
Commit eddc908

committed
Update current feature
1 parent 37f510c commit eddc908


1 file changed

+65
-0
lines changed

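--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -e # Exit on error
+set -o pipefail # Exit if any command in a pipeline fails
+
+ID="test" # Change this to a unique identifier if needed
+
+FOO_NAMESPACE="foo-${ID}"
+BAR_NAMESPACE="bar-${ID}"
+
+echo "Creating namespaces..."
+kubectl create namespace "$FOO_NAMESPACE" || true
+kubectl create namespace "$BAR_NAMESPACE" || true
+
+echo "Deploying kubectl-proxy pod in $FOO_NAMESPACE..."
+kubectl apply -f https://raw.githubusercontent.com/k8s-school/k8s-advanced/master/labs/2_authorization/kubectl-proxy.yaml -n "$FOO_NAMESPACE"
+
+echo "Creating services in $FOO_NAMESPACE and $BAR_NAMESPACE..."
+kubectl create service clusterip foo-service --tcp=80:80 -n "$FOO_NAMESPACE" || true
+kubectl create service clusterip bar-service --tcp=80:80 -n "$BAR_NAMESPACE" || true
+
+echo "Waiting for kubectl-proxy pod to be ready..."
+kubectl wait --for=condition=ready pod -l app=kubectl-proxy -n "$FOO_NAMESPACE" --timeout=60s
+
+echo "Fetching kubectl-proxy pod name..."
+PROXY_POD=$(kubectl get pods -n "$FOO_NAMESPACE" -l app=kubectl-proxy -o jsonpath="{.items[0].metadata.name}")
+
+echo "Creating RBAC (Role and RoleBinding) in $FOO_NAMESPACE..."
+kubectl apply -f - <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: service-reader
+namespace: $FOO_NAMESPACE
+rules:
+- apiGroups: [""]
+resources: ["services"]
+verbs: ["get", "list"]
+EOF
+
+kubectl apply -f - <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: service-reader-binding
+namespace: $FOO_NAMESPACE
+subjects:
+- kind: ServiceAccount
+name: default
+namespace: $FOO_NAMESPACE
+roleRef:
+kind: Role
+name: service-reader
+apiGroup: rbac.authorization.k8s.io
+EOF
+
+echo "Running tests inside kubectl-proxy pod..."
+
+echo "Testing access to services in $FOO_NAMESPACE (should succeed)..."
+kubectl exec -n "$FOO_NAMESPACE" "$PROXY_POD" -- curl -s -o /dev/null -w "%{http_code}" http://localhost:8001/api/v1/namespaces/"$FOO_NAMESPACE"/services
+
+echo "Testing access to services in $BAR_NAMESPACE (should be forbidden)..."
+kubectl exec -n "$FOO_NAMESPACE" "$PROXY_POD" -- curl -s -o /dev/null -w "%{http_code}" http://localhost:8001/api/v1/namespaces/"$BAR_NAMESPACE"/services
+
+echo "Test completed!"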
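Review bot: The two `kubectl exec ... curl -w "%{http_code}"` checks at the end only print the status code and never compare it, so the script reaches "Test completed!" even if the request to the bar namespace is allowed; an RBAC test whose deny case cannot fail gives no assurance that the Role is scoped correctly. Capture each code and exit non-zero unless it is the expected one (200 for the foo namespace, presumably 403 for bar), as in the helper sketched below. Separately, the `kubectl apply -f https://raw.githubusercontent.com/.../master/...` line pulls a manifest from a mutable branch, so what gets deployed can change without this script changing; pinning the URL to a commit or vendoring the YAML would make the run reproducible. The RoleBinding also targets the `default` ServiceAccount, which grants `service-reader` to every pod in the namespace that does not name its own account, and a dedicated ServiceAccount for the proxy pod would keep the grant narrow. Finally, the `|| true` on the create commands hides every failure, not only "already exists".

```shell
# … unchanged: namespace, service, proxy pod and RBAC setup …

# Query the services list through the in-pod proxy and fail unless the
# API server answers with the expected HTTP status.
expect_status() {
  local namespace=$1 expected=$2 actual
  actual=$(kubectl exec -n "$FOO_NAMESPACE" "$PROXY_POD" -- \
    curl -s -o /dev/null -w "%{http_code}" \
    "http://localhost:8001/api/v1/namespaces/${namespace}/services")
  if [[ "$actual" != "$expected" ]]; then
    echo "FAIL: services in ${namespace}: expected HTTP ${expected}, got ${actual}" >&2
    exit 1
  fi
}

echo "Testing access to services in $FOO_NAMESPACE (should succeed)..."
expect_status "$FOO_NAMESPACE" 200

echo "Testing access to services in $BAR_NAMESPACE (should be forbidden)..."
expect_status "$BAR_NAMESPACE" 403
```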
