
fix: protect managed resource not considering other components (#7363)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-05-31 16:05:49 +02:00 committed by GitHub
parent f7e57aa117
commit 408c00ae93
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -4,6 +4,7 @@ import (
"context"
"errors"
"fmt"
"strings"
"time"
"github.com/go-logr/logr"
@ -16,7 +17,7 @@ import (
const namespaceControllerUsername = "system:serviceaccount:kube-system:namespace-controller"
var kyvernoUsername = fmt.Sprintf("system:serviceaccount:%s:%s", config.KyvernoNamespace(), config.KyvernoServiceAccountName())
var kyvernoUsernamePrefix = fmt.Sprintf("system:serviceaccount:%s:", config.KyvernoNamespace())
func (inner AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {
if !enabled {
@ -39,7 +40,7 @@ func (inner AdmissionHandler) withProtection() AdmissionHandler {
for _, resource := range []unstructured.Unstructured{newResource, oldResource} {
resLabels := resource.GetLabels()
if resLabels[kyvernov1.LabelAppManagedBy] == kyvernov1.ValueKyvernoApp {
if request.UserInfo.Username != kyvernoUsername {
if !strings.HasPrefix(request.UserInfo.Username, kyvernoUsernamePrefix) {
logger.V(2).Info("access to the resource not authorized, this is a kyverno managed resource and should be altered only by kyverno")
return admissionutils.Response(request.UID, errors.New("A kyverno managed resource can only be modified by kyverno"))
}
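Review bot: The prefix test that replaces the exact-username comparison widens the set of identities allowed past the managed-resource guard from one service account to every service account in the kyverno namespace, because `kyvernoUsernamePrefix` is only `system:serviceaccount:<kyverno namespace>:` and any workload deployed into that namespace with its own service account will match it. If the goal is to admit the other kyverno components rather than the admission controller alone, an explicit allowlist of their service-account usernames keeps the trust boundary at known identities; if the prefix form is kept, it should say so at the declaration, e.g. `// Any service account in the kyverno namespace passes the managed-resource guard; keep non-kyverno workloads out of that namespace.` The denial is logged at V(2) without the caller's identity, so a rejected request cannot be attributed from logs; adding it as a key-value, `logger.V(2).Info("access to the resource not authorized, this is a kyverno managed resource and should be altered only by kyverno", "username", request.UserInfo.Username)`, would make the event reviewable without changing the response. withProtection's body continues outside the hunk.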