sebhoss
commented
1 week ago wrt. testing: We are using conftest in our team to verify that k8s manifests have certain properties, e.g. in order to verify this change here, I've added the following to our internal test:
package main
import rego.v1
deny contains msg if {
some resource in input
role := resource.contents
role.apiVersion == "rbac.authorization.k8s.io/v1"
role.kind == "ClusterRole"
role.metadata.name == "calico-crds"
rules := [rule |
some rule in role.rules
rule.apiGroups == ["crd.projectcalico.org"]
rule.resources[_] == "tiers"
rule.verbs[_] == "create"
]
count(rules) == 0
msg := sprintf("ClusterRole '%v' does not allow to create tiers", [role.metadata.name])
}This test is executed every time someone changes our internal copy of the calico-apiserver manifests and ensures that the missing permission is not missing :sweat_smile:
mazdakn
Description
Allows calico-apiserver to handle
tierresources.Related issues/PRs
fixes #9481
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*label.docs-pr-required: This change requires a change to the documentation that has not been completed yet.docs-completed: This change has all necessary documentation completed.docs-not-required: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*label.release-note-required: This PR has user-facing changes. Most PRs should have this label.release-note-not-required: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.