
Commit 899640d

feat: don't expose whether secrets in another namespace exist if permission is not granted
1 parent 1c836dc commit 899640d


1 file changed

+59
-47
lines changed


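--- a/src/resource_extensions.rs
+++ b/src/resource_extensions.rs
@@ -101,54 +101,66 @@ async fn cluster_client(
 local_ns: &str,
 client: Client,
 ) -> crate::Result<Client> {
-let client = match cluster_ref {
-None => client,
-Some(cluster_ref) => {
-let secret_ns = cluster_ref
-.kube_config
-.secret_ref
-.namespace
-.as_deref()
-.unwrap_or(local_ns);
-let secrets: Api<Secret> = Api::namespaced(client, secret_ns);
-let secret_ref = &cluster_ref.kube_config.secret_ref;
-let sec = secrets.get(&secret_ref.name).await?;
-
-if secret_ns != local_ns {
-verify_kubeconfig_secret_access(local_ns, &sec)?;
+let client =
+match cluster_ref {
+None => client,
+Some(cluster_ref) => {
+let secret_ns = cluster_ref
+.kube_config
+.secret_ref
+.namespace
+.as_deref()
+.unwrap_or(local_ns);
+let secrets: Api<Secret> = Api::namespaced(client, secret_ns);
+let secret_ref = &cluster_ref.kube_config.secret_ref;
+let sec = secrets.get(&secret_ref.name).await.map_err(|e| {
+match secret_ns == local_ns {
+true => crate::Error::from(e),
+false => {
+debug!(
+"error accessing kubeconfig secret in remote namespace: {}",
+e
+);
+UnauthorizedKubeconfigAccess()
+}
+}
+})?;
+
+if secret_ns != local_ns {
+verify_kubeconfig_secret_access(local_ns, &sec)?;
+}
+
+let kube_config = kube::config::Kubeconfig::from_yaml(
+std::str::from_utf8(
+&sec.data
+.unwrap()
+.get(&secret_ref.key)
+.ok_or_else(|| {
+Error::MissingKeyError(
+secret_ref.key.clone(),
+secret_ref.name.clone(),
+secret_ns.to_string(),
+)
+})?
+.0,
+)
+.map_err(Error::KubeconfigUtf8Error)?,
+)?;
+let mut config =
+Config::from_custom_kubeconfig(kube_config, &Default::default()).await?;
+
+if let Some(ref namespace) = cluster_ref.namespace {
+config.default_namespace = namespace.clone();
+}
+
+debug!(?config.cluster_url, "connecting to remote cluster");
+let remote_client = kube::Client::try_from(config)?;
+let version = remote_client.apiserver_version().await?;
+debug!(?version, "remote cluster version");
+
+remote_client
 }
-
-let kube_config = kube::config::Kubeconfig::from_yaml(
-std::str::from_utf8(
-&sec.data
-.unwrap()
-.get(&secret_ref.key)
-.ok_or_else(|| {
-Error::MissingKeyError(
-secret_ref.key.clone(),
-secret_ref.name.clone(),
-secret_ns.to_string(),
-)
-})?
-.0,
-)
-.map_err(Error::KubeconfigUtf8Error)?,
-)?;
-let mut config =
-Config::from_custom_kubeconfig(kube_config, &Default::default()).await?;
-
-if let Some(ref namespace) = cluster_ref.namespace {
-config.default_namespace = namespace.clone();
-}
-
-debug!(?config.cluster_url, "connecting to remote cluster");
-let remote_client = kube::Client::try_from(config)?;
-let version = remote_client.apiserver_version().await?;
-debug!(?version, "remote cluster version");
-
-remote_client
-}
-};
+};
 Ok(client)
 }
 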
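Review bot: `sec.data.unwrap()` at new line 136 still panics when the fetched Secret carries no `data` map (an empty Secret is valid), so a secret the caller is permitted to read can take the controller down instead of producing an error; fold the `None` into the lookup that already exists on the next lines, `.as_ref().and_then(|d| d.get(&secret_ref.key))` in place of `.unwrap().get(&secret_ref.key)`, so an absent map surfaces as `MissingKeyError` exactly like an absent key. The `map_err` at lines 116-127 is the right shape for the cross-namespace case, but it also collapses non-permission failures (transport errors, deserialisation) into `UnauthorizedKubeconfigAccess`, which only the `debug!` there makes diagnosable; a comment above line 116 such as `// any failure fetching a secret outside local_ns is reported as unauthorized so the caller cannot learn whether the secret exists` would record that this is deliberate. As a point of style, `match secret_ns == local_ns { true => …, false => … }` on a bool (clippy `match_bool`) reads more naturally as `if secret_ns == local_ns { crate::Error::from(e) } else { … }`. `cluster_client`'s signature begins before the hunk.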
