
Commit e1f47fe

Merge commit from fork
Signed-off-by: Oliver Bähler <[email protected]>
1 parent 24543aa commit e1f47fe


2 files changed

+41
-7
lines changed


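--- a/e2e/namespace_hijacking_test.go
+++ b/e2e/namespace_hijacking_test.go
@@ -54,7 +54,7 @@ var _ = Describe("creating several Namespaces for a Tenant", Label("namespace"),
 
 })
 
-It("Can't hijack offlimits namespace", func() {
+It("Can't hijack offlimits namespace (Ownerreferences)", func() {
 tenant := &capsulev1beta2.Tenant{}
 Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: tnt.Name}, tenant)).Should(Succeed())
 
@@ -72,6 +72,40 @@ var _ = Describe("creating several Namespaces for a Tenant", Label("namespace"),
 }
 })
 
+It("Can't hijack offlimits namespace (Labels)", func() {
+tenant := &capsulev1beta2.Tenant{}
+Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: tnt.Name}, tenant)).Should(Succeed())
+
+// Get the namespace
+Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: kubeSystem.GetName()}, kubeSystem)).Should(Succeed())
+
+for _, owner := range tnt.Spec.Owners {
+cs := ownerClient(owner)
+
+patch := []byte(fmt.Sprintf(`{"metadata":{"labels":{"%s":"%s"}}}`, "capsule.clastix.io/tenant", tenant.GetName()))
+
+_, err := cs.CoreV1().Namespaces().Patch(context.TODO(), kubeSystem.Name, types.StrategicMergePatchType, patch, metav1.PatchOptions{})
+Expect(err).To(HaveOccurred())
+}
+})
+
+It("Can't hijack offlimits namespace (Annotations)", func() {
+tenant := &capsulev1beta2.Tenant{}
+Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: tnt.Name}, tenant)).Should(Succeed())
+
+// Get the namespace
+Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: kubeSystem.GetName()}, kubeSystem)).Should(Succeed())
+
+for _, owner := range tnt.Spec.Owners {
+cs := ownerClient(owner)
+
+patch := []byte(fmt.Sprintf(`{"metadata":{"annotations":{"%s":"%s"}}}`, "capsule.clastix.io/tenant", tenant.GetName()))
+
+_, err := cs.CoreV1().Namespaces().Patch(context.TODO(), kubeSystem.Name, types.StrategicMergePatchType, patch, metav1.PatchOptions{})
+Expect(err).To(HaveOccurred())
+}
+})
+
 It("Owners can create and attempt to patch new namespaces but patches should not be applied", func() {
 for _, owner := range tnt.Spec.Owners {
 cs := ownerClient(owner)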
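Review bot: `Expect(err).To(HaveOccurred())` in the two new tests (new-file lines 88 and 105) accepts any failure, so the check also passes if the owner's client is simply forbidden from patching kube-system by RBAC or the API server is unreachable, which would not prove that the webhook rejects the label/annotation hijack. Asserting on the denial itself would pin the behaviour, e.g. `Expect(err.Error()).To(ContainSubstring("..."))` with the webhook's denial message, which is not visible from this hunk. The `tenant` fetched at the top of each test is only used for `tenant.GetName()`, which is already available as `tnt.Name`, so the extra Get can go. The two bodies differ only in the `labels`/`annotations` key; a `DescribeTable` over the metadata field would keep a single copy. The hard-coded `"capsule.clastix.io/tenant"` key presumably mirrors the label the webhook keys on; deriving it from the same helper the controller uses would stop the test from silently passing (patching an unrelated key) if that label ever changes.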

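--- a/pkg/webhook/namespace/validation/patch.go
+++ b/pkg/webhook/namespace/validation/patch.go
@@ -66,14 +66,14 @@ func (r *patchHandler) OnUpdate(c client.Client, decoder admission.Decoder, reco
 return &response
 }
 
-if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {
-recorder.Eventf(tnt, corev1.EventTypeWarning, "NamespacePatch", e)
-response := admission.Denied(e)
-
-return &response
+if utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {
+return nil
 }
 }
 
-return nil
+recorder.Eventf(ns, corev1.EventTypeWarning, "NamespacePatch", e)
+response := admission.Denied(e)
+
+return &response
 }
 }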
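Review bot: The new fall-through to `recorder.Eventf(ns, ...)` / `admission.Denied(e)` makes the handler fail closed, but nothing in the code says so, and the block closed by the `}` on new-file line 72 has its condition outside this hunk, so a reader cannot tell from here which cases (no tenant resolved for the namespace, a non-owner caller) now end in a denial. A comment above the `IsTenantOwner` check would record the intent: `// Fail closed: only an owner of the tenant this namespace already belongs to may patch it; any other caller that reaches this point (no tenant resolved, or a non-owner) is treated as a hijack attempt and denied.` Since `tnt` may now be unset on the denial path, recording the event on `ns` instead of `tnt` is the right choice, but the message `e` is built before the hunk, so I cannot confirm it still reads correctly for the no-tenant case. Fail-closed here also only holds if the webhook registration uses `failurePolicy: Fail`, which this commit does not touch. `OnUpdate` starts before the hunk.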
