mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: allow deletion of namespace containing managed resources (#6098)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-01-24 18:07:27 +01:00 committed by GitHub
parent 1900a21627
commit 47cb099cf9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
pkg/webhooks/handlers/protect.go
View file

@ -14,6 +14,8 @@ import (
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
const namespaceControllerUsername = "system:serviceaccount:kube-system:namespace-controller"
func (inner AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {
if !enabled {
return inner
@ -23,6 +25,10 @@ func (inner AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {
func (inner AdmissionHandler) withProtection() AdmissionHandler {
return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
// Allows deletion of namespace containing managed resources
if request.Operation == admissionv1.Delete && request.UserInfo.Username == namespaceControllerUsername {
return inner(ctx, logger, request, startTime)
}
newResource, oldResource, err := admissionutils.ExtractResources(nil, request)
if err != nil {
logger.Error(err, "Failed to extract resources")