community.okd/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml

---
- block:
    - set_fact:
        test_sa: "clusterrole-sa"
        test_ns: "clusterrole-ns"

    - name: Ensure namespace
      kubernetes.core.k8s:
        kind: Namespace
        name: "{{ test_ns }}"

    - name: Get cluster information
      kubernetes.core.k8s_cluster_info:
      register: cluster_info
      no_log: true

    - set_fact:
        cluster_host: "{{ cluster_info['connection']['host'] }}"

    - name: Create Service account
      kubernetes.core.k8s:
        definition:
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: "{{ test_sa }}"
            namespace: "{{ test_ns }}"

    - name: Read Service Account
      kubernetes.core.k8s_info:
        kind: ServiceAccount
        namespace: "{{ test_ns }}"
        name: "{{ test_sa }}"
      register: result

    - set_fact:
        secret_token: "{{ result.resources[0]['secrets'][0]['name'] }}"

    - name: Get secret details
      kubernetes.core.k8s_info:
        kind: Secret
        namespace: '{{ test_ns }}'
        name: '{{ secret_token }}'
      register: _secret
      retries: 10
      delay: 10
      until:
        - ("'openshift.io/token-secret.value' in _secret.resources[0]['metadata']['annotations']") or ("'token' in _secret.resources[0]['data']")

    - set_fact:
        api_token: "{{ _secret.resources[0]['metadata']['annotations']['openshift.io/token-secret.value'] }}"
      when: "'openshift.io/token-secret.value' in _secret.resources[0]['metadata']['annotations']"

    - set_fact:
        api_token: "{{ _secret.resources[0]['data']['token'] | b64decode }}"
      when: "'token' in _secret.resources[0]['data']"

    - name: list Node should failed (forbidden user)
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Node
      register: error
      ignore_errors: true

    - assert:
        that:
          - '"nodes is forbidden: User" in error.msg'

    - name: list Pod for all namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Pod
      register: error
      ignore_errors: true

    - assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - name: list Pod for test namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Pod
        namespace: "{{ test_ns }}"
      register: error
      ignore_errors: true

    - assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - set_fact:
        test_labels:
          phase: dev
        cluster_roles:
          - name: pod-manager
            resources:
              - pods
            verbs:
              - list
            api_version_binding: "authorization.openshift.io/v1"
          - name: node-manager
            resources:
              - nodes
            verbs:
              - list
            api_version_binding: "rbac.authorization.k8s.io/v1"

    - name: Create cluster roles
      kubernetes.core.k8s:
        definition:
          kind: ClusterRole
          apiVersion: "rbac.authorization.k8s.io/v1"
          metadata:
            name: "{{ item.name }}"
            labels: "{{ test_labels }}"
          rules:
            - apiGroups: [""]
              resources: "{{ item.resources }}"
              verbs: "{{ item.verbs }}"
      with_items: '{{ cluster_roles }}'

    - name: Create Role Binding (namespaced)
      kubernetes.core.k8s:
        definition:
          kind: RoleBinding
          apiVersion: "rbac.authorization.k8s.io/v1"
          metadata:
            name: "{{ cluster_roles[0].name }}-binding"
            namespace: "{{ test_ns }}"
            labels: "{{ test_labels }}"
          subjects:
            - kind: ServiceAccount
              name: "{{ test_sa }}"
              namespace: "{{ test_ns }}"
              apiGroup: ""
          roleRef:
            kind: ClusterRole
            name: "{{ cluster_roles[0].name }}"
            apiGroup: ""

    - name: list Pod for all namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Pod
      register: error
      ignore_errors: true

    - assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - name: list Pod for test namespace should succeed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Pod
        namespace: "{{ test_ns }}"
      no_log: true

    - name: Create Cluster role Binding
      kubernetes.core.k8s:
        definition:
          kind: ClusterRoleBinding
          apiVersion: "{{ item.api_version_binding }}"
          metadata:
            name: "{{ item.name }}-binding"
            labels: "{{ test_labels }}"
          subjects:
            - kind: ServiceAccount
              name: "{{ test_sa }}"
              namespace: "{{ test_ns }}"
              apiGroup: ""
          roleRef:
            kind: ClusterRole
            name: "{{ item.name }}"
            apiGroup: ""
      with_items: "{{ cluster_roles }}"

    - name: list Pod for all namespace should succeed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Pod
      no_log: true

    - name: list Pod for test namespace should succeed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Pod
        namespace: "{{ test_ns }}"
      no_log: true

    - name: list Node using ServiceAccount
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Node
        namespace: "{{ test_ns }}"
      no_log: true

    - name: Prune clusterroles (check mode)
      community.okd.openshift_adm_prune_auth:
        resource: clusterroles
        label_selectors:
          - phase=dev
      register: check
      check_mode: true

    - name: validate clusterrole binding candidates for prune
      assert:
        that:
          - '"{{ item.name }}-binding" in check.cluster_role_binding'
          - '"{{ test_ns }}/{{ cluster_roles[0].name }}-binding" in check.role_binding'
      with_items: "{{ cluster_roles }}"

    - name: Prune Cluster Role for managing Pod
      community.okd.openshift_adm_prune_auth:
        resource: clusterroles
        name: "{{ cluster_roles[0].name }}"

    - name: list Pod for all namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Pod
      register: error
      no_log: true
      ignore_errors: true

    - assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - name: list Pod for test namespace should failed
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Pod
        namespace: "{{ test_ns }}"
      register: error
      no_log: true
      ignore_errors: true

    - assert:
        that:
          - '"pods is forbidden: User" in error.msg'

    - name: list Node using ServiceAccount
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Node
        namespace: "{{ test_ns }}"
      no_log: true

    - name: Prune clusterroles (remaining)
      community.okd.openshift_adm_prune_auth:
        resource: clusterroles
        label_selectors:
          - phase=dev

    - name: list Node using ServiceAccount should fail
      kubernetes.core.k8s_info:
        api_key: "{{ api_token }}"
        host: "{{ cluster_host }}"
        validate_certs: no
        kind: Node
        namespace: "{{ test_ns }}"
      register: error
      ignore_errors: true

    - assert:
        that:
          - '"nodes is forbidden: User" in error.msg'

  always:
    - name: Ensure namespace is deleted
      kubernetes.core.k8s:
        state: absent
        kind: Namespace
        name: "{{ test_ns }}"
      ignore_errors: true

    - name: Delete ClusterRoleBinding
      kubernetes.core.k8s:
        kind: ClusterRoleBinding
        api_version: "rbac.authorization.k8s.io/v1"
        name: "{{ item.name }}-binding"
        state: absent
      ignore_errors: true
      with_items: "{{ cluster_roles }}"
      when: cluster_roles is defined

    - name: Delete ClusterRole
      kubernetes.core.k8s:
        kind: ClusterRole
        api_version: "rbac.authorization.k8s.io/v1"
        name: "{{ item.name }}"
        state: absent
      ignore_errors: true
      with_items: "{{ cluster_roles }}"
      when: cluster_roles is defined