Merge pull request juju#13569 from ycliuhw/enhance-rbac-checker

juju#13569 Use kubectl auth can-i to check RBAC for CI test;
sdg0919 · Dec 13, 2021 · d450572 · d450572
2 parents 07502ae + 53e6605
commit d450572
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/acceptancetests/jujupy/k8s_provider/base.py b/acceptancetests/jujupy/k8s_provider/base.py
@@ -33,7 +33,6 @@
 from jujupy.client import temp_bootstrap_env
 from jujupy.utility import ensure_dir, until_timeout
 
-
 logger = logging.getLogger(__name__)
 
 
@@ -209,15 +208,16 @@ def assert_rbac_config(self):
         if self.enable_rbac and not rbac_enabled_in_cluster:
             raise Exception("RBAC is required but it's NOT enabled in the cluster")
         if not self.enable_rbac and rbac_enabled_in_cluster:
-            raise Exception("RBAC is unexpectedly enabled in the cluster")
-
-    def check_rbac_enable(self):
-        timeout = 180
-        cmd = ['/bin/sh', '-c', f'{" ".join(self._kubectl_bin)} run --timeout={timeout}s tmp-shell --restart=Never --rm -i --tty --image bitnami/kubectl:latest -- auth can-i create pods; exit 0']
-        o = self.sh(*cmd, timeout=timeout)
-        logger.info('checking RBAC by run "%s" -> %s', ' '.join(cmd), o)
-        # The default SA in the default namespace does NOT have permission to create pods when RBAC is enabled.
-        return 'no' in o.split()
+            raise Exception("RBAC is NOT required but it's enabled in the cluster")
+
+    def check_rbac_enable(self, timeout=10):
+        cmd = ['/bin/sh', '-c']
+        cmd.append(
+            f'{" ".join(self._kubectl_bin)} auth can-i create pods --as=poorguy'
+        )
+        output = self.sh(*cmd, timeout=timeout)
+        logger.info('checking RBAC by run "%s" -> %s', ' '.join(cmd), output)
+        return 'no' in [item.strip() for item in output.split()]
 
     def kubectl(self, *args):
         return self.sh(*(self._kubectl_bin + args))