Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter out forbidden and terminating namespaces #2158

Merged
merged 2 commits into from
Nov 12, 2020
Merged

Filter out forbidden and terminating namespaces #2158

merged 2 commits into from
Nov 12, 2020

Conversation

andresmgot
Copy link
Contributor

Description of the change

This PR address two minor issues when listing namespaces:

  • Filter out namespaces in which the user don't have permissions (regardless if the user has permission to list namespace). This is to avoid showing unusable namespaces for the user.
  • Filter out namespaces that are in terminating status (which are not usable either).

Applicable issues

absoludity
absoludity approved these changes Nov 12, 2020
View reviewed changes
pkg/kube/kube_handler.go
readyNamespaces = append(readyNamespaces, namespace)
}
}
return readyNamespaces
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Functional code for the win :)

pkg/kube/kube_handler.go
@@ -649,36 +649,49 @@ func filterAllowedNamespaces(userClientset combinedClientsetInterface, namespace
allowedNamespaces = append(allowedNamespaces, namespace)
}
}
namespaces.Items = allowedNamespaces
return namespaces, nil
return allowedNamespaces, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this change, it might make sense to update the signature to accept namespaces []corev1.Namespace and just update callsites to call it with .Items on the list? Only reason is that then this can match the functional filter that you've created below (which is nicer, imo :) ). Whatever you think.

pkg/kube/kube_handler.go
namespaceList, err := filterAllowedNamespaces(a.clientset, namespaces)
if err != nil {
return nil, err
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure why this filter has been moved out to here: isn't it a superfluous (and relatively expensive) check if the request was done with the user's own credentials? (if you decide to move it back, just remember to update the wording of the second test which changed accordingly, I think)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not superfluous since it's covering the use case in which a user has permissions to list namespaces (which is harmless) but don't have permissions to access resources in all the namespaces (not an admin). This prevents people from using namespaces that they don't have access.

I'm thinking on the case, for example, I (andres@corp.com) have permissions to list namespaces but only have write access to my namespace foo. If bar exists, Kubeapps will autoselect the first namespace in alphabetical order (which is bar) so by default I will get a forbidden error if I try to do anything without changing the namespace.

@andresmgot andresmgot merged commit 9d7070b into master Nov 12, 2020
@absoludity absoludity deleted the listNSFilter branch November 13, 2020 01:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@absoludity absoludity absoludity approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@andresmgot @absoludity