From cc506db1dafbec9ae26d102c9f37c16835ff71f7 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Wed, 8 Sep 2021 10:19:23 +0200
Subject: [PATCH] Use `request.userInfo.groups` to validate the organization label

Kyverno provides the requesting user's groups in `request.userInfo.groups`. This commit changes the `is-in-organization` policy to use this variable instead of fetching all groups from the Kubernetes API when validating that the user is part of the organization specified on the Namespace object.

---
 component/namespace-policies.jsonnet | 13 ++-----------
 .../appuio-cloud/02_organization_namespaces.yaml | 11 +++--------
 2 files changed, 5 insertions(+), 19 deletions(-)

diff --git a/component/namespace-policies.jsonnet b/component/namespace-policies.jsonnet
index c521fa4..9160795 100644
--- a/component/namespace-policies.jsonnet
+++ b/component/namespace-policies.jsonnet
@@ -161,23 +161,14 @@ local organizationNamespaces = kyverno.ClusterPolicy('organization-namespaces')
 value: '',
 },
 ],
- context: [
- {
- name: 'groups',
- apiCall: {
- urlPath: '/apis/user.openshift.io/v1/groups',
- jmesPath: 'items',
- },
- },
- ],
 validate: {
 message: 'Creating namespace for {{request.object.metadata.labels."appuio.io/organization"}} but {{request.userInfo.username}} is not in organization',
 deny: {
 conditions: [
 {
- key: '{{request.userInfo.username}}',
+ key: '{{request.object.metadata.labels."appuio.io/organization"}}',
 operator: 'NotIn',
- value: "{{groups[?metadata.name=='{{request.object.metadata.labels.\"appuio.io/organization\"}}'].users[]}}",
+ value: '{{request.userInfo.groups}}',
 },
 ],
 },
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml
index aed3c42..55bd07d 100644
--- a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml
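Review bot: The rewritten deny condition (`key: '{{request.object.metadata.labels."appuio.io/organization"}}'` with `value: '{{request.userInfo.groups}}'`) accepts any name that the API server placed in the request's group list, and on Kubernetes that list also carries synthetic groups such as `system:authenticated` that every logged-in user has, whereas the removed condition only consulted the `users` of the one OpenShift Group named by the label. Unless a rule elsewhere constrains the label value, a Namespace whose `appuio.io/organization` label names such a built-in group would no longer be denied by this rule, so the change should be paired with a separate deny rule rejecting label values that begin with `system:` (conditions given as a plain list here are evaluated together, so appending a second condition to this list would loosen rather than tighten the check). A short comment on the rule should record the assumption the check now rests on, e.g. `// Organization membership comes from request.userInfo.groups (the group list the API server attached to the admission request); the label value must name a real organization group.` The enclosing `organizationNamespaces` policy definition starts and ends outside the hunk.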
@@ -103,12 +103,7 @@ spec:
 metadata:
 labels:
 appuio.io/organization: ?*
- - context:
- - apiCall:
- jmesPath: items
- urlPath: /apis/user.openshift.io/v1/groups
- name: groups
- exclude:
+ - exclude:
 clusterRoles:
 - cluster-admin
 - cluster-image-registry-operator
@@ -143,9 +138,9 @@ spec:
 validate:
 deny:
 conditions:
- - key: '{{request.userInfo.username}}'
+ - key: '{{request.object.metadata.labels."appuio.io/organization"}}'
 operator: NotIn
- value: '{{groups[?metadata.name==''{{request.object.metadata.labels."appuio.io/organization"}}''].users[]}}'
+ value: '{{request.userInfo.groups}}'
 message: Creating namespace for {{request.object.metadata.labels."appuio.io/organization"}} but {{request.userInfo.username}} is not in organization
 validationFailureAction: enforce