Commit b02e95ce authored by Tiger's avatar Tiger

Block specifying a k8s namespace via CI template for managed clusters

A namespace can only be specified via gitlab-ci.yml
for unmanaged clusters, as we currently have no way
of preventing a job from requesting a namespace it
shouldn't have access to.

To make this clear, we fail the build instead of
silently using a namespace other than the one
explicitly specified.

https://gitlab.com/gitlab-org/gitlab/issues/27630
parent b4a4b133
---
title: Do not allow specifying a Kubernetes namespace via CI template for managed
clusters
merge_request: 21223
author:
type: added
...@@ -63,12 +63,33 @@ module Gitlab ...@@ -63,12 +63,33 @@ module Gitlab
end end
def create_namespace def create_namespace
namespace = kubernetes_namespace || build_namespace_record
return if conflicting_ci_namespace_requested?(namespace)
Clusters::Kubernetes::CreateOrUpdateNamespaceService.new( Clusters::Kubernetes::CreateOrUpdateNamespaceService.new(
cluster: deployment_cluster, cluster: deployment_cluster,
kubernetes_namespace: kubernetes_namespace || build_namespace_record kubernetes_namespace: namespace
).execute ).execute
end end
##
# A namespace can only be specified via gitlab-ci.yml
# for unmanaged clusters, as we currently have no way
# of preventing a job requesting a namespace it
# shouldn't have access to.
#
# To make this clear, we fail the build instead of
# silently using a namespace other than the one
# explicitly specified.
#
# Support for managed clusters will be added in
# https://gitlab.com/gitlab-org/gitlab/issues/38054
def conflicting_ci_namespace_requested?(namespace_record)
build.expanded_kubernetes_namespace.present? &&
namespace_record.namespace != build.expanded_kubernetes_namespace
end
def build_namespace_record def build_namespace_record
Clusters::BuildKubernetesNamespaceService.new( Clusters::BuildKubernetesNamespaceService.new(
deployment_cluster, deployment_cluster,
......
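Review bot: The `return if conflicting_ci_namespace_requested?(namespace)` line makes create_namespace silently do nothing when the CI-requested namespace differs from the record, but nothing in this hunk logs or records the reason, so the build failure the commit message promises presumably happens in a caller outside the hunk, with no hint that a namespace mismatch caused it. A why-comment on the `return` line would help the next reader, e.g. `# A CI-requested namespace that differs from the cluster's own is refused; the job fails downstream because no namespace is provisioned.` The hunk also contains no managed-vs-unmanaged cluster check, so whether this guard is only reached for managed clusters (as the comment on conflicting_ci_namespace_requested? states) depends on code outside the hunk and should be confirmed. The spec hunk's `the requested namespace differs from the default` context only asserts that CreateOrUpdateNamespaceService is not instantiated, not that the job is failed, so the described behaviour is not pinned there either.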
...@@ -128,6 +128,47 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do ...@@ -128,6 +128,47 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
subject subject
end end
context 'the build has a namespace configured via CI template' do
let(:kubernetes_namespace) { double(namespace: existing_namespace) }
before do
allow(build).to receive(:expanded_kubernetes_namespace)
.and_return(requested_namespace)
end
context 'the requested namespace matches the default' do
let(:requested_namespace) { 'production' }
let(:existing_namespace) { requested_namespace }
it 'creates a namespace' do
expect(Clusters::BuildKubernetesNamespaceService)
.to receive(:new)
.with(cluster, environment: deployment.environment)
.and_return(namespace_builder)
expect(Clusters::Kubernetes::CreateOrUpdateNamespaceService)
.to receive(:new)
.with(cluster: cluster, kubernetes_namespace: kubernetes_namespace)
.and_return(service)
expect(service).to receive(:execute).once
subject
end
end
context 'the requested namespace differs from the default' do
let(:requested_namespace) { 'production' }
let(:existing_namespace) { 'other-namespace' }
it 'does not create a namespace' do
expect(Clusters::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new)
subject
end
end
end
end end
context 'kubernetes namespace exists (but has no service_account_token)' do context 'kubernetes namespace exists (but has no service_account_token)' do
......