Issue #696 - Support apps with static namespaces in resources

[alexmt]

After PR is merged application might have resources with 'hardcoded' namespaces. This partially solved issue #696

[jessesuen]

I haven't yet looked at the code, but before I forget, do we prevent the following attack:

In git, I have a ClusterRole with a metadata.namespace value (even though ClusterRoles don't need namespace). The namespace is in the whitelisted namespaces in the project, but ClusterRoles are not whitelisted.

The expected behavior is that the create ClusterRole should be rejected.

[alexmt]

@jessesuen thanks for reminding about project permissions check. The attack which you described is prevented ( we are explicetly if resource is namespaced or not using discovery api ).

I forgot to add destination namespace check. This is fixed now. Please review PR

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@3a9196c). Click here to learn what that means.
The diff coverage is 52.25%.

@@            Coverage Diff            @@
##             master     #842   +/-   ##
=========================================
  Coverage          ?   30.75%           
=========================================
  Files             ?       47           
  Lines             ?     6893           
  Branches          ?        0           
=========================================
  Hits              ?     2120           
  Misses            ?     4451           
  Partials          ?      322

Impacted Files	Coverage Δ
controller/state.go	4.76% <0%> (ø)
util/kube/kube.go	31.91% <0%> (ø)
controller/sync_hooks.go	20.11% <10.52%> (ø)
controller/cache/cache.go	3.73% <21.73%> (ø)
controller/cache/cluster.go	78.37% <60%> (ø)
controller/sync.go	56.13% <84.21%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3a9196c...fb9602f. Read the comment docs.

[jessesuen]

Is there any problem here that if we don't see the GVK in the cluster, that we unconditionally consider it as a namespaced? e.g. will deploying an app for the first time that contains a cluster-scoped CRD + cluster-scoped CRD object work okay?

[alexmt]

good point. working improving it in next PR

[peterbosalliandercom]

Should this be working on role and rolebindings? I have set a namespace hardcoded into the resource and still it pickes up the application namespace...

[peterbosalliandercom]

I have added the following pod, it should be running in namespace demo1 but it runs in demo (the application destination namespace).
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:

• name: myapp-container
  image: busybox
  command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600']

[peterbosalliandercom]

My source pod.yaml was:
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
namespace: demo1
spec:
containers:

• name: myapp-container
  image: busybox
  command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600']

[peterbosalliandercom]

Is this the same issue as described in my previous posts? 483872a

[jessesuen]

Yes possibly. Are you using kustomize?