Add a setting to disallow access to all namespaces
With the cluster resolver we allow access to all namespaces by default
if empty. This is not always desirable and we should have a way to only
allow explicitly the namespaces that are allowed.

Let the user configure the `blocked-namespaces` setting to `*` to
disallow all namespaces by default and only allow access to namespaces
with the `allowed-namespaces` setting.

Signed-off-by: Chmouel Boudjnah <[email protected]>
chmouel authored and tekton-robot committed Oct 24, 2023
1 parent dcd34c1 commit b958eb5
Showing 3 changed files with 39 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docs/cluster-resolver.md
Expand Up @@ -40,7 +40,7 @@ for the name, namespace and defaults that the resolver ships with.
| `default-kind` | The default resource kind to fetch if not specified in parameters. | `task`, `pipeline` |
| `default-namespace` | The default namespace to fetch resources from if not specified in parameters. | `default`, `some-namespace` |
| `allowed-namespaces` | An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed. | `default,some-namespace`, (empty) |
| `blocked-namespaces` | An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. | `default,other-namespace`, (empty) |
| `blocked-namespaces` | An optional comma-separated list of namespaces which the resolver is blocked from accessing. If the value is a `*` all namespaces will be disallowed and allowed namespace will need to be explicitely listed in `allowed-namespaces`. Defaults to empty, meaning all namespaces are allowed. | `default,other-namespace`, `*`, (empty) |

## Usage

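Review bot: the new `blocked-namespaces` row has a typo and a plural mismatch: "explicitely" should be "explicitly", and "allowed namespace will need to be" should read "allowed namespaces will need to be". It would also help operators to state that the wildcard is only honoured when the whole value is exactly `*` (the code compares the setting with `== "*"`, so a list such as `*,other-namespace` does not trigger the deny-by-default behaviour), and to spell out the precedence: an explicit match in `allowed-namespaces` wins over `*`, while a namespace listed in `blocked-namespaces` is rejected before `allowed-namespaces` is consulted.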
8 changes: 8 additions & 0 deletions pkg/resolution/resolver/cluster/resolver.go
Expand Up @@ -279,6 +279,14 @@ func populateParamsWithDefaults(ctx context.Context, origParams []pipelinev1.Par
return nil, fmt.Errorf("access to specified namespace %s is blocked", params[NamespaceParam])
}

if conf[AllowedNamespacesKey] != "" && isInCommaSeparatedList(params[NamespaceParam], conf[AllowedNamespacesKey]) {
return params, nil
}

if conf[BlockedNamespacesKey] != "" && conf[BlockedNamespacesKey] == "*" {
return nil, fmt.Errorf("only explicit allowed access to namespaces is allowed")
}

if conf[AllowedNamespacesKey] != "" && !isInCommaSeparatedList(params[NamespaceParam], conf[AllowedNamespacesKey]) {
return nil, fmt.Errorf("access to specified namespace %s is not allowed", params[NamespaceParam])
}
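Review bot: the early `return params, nil` for an allowed namespace makes the existing check at the end of the hunk, `conf[AllowedNamespacesKey] != "" && !isInCommaSeparatedList(...)`, redundant in its second half, since any namespace that reached that line has already failed the list test; simplifying it to `if conf[AllowedNamespacesKey] != "" {` would make the intended deny path obvious and avoid a second list scan. Likewise `conf[BlockedNamespacesKey] != "" && conf[BlockedNamespacesKey] == "*"` reduces to the equality test alone. Note that the wildcard is an exact string match, so `*` with surrounding whitespace or combined with other entries silently falls back to the previous allow-by-default behaviour; either trimming and documenting that, or rejecting such values at config-load time, would fail closed instead. Finally, the error text "only explicit allowed access to namespaces is allowed" does not name the namespace that was refused; a message of the form "access to namespace %s is not explicitly allowed (blocked-namespaces is \"*\")" matches the style of the two neighbouring errors and is more useful in a PipelineRun status, though changing it requires updating the `expectedErr` string in the test.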
30 changes: 30 additions & 0 deletions pkg/resolution/resolver/cluster/resolver_test.go
Expand Up @@ -159,6 +159,30 @@ func TestValidateParamsFailure(t *testing.T) {
},
expectedErr: "access to specified namespace foo is blocked",
},
{
name: "blocked by star",
params: map[string]string{
cluster.KindParam: "task",
cluster.NamespaceParam: "foo",
cluster.NameParam: "baz",
},
conf: map[string]string{
cluster.BlockedNamespacesKey: "*",
},
expectedErr: "only explicit allowed access to namespaces is allowed",
},
{
name: "blocked by star but allowed explicitly",
params: map[string]string{
cluster.KindParam: "task",
cluster.NamespaceParam: "foo",
cluster.NameParam: "baz",
},
conf: map[string]string{
cluster.BlockedNamespacesKey: "*",
cluster.AllowedNamespacesKey: "foo",
},
},
}

for _, tc := range testCases {
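Review bot: the second new case, "blocked by star but allowed explicitly", has no `expectedErr` and therefore exercises a success path inside `TestValidateParamsFailure`; unless there is no success-oriented test function for `ValidateParams`, it belongs there rather than in a table whose name promises failures. Two further cases would pin down the precedence the resolver now implements: a namespace that appears in both `allowed-namespaces` and an explicit `blocked-namespaces` list (the blocked check runs first and should win), and `blocked-namespaces` set to a value like `*,foo` to document that only the bare `*` is treated as the wildcard.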
Expand All @@ -178,6 +202,12 @@ func TestValidateParamsFailure(t *testing.T) {
})
}
err := resolver.ValidateParams(ctx, asParams)
if tc.expectedErr == "" {
if err != nil {
t.Fatalf("got unexpected error: %v", err)
}
return
}
if err == nil {
t.Fatalf("got no error, but expected: %s", tc.expectedErr)
}
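Review bot: the `return` taken when `tc.expectedErr == ""` is only safe if this code sits inside the `t.Run` closure for the subtest; if it is in the body of the `for _, tc := range testCases` loop itself, it ends the whole test function after the first no-error case and silently skips every remaining entry in the table. From the context shown it is not clear which applies, so either confirm the surrounding closure or replace `return` with `continue`. It would also be worth asserting something on the success path (for example that the validated params are returned unchanged) rather than only checking `err == nil`.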

0 comments on commit b958eb5