Log in
Log in
Log in
Book a Demo
Get Started
630.1K 456.7K 7.8K
Back to Repositories

Validating RBAC Pod Log Reader Configuration in Apache Airflow

This test suite validates RBAC Pod Log Reader functionality in Apache Airflow’s Helm chart implementation. It ensures proper role bindings and permissions for pod log access across different deployment configurations and namespace modes.

Test Coverage Overview

The test suite comprehensively covers RBAC pod log reader configurations in Airflow Helm deployments.

  • Tests role bindings for different combinations of triggerer and webserver configurations
  • Validates pod log reader role creation and naming
  • Covers multi-namespace mode scenarios
  • Tests cluster-wide vs namespace-scoped permissions

Implementation Analysis

The implementation uses pytest’s parametrize feature for systematic testing of different configuration combinations.

Testing approach includes:
  • Helm chart rendering with specific value configurations
  • JMESPath queries for YAML document validation
  • Assertion-based verification of role names and binding configurations

Technical Details

Key technical components include:
  • pytest framework for test organization
  • Helm template generator for chart rendering
  • JMESPath for YAML parsing and querying
  • Custom chart rendering utility functions
  • RBAC configuration validation tools

Best Practices Demonstrated

The test suite exemplifies several testing best practices:

  • Parametrized test cases for comprehensive coverage
  • Isolated test functions for specific functionality
  • Clear test case organization and naming
  • Systematic validation of RBAC configurations
  • Efficient test data handling through fixtures

apache/airflow

helm_tests/security/test_rbac_pod_log_reader.py

            
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
from __future__ import annotations

import jmespath
import pytest

from tests.charts.helm_template_generator import render_chart


class TestPodReader:
    """Tests RBAC Pod Reader."""

    @pytest.mark.parametrize(
        "triggerer, webserver, expected",
        [
            (True, True, ["release-name-airflow-webserver", "release-name-airflow-triggerer"]),
            (True, False, ["release-name-airflow-triggerer"]),
            (False, True, ["release-name-airflow-webserver"]),
            (False, False, []),
        ],
    )
    def test_pod_log_reader_rolebinding(self, triggerer, webserver, expected):
        docs = render_chart(
            values={
                "triggerer": {"enabled": triggerer},
                "webserver": {"allowPodLogReading": webserver},
            },
            show_only=["templates/rbac/pod-log-reader-rolebinding.yaml"],
        )
        actual = jmespath.search("subjects[*].name", docs[0]) if docs else []
        assert actual == expected

    @pytest.mark.parametrize(
        "triggerer, webserver, expected",
        [
            (True, True, "release-name-pod-log-reader-role"),
            (True, False, "release-name-pod-log-reader-role"),
            (False, True, "release-name-pod-log-reader-role"),
            (False, False, None),
        ],
    )
    def test_pod_log_reader_role(self, triggerer, webserver, expected):
        docs = render_chart(
            values={
                "triggerer": {"enabled": triggerer},
                "webserver": {"allowPodLogReading": webserver},
            },
            show_only=["templates/rbac/pod-log-reader-role.yaml"],
        )
        actual = jmespath.search("metadata.name", docs[0]) if docs else None
        assert actual == expected

    @pytest.mark.parametrize(
        "multiNamespaceMode, namespace, expectedRole, expectedRoleBinding",
        [
            (
                True,
                "namespace",
                "namespace-release-name-pod-log-reader-role",
                "namespace-release-name-pod-log-reader-rolebinding",
            ),
            (
                True,
                "other-ns",
                "other-ns-release-name-pod-log-reader-role",
                "other-ns-release-name-pod-log-reader-rolebinding",
            ),
            (
                False,
                "namespace",
                "release-name-pod-log-reader-role",
                "release-name-pod-log-reader-rolebinding",
            ),
        ],
    )
    def test_pod_log_reader_rolebinding_multi_namespace(
        self, multiNamespaceMode, namespace, expectedRole, expectedRoleBinding
    ):
        docs = render_chart(
            namespace=namespace,
            values={"webserver": {"allowPodLogReading": True}, "multiNamespaceMode": multiNamespaceMode},
            show_only=["templates/rbac/pod-log-reader-rolebinding.yaml"],
        )

        actualRoleBinding = jmespath.search("metadata.name", docs[0])
        assert actualRoleBinding == expectedRoleBinding

        actualRoleRef = jmespath.search("roleRef.name", docs[0])
        assert actualRoleRef == expectedRole

        actualKind = jmespath.search("kind", docs[0])
        actualRoleRefKind = jmespath.search("roleRef.kind", docs[0])
        if multiNamespaceMode:
            assert actualKind == "ClusterRoleBinding"
            assert actualRoleRefKind == "ClusterRole"
        else:
            assert actualKind == "RoleBinding"
            assert actualRoleRefKind == "Role"

    @pytest.mark.parametrize(
        "multiNamespaceMode, namespace, expectedRole",
        [
            (True, "namespace", "namespace-release-name-pod-log-reader-role"),
            (True, "other-ns", "other-ns-release-name-pod-log-reader-role"),
            (False, "namespace", "release-name-pod-log-reader-role"),
        ],
    )
    def test_pod_log_reader_role_multi_namespace(self, multiNamespaceMode, namespace, expectedRole):
        docs = render_chart(
            namespace=namespace,
            values={"webserver": {"allowPodLogReading": True}, "multiNamespaceMode": multiNamespaceMode},
            show_only=["templates/rbac/pod-log-reader-role.yaml"],
        )

        actualRole = jmespath.search("metadata.name", docs[0])
        assert actualRole == expectedRole

        actualKind = jmespath.search("kind", docs[0])
        if multiNamespaceMode:
            assert actualKind == "ClusterRole"
        else:
            assert actualKind == "Role"