Capsule user should be treated as a tenant owner

Stratio · Nov 22, 2024 · d616812 · d616812
1 parent 7062a3a
commit d616812
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/pkg/webhook/namespace/patch.go b/pkg/webhook/namespace/patch.go
@@ -20,10 +20,14 @@ import (
 	"github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
 
-type patchHandler struct{}
+type patchHandler struct{
+	capsuleUserName string
+}
 
-func PatchHandler() capsulewebhook.Handler {
-	return &patchHandler{}
+func PatchHandler(capsuleUserName string) capsulewebhook.Handler {
+	return &patchHandler{
+		capsuleUserName: capsuleUserName,
+	}
 }
 
 func (r *patchHandler) OnCreate(client.Client, admission.Decoder, record.EventRecorder) capsulewebhook.Func {
@@ -66,7 +70,7 @@ func (r *patchHandler) OnUpdate(c client.Client, decoder admission.Decoder, reco
 				return &response
 			}
 
-			if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {
+			if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo, r.capsuleUserName) {
 				recorder.Eventf(tnt, corev1.EventTypeWarning, "NamespacePatch", e)
 				response := admission.Denied(e)
 

diff --git a/pkg/webhook/ownerreference/patching.go b/pkg/webhook/ownerreference/patching.go
@@ -155,7 +155,7 @@ func (h *handler) setOwnerRef(ctx context.Context, req admission.Request, client
 			return &response
 		}
 		// Tenant owner must adhere to user that asked for NS creation
-		if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) && req.UserInfo.Username != h.capsuleUserName {
+		if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo, h.capsuleUserName) {
 			recorder.Eventf(tnt, corev1.EventTypeWarning, "NonOwnedTenant", "Namespace %s cannot be assigned to the current Tenant", ns.GetName())
 
 			response := admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")

diff --git a/pkg/webhook/utils/is_tenant_owner.go b/pkg/webhook/utils/is_tenant_owner.go
@@ -9,7 +9,10 @@ import (
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 )
 
-func IsTenantOwner(owners capsulev1beta2.OwnerListSpec, userInfo authenticationv1.UserInfo) bool {
+func IsTenantOwner(owners capsulev1beta1.OwnerListSpec, userInfo authenticationv1.UserInfo, capsuleUserName string) bool {
+	if userInfo.Username == capsuleUserName {
+		return true
+	}
 	for _, owner := range owners {
 		switch owner.Kind {
 		case capsulev1beta2.UserOwner, capsulev1beta2.ServiceAccountOwner: