Skip to content

Add revoke action and YAML support for permission updates#1461

Open
anniegracehu wants to merge 11 commits intocloud-ark:masterfrom
anniegracehu:annie/revoke-update-perm-yaml-json
Open

Add revoke action and YAML support for permission updates#1461
anniegracehu wants to merge 11 commits intocloud-ark:masterfrom
anniegracehu:annie/revoke-update-perm-yaml-json

Conversation

@anniegracehu
Copy link
Copy Markdown
Collaborator

@anniegracehu anniegracehu commented Mar 30, 2026
edited
Loading

Summary

  • add revoke action to provider-kubeconfig.py
  • support both JSON and YAML permission files for update and revoke
  • keep <sa>-perms configmap synchronized when updating and revoking permissions
  • add tests for revoke CLI validation and permission file parsing
  • add manual YAML fixture for update/revoke e2e at tests/manual/update-revoke-perms.yaml

Test plan

  • python3 -m unittest tests/test_provider_kubeconfig.py

Manual update/revoke e2e (existing SA)

Use an existing service account (example: argocd-application-controller in argocd) and verify update/revoke without creating a new SA.

# Inputs
NS=default
SA=default
KCFG="$HOME/.kube/config"
PERMS=tests/manual/update-revoke-perms.yaml

# 1) Baseline (expected: no)
kubectl auth can-i create secrets -n "$NS" --as=system:serviceaccount:$NS:$SA --kubeconfig="$KCFG"

# 2) Grant via update (expected: yes)
python3 provider-kubeconfig.py update "$NS" -c "$SA" -p "$PERMS" -k "$KCFG"
kubectl auth can-i create secrets -n "$NS" --as=system:serviceaccount:$NS:$SA --kubeconfig="$KCFG"

# 3) Revoke (expected: no)
python3 provider-kubeconfig.py revoke "$NS" -c "$SA" -p "$PERMS" -k "$KCFG"
kubectl auth can-i create secrets -n "$NS" --as=system:serviceaccount:$NS:$SA --kubeconfig="$KCFG"

@anniegracehu
Add revoke action and YAML/JSON permission parsing.
6e0c42b 
Support permission updates and revocations from both JSON and YAML files, reuse shared parsing/configmap helpers, and extend tests to cover revoke CLI validation and multi-format permission file parsing.

Made-with: Cursor
@anniegracehu anniegracehu force-pushed the annie/revoke-update-perm-yaml-json branch from 5e4ab35 to 6e0c42b Compare March 30, 2026 18:23
@anniegracehu
Keep legacy update parser as runtime source of truth.
4719e7c 
Run new update parser in shadow mode behind an env flag and assert old/new parity, with tests validating parser output equivalence.

Made-with: Cursor
@anniegracehu
Minimize update parser parity diff.
49356a3 
Inline legacy update parsing in _update_rbac for source-of-truth behavior and keep old/new parity assertions behind KUBEPLUS_UPDATE_EQ_CHECK, while removing extra helper methods.

Made-with: Cursor
@anniegracehu
Shrink update path; fix revoke no-op; align parser with legacy.
3405b38 
Use _load_permission_data only in _update_rbac and keep the original rule loop. Drop dual-parser parity and its test. Match _parse_permission_rules to legacy by always appending rule_group. Return early from revoke when no update ClusterRole exists to avoid rewriting perms configmap.

Made-with: Cursor
@anniegracehu anniegracehu self-assigned this Mar 30, 2026
@anniegracehu
Restore update parser parity checks.
32ebc09 
Add _parse_update_rules_legacy for a single legacy implementation, optional KUBEPLUS_UPDATE_EQ_CHECK assertion against _parse_permission_rules in _update_rbac, and a unit test including non-apigroup edge cases.

Made-with: Cursor
@anniegracehu
Use single _parse_permission_rules for update and revoke.
28d25b5 
Remove duplicate _parse_update_rules_legacy and env parity self-check; add a focused test for non-apigroup edge case.

Made-with: Cursor
@anniegracehu
Add manual YAML fixture for update/revoke e2e checks.
146a8e4 
Provide a minimal permissions file to validate update/revoke against an existing service account during manual testing.

Made-with: Cursor
@anniegracehu
Add JSON/YAML permission fixtures for manual update/revoke checks.
15ee238 
Provide three paired examples under tests/permission_files to validate update/revoke behavior with auth can-i for both input formats.

Made-with: Cursor
@anniegracehu
Add test coverage for permission fixture files.
b2cf020 
Parse all JSON and YAML fixtures in tests/permission_files through provider-kubeconfig helpers to validate real file-based inputs used in manual update/revoke checks.

Made-with: Cursor
@anniegracehu
Remove obsolete manual update/revoke permission fixture.
eeff860 
Use tests/permission_files fixtures for manual checks and test coverage instead of the old tests/manual file.

Made-with: Cursor
@anniegracehu
Add integration test for JSON/YAML auth can-i equivalence.
ff11a68 
Verify update/revoke using matching JSON and YAML permission fixtures produce the same auth can-i transition on an existing service account (deny -> allow -> deny).

Made-with: Cursor
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devdattakulkarni devdattakulkarni Awaiting requested review from devdattakulkarni

Assignees

@anniegracehu anniegracehu

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@anniegracehu