Merge pull request #902 from fuel-wlightning/issue-872

#872 Add certificates and issuers to aggregated RBAC

Gopkg.lock

@@ -1377,9 +1377,11 @@
     "golang.org/x/oauth2/google",
     "google.golang.org/api/dns/v1",
     "k8s.io/api/admission/v1beta1",
+    "k8s.io/api/authorization/v1",
     "k8s.io/api/batch/v1",
     "k8s.io/api/core/v1",
     "k8s.io/api/extensions/v1beta1",
+    "k8s.io/api/rbac/v1",
     "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1",
     "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset",
     "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1",

contrib/charts/cert-manager/Chart.yaml

@@ -1,6 +1,6 @@
 name: cert-manager
-version: v0.6.0-dev.0
-appVersion: v0.6.0-dev.0
+version: v0.6.0-dev.1
+appVersion: v0.6.0-dev.1
 description: A Helm chart for cert-manager
 home: https://github.com/jetstack/cert-manager
 keywords:

contrib/charts/cert-manager/templates/rbac.yaml

@@ -36,4 +36,37 @@ subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
     namespace: {{ .Release.Namespace | quote }}
     kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-view
+  labels:
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates", "issuers"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-edit
+  labels:
+    app: {{ template "cert-manager.name" . }}
+    chart: {{ template "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates", "issuers"]
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]
 {{- end -}}

contrib/manifests/cert-manager/with-rbac.yaml

@@ -18,7 +18,7 @@ metadata:
   namespace: "cert-manager"
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 ---
@@ -31,7 +31,7 @@ metadata:
     "helm.sh/hook": crd-install
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 spec:
@@ -55,7 +55,7 @@ metadata:
     "helm.sh/hook": crd-install
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 spec:
@@ -75,7 +75,7 @@ metadata:
     "helm.sh/hook": crd-install
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 spec:
@@ -93,7 +93,7 @@ metadata:
   name: cert-manager
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 rules:
@@ -113,7 +113,7 @@ metadata:
   name: cert-manager
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 roleRef:
@@ -125,6 +125,39 @@ subjects:
     namespace: "cert-manager"
     kind: ServiceAccount
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-view
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.6.0-dev.1
+    release: cert-manager
+    heritage: Tiller
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates", "issuers"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-edit
+  labels:
+    app: cert-manager
+    chart: cert-manager-v0.6.0-dev.1
+    release: cert-manager
+    heritage: Tiller
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups: ["certmanager.k8s.io"]
+    resources: ["certificates", "issuers"]
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]
+---
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1beta1
 kind: Deployment
@@ -133,7 +166,7 @@ metadata:
   namespace: "cert-manager"
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 spec:

contrib/manifests/cert-manager/without-rbac.yaml

@@ -19,7 +19,7 @@ metadata:
     "helm.sh/hook": crd-install
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 spec:
@@ -43,7 +43,7 @@ metadata:
     "helm.sh/hook": crd-install
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 spec:
@@ -63,7 +63,7 @@ metadata:
     "helm.sh/hook": crd-install
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 spec:
@@ -82,7 +82,7 @@ metadata:
   namespace: "cert-manager"
   labels:
     app: cert-manager
-    chart: cert-manager-v0.6.0-dev.0
+    chart: cert-manager-v0.6.0-dev.1
     release: cert-manager
     heritage: Tiller
 spec:

test/e2e/certificate/BUILD.bazel

@@ -6,6 +6,7 @@ go_library(
         "certificate_acme.go",
         "certificate_acme_dns01.go",
         "certificate_ca.go",
+        "certificate_rbac.go",
         "certificate_selfsigned.go",
         "certificate_vault.go",
     ],

test/e2e/certificate/certificate_rbac.go

@@ -0,0 +1,204 @@
+/*
+Copyright 2018 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificate
+
+import (
+	"github.com/jetstack/cert-manager/test/e2e/framework"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = framework.CertManagerDescribe("Service Account", func() {
+	f := framework.NewDefaultFramework("certificate-rbac")
+	resource := "certificates" // this file is related to certificates
+
+	Context("with namespace view access", func() {
+		clusterRole := "view"
+		It("shouldn't be able to create certificates", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to delete certificates", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to delete collections of certificates", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to patch certificates", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to update certificates", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("should be able to get certificates", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list certificates", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch certificates", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+	Context("with namespace edit access", func() {
+		clusterRole := "edit"
+		It("should be able to create certificates", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete certificates", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete collections of certificates", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to patch certificates", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to update certificates", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to get certificates", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list certificates", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch certificates", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+
+	Context("with namespace admin access", func() {
+		clusterRole := "admin"
+		It("should be able to create certificates", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete certificates", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete collections of certificates", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to patch certificates", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to update certificates", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to get certificates", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list certificates", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch certificates", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+})

test/e2e/framework/BUILD.bazel

@@ -16,7 +16,9 @@ go_library(
         "//vendor/github.com/onsi/ginkgo:go_default_library",
         "//vendor/github.com/onsi/ginkgo/config:go_default_library",
         "//vendor/github.com/onsi/gomega:go_default_library",
+        "//vendor/k8s.io/api/authorization/v1:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/api/rbac/v1:go_default_library",
         "//vendor/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
         "//vendor/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",

test/e2e/framework/framework.go

@@ -20,6 +20,7 @@ import (
 	"k8s.io/api/core/v1"
 	apiextcs "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -41,6 +42,9 @@ type Framework struct {
 	// Namespace in which all test resources should reside
 	Namespace *v1.Namespace
 
