare
vikin91
left a comment
There was a problem hiding this comment.
It is not my corner of expertise, but I read into the description, the code, and the tests and the change makes total sense for me 👍
8079b7e to
d62f2c1
Compare
|
@mtodor: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Description
We have failing tests on GKE. The difference comes from non-namespaced subjects.
With GKE - Kubernetes version
v1.31.2-gke.1384000, we have two role bindings. One is normal (namespace) role binding, and the other is cluster (non-namespace) role binding.and
The problem that we are facing is that subjects of kind User and Group are non-namespace subjects and they should not have set
namespaceproperty. They are actually the same subject, but ACS considers it as two separate subjects.Kubernetes documentation: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/role-binding-v1/
This PR introduces a helper function that will adjust subjects for role binding and remove the namespace for non-namespaced subjects.
The test is also adjusted because it uses the namespace property during comparison.
Additional information is provided in Jira.
User-facing documentation
Testing and quality
Automated testing
How I validated my change
I have added unit tests for service and worked on implementation after that.
After I had finished implementation, I moved tests from service to function unit tests because they fit better there and are easier to understand.
Use the latest GKE version
/pragma: gke_cluster_version:latest