-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Webhook for Role/RoleBinding #425
Conversation
61e367a
to
dd7a4f3
Compare
pkg/webhook/fleetresourcehandler/fleetresourcehandler_webhook.go
Outdated
Show resolved
Hide resolved
pkg/webhook/fleetresourcehandler/fleetresourcehandler_webhook.go
Outdated
Show resolved
Hide resolved
pkg/webhook/fleetresourcehandler/fleetresourcehandler_webhook.go
Outdated
Show resolved
Hide resolved
return slices.Contains(whiteListedUsers, userInfo.Username) || slices.Contains(userInfo.Groups, mastersGroup) | ||
} | ||
|
||
// IsUserAuthenticatedServiceAccount returns true if user is a valid/authenticated service account. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a hunch that this should always be allowed for any resources
a301431
to
5bc80df
Compare
return true | ||
// ValidateUserForFleetCRD checks to see if user is not allowed to modify fleet CRDs. | ||
func ValidateUserForFleetCRD(group string, namespacedName types.NamespacedName, whiteListedUsers []string, userInfo authenticationv1.UserInfo) admission.Response { | ||
if !checkCRDGroup(group) && isMasterGroupUserOrWhiteListedUser(whiteListedUsers, userInfo) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Arvind! Should this be an OR term?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated the condition to only allow master group users and whitelisted users to modfiy fleet CRDs. We allow any user to modify other CRDs created by the user
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the comment things LGTM.
703899b
to
e1cb88f
Compare
return admission.Denied(fmt.Sprintf("failed to validate user: %s in groups: %v to modify fleet CRD: %s", req.UserInfo.Username, req.UserInfo.Groups, crd.Name)) | ||
} | ||
return admission.Allowed(fmt.Sprintf("user: %s in groups: %v is allowed to modify CRD: %s", req.UserInfo.Username, req.UserInfo.Groups, crd.Name)) | ||
return validation.ValidateUserForFleetCRD(group, types.NamespacedName{Name: crd.Name, Namespace: crd.Namespace}, v.whiteListedUsers, req.UserInfo) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CRD has no namespace
|
||
// ValidateUserForResource checks to see if user is allowed to modify argued fleet resource. | ||
func ValidateUserForResource(resKind string, namespacedName types.NamespacedName, whiteListedUsers []string, userInfo authenticationv1.UserInfo) admission.Response { | ||
if isMasterGroupUserOrWhiteListedUser(whiteListedUsers, userInfo) || isUserAuthenticatedServiceAccount(userInfo) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like resKind is not used in the validation?
Description of your changes
Fixes #
I have:
make reviewable
to ensure this PR is ready for review.How has this code been tested
Special notes for your reviewer