Fix unless no subresource tests, add go action caching

Signed-off-by: Micah Hausler <[email protected]>

.github/workflows/unit-tests.yaml

@@ -18,9 +18,23 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
-
+      - name: Restore cached modules
+        id: go-buildcache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
       - name: Build
         run: make build
-
+      - name: Save cached modules
+        id: go-buildcache-save
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
       - name: Run unit tests
         run: make test

internal/convert/testdata/cluster-admin.cedar

@@ -14,4 +14,5 @@ permit (
   principal in k8s::Group::"system:masters",
   action,
   resource is k8s::Resource
-);
+)
+unless { resource has subresource };

internal/convert/testdata/crazy-policy.cedar

@@ -12,7 +12,8 @@ when
   principal.name == "crazy-service-account" &&
   ["batch", "batch.k8s.aws"].contains(resource.apiGroup) &&
   ["jobs", "cronjobs"].contains(resource.resource)
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("crazy-policy")
 @clusterRole("crazy-policy")
@@ -27,7 +28,8 @@ when
   principal.namespace == "default" &&
   principal.name == "crazy-service-account" &&
   resource.resource == "something"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("crazy-policy")
 @clusterRole("crazy-policy")
@@ -109,7 +111,8 @@ when
     (
       resource.apiGroup
     )
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("crazy-policy")
 @clusterRole("crazy-policy")
@@ -145,7 +148,8 @@ when
   resource.resource == "configmaps" &&
   resource has name &&
   resource.name == "aws-auth"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("crazy-policy")
 @clusterRole("crazy-policy")
@@ -163,7 +167,8 @@ when
   resource.resource == "configmaps" &&
   resource has name &&
   ["kubeadm-config", "kube-proxy", "coredns"].contains(resource.name)
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("crazy-policy")
 @clusterRole("crazy-policy")
@@ -178,4 +183,5 @@ when
   principal.namespace == "default" &&
   principal.name == "crazy-service-account" &&
   resource.apiGroup == ""
-};
+}
+unless { resource has subresource };

internal/convert/testdata/kubeadm:get-nodes.cedar

@@ -6,4 +6,5 @@ permit (
   action == k8s::Action::"get",
   resource is k8s::Resource
 )
-when { resource.apiGroup == "" && resource.resource == "nodes" };
+when { resource.apiGroup == "" && resource.resource == "nodes" }
+unless { resource has subresource };

internal/convert/testdata/system:controller:horizontal-pod-autoscaler.cedar

@@ -12,7 +12,8 @@ when
   principal.name == "horizontal-pod-autoscaler" &&
   resource.apiGroup == "autoscaling" &&
   resource.resource == "horizontalpodautoscalers"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:controller:horizontal-pod-autoscaler")
 @clusterRole("system:controller:horizontal-pod-autoscaler")
@@ -81,7 +82,8 @@ when
   principal.name == "horizontal-pod-autoscaler" &&
   resource.apiGroup == "" &&
   resource.resource == "pods"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:controller:horizontal-pod-autoscaler")
 @clusterRole("system:controller:horizontal-pod-autoscaler")
@@ -97,7 +99,8 @@ when
   principal.name == "horizontal-pod-autoscaler" &&
   resource.apiGroup == "metrics.k8s.io" &&
   resource.resource == "pods"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:controller:horizontal-pod-autoscaler")
 @clusterRole("system:controller:horizontal-pod-autoscaler")
@@ -112,7 +115,8 @@ when
   principal.namespace == "kube-system" &&
   principal.name == "horizontal-pod-autoscaler" &&
   resource.apiGroup == "custom.metrics.k8s.io"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:controller:horizontal-pod-autoscaler")
 @clusterRole("system:controller:horizontal-pod-autoscaler")
@@ -127,7 +131,8 @@ when
   principal.namespace == "kube-system" &&
   principal.name == "horizontal-pod-autoscaler" &&
   resource.apiGroup == "external.metrics.k8s.io"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:controller:horizontal-pod-autoscaler")
 @clusterRole("system:controller:horizontal-pod-autoscaler")
@@ -144,4 +149,5 @@ when
   principal.name == "horizontal-pod-autoscaler" &&
   ["", "events.k8s.io"].contains(resource.apiGroup) &&
   resource.resource == "events"
-};
+}
+unless { resource has subresource };

internal/convert/testdata/system:controller:token-cleaner.cedar

@@ -19,7 +19,8 @@ when
   resource.resource == "secrets" &&
   resource has namespace &&
   resource.namespace == "kube-system"
-};
+}
+unless { resource has subresource };
 
 @roleBinding("system:controller:token-cleaner")
 @role("system:controller:token-cleaner")
@@ -39,4 +40,5 @@ when
   resource.resource == "events" &&
   resource has namespace &&
   resource.namespace == "kube-system"
-};
+}
+unless { resource has subresource };

internal/convert/testdata/system:coredns.cedar

@@ -12,7 +12,8 @@ when
   principal.name == "coredns" &&
   resource.apiGroup == "" &&
   ["endpoints", "services", "pods", "namespaces"].contains(resource.resource)
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:coredns")
 @clusterRole("system:coredns")
@@ -28,4 +29,5 @@ when
   principal.name == "coredns" &&
   resource.apiGroup == "discovery.k8s.io" &&
   resource.resource == "endpointslices"
-};
+}
+unless { resource has subresource };

internal/convert/testdata/system:kube-controller-manager.cedar

@@ -6,7 +6,8 @@ permit (
   action in [k8s::Action::"list", k8s::Action::"watch"],
   resource is k8s::Resource
 )
-when { principal.name == "system:kube-controller-manager" };
+when { principal.name == "system:kube-controller-manager" }
+unless { resource has subresource };
 
 @clusterRoleBinding("system:kube-controller-manager")
 @clusterRole("system:kube-controller-manager")

internal/convert/testdata/system:node-proxier.cedar

@@ -11,7 +11,8 @@ when
   principal.name == "system:kube-proxy" &&
   resource.apiGroup == "" &&
   ["endpoints", "services"].contains(resource.resource)
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:node-proxier")
 @clusterRole("system:node-proxier")
@@ -26,7 +27,8 @@ when
   principal.name == "system:kube-proxy" &&
   resource.apiGroup == "" &&
   resource.resource == "nodes"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:node-proxier")
 @clusterRole("system:node-proxier")
@@ -42,7 +44,8 @@ when
   principal.name == "system:kube-proxy" &&
   ["", "events.k8s.io"].contains(resource.apiGroup) &&
   resource.resource == "events"
-};
+}
+unless { resource has subresource };
 
 @clusterRoleBinding("system:node-proxier")
 @clusterRole("system:node-proxier")
@@ -57,4 +60,5 @@ when
   principal.name == "system:kube-proxy" &&
   resource.apiGroup == "discovery.k8s.io" &&
   resource.resource == "endpointslices"
-};
+}
+unless { resource has subresource };