Fix issues when creating clusterrolebindings to namespaces objects

pkg/accesscontrol/access_set.go

@@ -144,20 +144,35 @@ func (a AccessListByVerb) Granted(verb string) (result map[string]Resources) {
 		verbs = append(verbs, "get")
 	}
 
-	for _, verb := range verbs {
-		for _, access := range a[verb] {
+	for _, access := range a[verb] {
+		resources := result[access.Namespace]
+		if access.ResourceName == All {
+			resources.All = true
+		} else {
+			if resources.Names == nil {
+				resources.Names = sets.String{}
+			}
+			resources.Names.Insert(access.ResourceName)
+		}
+		result[access.Namespace] = resources
+	}
+
+	if verb == "list" {
+		// look for objects referenced by get
+		for _, access := range a["get"] {
 			resources := result[access.Namespace]
 			if access.ResourceName == All {
-				resources.All = true
-			} else {
+				continue
+			} else if len(access.ResourceName) > 0 {
 				if resources.Names == nil {
 					resources.Names = sets.String{}
 				}
 				resources.Names.Insert(access.ResourceName)
+				result[access.Namespace] = resources
 			}
-			result[access.Namespace] = resources
 		}
 	}
+
 	return result
 }
 

pkg/stores/proxy/proxy_store.go

@@ -213,6 +213,12 @@ func tableToObjects(obj map[string]interface{}) []unstructured.Unstructured {
 }
 
 func (s *Store) ByNames(apiOp *types.APIRequest, schema *types.APISchema, names sets.String) (types.APIObjectList, error) {
+	if apiOp.Namespace == "*" {
+		// This happens when you grant namespaced objects with "get" by name in a clusterrolebinding. We will treat
+		// this as an invalid situation instead of listing all objects in the cluster and filtering by name.
+		return types.APIObjectList{}, nil
+	}
+
 	adminClient, err := s.clientGetter.TableAdminClient(apiOp, schema, apiOp.Namespace)
 	if err != nil {
 		return types.APIObjectList{}, err