Tenant owners can edit Namespace labels or annotations although these are forbidden. #617

Closed
prometherion opened this issue Jul 22, 2022 · 0 comments · Fixed by #618
Labels: bug (Something isn't working)

@prometherion (Member)

With the current manifest, alice shouldn't be able to change the Namespace label pod-security.kubernetes.io/enforce.

apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  annotations:
    capsule.clastix.io/forbidden-namespace-labels: pod-security.kubernetes.io/enforce
  name: solar
spec:
  namespaceOptions:
    additionalMetadata:
      labels:
        pod-security.kubernetes.io/enforce: baseline
  owners:
  - kind: User
    name: alice

In fact, if a Namespace creation is issued (kubectl --as alice --as-group capsule.clastix.io create ns solar-development), the label is available thanks to the spec.namespaceOptions.additionalMetadata.

$: kubectl describe ns solar-development
Name:         solar-development
Labels:       capsule.clastix.io/tenant=solar
              kubernetes.io/metadata.name=solar-development
              name=solar-development
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/enforce=baseline
              pod-security.kubernetes.io/enforce-version=v1.24
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
Annotations:  capsule.clastix.io/forbidden-namespace-labels: pod-security.kubernetes.io/enforce
Status:       Active

No resource quota.

No LimitRange resource.

However, if a change is put in place, this is not blocked.

$: kubectl --as alice --as-group capsule.clastix.io label namespace solar-development "pod-security.kubernetes.io/audit-"
namespace/solar-development labeled

The expectation is getting a denied error from the Namespace webhook as follows.

Error from server (Label pod-security.kubernetes.io/enforce is forbidden for namespaces in the current Tenant. Forbidden are one of the following (pod-security.kubernetes.io/enforce)): admission webhook "namespaces.capsule.clastix.io" denied the request: Label pod-security.kubernetes.io/enforce is forbidden for namespaces in the current Tenant. Forbidden are one of the following (pod-security.kubernetes.io/enforce)
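The check the report expects from the Namespace webhook, written out as an added Go example (not Capsule's own code): it reads the capsule.clastix.io/forbidden-namespace-labels annotation from the Tenant shown in the manifest above, then compares the labels of the stored Namespace with the labels of the incoming UPDATE and denies the request when a forbidden key is added, removed or given a different value. The function names, the constructed label maps, treating the annotation value as a comma-separated list and the ", " separator in the message are assumptions; the denial text follows the error quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// forbiddenLabelsAnnotation is the Tenant annotation from the issue that
// lists Namespace label keys tenant owners may not set, change or remove.
const forbiddenLabelsAnnotation = "capsule.clastix.io/forbidden-namespace-labels"

// ForbiddenLabelKeys extracts the forbidden keys from the Tenant annotations.
// Assumption: several keys are separated by commas (the issue shows one key).
func ForbiddenLabelKeys(tenantAnnotations map[string]string) []string {
	raw, ok := tenantAnnotations[forbiddenLabelsAnnotation]
	if !ok || strings.TrimSpace(raw) == "" {
		return nil
	}
	var keys []string
	for _, k := range strings.Split(raw, ",") {
		if k = strings.TrimSpace(k); k != "" {
			keys = append(keys, k)
		}
	}
	return keys
}

// ValidateNamespaceLabelUpdate compares the labels of the stored Namespace
// (oldLabels) with the labels of the object in the UPDATE request (newLabels).
// A non-nil error is the denial message the webhook should return; nil means
// no forbidden key was added, removed or changed and the update may proceed.
// Comparing old against new is what catches a removal such as
// "pod-security.kubernetes.io/enforce-", which a check on the new object
// alone would miss because the key is simply absent there.
func ValidateNamespaceLabelUpdate(forbidden []string, oldLabels, newLabels map[string]string) error {
	for _, key := range forbidden {
		oldVal, hadOld := oldLabels[key]
		newVal, hasNew := newLabels[key]
		if hadOld != hasNew || oldVal != newVal {
			return fmt.Errorf("Label %s is forbidden for namespaces in the current Tenant. Forbidden are one of the following (%s)",
				key, strings.Join(forbidden, ", "))
		}
	}
	return nil
}

func main() {
	// Tenant "solar" from the issue, reduced to the annotation that matters here.
	tenant := map[string]string{forbiddenLabelsAnnotation: "pod-security.kubernetes.io/enforce"}
	forbidden := ForbiddenLabelKeys(tenant)

	// Constructed: labels of solar-development as stored after creation.
	stored := map[string]string{
		"capsule.clastix.io/tenant":          "solar",
		"pod-security.kubernetes.io/enforce": "baseline",
	}

	// Constructed: an owner drops the forbidden label. Expected: denied.
	dropped := map[string]string{"capsule.clastix.io/tenant": "solar"}
	if err := ValidateNamespaceLabelUpdate(forbidden, stored, dropped); err != nil {
		fmt.Println("denied:", err)
	}

	// Constructed: an owner adds an unrelated label. Expected: allowed.
	unrelated := map[string]string{
		"capsule.clastix.io/tenant":          "solar",
		"pod-security.kubernetes.io/enforce": "baseline",
		"team":                               "development",
	}
	if err := ValidateNamespaceLabelUpdate(forbidden, stored, unrelated); err == nil {
		fmt.Println("allowed: unrelated label change")
	}
}
```

The important design point is that the validation runs on the UPDATE operation and diffs old against new: the issue's failing case is a label removal, and a check that only inspects the submitted object can never see a key that is no longer there.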