Tighten kubeconfig integration assertions and namespace denial check.

anniegracehu · anniegracehu · commit dcc7bb1f74fe · 2026-03-24T09:57:05.000-07:00
Validate that -x sets both cluster entry names and context cluster reference, and ensure the cross-namespace consumer denial test verifies the forbidden error references the target namespace.

Made-with: Cursor
diff --git a/tests/test_provider_kubeconfig.py b/tests/test_provider_kubeconfig.py
@@ -173,6 +173,8 @@ def _assert_kubeconfig_valid(
         if expected_cluster_name:
             self.assertEqual(cfg.get("current-context"), expected_cluster_name)
             self.assertEqual(ctx_entry.get("name"), expected_cluster_name)
+            self.assertEqual(cluster_entry.get("name"), expected_cluster_name)
+            self.assertEqual(ctx.get("cluster"), expected_cluster_name)
         if expected_namespace:
             self.assertEqual(ctx.get("namespace"), expected_namespace)
 
@@ -289,8 +291,7 @@ def test_flags_s_and_x_combined(self):
 
     def test_consumer_cannot_create_pod_in_other_namespace(self):
         """
-        Consumer kubeconfig: verify create/delete in other namespaces is forbidden.
-        Consumer RBAC should restrict operations; creating a pod in another ns should fail.
+        Consumer kubeconfig: verify creating a pod in another namespace is forbidden.
         """
         ns = "kubeplus-test-restrict-" + uuid.uuid4().hex[:8]
         other_ns = "kubeplus-test-other-" + uuid.uuid4().hex[:8]
@@ -320,6 +321,11 @@ def test_consumer_cannot_create_pod_in_other_namespace(self):
                 "Consumer should not be able to create pod in other namespace; got out=%r err=%r"
                 % (out, err),
             )
+            self.assertIn(
+                other_ns,
+                err,
+                "Expected denial to reference the target other namespace; got err=%r" % (err,),
+            )
         finally:
             _run_command("kubectl delete namespace " + other_ns + self.kubeconfig_flag + " 2>/dev/null")
             self._delete_for_cleanup(ns, sa=consumer_sa)
