Deal with namespace bindings to cluster scoped resources

2025-06-22 20:57:04 +00:00 · 2020-02-10 20:53:45 -07:00 · 2020-02-10 20:53:45 -07:00 · 433a39dcab
commit 433a39dcab
parent d1ce16f351
1 changed files with 10 additions and 0 deletions
--- a/pkg/schema/factory.go
+++ b/pkg/schema/factory.go
@ -66,6 +66,16 @@ func (c *Collection) schemasForSubject(access *accesscontrol.AccessSet) (*types.

 		for _, verb := range verbs {
 			a := access.AccessListFor(verb, gr)
+			if !attributes.Namespaced(s) {
+				// trim out bad data where we are granted namespaced access to cluster scoped object
+				result := accesscontrol.AccessList{}
+				for _, access := range a {
+					if access.Namespace == accesscontrol.All {
+						result = append(result, access)
+					}
+				}
+				a = result
+			}
 			if len(a) > 0 {
 				verbAccess[verb] = a
 			}