Block creation of RBAC objects via DevWorkspace components

amisevsk · amisevsk · commit c1006d10c8de · 2022-12-16T14:40:57.000-05:00
Signed-off-by: Angel Misevski &lt;amisevsk@redhat.com&gt;
diff --git a/webhook/workspace/handler/kubernetes.go b/webhook/workspace/handler/kubernetes.go
@@ -70,9 +70,13 @@ func (h *WebhookHandler) validatePermissionsOnObject(ctx context.Context, req ad
 	if err := yaml.Unmarshal([]byte(component), typeMeta); err != nil {
 		return fmt.Errorf("failed to read content for component %s", componentName)
 	}
-	if typeMeta.Kind == "List" {
+	kind := typeMeta.Kind
+	if kind == "List" {
 		return fmt.Errorf("lists are not supported in Kubernetes or OpenShift components")
 	}
+	if kind == "Role" || kind == "Rolebinding" || kind == "ClusterRole" || kind == "ClusterRoleBinding" {
+		return fmt.Errorf("kubernetes RBAC objects are not permitted within DevWorkspace components")
+	}
 
 	// Workaround to get the correct resource type for a given kind -- probably fragile
 	// Convert e.g. Pod -> pods, Deployment -> deployments

Original file line number	Diff line number	Diff line change
`@@ -70,9 +70,13 @@ func (h *WebhookHandler) validatePermissionsOnObject(ctx context.Context, req ad`
`70`	`70`	`if err := yaml.Unmarshal([]byte(component), typeMeta); err != nil {`
`71`	`71`	`return fmt.Errorf("failed to read content for component %s", componentName)`
`72`	`72`	`}`
`73`		`- if typeMeta.Kind == "List" {`
	`73`	`+ kind := typeMeta.Kind`
	`74`	`+ if kind == "List" {`
`74`	`75`	`return fmt.Errorf("lists are not supported in Kubernetes or OpenShift components")`
`75`	`76`	`}`
	`77`	`+ if kind == "Role" \|\| kind == "Rolebinding" \|\| kind == "ClusterRole" \|\| kind == "ClusterRoleBinding" {`
	`78`	`+ return fmt.Errorf("kubernetes RBAC objects are not permitted within DevWorkspace components")`
	`79`	`+ }`
`76`	`80`
`77`	`81`	`// Workaround to get the correct resource type for a given kind -- probably fragile`
`78`	`82`	`// Convert e.g. Pod -> pods, Deployment -> deployments`