diff --git a/api/v1alpha1/tenant_labels.go b/api/v1alpha1/tenant_labels.go
index e384bab69..8a5bc7d62 100644
--- a/api/v1alpha1/tenant_labels.go
+++ b/api/v1alpha1/tenant_labels.go
@@ -34,6 +34,10 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {
 		return "capsule.clastix.io/network-policy", nil
 	case *corev1.ResourceQuota:
 		return "capsule.clastix.io/resource-quota", nil
+	case *corev1.Service:
+		return "capsule.clastix.io/tenant", nil
+	case *corev1.Endpoints:
+		return "capsule.clastix.io/tenant", nil
 	default:
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}
diff --git a/pkg/webhook/owner_reference/patching.go b/pkg/webhook/owner_reference/patching.go
index 2048f6cf3..c86486dbc 100644
--- a/pkg/webhook/owner_reference/patching.go
+++ b/pkg/webhook/owner_reference/patching.go
@@ -19,9 +19,7 @@ package owner_reference
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"net/http"
-	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	"github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/pkg/utils"
 	"github.com/clastix/capsule/pkg/webhook"
 )
 
@@ -76,7 +75,7 @@ func (r *handler) OnCreate(ctx context.Context, req admission.Request, clt clien
 			return admission.Errored(http.StatusBadRequest, err)
 		}
 		// Tenant owner must adhere to user that asked for NS creation
-		if !r.isTenantOwner(t.Spec.Owner, req) {
+		if !utils.IsTenantOwner(t.Spec.Owner, req.UserInfo) {
 			return admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")
 		}
 		// Patching the response
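Review bot: The two new cases in GetTypeLabel return the same label, so they read better as one case list, `case *corev1.Service, *corev1.Endpoints:` followed by a single `return "capsule.clastix.io/tenant", nil`. A one-line comment above that case saying why Service and Endpoints map to the generic tenant label rather than a type-specific one like the neighbouring resource-quota and network-policy entries would also help, since the asymmetry looks accidental to a reader who does not know the intent. GetTypeLabel's signature and the end of its switch are outside this hunk.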
@@ -85,43 +84,19 @@ func (r *handler) OnCreate(ctx context.Context, req admission.Request, clt clien
 	}
 
-	// assigning namespace to Tenant in case of --force-tenant-prefix flag enabled
-	if r.forceTenantPrefix {
-		tenantName := strings.Split(ns.GetName(), "-")[0]
-		// retrieving the selected Tenant
-		t := &v1alpha1.Tenant{}
-		if err := clt.Get(ctx, types.NamespacedName{Name: tenantName}, t); err != nil {
-			return admission.Errored(http.StatusBadRequest, err)
-		}
-		// Tenant owner must adhere to user that asked for NS creation
-		if !r.isTenantOwner(t.Spec.Owner, req) {
-			return admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")
-		}
-		// Patching the response
-		return r.patchResponseForOwnerRef(t, ns)
-	}
-
-	tl, err := r.listTenantsForOwner(ctx, "User", req.UserInfo.Username, clt)
+	tenant, err := utils.GetNamespaceTenant(ctx, ns.Name, r.forceTenantPrefix, req.UserInfo, clt)
 	if err != nil {
+		if err, ok := err.(*utils.TenantNotFoundError); ok {
+			return admission.Denied(err.Error())
+		}
 		return admission.Errored(http.StatusBadRequest, err)
 	}
-	if len(tl.Items) > 0 {
-		return r.patchResponseForOwnerRef(&tl.Items[0], ns)
+	// Tenant owner must adhere to user that asked for NS creation
+	if !utils.IsTenantOwner(tenant.Spec.Owner, req.UserInfo) {
+		return admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")
 	}
-	if len(req.UserInfo.Groups) > 0 {
-		for _, group := range req.UserInfo.Groups {
-			tl, err := r.listTenantsForOwner(ctx, "Group", group, clt)
-			if err != nil {
-				return admission.Errored(http.StatusBadRequest, err)
-			}
-			if len(tl.Items) > 0 {
-				return r.patchResponseForOwnerRef(&tl.Items[0], ns)
-			}
-		}
-	}
-
-	return admission.Denied("You do not have any Tenant assigned: please, reach out the system administrators")
+	return r.patchResponseForOwnerRef(tenant, ns)
 }
 
 func (r *handler) OnDelete(ctx context.Context, req admission.Request, client client.Client, decoder *admission.Decoder) admission.Response {
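Review bot: The not-found branch added after the `utils.GetNamespaceTenant` call matches with a bare type assertion, `err.(*utils.TenantNotFoundError)`, which stops matching as soon as that helper (or anything between it and this handler) wraps the error with `%w`; the intended "denied" response would then silently degrade to a 400 from `admission.Errored`. Prefer `var nf *utils.TenantNotFoundError; if errors.As(err, &nf) { return admission.Denied(nf.Error()) }` (adding `"errors"` to the import block), which also avoids shadowing the outer `err` inside the `if`. Whether GetNamespaceTenant wraps its errors today cannot be seen from this hunk, so this is a robustness point rather than a current defect. Because the ownership check below now runs against whatever tenant the helper resolved — presumably the prefix-derived one when `r.forceTenantPrefix` is set — a short comment above the call stating that resolution contract would help the next reader. OnCreate's opening lines are outside this hunk.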
@@ -132,15 +107,6 @@ func (r *handler) OnUpdate(ctx context.Context, req admission.Request, client cl
 	return admission.Denied("Capsule user cannot update a Namespace")
 }
 
-func (r *handler) listTenantsForOwner(ctx context.Context, ownerKind string, ownerName string, clt client.Client) (*v1alpha1.TenantList, error) {
-	tl := &v1alpha1.TenantList{}
-	f := client.MatchingFields{
-		".spec.owner.ownerkind": fmt.Sprintf("%s:%s", ownerKind, ownerName),
-	}
-	err := clt.List(ctx, tl, f)
-	return tl, err
-}
-
 func (r *handler) patchResponseForOwnerRef(tenant *v1alpha1.Tenant, ns *corev1.Namespace) admission.Response {
 	scheme := runtime.NewScheme()
 	_ = v1alpha1.AddToScheme(scheme)
@@ -153,17 +119,3 @@ func (r *handler) patchResponseForOwnerRef(tenant *v1alpha1.Tenant, ns *corev1.N
 	c, _ := json.Marshal(ns)
 	return admission.PatchResponseFromRaw(o, c)
 }
-
-func (r *handler) isTenantOwner(os v1alpha1.OwnerSpec, req admission.Request) bool {
-	if os.Kind == "User" && req.UserInfo.Username == os.Name {
-		return true
-	}
-	if os.Kind == "Group" {
-		for _, group := range req.UserInfo.Groups {
-			if group == os.Name {
-				return true
-			}
-		}
-	}
-	return false
-}