Add multi-violation CEL integration tests for OIDCConfigRef and AuthzConfigRef#4309
Open
ChrisJBurns wants to merge 1 commit intomainfrom
Open
Add multi-violation CEL integration tests for OIDCConfigRef and AuthzConfigRef#4309ChrisJBurns wants to merge 1 commit intomainfrom
ChrisJBurns wants to merge 1 commit intomainfrom
Conversation
…ConfigRef Test that the API server surfaces multiple CEL violations simultaneously: - OIDCConfigRef: type=configMap with only inline set triggers both the missing-configMap and extra-inline rules at once - OIDCConfigRef: type=inline with inline+kubernetes set triggers the kubernetes-not-allowed rule - AuthzConfigRef: type=configMap with only inline set triggers both the missing-configMap and extra-inline rules at once Co-authored-by: Chris Burns <ChrisJBurns@users.noreply.github.com>
ChrisJBurns
requested review from
JAORMX,
jerm-dro,
jhrozek and
yrobla
as code owners
Collaborator
Author
|
@claude please update the pr description |
Contributor
|
Claude finished @ChrisJBurns's task in 1m 18s —— View job Updating PR Description
The Summary
Type of change
Test plan
Changes
Does this introduce a user-facing change?No Generated with Claude Code |
jhrozek
approved these changes
Mar 23, 2026
Contributor
jhrozek
left a comment
jhrozek
left a comment
There was a problem hiding this comment.
Reviewed the full changeset (49 lines, single test file). Tests are technically correct — all assertions match actual CEL rule behavior and will pass. The And(ContainSubstring(...)) pattern is the right Gomega idiom for order-independent multi-message checks, resource names are unique, and the file follows existing conventions.
Minor observations (non-blocking):
- The second OIDC test (
oidc-inline-with-k8s, line 183) only triggers one CEL rule (the kubernetes rule), so it's a single-violation test in the multi-violation context — not incorrect, just mislabeled organizationally. - The reverse AuthzConfigRef multi-violation direction (
type=inlinewith onlyconfigMapset) isn't covered, but this is additive.
Neither is worth blocking on. LGTM.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds some extra test cases to the CEL scenarios