
@fizz
Last active March 1, 2026 05:14
kubeflow-rbac-smoke.sh: RBAC smoke checks via kubectl auth can-i
#!/usr/bin/env bash
# Strict mode: stop on unhandled command failures, on use of unset variables,
# and when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail
# kubeflow-rbac-smoke.sh — RBAC smoke checks via kubectl auth can-i
#
# Usage:
# ./kubeflow-rbac-smoke.sh <kube-context>
# ./kubeflow-rbac-smoke.sh mlinfra-prod
# ./kubeflow-rbac-smoke.sh mlinfra-29
#
# Example output (mlinfra-prod, 2026-02-27):
#
# Kubeflow RBAC Smoke Checks
# Context: mlinfra-prod
# Timestamp: 2026-02-27T17:50:03Z
#
# PASS workflow-controller can list workflows cluster-wide (kubeflow/argo)
# PASS workflow-controller can list workflowtemplates cluster-wide (kubeflow/argo)
# PASS workflow-controller can list pods cluster-wide (kubeflow/argo)
# PASS workflow-controller can list configmaps cluster-wide (kubeflow/argo)
# PASS kserve controller can list inferenceservices (kubeflow SA)
# PASS kserve controller can list inferenceservices (kserve SA)
# PASS ml-pipeline scheduledworkflow SA can list workflows
#
# Summary: 7 passed, 0 failed
# Kube context to probe. When no (or an empty) first argument is given the
# script falls back to mlinfra-prod, so a bare invocation queries that cluster.
CTX="mlinfra-prod"
if [[ -n "${1-}" ]]; then
  CTX="$1"
fi
#######################################
# Abort the script unless the named executable can be resolved.
# Arguments: $1 - command name to look up
# Outputs:   an error line on stderr when the command is missing
# Returns:   0 when the command is found; otherwise exits with status 1
#######################################
need_cmd() {
  if command -v "$1" >/dev/null 2>&1; then
    return 0
  fi
  echo "error: missing required command: $1" >&2
  exit 1
}
# Fail early if a tool the script shells out to is not installed.
for required_tool in kubectl date; do
  need_cmd "$required_tool"
done

# Running totals, updated by check() and reported in the summary line.
pass_count=0 fail_count=0
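#######################################
# Run one `kubectl auth can-i` probe and record the result.
# Globals:   CTX (read); pass_count, fail_count (incremented)
# Arguments: $1 - human-readable check name printed after PASS/FAIL
#            $2 - single-line, whitespace-separated arguments appended to
#                 `kubectl auth can-i`
# Outputs:   "PASS <name>" or "FAIL <name>" on stdout; a warning on stderr
#            when kubectl answered neither "yes" nor "no"
# Returns:   0 in every case, so one failed probe does not stop the run
#######################################
check() {
  local name="$1"
  local args="$2"
  local out rc=0
  local -a argv=()

  # Split on whitespace without pathname expansion, so a literal '*' in the
  # can-i arguments is never replaced by file names from the working directory.
  read -r -a argv <<<"$args"

  # A denied answer may also exit non-zero, so the status is captured rather
  # than left for `set -e` to act on. The `+` form keeps an empty argv from
  # tripping `set -u` on older bash releases.
  out=$(kubectl --context "$CTX" auth can-i ${argv[@]+"${argv[@]}"} 2>/dev/null) || rc=$?

  if [[ "$out" == "yes" ]]; then
    printf "PASS %s\n" "$name"
    pass_count=$((pass_count + 1))
    return 0
  fi

  # Anything other than "no" means the question was never answered (for
  # example an unknown context, an unreachable API server, or a caller that is
  # not allowed to impersonate the --as identity). It still counts as a
  # failure, but it must not be mistaken for an RBAC denial.
  if [[ "$out" != "no" ]]; then
    printf 'warn: %s: kubectl returned no yes/no answer (exit %s); RBAC was not evaluated\n' \
      "$name" "$rc" >&2
  fi

  printf "FAIL %s\n" "$name"
  fail_count=$((fail_count + 1))
}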
# Report header: which context is being probed and when (UTC).
printf '%s\n' "Kubeflow RBAC Smoke Checks"
printf '%s\n' "Context: $CTX"
printf '%s\n' "Timestamp: $(date -u +"%Y-%m-%dT%H:%M:%SZ")"
printf '\n'

# Every probe below asks the API server on behalf of a service account via
# --as, so the credentials running this script need permission to impersonate
# those accounts. The probes are positive checks only: they confirm that an
# expected grant exists and say nothing about permissions that are too broad.

# Argo workflow-controller service account: cluster-wide list on each resource.
argo_identity="system:serviceaccount:kubeflow:argo"
for entry in \
  "workflows=workflows.argoproj.io" \
  "workflowtemplates=workflowtemplates.argoproj.io" \
  "pods=pods" \
  "configmaps=configmaps"; do
  check "workflow-controller can list ${entry%%=*} cluster-wide (kubeflow/argo)" \
    "list ${entry#*=} --all-namespaces --as=${argo_identity}"
done

# KServe controller manager, probed under both namespaces it may run in.
for sa_namespace in kubeflow kserve; do
  check "kserve controller can list inferenceservices (${sa_namespace} SA)" \
    "list inferenceservices.serving.kserve.io --all-namespaces --as=system:serviceaccount:${sa_namespace}:kserve-controller-manager"
done

# Pipelines scheduled-workflow service account.
check "ml-pipeline scheduledworkflow SA can list workflows" \
  "list workflows.argoproj.io --all-namespaces --as=system:serviceaccount:kubeflow:ml-pipeline-scheduledworkflow"

printf '\n'
printf '%s\n' "Summary: $pass_count passed, $fail_count failed"

# A non-zero exit lets CI or a calling script treat any failed probe as an error.
(( fail_count == 0 )) || exit 1