fix: ensure no non-admin users have access to system namespaces (#499)

release/2.28.0
Steven Kang 2025-03-13 16:43:56 +13:00 committed by GitHub
parent 8b7aef883a
commit 417891675d
1 changed files with 8 additions and 3 deletions


@ -265,9 +265,12 @@ func isSystemNamespace(namespace *corev1.Namespace) bool {
return systemLabelValue == "true" return systemLabelValue == "true"
} }
systemNamespaces := defaultSystemNamespaces() return isSystemDefaultNamespace(namespace.Name)
}
_, isSystem := systemNamespaces[namespace.Name] func isSystemDefaultNamespace(namespace string) bool {
systemNamespaces := defaultSystemNamespaces()
_, isSystem := systemNamespaces[namespace]
return isSystem return isSystem
} }
@ -390,8 +393,10 @@ func (kcl *KubeClient) CombineNamespaceWithResourceQuota(namespace portainer.K8s
func (kcl *KubeClient) buildNonAdminNamespacesMap() map[string]struct{} { func (kcl *KubeClient) buildNonAdminNamespacesMap() map[string]struct{} {
nonAdminNamespaceSet := make(map[string]struct{}, len(kcl.NonAdminNamespaces)) nonAdminNamespaceSet := make(map[string]struct{}, len(kcl.NonAdminNamespaces))
for _, namespace := range kcl.NonAdminNamespaces { for _, namespace := range kcl.NonAdminNamespaces {
if !isSystemDefaultNamespace(namespace) {
nonAdminNamespaceSet[namespace] = struct{}{} nonAdminNamespaceSet[namespace] = struct{}{}
} }
}
return nonAdminNamespaceSet return nonAdminNamespaceSet
} }
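Review bot: The filter added in buildNonAdminNamespacesMap calls isSystemDefaultNamespace, which matches only the names from defaultSystemNamespaces(), so a namespace that isSystemNamespace treats as system through its label (the `systemLabelValue == "true"` branch in the first hunk) would still land in the non-admin set if its name is in kcl.NonAdminNamespaces. If the goal is that no system namespace is reachable by non-admin users, the paths that hold the fetched namespace object should also apply isSystemNamespace, or the limit should be recorded on the helper, e.g. `// isSystemDefaultNamespace reports whether the name is a built-in system namespace; it does not consult the namespace's system label.` The start of isSystemNamespace lies outside the hunk, so how the label value is read is inferred here. A unit test with a NonAdminNamespaces list that contains a default system namespace would pin the new behaviour.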