Skip to content

🐛 fix: allow cluster-scoped resources to bypass allowedNamepsaces checks#6080

Open
andclt wants to merge 1 commit into
kubernetes-sigs:mainfrom
andclt:fix/cluster-scoped-identity-permissions
Open

🐛 fix: allow cluster-scoped resources to bypass allowedNamepsaces checks#6080
andclt wants to merge 1 commit into
kubernetes-sigs:mainfrom
andclt:fix/cluster-scoped-identity-permissions

Conversation

@andclt

@andclt andclt commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR fixes a bug where cluster-scoped resources cannot use AWS identities that have allowedNamespaces restrictions.

The permission check in isClusterPermittedToUsePrincipal() assumes all resources have a namespace, but cluster-scoped resources return an empty namespace (""), causing them to fail
allowedNamespaces validation even when they should be allowed.

This fix allows cluster-scoped resources to bypass allowedNamespaces checks since:

  1. Cluster-scoped resources don't belong to a namespace
  2. The allowedNamespaces field is designed for namespace-scoped resources to enforce multi-tenancy
  3. Cluster-scoped resources are already protected by cluster-level RBAC (only cluster admins can create them)

Changes:

  • Added isClusterScopedResource() helper that uses RESTMapper to query resource scope metadata from CRD definitions.
  • Cluster-scoped resources bypass allowedNamespaces validation

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #6087
https://redhat.atlassian.net/browse/ROSAENG-60948

Special notes for your reviewer:

AI Usage:

None

Checklist:

  • squashed commits
  • includes documentation
  • includes AI generated content
  • includes emoji in title
  • adds unit tests
  • adds or updates e2e tests

Release note:

fix: allow cluster-scoped resources to bypass allowedNamepsaces checks

@kubernetes-prow kubernetes-prow Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. needs-priority labels Jun 26, 2026
@kubernetes-prow kubernetes-prow Bot requested review from faiq and serngawy June 26, 2026 17:26
@kubernetes-prow kubernetes-prow Bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 26, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

Hi @andclt. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubernetes-prow kubernetes-prow Bot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 26, 2026
@andclt andclt force-pushed the fix/cluster-scoped-identity-permissions branch from 7f80a66 to 6c803c6 Compare June 29, 2026 09:24
@kubernetes-prow kubernetes-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 29, 2026
@andclt andclt force-pushed the fix/cluster-scoped-identity-permissions branch 2 times, most recently from 3e2f8e8 to f850ecd Compare July 1, 2026 13:09
@andclt andclt changed the title ✨ fix: allow cluster-scoped resources to bypass allowedNamepsaces checks 🐛 fix: allow cluster-scoped resources to bypass allowedNamepsaces checks Jul 1, 2026
@andclt andclt marked this pull request as ready for review July 1, 2026 13:20
@kubernetes-prow kubernetes-prow Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 1, 2026
@kubernetes-prow kubernetes-prow Bot requested a review from richardcase July 1, 2026 13:20
@damdo

damdo commented Jul 2, 2026

Copy link
Copy Markdown
Member

/assign @nrb

Comment thread pkg/cloud/scope/session.go Outdated
Comment thread pkg/cloud/scope/session.go Outdated
@serngawy

serngawy commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

/ok-to-test

@kubernetes-prow kubernetes-prow Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 2, 2026
@andclt andclt force-pushed the fix/cluster-scoped-identity-permissions branch from f850ecd to 9c8203d Compare July 2, 2026 17:13
@andclt andclt force-pushed the fix/cluster-scoped-identity-permissions branch from 9c8203d to b810e54 Compare July 3, 2026 13:22

@serngawy serngawy left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me

@kubernetes-prow kubernetes-prow Bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 6, 2026
@nrb

nrb commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@kubernetes-prow kubernetes-prow Bot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 7, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

LGTM label has been added.

DetailsGit tree hash: f7f0e962693f6fe4cd52a61e15c27d4431778c7c

@kubernetes-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nrb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow kubernetes-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2026
@damdo

damdo commented Jul 7, 2026

Copy link
Copy Markdown
Member

/hold

for testing

@kubernetes-prow kubernetes-prow Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 7, 2026
@damdo

damdo commented Jul 7, 2026

Copy link
Copy Markdown
Member

/test ?

@damdo

damdo commented Jul 7, 2026

Copy link
Copy Markdown
Member

/test pull-cluster-api-provider-aws-e2e

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Cluster-scoped resources cannot use identities with allowedNamespaces restrictions

4 participants