k8s_rbac_cluster_role resource
Use the k8s_rbac_cluster_role
Chef InSpec audit resource to test the Role-based access control (RBAC) cluster role settings.
Installation
Syntax
describe k8s_rbac_cluster_role(name: "NAME") do
#...
end
Parameters
name
- Cluster role name.
Properties
uid
- UID of the cluster role.
kind
- Resource type of the cluster role.
resource_version
- Resource version of the cluster role.
labels
- Labels attached to the cluster role.
annotations
- Annotations of the cluster role.
rules
- List of rules set for the cluster role.
aggregation_rule
- Aggregation rule set for the cluster role.
cluster_role_selectors
- List of aggregation rule cluster role selectors set for the cluster role.
metadata
- Metadata of the cluster role.
creation_timestamp
- Creation timestamp of the cluster role.
Examples
Test to verify that the RBAC cluster role with the specified name exists
describe k8s_rbac_cluster_role(name: "CLUSTER_ROLE_NAME") do
it { should exist }
end
Test to verify rules set for the specified cluster role
describe k8s_rbac_cluster_role(name: "pod-reader") do
it { should exist }
its('rules') { should include apiGroups: [""], resources: ["pods"], verbs: ["get", "list", "watch"] }
end
Test to verify aggregation rule is not empty and cluster role selectors have the specified value
describe k8s_rbac_cluster_role(name: "monitoring") do
its("aggregation_rule") { should_not be_empty }
its("cluster_role_selectors") { should include matchLabels: { "rbac.example.com/aggregate-to-monitoring": "true" } }
end
Matchers
This Chef InSpec audit resource has the following special matchers. For a full list of available matchers, see our Universal Matchers page.