SelfSubjectAccessReviews now work with the k8s module (#237)

* SelfSubjectAccessReviews now work with the k8s module
2026-03-26 21:33:02 +00:00 · 2020-09-28 12:20:01 -04:00
parent 5de49373b7
commit 0f3fef927e
3 changed files with 25 additions and 2 deletions
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -28,6 +28,7 @@
    - include_tasks: tasks/exec.yml
    - include_tasks: tasks/log.yml
    - include_tasks: tasks/cluster_info.yml
+    - include_tasks: tasks/access_review.yml

  roles:
    - helm
--- a/molecule/default/tasks/access_review.yml
+++ b/molecule/default/tasks/access_review.yml
@@ -0,0 +1,22 @@
+---
+- name: Create a SelfSubjectAccessReview resource
+  register: can_i_create_namespaces
+  ignore_errors: yes
+  k8s:
+    state: present
+    definition:
+      apiVersion: authorization.k8s.io/v1
+      kind: SelfSubjectAccessReview
+      spec:
+        resourceAttributes:
+          group: v1
+          resource: Namespace
+          verb: create
+
+- name: Assert that the SelfSubjectAccessReview request succeded
+  assert:
+    that:
+      - can_i_create_namespaces is successful
+      - can_i_create_namespaces.result.status is defined
+      - can_i_create_namespaces.result.status.allowed is defined
+      - can_i_create_namespaces.result.status.allowed
--- a/plugins/module_utils/common.py
+++ b/plugins/module_utils/common.py
@@ -38,7 +38,7 @@ try:
    from openshift.dynamic import DynamicClient
    from openshift.dynamic.exceptions import (
        ResourceNotFoundError, ResourceNotUniqueError, NotFoundError, DynamicApiError,
-        ConflictError, ForbiddenError)
+        ConflictError, ForbiddenError, MethodNotAllowedError)
    HAS_K8S_MODULE_HELPER = True
    k8s_import_exception = None
 except ImportError as e:
@@ -610,7 +610,7 @@ class K8sAnsibleMixin(object):
            if namespace:
                params['namespace'] = namespace
            existing = resource.get(**params)
-        except NotFoundError:
+        except (NotFoundError, MethodNotAllowedError):
            # Remove traceback so that it doesn't show up in later failures
            try:
                sys.exc_clear()