Merge pull request #23 from ibuildthecloud/master

Fix issues when creating clusterrolebindings to namespaces objects
2025-07-02 01:11:55 +00:00 · 2021-08-04 12:23:45 -07:00 · 2021-08-04 12:23:45 -07:00 · b2d940920c
commit b2d940920c
parent f588bcef30 eba8358f2a
3 changed files with 27 additions and 6 deletions
--- a/pkg/accesscontrol/access_set.go
+++ b/pkg/accesscontrol/access_set.go
@ -144,20 +144,35 @@ func (a AccessListByVerb) Granted(verb string) (result map[string]Resources) {
 		verbs = append(verbs, "get")
 	}

-	for _, verb := range verbs {
-		for _, access := range a[verb] {
+	for _, access := range a[verb] {
+		resources := result[access.Namespace]
+		if access.ResourceName == All {
+			resources.All = true
+		} else {
+			if resources.Names == nil {
+				resources.Names = sets.String{}
+			}
+			resources.Names.Insert(access.ResourceName)
+		}
+		result[access.Namespace] = resources
+	}
+
+	if verb == "list" {
+		// look for objects referenced by get
+		for _, access := range a["get"] {
 			resources := result[access.Namespace]
 			if access.ResourceName == All {
-				resources.All = true
-			} else {
+				continue
+			} else if len(access.ResourceName) > 0 {
 				if resources.Names == nil {
 					resources.Names = sets.String{}
 				}
 				resources.Names.Insert(access.ResourceName)
+				result[access.Namespace] = resources
 			}
-			result[access.Namespace] = resources
 		}
 	}
+
 	return result
 }

--- a/pkg/stores/partition/store.go
+++ b/pkg/stores/partition/store.go
@ -101,7 +101,7 @@ func (s *Store) List(apiOp *types.APIRequest, schema *types.APISchema) (types.AP

 	result.Revision = lister.Revision()
 	result.Continue = lister.Continue()
-	return result, nil
+	return result, lister.Err()
 }

 func (s *Store) Create(apiOp *types.APIRequest, schema *types.APISchema, data types.APIObject) (types.APIObject, error) {
--- a/pkg/stores/proxy/proxy_store.go
+++ b/pkg/stores/proxy/proxy_store.go
@ -213,6 +213,12 @@ func tableToObjects(obj map[string]interface{}) []unstructured.Unstructured {
 }

 func (s *Store) ByNames(apiOp *types.APIRequest, schema *types.APISchema, names sets.String) (types.APIObjectList, error) {
+	if apiOp.Namespace == "*" {
+		// This happens when you grant namespaced objects with "get" by name in a clusterrolebinding. We will treat
+		// this as an invalid situation instead of listing all objects in the cluster and filtering by name.
+		return types.APIObjectList{}, nil
+	}
+
 	adminClient, err := s.clientGetter.TableAdminClient(apiOp, schema, apiOp.Namespace)
 	if err != nil {
 		return types.APIObjectList{}, err