Get individual namespaces when given whitelist

Asking for the full list of namespaces requires a cluster-scoped permission of listing namespaces; however, a common scenario for using the whitelist is that you want to restrict permissions. If we simply Get the whitelisted namespaces, ignoring those we're forbidden to see (or that don't exist, as before), we don't need the cluster-scoped permission and can just be given permissions per namespace. The trade is that we do an API request per whitelisted namespace. I expect there to be relatively few, though, so I don't think this is a huge deal.
fluxcd · Aug 21, 2018 · c5bfdd1 · c5bfdd1
1 parent 3e98ee1
commit c5bfdd1
Showing 1 changed file with 15 additions and 19 deletions.
diff --git a/cluster/kubernetes/kubernetes.go b/cluster/kubernetes/kubernetes.go
@@ -101,7 +101,7 @@ type Cluster struct {
 	version     string // string response for the version command.
 	logger      log.Logger
 	sshKeyRing  ssh.KeyRing
-	nsWhitelist map[string]bool
+	nsWhitelist []string
 
 	mu sync.Mutex
 }
@@ -114,11 +114,6 @@ func NewCluster(clientset k8sclient.Interface,
 	logger log.Logger,
 	nsWhitelist []string) *Cluster {
 
-	nsWhitelistMap := map[string]bool{}
-	for _, namespace := range nsWhitelist {
-		nsWhitelistMap[namespace] = true
-	}
-
 	c := &Cluster{
 		client: extendedClient{
 			clientset,
@@ -127,7 +122,7 @@ func NewCluster(clientset k8sclient.Interface,
 		applier:     applier,
 		logger:      logger,
 		sshKeyRing:  sshKeyRing,
-		nsWhitelist: nsWhitelistMap,
+		nsWhitelist: nsWhitelist,
 	}
 
 	return c
@@ -315,20 +310,21 @@ func (c *Cluster) PublicSSHKey(regenerate bool) (ssh.PublicKey, error) {
 // instance, in which case it returns a list containing the namespaces from the whitelist
 // that exist in the cluster.
 func (c *Cluster) getAllowedNamespaces() ([]apiv1.Namespace, error) {
-	nsList := []apiv1.Namespace{}
+	if len(c.nsWhitelist) > 0 {
+		nsList := []apiv1.Namespace{}
+		for _, name := range c.nsWhitelist {
+			if ns, err := c.client.Namespaces().Get(name, meta_v1.GetOptions{}); err == nil {
+				nsList = append(nsList, *ns)
+			} else if !(apierrors.IsNotFound(err) || apierrors.IsUnauthorized(err) || apierrors.IsForbidden(err)) {
+				return nil, err
+			}
+		}
+		return nsList, nil
+	}
 
 	namespaces, err := c.client.CoreV1().Namespaces().List(meta_v1.ListOptions{})
 	if err != nil {
-		return nsList, err
+		return nil, err
 	}
-
-	for _, namespace := range namespaces.Items {
-		if len(c.nsWhitelist) > 0 && !c.nsWhitelist[namespace.ObjectMeta.Name] {
-			continue
-		}
-
-		nsList = append(nsList, namespace)
-	}
-
-	return nsList, nil
+	return namespaces.Items, nil
 }