From 417891675d80efe1c30e7b2aaeb5a3d3ccf903ca Mon Sep 17 00:00:00 2001
From: Steven Kang
Date: Thu, 13 Mar 2025 16:43:56 +1300
Subject: [PATCH] fix: ensure no non-admin users have access to system namespaces (#499)
---
 api/kubernetes/cli/namespace.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/api/kubernetes/cli/namespace.go b/api/kubernetes/cli/namespace.go
index 0ebb6189a..11307d651 100644
--- a/api/kubernetes/cli/namespace.go
+++ b/api/kubernetes/cli/namespace.go
@@ -265,9 +265,12 @@ func isSystemNamespace(namespace *corev1.Namespace) bool {
 return systemLabelValue == "true"
 }
 
- systemNamespaces := defaultSystemNamespaces()
+ return isSystemDefaultNamespace(namespace.Name)
+}
 
- _, isSystem := systemNamespaces[namespace.Name]
+func isSystemDefaultNamespace(namespace string) bool {
+ systemNamespaces := defaultSystemNamespaces()
+ _, isSystem := systemNamespaces[namespace]
 return isSystem
 }
 
@@ -390,7 +393,9 @@ func (kcl *KubeClient) CombineNamespaceWithResourceQuota(namespace portainer.K8s
 func (kcl *KubeClient) buildNonAdminNamespacesMap() map[string]struct{} {
 nonAdminNamespaceSet := make(map[string]struct{}, len(kcl.NonAdminNamespaces))
 for _, namespace := range kcl.NonAdminNamespaces {
- nonAdminNamespaceSet[namespace] = struct{}{}
+ if !isSystemDefaultNamespace(namespace) {
+ nonAdminNamespaceSet[namespace] = struct{}{}
+ }
 }
 
 return nonAdminNamespaceSet
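Review bot: The new `isSystemDefaultNamespace` helper has no doc comment, and its name is close enough to `isSystemNamespace` that a caller could assume the two are equivalent. They are not: `isSystemNamespace` first honours the system label (`return systemLabelValue == "true"`), while the helper only looks the name up in `defaultSystemNamespaces()`. I would add `// isSystemDefaultNamespace reports whether name is one of the built-in default system namespaces; it does not consult the namespace's system label.` and rename the string parameter to `name` so it is not confused with the `*corev1.Namespace` argument above. `isSystemNamespace` begins outside this hunk, so the label lookup itself is not visible here.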
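Review bot: The filter added in `buildNonAdminNamespacesMap` drops only names from the default list, so a namespace marked as system through the label that `isSystemNamespace` checks would still end up in the non-admin set, which seems at odds with the commit title. The reverse case is inconsistent too: a default namespace whose label is set to something other than `"true"` is non-system for `isSystemNamespace` but is still excluded here. If label-marked namespaces are meant to be covered, the check needs the namespace object or a precomputed set of label-marked names rather than the bare name; if not, state the limit in a comment such as `// only built-in default system namespaces are filtered; label-marked ones are not visible from the name alone`. Skipping an entry silently also hides a misconfigured access policy, so logging the dropped name would help auditing, and a unit test that puts a system name in `kcl.NonAdminNamespaces` would pin the fix. The function's closing brace lies outside the hunk.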