Only load manifests with allowed namespaces

fluxcd · Jan 17, 2019 · f060e01 · f060e01
1 parent 606a1bf
commit f060e01
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 18 deletions.
diff --git a/cluster/kubernetes/kubernetes.go b/cluster/kubernetes/kubernetes.go
@@ -138,7 +138,7 @@ func NewCluster(clientset k8sclient.Interface,
 func (c *Cluster) SomeControllers(ids []flux.ResourceID) (res []cluster.Controller, err error) {
 	var controllers []cluster.Controller
 	for _, id := range ids {
-		if !c.isInAllowedNamespace(id) {
+		if !isInAllowedNamespace(c.allowedNamespaces, id) {
 			continue
 		}
 		ns, kind, name := id.Components()
@@ -228,7 +228,7 @@ func (c *Cluster) Sync(spec cluster.SyncDef) error {
 			{action.Apply, "apply"},
 		}
 		for _, stage := range stages {
-			if stage.res == nil || !c.isInAllowedNamespace(stage.res.ResourceID()) {
+			if stage.res == nil || !isInAllowedNamespace(c.allowedNamespaces, stage.res.ResourceID()) {
 				continue
 			}
 
@@ -382,13 +382,13 @@ func (c *Cluster) getAllowedNamespaces() ([]apiv1.Namespace, error) {
 	return namespaces.Items, nil
 }
 
-func (c *Cluster) isInAllowedNamespace(id flux.ResourceID) bool {
-	if len(c.allowedNamespaces) == 0 {
+func isInAllowedNamespace(allowedNamespaces []string, id flux.ResourceID) bool {
+	if len(allowedNamespaces) == 0 {
 		// all namespaces are allowed
 		return true
 	}
 	ns, _, _ := id.Components()
-	for _, allowedNS := range c.allowedNamespaces {
+	for _, allowedNS := range allowedNamespaces {
 		if ns == allowedNS {
 			return true
 		}

diff --git a/cluster/kubernetes/manifests.go b/cluster/kubernetes/manifests.go
@@ -8,10 +8,17 @@ import (
 )
 
 type Manifests struct {
+	AllowedNamespaces []string
 }
 
 func (c *Manifests) LoadManifests(base string, paths []string) (map[string]resource.Resource, error) {
-	return kresource.Load(base, paths)
+	resources, err := kresource.Load(base, paths)
+	for k, r := range resources {
+		if !isInAllowedNamespace(c.AllowedNamespaces, r.ResourceID()) {
+			delete(resources, k)
+		}
+	}
+	return resources, err
 }
 
 func (c *Manifests) ParseManifests(allDefs []byte) (map[string]resource.Resource, error) {

diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
@@ -274,7 +274,7 @@ func main() {
 		imageCreds = k8sInst.ImagesToFetch
 		// There is only one way we currently interpret a repo of
 		// files as manifests, and that's as Kubernetes yamels.
-		k8sManifests = &kubernetes.Manifests{}
+		k8sManifests = &kubernetes.Manifests{AllowedNamespaces: allowedNamespaces}
 	}
 
 	// Wrap the procedure for collecting images to scan

diff --git a/daemon/daemon.go b/daemon/daemon.go
@@ -42,17 +42,17 @@ const (
 // Daemon is the fully-functional state of a daemon (compare to
 // `NotReadyDaemon`).
 type Daemon struct {
-	V              string
-	Cluster        cluster.Cluster
-	Manifests      cluster.Manifests
-	Registry       registry.Registry
-	ImageRefresh   chan image.Name
-	Repo           *git.Repo
-	GitConfig      git.Config
-	Jobs           *job.Queue
-	JobStatusCache *job.StatusCache
-	EventWriter    event.EventWriter
-	Logger         log.Logger
+	V                 string
+	Cluster           cluster.Cluster
+	Manifests         cluster.Manifests
+	Registry          registry.Registry
+	ImageRefresh      chan image.Name
+	Repo              *git.Repo
+	GitConfig         git.Config
+	Jobs              *job.Queue
+	JobStatusCache    *job.StatusCache
+	EventWriter       event.EventWriter
+	Logger            log.Logger
 	// bookkeeping
 	*LoopVars
 }