+	// Config which was used to create the connection.
+	Config *rest.Config
+
 	// To make sure that this framework cleans up after itself, no matter what,
 	// we install a Cleanup action before each test and clear it after.  If we
 	// should abort, the AfterSuite hook should run all Cleanup actions.
@@ -67,6 +71,7 @@ func (f *Framework) BeforeEach() {
 	By("Creating a kubernetes client")
 	kubeConfig, err := LoadConfig(TestContext.KubeConfig, TestContext.KubeContext)
 	Expect(err).NotTo(HaveOccurred())
+	f.Config = kubeConfig
 
 	f.KubeClientSet, err = kubernetes.NewForConfig(kubeConfig)
 	Expect(err).NotTo(HaveOccurred())

test/e2e/framework/util.go

@@ -23,7 +23,9 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
+	authorizationv1 "k8s.io/api/authorization/v1"
 	"k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	apiextcs "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -306,3 +308,61 @@ func podRunning(c kubernetes.Interface, podName, namespace string) wait.Conditio
 		return false, nil
 	}
 }
+
+func RbacClusterRoleHasAccessToResource(f *Framework, clusterRole string, verb string, resource string) bool {
+	By("Creating a service account")
+	viewServiceAccount := &v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "rbac-test-",
+		},
+	}
+	serviceAccountClient := f.KubeClientSet.CoreV1().ServiceAccounts(f.Namespace.Name)
+	serviceAccount, err := serviceAccountClient.Create(viewServiceAccount)
+	Expect(err).NotTo(HaveOccurred())
+	viewServiceAccountName := serviceAccount.Name
+
+	By("Creating ClusterRoleBinding to view " + clusterRole + " clusterRole")
+	viewRoleBinding := &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: viewServiceAccountName + "-rb-",
+		},
+		Subjects: []rbacv1.Subject{
+			{Kind: "ServiceAccount", Name: viewServiceAccountName, Namespace: f.Namespace.Name},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     clusterRole,
+		},
+	}
+	roleBindingClient := f.KubeClientSet.RbacV1().ClusterRoleBindings()
+	_, err = roleBindingClient.Create(viewRoleBinding)
+	Expect(err).NotTo(HaveOccurred())
+
+	By("Sleeping for a second.")
+	// to allow RBAC to propagate
+	time.Sleep(time.Second)
+
+	By("Impersonating the Service Account")
+	var impersonateConfig *rest.Config
+	impersonateConfig = f.Config
+	impersonateConfig.Impersonate.UserName = "system:serviceaccount:" + f.Namespace.Name + ":" + viewServiceAccountName
+	impersonateClient, err := kubernetes.NewForConfig(impersonateConfig)
+	Expect(err).NotTo(HaveOccurred())
+
+	By("Submitting a self subject access review")
+	sarClient := impersonateClient.AuthorizationV1().SelfSubjectAccessReviews()
+	sar := &authorizationv1.SelfSubjectAccessReview{
+		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authorizationv1.ResourceAttributes{
+				Namespace: f.Namespace.Name,
+				Verb:      verb,
+				Group:     "certmanager.k8s.io",
+				Resource:  resource,
+			},
+		},
+	}
+	response, err := sarClient.Create(sar)
+	Expect(err).NotTo(HaveOccurred())
+	return response.Status.Allowed
+}

test/e2e/issuer/BUILD.bazel

@@ -5,6 +5,7 @@ go_library(
     srcs = [
         "issuer_acme.go",
         "issuer_ca.go",
+        "issuer_rbac.go",
         "issuer_vault.go",
     ],
     importpath = "github.com/jetstack/cert-manager/test/e2e/issuer",

test/e2e/issuer/issuer_rbac.go

@@ -0,0 +1,204 @@
+/*
+Copyright 2018 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package issuer
+
+import (
+	"github.com/jetstack/cert-manager/test/e2e/framework"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = framework.CertManagerDescribe("Service Account", func() {
+	f := framework.NewDefaultFramework("issuer-rbac")
+	resource := "issuers" // this file is related to issuers
+
+	Context("with namespace view access", func() {
+		clusterRole := "view"
+		It("shouldn't be able to create issuers", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to delete issuers", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to delete collections of issuers", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to patch issuers", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to update issuers", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("should be able to get issuers", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list issuers", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch issuers", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+	Context("with namespace edit access", func() {
+		clusterRole := "edit"
+		It("should be able to create issuers", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete issuers", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete collections of issuers", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to patch issuers", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to update issuers", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to get issuers", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list issuers", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch issuers", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+
+	Context("with namespace admin access", func() {
+		clusterRole := "admin"
+		It("should be able to create issuers", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete issuers", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete collections of issuers", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to patch issuers", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to update issuers", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to get issuers", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list issuers", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch issuers", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+})