Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict lookups of cluster-scoped resources #85

Merged
merged 1 commit into from
Jun 13, 2023
Merged

Restrict lookups of cluster-scoped resources #85

merged 1 commit into from
Jun 13, 2023

Conversation

JustinKuli
Copy link
Contributor

In some cases, it was possible to do a cluster-scoped lookup, despite LookupNamespace being set on the config, which was intended to prevent this. That is fixed, and more thoroughly tested.

A new config field ClusterScopedAllowList was added to allow specific cluster-scoped resources to be used in lookup when LookupNamespace is set.

@openshift-ci openshift-ci bot requested review from dhaiducek and gparvin June 13, 2023 14:35
@JustinKuli JustinKuli requested a review from mprahl June 13, 2023 14:35
mprahl
mprahl reviewed Jun 13, 2023
View reviewed changes
pkg/templates/generic_lookup_func.go Outdated
if !apiResource.Namespaced && t.config.LookupNamespace != "" {
rsrcIdentifier := ClusterScopedObjectIdentifier{
Group: apiResource.Group,
Version: apiResource.Version,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think the version should be used in the restriction. For instance, if ClusterClaim has an API version bump, I wouldn't want the calling code to be updated.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point.

mprahl
mprahl reviewed Jun 13, 2023
View reviewed changes
pkg/templates/generic_lookup_func.go Outdated
}

for _, item := range allowlist {
if item.Group == "*" && item.Version == "*" && item.Kind == "*" && item.Name == "*" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think something like this would be better:

if item.Group != "*" && item.Group != rsrc.Group {
continue
}

if item.Kind != "*" && item.Kind != rsrc.Kind {
continue
}

if item.Name == "*" || item.Name == rsrc.Name {
return true
}

mprahl
mprahl requested changes Jun 13, 2023
View reviewed changes
Copy link
Contributor

@mprahl mprahl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few comments but this looks good!

@JustinKuli
Restrict lookups of cluster-scoped resources
76beeea 
In some cases, it was possible to do a cluster-scoped lookup, despite
`LookupNamespace` being set on the config, which was intended to prevent
this. That is fixed, and more thoroughly tested.

A new config field `ClusterScopedAllowList` was added to allow specific
cluster-scoped resources to be used in `lookup` when `LookupNamespace`
is set.

Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
@sonarcloud
Copy link

sonarcloud bot commented Jun 13, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

95.2% 95.2% Coverage
0.0% 0.0% Duplication

mprahl
mprahl approved these changes Jun 13, 2023
View reviewed changes
Copy link
Contributor

@mprahl mprahl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@openshift-ci openshift-ci bot added the lgtm label Jun 13, 2023
@openshift-ci
Copy link

openshift-ci bot commented Jun 13, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JustinKuli, mprahl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 398d246 into stolostron:main Jun 13, 2023
4 checks passed
@JustinKuli JustinKuli deleted the limit-clusterscoped-lookup branch June 13, 2023 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mprahl mprahl mprahl approved these changes

@dhaiducek dhaiducek Awaiting requested review from dhaiducek

@gparvin gparvin Awaiting requested review from gparvin

Assignees

@mprahl mprahl

Labels
approved dco-signoff: yes lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@JustinKuli @mprahl @openshift-merge-robot