Allow disabling cross-namespace references to image repositories #228

Merged
merged 3 commits into from
Jan 29, 2022

Conversation

squaremo
Member

@squaremo squaremo commented Jan 27, 2022

Introduce the flag --no-cross-namespace-refs (defaults to false) for allowing cluster admins to disable cross-namespace references to ImageRepositories.

When the controller is run with --no-cross-namespace-refs=true and an ImagePolicy.spec.imageRepositoryRef.namespace refers to an ImageRepository in a different namespace than the ImagePolicy object, the reconciliation will fail with the AccessDenied reason.

On access denied errors the controller logs and sends an event e.g.:

can't access 'ImageRepository/my-other-namespace/my-source', cross-namespace references have been blocked

And the ImagePolicy status Ready condition is set to:

status:
  conditions:
  - lastTransitionTime: "2022-01-26T07:26:48Z"
    message: "can't access 'ImageRepository/my-other-namespace/my-source', cross-namespace references have been blocked"
    reason: AccessDenied
    status: "False"
    type: Ready

Part of: fluxcd/flux2#2337

This commit replaces the local ACL-related API types, and the func for
checking access, with their standardised forms in fluxcd/pkg/apis/acl
and fluxcd/pkg/runtime/acl respectively.

The test case for "When the ACL is empty, it denies access" needed
adjustment because the zero value of acl.AccessFrom is not valid -- it
needs an explicit list of namespace selectors. Providing `nil` in the
test case is the equivalent of providing a zero value.

Signed-off-by: Michael Bridgen <michael@weave.works>

This uses the helper in fluxcd/runtime/acl to bind the cross-ns flag,
passes it to the controller, and checks it when resolving the
potentially cross-namespace reference.

Signed-off-by: Michael Bridgen <michael@weave.works>

Signed-off-by: Michael Bridgen <michael@weave.works>
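The following is an added, self-contained illustration of the check this PR describes; it is not code from the PR or from the image-reflector-controller. It stands in for the fluxcd/pkg/runtime/acl helper with a plain `flag.BoolVar` and a small `ResolveRef` function, and it assumes (as a simplification, not something the PR states) that an empty `namespace` in the reference means the policy's own namespace. The `Condition` type is a constructed stand-in for the Kubernetes condition shown in the status snippet above; the error message and `AccessDenied` reason are the ones the PR quotes.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"time"
)

// Condition is a constructed stand-in for the Ready condition the PR shows
// in the ImagePolicy status; it is not the controller's real type.
type Condition struct {
	Type               string
	Status             string
	Reason             string
	Message            string
	LastTransitionTime time.Time
}

// ObjectRef identifies the referenced object. Namespace may be empty.
type ObjectRef struct {
	Kind, Namespace, Name string
}

// AccessDeniedError is returned when a cross-namespace reference is blocked.
// Its message matches the log line / event text quoted in the PR.
type AccessDeniedError struct{ Ref ObjectRef }

func (e *AccessDeniedError) Error() string {
	return fmt.Sprintf("can't access '%s/%s/%s', cross-namespace references have been blocked",
		e.Ref.Kind, e.Ref.Namespace, e.Ref.Name)
}

// ResolveRef applies the --no-cross-namespace-refs rule: when the flag is set
// and the reference points outside the policy's namespace, access is denied.
// Assumption (not stated by the PR): an empty ref namespace means "same
// namespace as the policy".
func ResolveRef(policyNamespace string, ref ObjectRef, noCrossNamespaceRefs bool) (ObjectRef, error) {
	if ref.Namespace == "" {
		ref.Namespace = policyNamespace
	}
	if noCrossNamespaceRefs && ref.Namespace != policyNamespace {
		return ObjectRef{}, &AccessDeniedError{Ref: ref}
	}
	return ref, nil
}

// ReadyCondition turns the outcome of ResolveRef into the Ready condition the
// controller would write: reason AccessDenied on a blocked reference.
func ReadyCondition(err error, now time.Time) Condition {
	var denied *AccessDeniedError
	if errors.As(err, &denied) {
		return Condition{Type: "Ready", Status: "False", Reason: "AccessDenied",
			Message: err.Error(), LastTransitionTime: now}
	}
	if err != nil {
		return Condition{Type: "Ready", Status: "False", Reason: "ReconciliationFailed",
			Message: err.Error(), LastTransitionTime: now}
	}
	return Condition{Type: "Ready", Status: "True", Reason: "ReconciliationSucceeded",
		Message: "reference resolved", LastTransitionTime: now}
}

func main() {
	// Plain-flag stand-in for the fluxcd/pkg/runtime/acl binding helper.
	var noCrossNamespaceRefs bool
	flag.BoolVar(&noCrossNamespaceRefs, "no-cross-namespace-refs", false,
		"disable cross-namespace references to ImageRepositories")
	flag.Parse()

	// Constructed input mirroring the PR's example objects.
	ref := ObjectRef{Kind: "ImageRepository", Namespace: "my-other-namespace", Name: "my-source"}
	_, err := ResolveRef("my-namespace", ref, noCrossNamespaceRefs)
	cond := ReadyCondition(err, time.Now())
	fmt.Printf("Ready=%s reason=%s message=%q\n", cond.Status, cond.Reason, cond.Message)
}
```

Run with `go run . --no-cross-namespace-refs=true` to see the AccessDenied condition, and without the flag to see the reference resolve. Note the real controller additionally consults the ImageRepository's `accessFrom` ACL (the commit messages above mention this); that second check is not modelled here.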
@stefanprodan stefanprodan changed the title from "Add --no-cross-namespace-refs flag" to "Allow disabling cross-namespace references to image repositories" Jan 27, 2022
@stefanprodan stefanprodan added the enhancement New feature or request label Jan 27, 2022
Member

@stefanprodan stefanprodan left a comment


LGTM

Thanks @squaremo 🥇

@stefanprodan stefanprodan merged commit 4e5c687 into main Jan 29, 2022
@stefanprodan stefanprodan deleted the deny-cross-ns-flag branch January 29, 2022 08:35