Skip to content

Commit 99f096e

Browse files
tniermantnierman
committed
Revert "SREP-1565 - Remove cluster-admins exception from namespaces webhook"
1 parent a9dba1e commit 99f096e

File tree

2 files changed

+36
-14
lines changed

2 files changed

+36
-14
lines changed

pkg/webhooks/namespace/namespace.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ const (
2727
layeredProductNamespace string = `^redhat-.*`
2828
layeredProductAdminGroupName string = "layered-sre-cluster-admins"
2929
docString string = `Managed OpenShift Customers may not modify namespaces specified in the %v ConfigMaps because customer workloads should be placed in customer-created namespaces. Customers may not create namespaces identified by this regular expression %s because it could interfere with critical DNS resolution. Additionally, customers may not set or change the values of these Namespace labels %s.`
30+
clusterAdminGroup string = "cluster-admins"
3031
)
3132

3233
// exported vars to be used across packages
@@ -351,7 +352,7 @@ func NewWebhook() *NamespaceWebhook {
351352
}
352353

353354
func amIAdmin(request admissionctl.Request) bool {
354-
if slices.Contains(clusterAdminUsers, request.UserInfo.Username) {
355+
if slices.Contains(clusterAdminUsers, request.UserInfo.Username) || slices.Contains(request.UserInfo.Groups, clusterAdminGroup) {
355356
return true
356357
}
357358

pkg/webhooks/namespace/namespace_test.go

Lines changed: 34 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -717,13 +717,13 @@ func TestAdminUser(t *testing.T) {
717717
shouldBeAllowed: true,
718718
},
719719
{
720-
// cluster-admin users cannot update privilegedNamespaces
720+
// admin users gonna admin
721721
testID: "cluster-admin-test",
722722
targetNamespace: privilegedNamespace,
723723
username: "lisa",
724724
userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
725725
operation: admissionv1.Update,
726-
shouldBeAllowed: false,
726+
shouldBeAllowed: true,
727727
},
728728
{
729729
// admin users gonna admin
@@ -762,31 +762,40 @@ func TestAdminUser(t *testing.T) {
762762
shouldBeAllowed: true,
763763
},
764764
{
765-
// cluster-admin group members should not be able to create a privileged namespace
766-
testID: "cluster-admin-group-in-ns-test",
765+
// Admins should be able to create a privileged namespace
766+
testID: "cluster-admin-in-ns-test",
767767
targetNamespace: "in",
768768
username: "lisa",
769769
userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
770770
operation: admissionv1.Create,
771-
shouldBeAllowed: false,
771+
shouldBeAllowed: true,
772+
},
773+
{
774+
// Admins should be able to create a privileged namespace
775+
testID: "cluster-admin-in-ns-test",
776+
targetNamespace: privilegedNamespace,
777+
username: "lisa",
778+
userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
779+
operation: admissionv1.Create,
780+
shouldBeAllowed: true,
772781
},
773782
{
774-
// cluster-admin group members should not be able to update a privileged namespace
783+
// Admins should be able to update a privileged namespace
775784
testID: "cluster-admin-in-ns-test",
776785
targetNamespace: privilegedNamespace,
777786
username: "lisa",
778787
userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
779788
operation: admissionv1.Update,
780-
shouldBeAllowed: false,
789+
shouldBeAllowed: true,
781790
},
782791
{
783-
// cluster-admins group members should not be able to delete a privileged namespace
792+
// Admins should be able to delete a privileged namespace
784793
testID: "cluster-admin-in-ns-test",
785794
targetNamespace: privilegedNamespace,
786795
username: "lisa",
787796
userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
788797
operation: admissionv1.Delete,
789-
shouldBeAllowed: false,
798+
shouldBeAllowed: true,
790799
},
791800
}
792801
runNamespaceTests(t, tests)
@@ -816,13 +825,25 @@ func TestLabelCreates(t *testing.T) {
816825
shouldBeAllowed: true,
817826
},
818827
{
819-
testID: "cluster-admins-group-cannot-create-priv-labelled-ns",
828+
testID: "cluster-admin-can-create-priv-labelled-ns",
820829
targetNamespace: privilegedNamespace,
821830
username: "no-reply@redhat.com",
822831
userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
823832
operation: admissionv1.Create,
824833
labels: map[string]string{"my-label": "hello"},
825-
shouldBeAllowed: false,
834+
shouldBeAllowed: true,
835+
},
836+
{
837+
testID: "cluster-admins-can-create-priv-labelled-ns",
838+
targetNamespace: privilegedNamespace,
839+
username: "no-reply@redhat.com",
840+
userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
841+
operation: admissionv1.Create,
842+
labels: map[string]string{
843+
"managed.openshift.io/storage-pv-quota-exempt": "true",
844+
"managed.openshift.io/storage-lb-quota-exempt": "true",
845+
},
846+
shouldBeAllowed: true,
826847
},
827848
{
828849
testID: "admin-test",
@@ -1061,14 +1082,14 @@ func TestLabellingUpdates(t *testing.T) {
10611082
shouldBeAllowed: false,
10621083
},
10631084
{
1064-
testID: "cluster-admin-cant-add-removable-label-on-unpriv-ns",
1085+
testID: "cluster-admin-can-add-removable-label-on-unpriv-ns",
10651086
targetNamespace: "my-customer-ns",
10661087
username: "test@user",
10671088
userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
10681089
operation: admissionv1.Update,
10691090
oldObject: createOldObject("my-customer-ns", "user-can-remove-removable-label-from-unpriv-ns", map[string]string{}),
10701091
labels: map[string]string{"openshift.io/cluster-monitoring": "true"},
1071-
shouldBeAllowed: false,
1092+
shouldBeAllowed: true,
10721093
},
10731094
{
10741095
testID: "backplane-cluster-admin-can-add-removable-label-on-unpriv-ns",

0 commit comments

Comments
 (0)