feat(k8s): Introduce the ability to restrict access to default namespace (EE-745) (#5337)

2025-07-23 15:29:42 +02:00 · 2021-07-23 17:10:46 +12:00 · 2021-07-23 17:10:46 +12:00 · 7d6b1edd48
commit 7d6b1edd48
parent c26af1449c
16 changed files with 56 additions and 60 deletions
--- a/api/http/proxy/factory/kubernetes/token.go
+++ b/api/http/proxy/factory/kubernetes/token.go
@ -45,7 +45,7 @@ func (manager *tokenManager) getAdminServiceAccountToken() string {
 	return manager.adminToken
 }

-func (manager *tokenManager) getUserServiceAccountToken(userID int) (string, error) {
+func (manager *tokenManager) getUserServiceAccountToken(userID int, endpointID portainer.EndpointID) (string, error) {
 	manager.mutex.Lock()
 	defer manager.mutex.Unlock()

@ -61,7 +61,13 @@ func (manager *tokenManager) getUserServiceAccountToken(userID int) (string, err
 			teamIds = append(teamIds, int(membership.TeamID))
 		}

-		err = manager.kubecli.SetupUserServiceAccount(userID, teamIds)
+		endpoint, err := manager.dataStore.Endpoint().Endpoint(endpointID)
+		if err != nil {
+			return "", err
+		}
+
+		restrictDefaultNamespace := endpoint.Kubernetes.Configuration.RestrictDefaultNamespace
+		err = manager.kubecli.SetupUserServiceAccount(userID, teamIds, restrictDefaultNamespace)
 		if err != nil {
 			return "", err
 		}