From d2dda9cb989658761f7919488687d7bbca646f31 Mon Sep 17 00:00:00 2001
From: raul
Date: Fri, 14 Jun 2024 17:06:36 +0200
Subject: [PATCH] Add missing comment to FleetWorkspacePermissionsResourceRulesFromRole
---
 pkg/auth/globalrole.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkg/auth/globalrole.go b/pkg/auth/globalrole.go
index 42775a951..ad2b5bf3b 100644
--- a/pkg/auth/globalrole.go
+++ b/pkg/auth/globalrole.go
@@ -69,6 +69,10 @@ func (g *GlobalRoleResolver) ClusterRulesFromRole(gr *v3.GlobalRole) ([]rbacv1.P
 return rules, nil
 }

+// FleetWorkspacePermissionsResourceRulesFromRole finds rules which this GlobalRole gives on fleet resources in the workspace backing namespace.
+// This is assuming a user has permissions in all workspaces (including fleet-local), which is not true. That's fine if we
+// use it to evaluate InheritedFleetWorkspacePermissions.ResourceRules. However, it shouldn't be used in a more generic evaluation
+// of permissions on the workspace backing namespace.
 func (g *GlobalRoleResolver) FleetWorkspacePermissionsResourceRulesFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule {
 for _, name := range adminRoles {
 if gr.Name == name {
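Review bot: The caveat in the second and third added comment lines says the assumption "is not true" but not in which direction the result is wrong, which is what a caller needs to know. As described, the function treats the role as applying in every workspace, including fleet-local, so the returned rules can be broader than what a user actually holds. I would state that directly and make the prohibition explicit, e.g. `// The returned rules are an upper bound: they assume the role applies in every workspace, including fleet-local.` followed by `// Do not use them to decide access to a workspace backing namespace; they are only meant for evaluating InheritedFleetWorkspacePermissions.ResourceRules.` Only the comment enforces this restriction on an exported method, so existing callers are worth checking. The function body continues outside the hunk, so its actual use cannot be confirmed from here.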