mirror of https://github.com/kyverno/kyverno.git synced 2025-03-30 19:35:06 +00:00

fix auth validation (#6696)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
shuting 2023-03-27 19:56:24 +08:00 committed by GitHub
parent 03220cd8a9
commit 81ec6c96a1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -95,22 +95,21 @@ func (m *Mutate) validateAuth(ctx context.Context, targets []kyvernov1.ResourceS
for _, target := range targets {
if !regex.IsVariable(target.Namespace) {
_, _, k, sub := kubeutils.ParseKindSelector(target.Kind)
if ok, err := m.authChecker.CanICreate(ctx, k, target.Namespace, sub); err != nil {
errs = append(errs, err)
} else if !ok {
errs = append(errs, fmt.Errorf("cannot %s %s/%s in namespace %s", "create", k, sub, target.Namespace))
srcKey := k
if sub != "" {
srcKey = srcKey + "/" + sub
}
if ok, err := m.authChecker.CanIUpdate(ctx, k, target.Namespace, sub); err != nil {
errs = append(errs, err)
} else if !ok {
errs = append(errs, fmt.Errorf("cannot %s %s/%s in namespace %s", "update", k, sub, target.Namespace))
errs = append(errs, fmt.Errorf("cannot %s %s in namespace %s", "update", srcKey, target.Namespace))
}
if ok, err := m.authChecker.CanIGet(ctx, k, target.Namespace, sub); err != nil {
errs = append(errs, err)
} else if !ok {
errs = append(errs, fmt.Errorf("cannot %s %s/%s in namespace %s", "get", k, sub, target.Namespace))
errs = append(errs, fmt.Errorf("cannot %s %s in namespace %s", "get", srcKey, target.Namespace))
}
}
}