From 64f73ec2d13c936fead19b35d2f2f88f9f30b5e5 Mon Sep 17 00:00:00 2001
From: Chmouel Boudjnah
Date: Fri, 20 Oct 2023 05:37:58 +0200
Subject: [PATCH] Add a setting to disallow access to all namespaces

With the cluster resolver we allow access to all namespaces by default if empty. This is not always desirable and we should have a way to only allow explicitly the namespaces that are allowed. Let the user configure the `blocked-namespaces` setting to `*` to disallow all namespaces by default and only allow access to namespaces with the `allowed-namespaces` setting.

Signed-off-by: Chmouel Boudjnah
---
 docs/cluster-resolver.md | 2 +-
 pkg/resolution/resolver/cluster/resolver.go | 8 +++++
 .../resolver/cluster/resolver_test.go | 30 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/docs/cluster-resolver.md b/docs/cluster-resolver.md
index 3e0d68eca14..fc545420ce8 100644
--- a/docs/cluster-resolver.md
+++ b/docs/cluster-resolver.md
@@ -40,7 +40,7 @@ for the name, namespace and defaults that the resolver ships with.
 | `default-kind` | The default resource kind to fetch if not specified in parameters. | `task`, `pipeline` |
 | `default-namespace` | The default namespace to fetch resources from if not specified in parameters. | `default`, `some-namespace` |
 | `allowed-namespaces` | An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed. | `default,some-namespace`, (empty) |
-| `blocked-namespaces` | An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. | `default,other-namespace`, (empty) |
+| `blocked-namespaces` | An optional comma-separated list of namespaces which the resolver is blocked from accessing. If the value is a `*` all namespaces will be disallowed and allowed namespace will need to be explicitely listed in `allowed-namespaces`. Defaults to empty, meaning all namespaces are allowed. | `default,other-namespace`, `*`, (empty) |
 
 ## Usage
 
diff --git a/pkg/resolution/resolver/cluster/resolver.go b/pkg/resolution/resolver/cluster/resolver.go
index b289960d0b6..44c5c800b9e 100644
--- a/pkg/resolution/resolver/cluster/resolver.go
+++ b/pkg/resolution/resolver/cluster/resolver.go
@@ -279,6 +279,14 @@ func populateParamsWithDefaults(ctx context.Context, origParams []pipelinev1.Par
 		return nil, fmt.Errorf("access to specified namespace %s is blocked", params[NamespaceParam])
 	}
 
+	if conf[AllowedNamespacesKey] != "" && isInCommaSeparatedList(params[NamespaceParam], conf[AllowedNamespacesKey]) {
+		return params, nil
+	}
+
+	if conf[BlockedNamespacesKey] != "" && conf[BlockedNamespacesKey] == "*" {
+		return nil, fmt.Errorf("only explicit allowed access to namespaces is allowed")
+	}
+
 	if conf[AllowedNamespacesKey] != "" && !isInCommaSeparatedList(params[NamespaceParam], conf[AllowedNamespacesKey]) {
 		return nil, fmt.Errorf("access to specified namespace %s is not allowed", params[NamespaceParam])
 	}
diff --git a/pkg/resolution/resolver/cluster/resolver_test.go b/pkg/resolution/resolver/cluster/resolver_test.go
index 783a701a01f..e1051a7089d 100644
--- a/pkg/resolution/resolver/cluster/resolver_test.go
+++ b/pkg/resolution/resolver/cluster/resolver_test.go
@@ -159,6 +159,30 @@ func TestValidateParamsFailure(t *testing.T) {
 			},
 			expectedErr: "access to specified namespace foo is blocked",
 		},
+		{
+			name: "blocked by star",
+			params: map[string]string{
+				cluster.KindParam: "task",
+				cluster.NamespaceParam: "foo",
+				cluster.NameParam: "baz",
+			},
+			conf: map[string]string{
+				cluster.BlockedNamespacesKey: "*",
+			},
+			expectedErr: "only explicit allowed access to namespaces is allowed",
+		},
+		{
+			name: "blocked by star but allowed explicitly",
+			params: map[string]string{
+				cluster.KindParam: "task",
+				cluster.NamespaceParam: "foo",
+				cluster.NameParam: "baz",
+			},
+			conf: map[string]string{
+				cluster.BlockedNamespacesKey: "*",
+				cluster.AllowedNamespacesKey: "foo",
+			},
+		},
 	}
 
 	for _, tc := range testCases {
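Review bot: The deny-all sentinel is honoured only when `blocked-namespaces` is exactly `*`, so a value such as `foo,*` (or `*` with surrounding whitespace, depending on how isInCommaSeparatedList trims) silently falls back to list mode and leaves every namespace reachable — a fail-open misconfiguration for a setting whose purpose is to restrict access. Match the sentinel after trimming and either reject or document lists that combine `*` with explicit names, and drop the redundant `!= ""` clause: `if strings.TrimSpace(conf[BlockedNamespacesKey]) == "*" {`. The new early `return params, nil` also skips whatever follows the `allowed-namespaces` check in populateParamsWithDefaults, which continues outside the hunk; if further validation exists there it would be bypassed for allow-listed namespaces. The neighbouring messages name the rejected namespace, so for consistency and auditability the new one could too, e.g. `fmt.Errorf("access to specified namespace %s is not allowed: blocked-namespaces is \"*\" and it is not in allowed-namespaces", params[NamespaceParam])`, with the test expectation updated to match.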
@@ -178,6 +202,12 @@ func TestValidateParamsFailure(t *testing.T) {
 			})
 		}
 		err := resolver.ValidateParams(ctx, asParams)
+		if tc.expectedErr == "" {
+			if err != nil {
+				t.Fatalf("got unexpected error: %v", err)
+			}
+			return
+		}
 		if err == nil {
 			t.Fatalf("got no error, but expected: %s", tc.expectedErr)
 		}
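Review bot: The success case added to TestValidateParamsFailure in the earlier hunk (`blocked by star but allowed explicitly`) is distinguished from failure cases only by an empty `expectedErr`, so any future case that accidentally omits its expected error is treated as a pass rather than failing the table; an explicit field such as `expectOK bool` keeps the failure table strict, or the case could move to the existing success-path test. The `return` in the new branch is only correct if this loop body runs inside a `t.Run` closure; the enclosing code is outside the hunk, and if it is the bare `for _, tc := range testCases` loop the `return` ends the whole test and silently skips the remaining cases, where `continue` would be the right form. Neither new table entry covers a `blocked-namespaces` value that mixes `*` with explicit names, so that behaviour is left unpinned.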