github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: ensure no non-admin users have access to system namespaces (#499)

release/2.28.0
Steven Kang 2025-03-13 16:43:56 +13:00 committed by GitHub
parent 8b7aef883a
commit 417891675d
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
api/kubernetes/cli/namespace.go
View File

@ -265,9 +265,12 @@ func isSystemNamespace(namespace *corev1.Namespace) bool {
return systemLabelValue == "true"
}
systemNamespaces := defaultSystemNamespaces()
return isSystemDefaultNamespace(namespace.Name)
}
_, isSystem := systemNamespaces[namespace.Name]
func isSystemDefaultNamespace(namespace string) bool {
systemNamespaces := defaultSystemNamespaces()
_, isSystem := systemNamespaces[namespace]
return isSystem
}
@ -390,7 +393,9 @@ func (kcl *KubeClient) CombineNamespaceWithResourceQuota(namespace portainer.K8s
func (kcl *KubeClient) buildNonAdminNamespacesMap() map[string]struct{} {
nonAdminNamespaceSet := make(map[string]struct{}, len(kcl.NonAdminNamespaces))
for _, namespace := range kcl.NonAdminNamespaces {
nonAdminNamespaceSet[namespace] = struct{}{}
if !isSystemDefaultNamespace(namespace) {
nonAdminNamespaceSet[namespace] = struct{}{}
}
}
return nonAdminNamespaceSet