Add namespace selector to filter on namespace

2025-03-06 07:57:07 +00:00 · 2019-07-01 13:27:10 -07:00 · 2019-07-01 13:27:10 -07:00 · 29653196bf
commit 29653196bf
parent b490d614f2
3 changed files with 14 additions and 4 deletions
--- a/pkg/apis/policy/v1alpha1/types.go
+++ b/pkg/apis/policy/v1alpha1/types.go
@ -33,9 +33,10 @@ type Rule struct {

 // ResourceDescription describes the resource to which the PolicyRule will be applied.
 type ResourceDescription struct {
-	Kinds    []string              `json:"kinds"`
-	Name     *string               `json:"name"`
-	Selector *metav1.LabelSelector `json:"selector"`
+	Kinds     []string              `json:"kinds"`
+	Name      *string               `json:"name"`
+	Namespace *string               `json:"namespace,omitempty"`
+	Selector  *metav1.LabelSelector `json:"selector"`
 }

 // Mutation describes the way how Mutating Webhook will react on resource creation
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@ -29,7 +29,11 @@ func ProcessExisting(client *client.Client, policy *types.Policy) []*info.Policy
 			gvr := client.DiscoveryClient.GetGVRFromKind(k)
 			// label selectors
 			// namespace ? should it be default or allow policy to specify it
-			list, err := client.ListResource(gvr.Resource, "default", rule.ResourceDescription.Selector)
+			namespace := "default"
+			if rule.ResourceDescription.Namespace != nil {
+				namespace = *rule.ResourceDescription.Namespace
+			}
+			list, err := client.ListResource(gvr.Resource, namespace, rule.ResourceDescription.Selector)
 			if err != nil {
 				glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String())
 				glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err)
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@ -23,6 +23,7 @@ func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.Resourc
 	if resourceRaw != nil {
 		meta := parseMetadataFromObject(resourceRaw)
 		name := ParseNameFromObject(resourceRaw)
+		namespace := ParseNamespaceFromObject(resourceRaw)

 		if description.Name != nil {

@ -31,6 +32,10 @@ func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.Resourc
 			}
 		}

+		if description.Namespace != nil && *description.Namespace != namespace {
+			return false
+		}
+
 		if description.Selector != nil {
 			selector, err := metav1.LabelSelectorAsSelector(description.Selector)