[api] Fix listing tenantnamespaces for non-oidc users (#1517)
Signed-off-by: Andrei Kvapil <kvapss@gmail.com> <!-- Thank you for making a contribution! Here are some tips for you: - Start the PR title with the [label] of Cozystack component: - For system components: [platform], [system], [linstor], [cilium], [kube-ovn], [dashboard], [cluster-api], etc. - For managed apps: [apps], [tenant], [kubernetes], [postgres], [virtual-machine] etc. - For development and maintenance: [tests], [ci], [docs], [maintenance]. - If it's a work in progress, consider creating this PR as a draft. - Don't hesitate to ask for opinion and review in the community chats, even if it's still a draft. - Add the label `backport` if it's a bugfix that needs to be backported to a previous version. --> ## What this PR does ### Release note <!-- Write a release note: - Explain what has changed internally and for users. - Start with the same [label] as in the PR title - Follow the guidelines at https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md. --> ```release-note [api] Fix listing tenantnamespaces for non-oidc users ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Namespace access now recognizes group, user, and service-account subjects when evaluating RBAC bindings, granting access for matching identities. * Service accounts are properly recognized and allowed when their fully-qualified identity matches bindings. * **Improvements** * Simplified and more reliable RBAC subject evaluation to reduce missed eligible namespaces. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
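--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -294,13 +294,25 @@ func (r *REST) filterAccessible(
 if _, ok := nameSet[rbs.Items[i].Namespace]; !ok {
 continue
 }
+subjectLoop:
 for j := range rbs.Items[i].Subjects {
-if rbs.Items[i].Subjects[j].Kind != "Group" {
-continue
-}
-if _, ok = groups[rbs.Items[i].Subjects[j].Name]; ok {
-allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
-break
+subj := rbs.Items[i].Subjects[j]
+switch subj.Kind {
+case "Group":
+if _, ok = groups[subj.Name]; ok {
+allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
+break subjectLoop
+}
+case "User":
+if subj.Name == u.GetName() {
+allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
+break subjectLoop
+}
+case "ServiceAccount":
+if u.GetName() == fmt.Sprintf("system:serviceaccount:%s:%s", subj.Namespace, subj.Name) {
+allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
+break subjectLoop
+}
 }
 }
 }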
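Review bot: The "ServiceAccount" case formats the username from `subj.Namespace` as-is, so a subject that omits its namespace yields `system:serviceaccount::name` and never matches, whereas the in-tree RBAC authorizer, as far as I recall, defaults an empty ServiceAccount subject namespace to the RoleBinding's own namespace. The effect is a missed namespace rather than extra access, but the listing then disagrees with what the API server would actually authorize for that service account. Resolve the namespace before formatting: `saNS := subj.Namespace`, `if saNS == "" { saNS = rbs.Items[i].Namespace }`, then compare against `fmt.Sprintf("system:serviceaccount:%s:%s", saNS, subj.Name)`. filterAccessible begins and ends outside the hunk, so whether `groups` already carries the implicit authenticated-group memberships that RBAC would also honour cannot be checked here.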