Fix issues when creating clusterrolebindings to namespaces objects

Darren Shepherd 2021-07-23 23:46:03 -07:00
parent 991a2a1776
commit eba8358f2a
2 changed files with 26 additions and 5 deletions


@ -144,20 +144,35 @@ func (a AccessListByVerb) Granted(verb string) (result map[string]Resources) {
verbs = append(verbs, "get")
}
for _, verb := range verbs {
for _, access := range a[verb] {
for _, access := range a[verb] {
resources := result[access.Namespace]
if access.ResourceName == All {
resources.All = true
} else {
if resources.Names == nil {
resources.Names = sets.String{}
}
resources.Names.Insert(access.ResourceName)
}
result[access.Namespace] = resources
}
if verb == "list" {
// look for objects referenced by get
for _, access := range a["get"] {
resources := result[access.Namespace]
if access.ResourceName == All {
resources.All = true
} else {
continue
} else if len(access.ResourceName) > 0 {
if resources.Names == nil {
resources.Names = sets.String{}
}
resources.Names.Insert(access.ResourceName)
result[access.Namespace] = resources
}
result[access.Namespace] = resources
}
}
return result
}
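Review bot: The `a[verb]` loop inserts `access.ResourceName` into `resources.Names` without checking that it is non-empty, while the new `a["get"]` loop guards with `len(access.ResourceName) > 0`, so an empty name can enter the set on one path but not the other. If these sets are what later restricts which objects a user is shown, both paths should apply the same guard, e.g. `} else if len(access.ResourceName) > 0 {` in the first loop as well. The `continue` on `All` also deserves a why-comment, such as `// a wildcard "get" must not widen "list" to every object in the namespace`. The start of Granted lies outside the hunk, so how `verbs` and `result` are initialised cannot be checked from here.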


@ -213,6 +213,12 @@ func tableToObjects(obj map[string]interface{}) []unstructured.Unstructured {
}
func (s *Store) ByNames(apiOp *types.APIRequest, schema *types.APISchema, names sets.String) (types.APIObjectList, error) {
if apiOp.Namespace == "*" {
// This happens when you grant namespaced objects with "get" by name in a clusterrolebinding. We will treat
// this as an invalid situation instead of listing all objects in the cluster and filtering by name.
return types.APIObjectList{}, nil
}
adminClient, err := s.clientGetter.TableAdminClient(apiOp, schema, apiOp.Namespace)
if err != nil {
return types.APIObjectList{}, err
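Review bot: The new early return in ByNames yields an empty list with a nil error, so a caller cannot tell "no matching objects" from "grant deliberately ignored", and an operator debugging a ClusterRoleBinding gets no signal. Failing closed is the safe choice here, but the behaviour belongs in the method's doc comment, for example `// ByNames returns an empty list when apiOp.Namespace is "*": named "get" grants on namespaced resources made through a ClusterRoleBinding are not listed.` The call that follows uses `TableAdminClient`, so presumably the `names` set is the only thing limiting what is returned. The rest of the body is outside the hunk, so it is worth confirming that every path filters on `names` before returning. The check also compares against the literal `"*"`; if a shared wildcard constant is reachable from this package, using it would keep the two files in step.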