Clarify access from all namespace

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Stefan Prodan 2021-08-06 17:34:32 +03:00
parent 8f4ae31562
commit 3f77178a87
No known key found for this signature in database
GPG Key ID: 3299AEB0E4085BAF
3 changed files with 13 additions and 10 deletions


@ -320,11 +320,6 @@ func (r *ImagePolicyReconciler) hasAccessToRepository(ctx context.Context, polic
repo.Namespace, repo.Name)
}
// grant access if the repository ACL has no namespace selectors
if acl != nil && acl.NamespaceSelectors == nil {
return true, nil
}
// get the policy namespace labels
var policyNamespace v1.Namespace
if err := r.Get(ctx, types.NamespacedName{Name: policy.Namespace}, &policyNamespace); err != nil {
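Review bot: With the `acl.NamespaceSelectors == nil` shortcut removed, an ACL without selectors now falls through to the namespace-label lookup, and nothing at this point says that such an ACL is meant to deny cross-namespace access. I would leave a comment where the removed block stood, for example `// an ACL without namespace selectors grants no access; only an explicit empty matchLabels matches every namespace`. The rest of hasAccessToRepository lies outside the hunk, so it is worth confirming that the matching that follows ends in an explicit `return false, nil` when the selector list is nil or empty, and that a failed `r.Get` on the policy namespace also denies rather than grants.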


@ -383,7 +383,7 @@ var _ = Describe("ImagePolicy controller", func() {
})
When("is in different namespace with empty ACL", func() {
It("grants access", func() {
It("deny access", func() {
policyNamespace := &corev1.Namespace{}
policyNamespace.Name = "acl-" + randStringRunes(5)
policyNamespace.Labels = map[string]string{
@ -449,16 +449,16 @@ var _ = Describe("ImagePolicy controller", func() {
Expect(r.Create(ctx, &pol)).To(Succeed())
Eventually(func() bool {
err := r.Get(ctx, polObjectName, &pol)
return err == nil && pol.Status.LatestImage != ""
_ = r.Get(ctx, polObjectName, &pol)
return apimeta.IsStatusConditionFalse(pol.Status.Conditions, meta.ReadyCondition)
}, timeout, interval).Should(BeTrue())
Expect(pol.Status.LatestImage).To(Equal(imgRepo + ":1.0.1"))
Expect(apimeta.FindStatusCondition(pol.Status.Conditions, meta.ReadyCondition).Reason).To(Equal("AccessDenied"))
Expect(r.Delete(ctx, &pol)).To(Succeed())
})
})
When("is in different namespace with no empty match labels", func() {
When("is in different namespace with empty match labels", func() {
It("grants access", func() {
policyNamespace := &corev1.Namespace{}
policyNamespace.Name = "acl-" + randStringRunes(5)
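Review bot: The rewritten poll in the empty-ACL case returns as soon as Ready is False for any reason and discards the error from `r.Get`, so the `Reason` assertion that follows may race with an earlier not-ready state. Folding the reason into the poll avoids that: `c := apimeta.FindStatusCondition(pol.Status.Conditions, meta.ReadyCondition)` followed by `return err == nil && c != nil && c.Reason == "AccessDenied"`. The old `LatestImage` check was dropped without a replacement; `Expect(pol.Status.LatestImage).To(BeEmpty())` would pin that a denied policy publishes no image from the other namespace's repository. The `It` bodies start and end outside these hunks.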


@ -159,6 +159,14 @@ spec:
range: 1.0.x
```
To grant access to all namespaces, an empty `matchLabels` must be provided:
```yaml
accessFrom:
namespaceSelectors:
- matchLabels: {}
```
## Status
```go