Diffstat (limited to 'tests')
-rw-r--r--tests/conftest.py13
-rw-r--r--tests/single_namespace_as_group.yaml38
-rw-r--r--tests/single_namespace_permissions.yaml42
3 files changed, 93 insertions, 0 deletions
diff --git a/tests/conftest.py b/tests/conftest.py
index 8906c42..61c389d 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -95,6 +95,19 @@ def mock_prometheus_load_pods():
@pytest.fixture(autouse=True, scope="session")
+def mock_prometheus_get_history_range():
+ async def get_history_range(self, history_duration: timedelta) -> tuple[datetime, datetime]:
+ now = datetime.now()
+ start = now - history_duration
+ return start, now
+
+ with patch(
+ "robusta_krr.core.integrations.prometheus.loader.PrometheusMetricsLoader.get_history_range", get_history_range
+ ):
+ yield
+
+
+@pytest.fixture(autouse=True, scope="session")
def mock_prometheus_init():
with patch("robusta_krr.core.integrations.prometheus.loader.PrometheusMetricsLoader.__init__", return_value=None):
yield
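Review bot: The stub `get_history_range` added in this hunk builds its window from `datetime.now()`, a naive local-time value that differs on every call, so anything downstream that compares or formats these timestamps is neither timezone-aware nor reproducible between runs. The real `PrometheusMetricsLoader.get_history_range` is not visible here; if it returns aware datetimes, the stub should match it, e.g. `now = datetime.now(timezone.utc)` (this needs `timezone` imported, and the file's import block is outside the hunk). Because the fixture is `autouse=True, scope="session"`, the replacement silently applies to every test in the session, which deserves a docstring such as `"""Replace the Prometheus history-range lookup with a local clock window for all tests."""`.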
diff --git a/tests/single_namespace_as_group.yaml b/tests/single_namespace_as_group.yaml
new file mode 100644
index 0000000..16f0805
--- /dev/null
+++ b/tests/single_namespace_as_group.yaml
@@ -0,0 +1,38 @@
+# Test environment for per-namespace scans using a group object ID (for e.g. Microsoft Entra)
+# The purpose of this setup is to verify that per-namespace features work without cluster level permissions
+# You can test this Group and KRR using:
+# A user named aksdev that's part of the appdev group.
+# krr simple --as aksdev --as-group <appdev-groupID> -n kube-system
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: kube-system
+ name: krr-role
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+ resources: ["horizontalpodautoscalers"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: krr-role-binding
+ namespace: kube-system
+subjects:
+- kind: Group
+ # Replace <appdev-groupID> with the actual Group Object ID
+ name: <appdev-groupID>
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: krr-role
+ apiGroup: rbac.authorization.k8s.io
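Review bot: The `RoleBinding` here is named `krr-role-binding` in `kube-system`, the same name and namespace used in `tests/single_namespace_permissions.yaml`, so applying one manifest after the other replaces the binding's subjects instead of creating a second binding (the `Role` `krr-role` is duplicated the same way). Giving the group variant its own names, e.g. `name: krr-group-role-binding`, would let both test setups coexist. Separately, `name: <appdev-groupID>` is a valid YAML string, so applying the file unedited succeeds and binds a group literally called `<appdev-groupID>`; the comment above it could read `# Must be replaced before applying: the placeholder is accepted as a literal group name`. The header could also note that `--as` / `--as-group` only works when the calling identity has impersonation rights on that user and group.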
diff --git a/tests/single_namespace_permissions.yaml b/tests/single_namespace_permissions.yaml
new file mode 100644
index 0000000..f6e324d
--- /dev/null
+++ b/tests/single_namespace_permissions.yaml
@@ -0,0 +1,42 @@
+# Test environment for per-namespace scans
+# The purpose of this setup is to verify that per-namespace features work without cluster level permissions
+# You can test this ServiceAccount and KRR using:
+# krr simple --as system:serviceaccount:kube-system:krr-account -n kube-system
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: krr-account
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: kube-system
+ name: krr-role
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+ resources: ["horizontalpodautoscalers"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: krr-role-binding
+ namespace: kube-system
+subjects:
+- kind: ServiceAccount
+ name: krr-account
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: krr-role
+ apiGroup: rbac.authorization.k8s.io
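Review bot: The `ServiceAccount` `krr-account` and its `Role` are created in `kube-system`, which leaves a standing identity with read access to pods, services and workloads in the namespace that normally hosts cluster components. The stated purpose (per-namespace scans without cluster-level permissions) does not appear to depend on that particular namespace, so a dedicated one would keep the fixture isolated, e.g. `namespace: krr-test` on all three objects and `-n krr-test` in the header command (the name is only an example). If `kube-system` is intentional, a header line with the cleanup step would help, such as `# Remove with: kubectl delete -f tests/single_namespace_permissions.yaml`.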