From c8931cb699afda076ce35ea11feb65990c82c7bd Mon Sep 17 00:00:00 2001
From: Fabian von Feilitzsch
Date: Fri, 25 Sep 2020 14:10:14 -0400
Subject: [PATCH 1/2] SelfSubjectAccessReviews now work with the k8s module
---
 molecule/default/converge.yml | 1 +
 molecule/default/tasks/access_review.yml | 23 +++++++++++++++++++++++
 plugins/module_utils/common.py | 4 ++--
 3 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 molecule/default/tasks/access_review.yml
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index e3e0aa8d..944aefa6 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -28,6 +28,7 @@
 - include_tasks: tasks/exec.yml
 - include_tasks: tasks/log.yml
 - include_tasks: tasks/cluster_info.yml
+ - include_tasks: tasks/access_review.yml
 roles:
 - helm
diff --git a/molecule/default/tasks/access_review.yml b/molecule/default/tasks/access_review.yml
new file mode 100644
index 00000000..9ce3b6f1
--- /dev/null
+++ b/molecule/default/tasks/access_review.yml
@@ -0,0 +1,23 @@
+---
+- name: Create a SelfSubjectAccessReview resource
+ register: can_i_create_namespaces
+ ignore_errors: yes
+ k8s:
+ state: present
+ definition:
+ apiVersion: authorization.k8s.io/v1
+ kind: SelfSubjectAccessReview
+ spec:
+ resourceAttributes:
+ group: v1
+ resource: Namespace
+ verb: create
+
+- name: Assert that the SelfSubjectAccessReview request succeded
+ assert:
+ that:
+ - can_i_create_namespaces is successful
+ - (can_i_create_namespaces.resources | length) == 1
+ - can_i_create_namespaces.resources.0.status is defined
+ - can_i_create_namespaces.resources.0.status.allowed is defined
+ - can_i_create_namespaces.resources.0.status.allowed
diff --git a/plugins/module_utils/common.py b/plugins/module_utils/common.py
index dac92818..d303eab6 100644
--- a/plugins/module_utils/common.py
+++ b/plugins/module_utils/common.py
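Review bot: The `resourceAttributes` of the new SelfSubjectAccessReview task in molecule/default/tasks/access_review.yml do not describe namespace creation. In the authorization API, `group` is the API group (empty for core resources, with `v1` belonging in `version`) and `resource` is the lower-case plural name, so `group: v1` / `resource: Namespace` asks about a resource that does not exist. The request probably still comes back with `allowed: true` under the wildcard admin credentials the molecule cluster presumably uses, so the final assert can pass without exercising a real permission decision. I would write `group: ''`, `version: v1`, `resource: namespaces`, and correct the spelling `succeded` in the second task name.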
@@ -38,7 +38,7 @@
 from openshift.dynamic import DynamicClient
 from openshift.dynamic.exceptions import (
 ResourceNotFoundError, ResourceNotUniqueError, NotFoundError, DynamicApiError,
- ConflictError, ForbiddenError)
+ ConflictError, ForbiddenError, MethodNotAllowedError)
 HAS_K8S_MODULE_HELPER = True
 k8s_import_exception = None
 except ImportError as e:
@@ -610,7 +610,7 @@ def perform_action(self, resource, definition):
 if namespace:
 params['namespace'] = namespace
 existing = resource.get(**params)
- except NotFoundError:
+ except (NotFoundError, MethodNotAllowedError):
 # Remove traceback so that it doesn't show up in later failures
 try:
 sys.exc_clear()
From 8f4fed6a9cb58684226f011c9d5dc3a7807bf659 Mon Sep 17 00:00:00 2001
From: Fabian von Feilitzsch
Date: Fri, 25 Sep 2020 14:40:03 -0400
Subject: [PATCH 2/2] fix test
---
 molecule/default/tasks/access_review.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/molecule/default/tasks/access_review.yml b/molecule/default/tasks/access_review.yml
index 9ce3b6f1..78d6d567 100644
--- a/molecule/default/tasks/access_review.yml
+++ b/molecule/default/tasks/access_review.yml
@@ -17,7 +17,6 @@
 assert:
 that:
 - can_i_create_namespaces is successful
- - (can_i_create_namespaces.resources | length) == 1
- - can_i_create_namespaces.resources.0.status is defined
- - can_i_create_namespaces.resources.0.status.allowed is defined
- - can_i_create_namespaces.resources.0.status.allowed
+ - can_i_create_namespaces.result.status is defined
+ - can_i_create_namespaces.result.status.allowed is defined
+ - can_i_create_namespaces.result.status.allowed
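Review bot: The widened handler `except (NotFoundError, MethodNotAllowedError):` in perform_action applies to every kind the module manages, so any 405 from `resource.get` is now handled exactly like "object does not exist", not only for the create-only review APIs this change targets. The code after the handler is outside the hunk, but if that path goes on to create the object or reports it as already absent, a 405 that really signals a misrouted request or a policy block would be hidden from the user. I would record the intent next to the handler, e.g. `# Create-only APIs such as SelfSubjectAccessReview answer GET with 405; treat that as "no existing object"`, and consider restricting the 405 case to resources that do not support the get verb. The name added in the first hunk of this file sits inside the `try`/`except ImportError` guard, so a client library without `MethodNotAllowedError` would presumably disable the whole helper; the minimum supported client version is worth confirming.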