diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b59b80b53..99cc12640 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -105,7 +105,7 @@ jobs:
 env:
 KUBECONFIG: /etc/rancher/k3s/k3s.yaml
 run: |
- curl -sfL https://get.k3s.io | sh -s - --docker --write-kubeconfig-mode 664
+ curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.20.14-rc1+k3s1 sh -s - --docker --write-kubeconfig-mode 664
 kubectl wait node --all --for condition=ready --timeout=90s
 mkdir -p $HOME/.kube
 cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 253d1d468..9c59bfe17 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -80,7 +80,7 @@ jobs:
 env:
 KUBECONFIG: /etc/rancher/k3s/k3s.yaml
 run: |
- curl -sfL https://get.k3s.io | sh -s - --docker --write-kubeconfig-mode 664
+ curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.20.14-rc1+k3s1 sh -s - --docker --write-kubeconfig-mode 664
 kubectl wait node --all --for condition=ready --timeout=90s
 mkdir -p $HOME/.kube
 cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 05357c90b..65ea4bb86 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -93,7 +93,7 @@ jobs:
 env:
 KUBECONFIG: /etc/rancher/k3s/k3s.yaml
 run: |
- curl -sfL https://get.k3s.io | sh -s - --docker --write-kubeconfig-mode 664
+ curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.20.14-rc1+k3s1 sh -s - --docker --write-kubeconfig-mode 664
 kubectl wait node --all --for condition=ready --timeout=90s
 mkdir -p $HOME/.kube
 cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
index dff023349..1df62e422 100644
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
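Review bot: The k3s install line in the `run:` block still pipes whatever https://get.k3s.io serves straight into `sh` with no integrity check, so `INSTALL_K3S_VERSION` pins the k3s release but not the installer script that executes on the runner. The identical line is added in push.yml and release.yml; the release workflow is where an altered script would matter most if that job also holds publishing credentials, which these hunks do not show. I would download the script to a file, verify it against a checksum recorded in the repository, and only then run it: `curl -sfLo install.sh https://get.k3s.io`, `echo "<EXPECTED_SHA256>  install.sh" | sha256sum -c -`, `INSTALL_K3S_VERSION=v1.20.14-rc1+k3s1 sh install.sh --docker --write-kubeconfig-mode 664`. A short comment saying why a release candidate (`-rc1`) is pinned would also help the next maintainer; the step's script may continue past the end of the hunk.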
@@ -18,7 +18,7 @@ metadata:
 app.kubernetes.io/managed-by: kubectl
 name: litmus
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: litmus
@@ -32,17 +32,32 @@ metadata:
 app.kubernetes.io/managed-by: kubectl
 name: litmus
 rules:
-- apiGroups: ["","apps","batch","apps.openshift.io","argoproj.io"]
- resources: ["jobs","deployments","replicationcontrollers","daemonsets","replicasets","statefulsets","deploymentconfigs","rollouts","secrets"]
- verbs: ["get","list","watch","deletecollection"]
-- apiGroups: ["","litmuschaos.io"]
- resources: ["pods","configmaps","events","services","chaosengines","chaosexperiments","chaosresults"]
+- apiGroups: [""]
+ resources: ["replicationcontrollers","secrets"]
+ verbs: ["get","list"]
+- apiGroups: ["apps.openshift.io"]
+ resources: ["deploymentconfigs"]
+ verbs: ["get","list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
+ verbs: ["get","list"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get","list","deletecollection"]
+- apiGroups: ["argoproj.io"]
+ resources: ["rollouts"]
+ verbs: ["get","list"]
+- apiGroups: [""]
+ resources: ["pods","configmaps","events","services"]
+ verbs: ["get","create","update","patch","delete","list","watch","deletecollection"]
+- apiGroups: ["litmuschaos.io"]
+ resources: ["chaosengines","chaosexperiments","chaosresults"]
 verbs: ["get","create","update","patch","delete","list","watch","deletecollection"]
 - apiGroups: ["apiextensions.k8s.io"]
 resources: ["customresourcedefinitions"]
 verbs: ["list","get"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: litmus
@@ -62,4 +77,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: litmus
- namespace: litmus
+ namespace: litmus
\ No newline at end of file
diff --git a/tests/bdd/bdd_test.go b/tests/bdd/bdd_test.go
index a10d0c4c0..ac3fbf040 100644
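Review bot: The first new rule in the `rules:` list keeps `secrets` under `get`/`list` in a ClusterRole, and the ClusterRoleBinding further down appears to bind it to the `litmus` ServiceAccount, so that token can still read every Secret in every namespace even though the other workload rules were narrowed. If the operator only needs Secrets in the namespaces where chaos runs (not visible from this hunk), move that resource into a namespaced Role/RoleBinding; otherwise at least split it from `replicationcontrollers` and record the reason, e.g. `# secrets: cluster-wide read, needed for <REASON>; narrow if possible`. Separately, `watch` was dropped for the workload resources; if the operator watches any of them through informers, those would stop syncing, so it is worth confirming against the BDD run.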
--- a/tests/bdd/bdd_test.go
+++ b/tests/bdd/bdd_test.go
@@ -388,7 +388,7 @@ var _ = Describe("BDD on chaos-operator", func() {
 By("Creating ChaosEngine")
 chaosEngine := &v1alpha1.ChaosEngine{
 ObjectMeta: metav1.ObjectMeta{
- Name: "engine-nginx",
+ Name: "engine-nginx-1",
 Namespace: "litmus",
 },
 Spec: v1alpha1.ChaosEngineSpec{
@@ -427,7 +427,7 @@ var _ = Describe("BDD on chaos-operator", func() {
 Wait(time.Duration(2) * time.Second).
 Try(func(attempt uint) error {
 //Fetching engine-nginx-runner pod
- _, err := client.CoreV1().Pods("litmus").Get("engine-nginx-runner", metav1.GetOptions{})
+ _, err := client.CoreV1().Pods("litmus").Get("engine-nginx-1-runner", metav1.GetOptions{})
 isNotFound := errors.IsNotFound(err)
 if isNotFound {
 return nil
@@ -444,7 +444,7 @@ var _ = Describe("BDD on chaos-operator", func() {
 Wait(time.Duration(2) * time.Second).
 Try(func(attempt uint) error {
 //Fetching engineStatus
- engine, err := clientSet.ChaosEngines("litmus").Get("engine-nginx", metav1.GetOptions{})
+ engine, err := clientSet.ChaosEngines("litmus").Get("engine-nginx-1", metav1.GetOptions{})
 if err != nil {
 return err
 }
diff --git a/tests/manifest/pod_delete_rbac.yaml b/tests/manifest/pod_delete_rbac.yaml
index 1504897c6..ff01acea6 100644
--- a/tests/manifest/pod_delete_rbac.yaml
+++ b/tests/manifest/pod_delete_rbac.yaml
@@ -6,26 +6,70 @@ metadata:
 namespace: litmus
 labels:
 name: pod-delete-sa
+ app.kubernetes.io/part-of: litmus
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: pod-delete-sa
 namespace: litmus
 labels:
 name: pod-delete-sa
+ app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: ["","litmuschaos.io","batch","apps"]
- resources: ["pods","deployments","pods/log","events","jobs","chaosengines","chaosexperiments","chaosresults"]
- verbs: ["create","list","get","patch","update","delete","deletecollection"]
+ # Create and monitor the experiment & helper pods
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["create","delete","get","list","patch","update", "deletecollection"]
+ # Performs CRUD operations on the events inside chaosengine and chaosresult
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create","get","list","patch","update"]
+ # Fetch configmaps details and mount it to the experiment pod (if specified)
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get","list",]
+ # Track and get the runner, experiment, and helper pods log
+ - apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get","list","watch"]
+ # for creating and managing to execute comands inside target container
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["get","list","create"]
+ # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+ - apiGroups: ["apps"]
+ resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+ verbs: ["list","get"]
+ # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+ - apiGroups: ["apps.openshift.io"]
+ resources: ["deploymentconfigs"]
+ verbs: ["list","get"]
+ # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+ - apiGroups: [""]
+ resources: ["replicationcontrollers"]
+ verbs: ["get","list"]
+ # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+ - apiGroups: ["argoproj.io"]
+ resources: ["rollouts"]
+ verbs: ["list","get"]
+ # for configuring and monitor the experiment job by the chaos-runner pod
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create","list","get","delete","deletecollection"]
+ # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+ - apiGroups: ["litmuschaos.io"]
+ resources: ["chaosengines","chaosexperiments","chaosresults"]
+ verbs: ["create","list","get","patch","update","delete"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: pod-delete-sa
 namespace: litmus
 labels:
 name: pod-delete-sa
+ app.kubernetes.io/part-of: litmus
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -34,3 +78,4 @@ subjects:
 - kind: ServiceAccount
 name: pod-delete-sa
 namespace: litmus
+
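Review bot: The new `pods/exec` rule in the Role grants `create` on exec for every pod in the `litmus` namespace, which amounts to running commands inside any container there; nothing in this hunk shows that the pod-delete test needs exec, so I would drop the rule or have its comment state which step requires it. `list` does not seem to apply to the `pods/exec` subresource, so if the rule stays, `verbs: ["get","create"]` is the most it should carry. Two small cleanups in the same list: the configmaps rule has a stray trailing comma in `["get","list",]`, and the comment above `replicationcontrollers` repeats the deploymentConfig text and should read `# deriving the parent/owner details of the pod (if parent is a replicationController)`.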