phantomjinx commented on a change in pull request #2284: URL: https://github.com/apache/camel-k/pull/2284#discussion_r648106357
########## File path: e2e/common/kustomize/operator_test.go ########## 
@@ -0,0 +1,89 @@ +// +build integration + +// To enable compilation of this file in Goland, go to "Settings -> Go -> Vendoring & Build Tags -> Custom Tags" and add "integration" + +/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kustomize + +import ( + "fmt" + "testing" + + . "github.com/apache/camel-k/e2e/support" + . "github.com/onsi/gomega" +) + +func TestBasicOperator(t *testing.T) { + defer Uninstall() + + WithNewTestNamespace(t, func(ns string) { + ExecMake(t, Make("setup-cluster", fmt.Sprintf("NAMESPACE=%s", ns)))

Review comment: That is true, although whenever `kamel install` is called the cluster-setup functions are always carried out. `kamel install --cluster-setup` just aborts the camel-k install once the cluster resources have been applied. Thus, the e2e tests are in fact doing the job twice (once in the github action and the other in the code). I found this when executing the e2e tests locally on my own openshift cluster. Since the kustomize Makefile makes it transparent that the cluster-setup functions are separate, the e2e tests are therefore doing the 'same' operations that the kamel binary is doing. This needs more thought from the perspective of RBAC.
The kind cluster has no concern for user privilege (the e2e tests use the default admin? user) and so executing all commands is not a problem. The expectation I had was the following:

1. make cluster-setup - executed via a cluster-admin in the same way OLM applies these resources prior to spinning up an operator;
2. make setup - executed via a privileged user but not necessarily a cluster-admin - the word 'privilege' carries weight here since 'developer' cannot apply a strimzi permission to a service account if it does not already have it on openshift (on kind this is not a problem). So what is the expectation for which level of user should be applying the namespace-specific resources? - in fuse-online, there is the concept of 'grant' which gave the normal user the appropriate privileges. With the advent of OLM, this has latterly become much less important. However, what needs to be made clear is what level of privilege the user requires in order to satisfy this step from a security perspective.
3. make operator - executed via a namespace admin user - all roles and bindings have been applied at this point so all that's left is the deployment and infrastructure (operand service accounts).

The `kamel install` binary has, from my understanding, blurred these steps and as a consequence installed via a cluster-admin. OLM has mitigated this on openshift with the CSV bundle taking out most of the cluster-level resources. However, without OLM, which is what kustomize addresses, that issue comes back. Is the install approaching from a least-user privilege position because I am not sure a cluster-admin position is sustainable?

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
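Review bot: `ExecMake(t, Make("setup-cluster", ...))` in `TestBasicOperator` applies the cluster-scoped resources from inside the test, so the test repeats the cluster-setup the github action already performed and only passes when the test identity is a cluster-admin; the header comment that explains the Goland `integration` build tag should also state that privilege requirement, or the target should be skipped when cluster-setup has been done outside the test.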
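A preflight check for the three-step privilege model set out in the comment (cluster-admin for cluster-setup, a privileged namespace user for setup, a namespace admin for operator), added here as an example and not part of the pull request or the camel-k project. The mapping of each make target to the resource kinds it creates is an assumption for illustration, not read from the kustomize Makefile.

```shell
#!/bin/sh
# Preflight for the three install steps (cluster-setup, setup, operator).
# Assumed mapping of make target -> resource kinds it must create; this is
# NOT read from the camel-k Makefile and should be adjusted to the real manifests:
#   cluster-setup : customresourcedefinitions clusterroles  (cluster scope)
#   setup         : serviceaccounts roles rolebindings     (namespace scope)
#   operator      : deployments                            (namespace scope)
# Each check asks the API server via `kubectl auth can-i`, which prints yes/no
# for the identity in the current kubeconfig.

# resources_for_step STEP -> prints the resource kinds STEP needs to create
resources_for_step() {
  case "$1" in
    cluster-setup) echo "customresourcedefinitions clusterroles" ;;
    setup)         echo "serviceaccounts roles rolebindings" ;;
    operator)      echo "deployments" ;;
    *)             echo "unknown step: $1" >&2; return 2 ;;
  esac
}

# scope_flag STEP NAMESPACE -> --namespace flag for namespaced steps, nothing for cluster scope
scope_flag() {
  case "$1" in
    cluster-setup) : ;;
    *)             echo "--namespace=$2" ;;
  esac
}

# check_step STEP NAMESPACE -> prints every missing "create" permission for the
# current identity; returns 0 when the step can be applied, 1 otherwise
check_step() {
  step=$1; ns=$2; missing=0
  for res in $(resources_for_step "$step"); do
    answer=$(kubectl auth can-i create "$res" $(scope_flag "$step" "$ns") 2>/dev/null)
    if [ "$answer" != "yes" ]; then
      echo "$step: current identity cannot create $res"
      missing=1
    fi
  done
  return "$missing"
}

# preflight NAMESPACE -> runs all three checks; returns 1 if any step is blocked
preflight() {
  rc=0
  for step in cluster-setup setup operator; do
    check_step "$step" "$1" || rc=1
  done
  return "$rc"
}
```

Run `preflight <namespace>` once per identity that will execute a target; the printed lines name the step that still needs a higher privilege than that identity holds.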
