Only load manifests with allowed namespaces
Alfonso Acosta committed Jan 17, 2019
1 parent 606a1bf commit dda60d7
Showing 3 changed files with 16 additions and 9 deletions.
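--- a/cluster/kubernetes/kubernetes.go
+++ b/cluster/kubernetes/kubernetes.go
@@ -138,7 +138,7 @@ func NewCluster(clientset k8sclient.Interface,
 func (c *Cluster) SomeControllers(ids []flux.ResourceID) (res []cluster.Controller, err error) {
 var controllers []cluster.Controller
 for _, id := range ids {
-if !c.isInAllowedNamespace(id) {
+if !isInAllowedNamespace(c.allowedNamespaces, id) {
 continue
 }
 ns, kind, name := id.Components()
@@ -228,7 +228,7 @@ func (c *Cluster) Sync(spec cluster.SyncDef) error {
 {action.Apply, "apply"},
 }
 for _, stage := range stages {
-if stage.res == nil || !c.isInAllowedNamespace(stage.res.ResourceID()) {
+if stage.res == nil || !isInAllowedNamespace(c.allowedNamespaces, stage.res.ResourceID()) {
 continue
 }
 
@@ -382,13 +382,13 @@ func (c *Cluster) getAllowedNamespaces() ([]apiv1.Namespace, error) {
 return namespaces.Items, nil
 }
 
-func (c *Cluster) isInAllowedNamespace(id flux.ResourceID) bool {
-if len(c.allowedNamespaces) == 0 {
-// all namespaces are allowed
+func isInAllowedNamespace(allowedNamespaces []string, id flux.ResourceID) bool {
+ns, _, _ := id.Components()
+if len(allowedNamespaces) == 0 || ns == "" {
+// all namespaces are allowed or it's cluster-wide resource (not namespaced)
 return true
 }
-ns, _, _ := id.Components()
-for _, allowedNS := range c.allowedNamespaces {
+for _, allowedNS := range allowedNamespaces {
 if ns == allowedNS {
 return true
 }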
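Review bot: The new `ns == ""` short-circuit in `isInAllowedNamespace` passes every resource whose ID has an empty namespace component, whatever the allowlist contains, so with a restricted namespace list `Sync` still acts on cluster-scoped objects found in the repository. If `ResourceID()` also yields an empty namespace for a namespaced manifest that merely omits `metadata.namespace` (not visible here), those manifests bypass the allowlist too. The function should carry a doc comment that states this, e.g. `// isInAllowedNamespace reports whether id passes the namespace allowlist; an empty list or an empty namespace component always passes, so cluster-scoped resources are not restricted here and have to be limited through RBAC.` The end of the function lies outside the hunk.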
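--- a/cluster/kubernetes/manifests.go
+++ b/cluster/kubernetes/manifests.go
@@ -8,10 +8,17 @@ import (
 )
 
 type Manifests struct {
+AllowedNamespaces []string
 }
 
 func (c *Manifests) LoadManifests(base string, paths []string) (map[string]resource.Resource, error) {
-return kresource.Load(base, paths)
+resources, err := kresource.Load(base, paths)
+for k, r := range resources {
+if !isInAllowedNamespace(c.AllowedNamespaces, r.ResourceID()) {
+delete(resources, k)
+}
+}
+return resources, err
 }
 
 func (c *Manifests) ParseManifests(allDefs []byte) (map[string]resource.Resource, error) {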
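Review bot: `LoadManifests` ranges over `resources` before looking at `err` and then returns both, so a failed `kresource.Load` can hand callers a filtered but possibly partial map together with the error; checking first is clearer: `if err != nil { return nil, err }`. The filter also drops manifests outside the allowlist silently, which leaves an operator no trace that files in the repository were ignored; a log line or counter at the `delete(resources, k)` site would make a misconfigured allowlist or an unexpected manifest visible. `ParseManifests` begins right after this hunk and its body is not shown, so whether it applies the same filter cannot be confirmed from here.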
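--- a/cmd/fluxd/main.go
+++ b/cmd/fluxd/main.go
@@ -274,7 +274,7 @@ func main() {
 imageCreds = k8sInst.ImagesToFetch
 // There is only one way we currently interpret a repo of
 // files as manifests, and that's as Kubernetes yamels.
-k8sManifests = &kubernetes.Manifests{}
+k8sManifests = &kubernetes.Manifests{AllowedNamespaces: allowedNamespaces}
 }
 
 // Wrap the procedure for collecting images to scan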
