Use request.userInfo.groups to validate the organization label #14

Merged
merged 1 commit into from
Sep 10, 2021

@simu simu commented Sep 8, 2021

Kyverno provides the requesting user's groups in request.userInfo.groups.

This commit changes the is-in-organization policy to use this variable instead of fetching all groups from the Kubernetes API when validating that the user is part of the organization specified on the Namespace object.

Checklist

  • Update the documentation.
  • Categorize the PR by setting a good title and adding one of the labels:
    bug, enhancement, documentation, change, breaking, dependency
    as they show up in the changelog

@simu simu force-pushed the feat/simplify-namespace-organization-validation branch from 18cecae to 5b0c81d Compare September 10, 2021 13:22
@simu simu added the change label Sep 10, 2021
@simu simu force-pushed the feat/simplify-namespace-organization-validation branch from 5b0c81d to 25c0b49 Compare September 10, 2021 13:25
@simu simu changed the title Make use of request.userInfo.groups to validate the organization label Use request.userInfo.groups to validate the organization label Sep 10, 2021
@simu simu force-pushed the feat/simplify-namespace-organization-validation branch from 25c0b49 to dd60540 Compare September 10, 2021 13:26
@simu simu requested a review from glrf September 10, 2021 13:27
@simu simu marked this pull request as ready for review September 10, 2021 13:27
@simu simu force-pushed the feat/simplify-namespace-organization-validation branch from dd60540 to 870b56a Compare September 10, 2021 14:00
Kyverno provides the requesting user's groups in `request.userInfo.groups`.

This commit changes the `is-in-organization` policy to use this variable
instead of fetching all groups from the Kubernetes API when validating
that the user is part of the organization specified on the Namespace
object.
@simu simu force-pushed the feat/simplify-namespace-organization-validation branch from 870b56a to cc506db Compare September 10, 2021 14:03
@simu simu requested a review from glrf September 10, 2021 14:03
@simu simu merged commit c143204 into master Sep 10, 2021
@simu simu deleted the feat/simplify-namespace-organization-validation branch September 10, 2021 14:05
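
The check described in this PR, mirrored in plain Python over a constructed AdmissionReview, as an added example that is not part of the PR or the project's Kyverno policy. The label key `example.io/organization`, the sample user and groups, and the choice to deny when the label is missing are assumptions.

```python
# Added illustration: the organization check driven by request.userInfo.groups.
# ORG_LABEL and all sample values are constructed placeholders, not from the PR.
ORG_LABEL = "example.io/organization"  # hypothetical label key


def review_namespace(admission_review: dict) -> dict:
    """Return an AdmissionReview response for a Namespace admission request."""
    request = admission_review.get("request") or {}
    user_info = request.get("userInfo") or {}
    # Groups the API server attached to this request; no extra API lookup needed.
    groups = set(user_info.get("groups") or [])
    metadata = (request.get("object") or {}).get("metadata") or {}
    org = (metadata.get("labels") or {}).get(ORG_LABEL)

    if not org:
        # Assumption: fail closed when the Namespace carries no organization label.
        allowed, message = False, f"label {ORG_LABEL} is required"
    elif org not in groups:
        user = user_info.get("username")
        allowed, message = False, f"user {user!r} is not in organization {org!r}"
    else:
        allowed, message = True, ""

    response = {"uid": request.get("uid", ""), "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_review(groups, labels):
    """Build a constructed AdmissionReview for a Namespace CREATE."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-0000-0000-000000000001",
            "operation": "CREATE",
            "userInfo": {"username": "alice", "groups": groups},
            "object": {"apiVersion": "v1", "kind": "Namespace",
                       "metadata": {"name": "demo", "labels": labels}},
        },
    }


if __name__ == "__main__":
    for groups in (["acme", "system:authenticated"], ["other-org"], None):
        result = review_namespace(sample_review(groups, {ORG_LABEL: "acme"}))
        print(groups, "->", result["response"])
```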