diff --git a/pkg/webhooks/namespace/namespace.go b/pkg/webhooks/namespace/namespace.go index 065f9fe0..9cfe4b21 100644 --- a/pkg/webhooks/namespace/namespace.go +++ b/pkg/webhooks/namespace/namespace.go @@ -27,7 +27,6 @@ const ( layeredProductNamespace string = `^redhat-.*` layeredProductAdminGroupName string = "layered-sre-cluster-admins" docString string = `Managed OpenShift Customers may not modify namespaces specified in the %v ConfigMaps because customer workloads should be placed in customer-created namespaces. Customers may not create namespaces identified by this regular expression %s because it could interfere with critical DNS resolution. Additionally, customers may not set or change the values of these Namespace labels %s.` - clusterAdminGroup string = "cluster-admins" ) // exported vars to be used across packages @@ -352,7 +351,7 @@ func NewWebhook() *NamespaceWebhook { } func amIAdmin(request admissionctl.Request) bool { - if slices.Contains(clusterAdminUsers, request.UserInfo.Username) || slices.Contains(request.UserInfo.Groups, clusterAdminGroup) { + if slices.Contains(clusterAdminUsers, request.UserInfo.Username) { return true } diff --git a/pkg/webhooks/namespace/namespace_test.go b/pkg/webhooks/namespace/namespace_test.go index 08302603..41a1a1e4 100644 --- a/pkg/webhooks/namespace/namespace_test.go +++ b/pkg/webhooks/namespace/namespace_test.go @@ -717,13 +717,13 @@ func TestAdminUser(t *testing.T) { shouldBeAllowed: true, }, { - // admin users gonna admin + // cluster-admin users cannot update privilegedNamespaces testID: "cluster-admin-test", targetNamespace: privilegedNamespace, username: "lisa", userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"}, operation: admissionv1.Update, - shouldBeAllowed: true, + shouldBeAllowed: false, }, { // admin users gonna admin @@ -762,40 +762,31 @@ func TestAdminUser(t *testing.T) { shouldBeAllowed: true, }, { - // Admins should be able to create a privileged namespace - testID: "cluster-admin-in-ns-test", + // cluster-admin group members should not be able to create a privileged namespace + testID: "cluster-admin-group-in-ns-test", targetNamespace: "in", username: "lisa", userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"}, operation: admissionv1.Create, - shouldBeAllowed: true, - }, - { - // Admins should be able to create a privileged namespace - testID: "cluster-admin-in-ns-test", - targetNamespace: privilegedNamespace, - username: "lisa", - userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"}, - operation: admissionv1.Create, - shouldBeAllowed: true, + shouldBeAllowed: false, }, { - // Admins should be able to update a privileged namespace + // cluster-admin group members should not be able to update a privileged namespace testID: "cluster-admin-in-ns-test", targetNamespace: privilegedNamespace, username: "lisa", userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"}, operation: admissionv1.Update, - shouldBeAllowed: true, + shouldBeAllowed: false, }, { - // Admins should be able to delete a privileged namespace + // cluster-admins group members should not be able to delete a privileged namespace testID: "cluster-admin-in-ns-test", targetNamespace: privilegedNamespace, username: "lisa", userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"}, operation: admissionv1.Delete, - shouldBeAllowed: true, + shouldBeAllowed: false, }, } runNamespaceTests(t, tests) @@ -825,25 +816,13 @@ func TestLabelCreates(t *testing.T) { shouldBeAllowed: true, }, { - testID: "cluster-admin-can-create-priv-labelled-ns", + testID: "cluster-admins-group-cannot-create-priv-labelled-ns", targetNamespace: privilegedNamespace, username: "no-reply@redhat.com", userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"}, operation: admissionv1.Create, labels: map[string]string{"my-label": "hello"}, - shouldBeAllowed: true, - }, - { - testID: "cluster-admins-can-create-priv-labelled-ns", - targetNamespace: privilegedNamespace, - username: "no-reply@redhat.com", - userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"}, - operation: admissionv1.Create, - labels: map[string]string{ - "managed.openshift.io/storage-pv-quota-exempt": "true", - "managed.openshift.io/storage-lb-quota-exempt": "true", - }, - shouldBeAllowed: true, + shouldBeAllowed: false, }, { testID: "admin-test", @@ -1082,14 +1061,14 @@ func TestLabellingUpdates(t *testing.T) { shouldBeAllowed: false, }, { - testID: "cluster-admin-can-add-removable-label-on-unpriv-ns", + testID: "cluster-admin-cant-add-removable-label-on-unpriv-ns", targetNamespace: "my-customer-ns", username: "test@user", userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"}, operation: admissionv1.Update, oldObject: createOldObject("my-customer-ns", "user-can-remove-removable-label-from-unpriv-ns", map[string]string{}), labels: map[string]string{"openshift.io/cluster-monitoring": "true"}, - shouldBeAllowed: true, + shouldBeAllowed: false, }, { testID: "backplane-cluster-admin-can-add-removable-label-on-unpriv-ns",