From dda60d7a0a763a61902050b8f1b29ccec2c69e9e Mon Sep 17 00:00:00 2001
From: Alfonso Acosta
Date: Thu, 17 Jan 2019 05:45:48 +0100
Subject: [PATCH] Only load manifests with allowed namespaces
---
 cluster/kubernetes/kubernetes.go | 14 +++++++-------
 cluster/kubernetes/manifests.go | 9 ++++++++-
 cmd/fluxd/main.go | 2 +-
 3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/cluster/kubernetes/kubernetes.go b/cluster/kubernetes/kubernetes.go
index bd619d9792..3464bd52cc 100644
--- a/cluster/kubernetes/kubernetes.go
+++ b/cluster/kubernetes/kubernetes.go
@@ -138,7 +138,7 @@ func NewCluster(clientset k8sclient.Interface,
 func (c *Cluster) SomeControllers(ids []flux.ResourceID) (res []cluster.Controller, err error) {
 var controllers []cluster.Controller
 for _, id := range ids {
- if !c.isInAllowedNamespace(id) {
+ if !isInAllowedNamespace(c.allowedNamespaces, id) {
 continue
 }
 ns, kind, name := id.Components()
@@ -228,7 +228,7 @@ func (c *Cluster) Sync(spec cluster.SyncDef) error {
 {action.Apply, "apply"},
 }
 for _, stage := range stages {
- if stage.res == nil || !c.isInAllowedNamespace(stage.res.ResourceID()) {
+ if stage.res == nil || !isInAllowedNamespace(c.allowedNamespaces, stage.res.ResourceID()) {
 continue
 }
@@ -382,13 +382,13 @@ func (c *Cluster) getAllowedNamespaces() ([]apiv1.Namespace, error) {
 return namespaces.Items, nil
 }
-func (c *Cluster) isInAllowedNamespace(id flux.ResourceID) bool {
- if len(c.allowedNamespaces) == 0 {
- // all namespaces are allowed
+func isInAllowedNamespace(allowedNamespaces []string, id flux.ResourceID) bool {
+ ns, _, _ := id.Components()
+ if len(allowedNamespaces) == 0 || ns == "" {
+ // all namespaces are allowed or it's cluster-wide resource (not namespaced)
 return true
 }
- ns, _, _ := id.Components()
- for _, allowedNS := range c.allowedNamespaces {
+ for _, allowedNS := range allowedNamespaces {
 if ns == allowedNS {
 return true
 }
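Review bot: The new `ns == ""` short-circuit in `isInAllowedNamespace` (the -382 hunk) widens what a namespace-restricted Flux will apply: the removed version returned false for an empty-namespace id whenever `allowedNamespaces` was non-empty, because the loop never matched, whereas the new version returns true, and both `SomeControllers` and `Sync` (the -138 and -228 hunks) now act on those ids. Nothing in the hunk distinguishes a genuinely cluster-scoped kind from a namespaced kind whose manifest simply omits `metadata.namespace`; if `id.Components()` yields an empty namespace for the latter (its derivation is outside this patch), `Sync` would apply such a manifest into whatever namespace the client defaults to, which need not be on the allow-list, and cluster-scoped resources such as ClusterRoleBindings are no longer subject to the restriction at all. A safer shape is to fail closed for an empty namespace when the allow-list is non-empty and let only kinds known to be cluster-scoped through, e.g. `ns, kind, _ := id.Components()` followed by `if ns == "" { return len(allowedNamespaces) == 0 || clusterScoped(kind) }` with `clusterScoped` backed by a fixed list or the discovery API. At minimum the comment should say plainly that cluster-scoped (and namespace-less) resources bypass the namespace restriction entirely. The helper's final `return false` and closing brace lie outside the hunk.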
diff --git a/cluster/kubernetes/manifests.go b/cluster/kubernetes/manifests.go
index 18c4241616..f7678967fd 100644
--- a/cluster/kubernetes/manifests.go
+++ b/cluster/kubernetes/manifests.go
@@ -8,10 +8,17 @@ import (
 )
 type Manifests struct {
+ AllowedNamespaces []string
 }
 func (c *Manifests) LoadManifests(base string, paths []string) (map[string]resource.Resource, error) {
- return kresource.Load(base, paths)
+ resources, err := kresource.Load(base, paths)
+ for k, r := range resources {
+ if !isInAllowedNamespace(c.AllowedNamespaces, r.ResourceID()) {
+ delete(resources, k)
+ }
+ }
+ return resources, err
 }
 func (c *Manifests) ParseManifests(allDefs []byte) (map[string]resource.Resource, error) {
diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go
index f3132b24a2..073dbbfcb1 100644
--- a/cmd/fluxd/main.go
+++ b/cmd/fluxd/main.go
@@ -274,7 +274,7 @@ func main() {
 imageCreds = k8sInst.ImagesToFetch
 // There is only one way we currently interpret a repo of
 // files as manifests, and that's as Kubernetes yamels.
- k8sManifests = &kubernetes.Manifests{}
+ k8sManifests = &kubernetes.Manifests{AllowedNamespaces: allowedNamespaces}
 }
 // Wrap the procedure for collecting images to scan
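Review bot: `LoadManifests` in the manifests.go hunk ranges over `resources` and deletes entries before the `err` from `kresource.Load` has been examined, and it drops the filtered manifests silently, so an operator whose repository holds a manifest outside the allowed namespaces gets no signal that it was ignored. Check the error first — `if err != nil { return nil, err }` before the loop — unless `kresource.Load` is documented to return partial results alongside an error, which the hunk does not show. Each dropped key deserves at least a log line (the `Manifests` struct carries no logger, so one would need to be threaded in from `main`), and the new field wants a doc comment such as `// AllowedNamespaces restricts loaded manifests to these namespaces; an empty slice disables the filter, and resources with an empty namespace always pass.` Note that `ParseManifests`, whose signature is the hunk's last line and whose body lies outside it, does not visibly apply the same filter; if its output reaches the same consumers, confirm whether it should.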