fix access conditions when the restrict default namespace is enabled (#12281)

2 months ago · 71c7dacf42
parent c0db48b29d
commit 71c7dacf42
2 changed files with 7 additions and 3 deletions
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@ -197,7 +197,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 				return
 			}
-			nonAdminNamespaces, err = pcli.GetNonAdminNamespaces(int(user.ID))
+			nonAdminNamespaces, err = pcli.GetNonAdminNamespaces(int(user.ID), endpoint.Kubernetes.Configuration.RestrictDefaultNamespace)
 			if err != nil {
 				httperror.WriteError(w, http.StatusInternalServerError, "an error occurred during the KubeClientMiddleware operation, unable to retrieve non-admin namespaces. Error: ", err)
 				return
--- a/api/kubernetes/cli/access.go
+++ b/api/kubernetes/cli/access.go
@ -124,13 +124,17 @@ func (kcl *KubeClient) UpdateNamespaceAccessPolicies(accessPolicies map[string]p
 }
 // GetNonAdminNamespaces retrieves namespaces for a non-admin user, excluding the default namespace if restricted.
-func (kcl *KubeClient) GetNonAdminNamespaces(userID int) ([]string, error) {
+func (kcl *KubeClient) GetNonAdminNamespaces(userID int, isRestrictDefaultNamespace bool) ([]string, error) {
 	accessPolicies, err := kcl.GetNamespaceAccessPolicies()
 	if err != nil {
 		return nil, fmt.Errorf("an error occurred during the getNonAdminNamespaces operation, unable to get namespace access policies via portainer-config. check if portainer-config configMap exists in the Kubernetes cluster: %w", err)
 	}
-	nonAdminNamespaces := []string{defaultNamespace}
+	nonAdminNamespaces := []string{}
 	if !isRestrictDefaultNamespace {
 		nonAdminNamespaces = append(nonAdminNamespaces, defaultNamespace)
 	}
 	for namespace, accessPolicy := range accessPolicies {
 		if hasUserAccessToNamespace(userID, nil, accessPolicy) {
 			nonAdminNamespaces = append(nonAdminNamespaces, namespace)