From 4e450f3ecf7a7df161956fe1574392e9c406054c Mon Sep 17 00:00:00 2001
From: Pavel Zhukov <33721692+LeaveMyYard@users.noreply.github.com>
Date: Tue, 26 Mar 2024 11:54:14 +0200
Subject: Improve limited permissions (cherry-picked from #220) (#238)
* Add --as option to impersonate a specific user
* Update test case
* Don't exit if the user lacks permissions to auto-discover prometheus
* Add a comment
* Add support for HPA w/o cluster-level permissions
* feat: cli option for --as-group (#224)
* feat: cli option for --as-group
* add: as-group example
* Improve a message in case of API error
* Return the debug log with found items in cluster
---------
Co-authored-by: Robusta Runner
Co-authored-by: Rohan Katkar
Co-authored-by: LeaveMyYard
---
 tests/single_namespace_as_group.yaml | 38 +++++++++++++++++++++++++++++
 tests/single_namespace_permissions.yaml | 42 +++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 tests/single_namespace_as_group.yaml
 create mode 100644 tests/single_namespace_permissions.yaml
(limited to 'tests')
diff --git a/tests/single_namespace_as_group.yaml b/tests/single_namespace_as_group.yaml
new file mode 100644
index 0000000..16f0805
--- /dev/null
+++ b/tests/single_namespace_as_group.yaml
@@ -0,0 +1,38 @@
+# Test environment for per-namespace scans using a group object ID (for e.g. Microsoft Entra)
+# The purpose of this setup is to verify that per-namespace features work without cluster level permissions
+# You can test this Group and KRR using:
+# A user named aksdev that's part of the appdev group.
+# krr simple --as aksdev --as-group -n kube-system
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: kube-system
+ name: krr-role
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+ resources: ["horizontalpodautoscalers"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: krr-role-binding
+ namespace: kube-system
+subjects:
+- kind: Group
+ # Replace with the actual Group Object ID
+ name:
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: krr-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/tests/single_namespace_permissions.yaml b/tests/single_namespace_permissions.yaml
new file mode 100644
index 0000000..f6e324d
--- /dev/null
+++ b/tests/single_namespace_permissions.yaml
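Review bot: The example in the header comment, `# krr simple --as aksdev --as-group -n kube-system`, passes `--as-group` with no value, and the RoleBinding subject's `name:` is left empty, so the manifest as committed is rejected by the API server (a binding subject name is a required field) and the example never reaches the binding under test. Suggest one visible placeholder used in both places, e.g. `# krr simple --as aksdev --as-group <GROUP_OBJECT_ID> -n kube-system` and `name: <GROUP_OBJECT_ID>`, so a tester substitutes a single token consistently. It is also worth a comment that impersonating a user plus a group requires the invoker's own credentials to hold the `impersonate` verb on `users` and `groups` (normally cluster-admin); a 403 from that check is easy to misread as the namespaced Role being insufficient, which is the opposite of what this fixture is meant to prove. Minor wording: "for e.g. Microsoft Entra" reads better as "e.g. a Microsoft Entra group".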
@@ -0,0 +1,42 @@
+# Test environment for per-namespace scans
+# The purpose of this setup is to verify that per-namespace features work without cluster level permissions
+# You can test this ServiceAccount and KRR using:
+# krr simple --as system:serviceaccount:kube-system:krr-account -n kube-system
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: krr-account
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: kube-system
+ name: krr-role
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+ resources: ["horizontalpodautoscalers"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: krr-role-binding
+ namespace: kube-system
+subjects:
+- kind: ServiceAccount
+ name: krr-account
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: krr-role
+ apiGroup: rbac.authorization.k8s.io
-- cgit v1.2.3
From ba140253ac140acba61a0caf55791bed179ef297 Mon Sep 17 00:00:00 2001
From: Pavel Zhukov <33721692+LeaveMyYard@users.noreply.github.com>
Date: Tue, 26 Mar 2024 13:24:56 +0200
Subject: Improving prometheus detection step (#236)
* Rework prometheus detection logging, fix #119
* Fix success if no scans were made
* Fix get_history_range in tests
* Remove unused constant
---------
Co-authored-by: LeaveMyYard
---
 tests/conftest.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'tests')
diff --git a/tests/conftest.py b/tests/conftest.py
index 8906c42..61c389d 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
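Review bot: The header comment should say what the invoker needs, because `krr simple --as system:serviceaccount:kube-system:krr-account` only works when the caller's own kubeconfig identity holds the `impersonate` verb on `serviceaccounts` (typically cluster-admin); the Role below is what KRR is granted, not what the invoker needs, and a 403 from the impersonation check is easy to misread as the namespaced Role being insufficient. Suggested line after the example: `# NOTE: --as requires the caller to be allowed to impersonate serviceaccounts (usually cluster-admin); it does not change what krr-account itself can do.` A second caveat worth recording: impersonating the ServiceAccount by name does not, as far as I recall, add the `system:serviceaccounts` / `system:serviceaccounts:kube-system` groups a real SA token carries unless they are passed with `--as-group`, so this check is slightly stricter than running KRR in a pod with that account — fine for proving the Role is sufficient, but it should be stated. The permissions themselves look appropriately minimal: read-only verbs on namespace-scoped workload kinds only, no secrets or cluster-wide resources.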
@@ -94,6 +94,19 @@ def mock_prometheus_load_pods():
 yield
+@pytest.fixture(autouse=True, scope="session")
+def mock_prometheus_get_history_range():
+ async def get_history_range(self, history_duration: timedelta) -> tuple[datetime, datetime]:
+ now = datetime.now()
+ start = now - history_duration
+ return start, now
+
+ with patch(
+ "robusta_krr.core.integrations.prometheus.loader.PrometheusMetricsLoader.get_history_range", get_history_range
+ ):
+ yield
+
+
 @pytest.fixture(autouse=True, scope="session")
+def mock_prometheus_init():
+ with patch("robusta_krr.core.integrations.prometheus.loader.PrometheusMetricsLoader.__init__", return_value=None):
-- cgit v1.2.3
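Review bot: The stubbed `get_history_range` builds its window from naive `datetime.now()`; if the real `PrometheusMetricsLoader.get_history_range` returns timezone-aware datetimes (Prometheus timestamps are UTC-based), this session-wide autouse fixture would hide naive/aware mixing in the code under test until it fails in production. If that is the case, `now = datetime.now(timezone.utc)` is the safer stub (adding `timezone` to the existing `datetime` import at the top of conftest, outside this hunk). The real implementation and the import block are not visible here, so this needs a quick check against the loader rather than a blind change. The fixture also has no docstring; a one-liner such as `"""Stub the Prometheus history window so tests never reach a real server."""` would match the intent of the neighbouring fixtures. The body of `mock_prometheus_init` continues past the end of the hunk.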