Merge pull request #368 from joshbranham/clarify-namespace-promrule-exceptions

openshift-merge-bot[bot] · web-flow · commit bb9d6acf7b50 · 2025-05-13T21:12:10.000Z
OSD-29566: Clarify namespaces that can bypass PrometheusRules webhook
diff --git a/README.md b/README.md
@@ -34,7 +34,7 @@ Ensure the git branch is current and run `make syncset`. The updated Template wi
 
 Ensure the git branch is current and run `make generate`. The updated lists will be written to [pkg/config/namespaces.go](pkg/config/namespaces.go). [Documentation should also be regenerated](#updating-documentation-files) to ensure the ConfigMaps specified are up-to-date.
 
-## Updating documenation files
+## Updating documentation files
 
 Ensure the git branch is current and run `make docs > docs/webhooks.json && make DOCFLAGS=-hideRules docs > docs/webhooks-short.json`.
 
diff --git a/pkg/config/namespaces.go b/pkg/config/namespaces.go
diff --git a/pkg/webhooks/prometheusrule/prometheusrule.go b/pkg/webhooks/prometheusrule/prometheusrule.go
@@ -45,6 +45,9 @@ var (
 		},
 	}
 	log = logf.Log.WithName(WebhookName)
+
+	// These namespaces are partially managed by Red Hat SRE, however we allow customers to define PrometheusRules in them.
+	privilegedNamespacesAllowed = []string{"openshift-customer-monitoring", "openshift-user-workload-monitoring"}
 )
 
 // prometheusruleWebhook validates a prometheusRule change
@@ -80,10 +83,8 @@ func (s *prometheusruleWebhook) authorized(request admissionctl.Request) admissi
 		return admissionctl.Errored(http.StatusBadRequest, err)
 	}
 
-	if hookconfig.IsPrivilegedNamespace(pr.GetNamespace()) &&
-		// TODO: [OSD-13680] Remove this exception for openshift-customer-monitoring
-		pr.GetNamespace() != "openshift-customer-monitoring" &&
-		pr.GetNamespace() != "openshift-user-workload-monitoring" {
+	// This block covers the denial flow for PrivilegedNamespaces, excluding some special case namespaces.
+	if hookconfig.IsPrivilegedNamespace(pr.GetNamespace()) && !slices.Contains(privilegedNamespacesAllowed, pr.GetNamespace()) {
 		log.Info(fmt.Sprintf("%s operation detected on managed namespace: %s", request.Operation, pr.GetNamespace()))
 		if isAllowedUser(request) {
 			ret = admissionctl.Allowed(fmt.Sprintf("User can do operations on PrometheusRules"))
diff --git a/pkg/webhooks/prometheusrule/prometheusrule_test.go b/pkg/webhooks/prometheusrule/prometheusrule_test.go
@@ -258,8 +258,8 @@ func TestUsers(t *testing.T) {
 			shouldBeAllowed: true,
 		},
 		{
-			testID:          "regular-user-can-create-prometheusrule-in-openshift-user-workload-monitoring",
-			targetNamespace: "openshift-user-workload-monitoring",
+			testID:          "regular-user-can-create-prometheusrule-in-openshift-customer-monitoring",
+			targetNamespace: "openshift-customer-monitoring",
 			targetResource:  "prometheusrule",
 			username:        "prometheus-user-workload",
 			userGroups:      []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
