Add check for namespace label openfaas=true

This commit adds the checks that the namespace supplied by the user has the `openfaas=true` label. Without this check the user can deploy/update/read functions in any namespace using the CLI. The UI is not effected because it calls the listnamesaces endpoint, which has the check for the label Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
2025-06-19 20:46:40 +00:00 · 2021-09-16 08:31:05 +01:00
parent 195e81f595
commit 12b5e8ca7f
9 changed files with 123 additions and 0 deletions
--- a/pkg/provider/handlers/utils.go
+++ b/pkg/provider/handlers/utils.go
@ -1,6 +1,8 @@
 package handlers

 import (
+	"context"
+	"github.com/containerd/containerd"
 	"net/http"
 	"path"

@ -23,3 +25,25 @@ func readNamespaceFromQuery(r *http.Request) string {
 func getNamespaceSecretMountPath(userSecretPath string, namespace string) string {
 	return path.Join(userSecretPath, namespace)
 }
+
+func validateNamespace(client *containerd.Client, namespace string) (bool, error) {
+	if namespace == faasd.FunctionNamespace {
+		return true, nil
+	}
+
+	store := client.NamespaceService()
+	labels, err := store.Labels(context.Background(), namespace)
+	if err != nil {
+		return false, err
+	}
+
+	value, found := labels["openfaas"]
+
+	if found {
+		if value == "true" {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}