[RFC] Add ACL support for allowing cross-namespace access to image repository

controllers/policy_test.go

@@ -174,7 +174,7 @@ var _ = Describe("ImagePolicy controller", func() {
 		})
 	})
 
-	Context("Filers tags", func() {
+	Context("Filters tags", func() {
 		When("valid regex supplied", func() {
 			It("correctly filters the repo tags", func() {
 				versions := []string{"test-0.1.0", "test-0.1.1", "dev-0.2.0", "1.0.0", "1.0.1", "1.0.2", "1.1.0-alpha"}

docs/spec/v1beta1/imagepolicies.md

@@ -16,7 +16,7 @@ type ImagePolicySpec struct {
 	// ImageRepositoryRef points at the object specifying the image
 	// being scanned
 	// +required
-	ImageRepositoryRef corev1.LocalObjectReference `json:"imageRepositoryRef"`
+	ImageRepositoryRef meta.NamespacedObjectReference `json:"imageRepositoryRef"`
 	// Policy gives the particulars of the policy to be followed in
 	// selecting the most recent image
 	// +required
@@ -29,8 +29,11 @@ type ImagePolicySpec struct {
 }
 ```
 
-The field `ImageRepositoryRef` names an `ImageRepository` object in the same namespace. It is this
+The field `ImageRepositoryRef` names an `ImageRepository` object. It is this
 object that provides the scanned image metadata for the policy to use in selecting an image.
+You can refer to an `ImageRepository` in another namespace with `ImageRepositoryRef.Namespace`,
+for more details on how to allow cross-namespace references see the
+[ImageRepository docs](imagerepositories.md#allow-cross-namespace-references).
 
 ### Policy
 

docs/spec/v1beta1/imagerepositories.md

@@ -52,13 +52,18 @@ type ImageRepositorySpec struct {
 	// It does not apply to already started scans. Defaults to false.
 	// +optional
 	Suspend bool `json:"suspend,omitempty"`
+
+	// AccessFrom defines an ACL for allowing cross-namespace references
+	// to the ImageRepository object based on the caller's namespace labels.
+	// +optional
+	AccessFrom *AccessFrom `json:"accessFrom,omitempty"`
 }
 ```
 
 The `Suspend` field can be set to `true` to stop the controller scanning the image repository
 specified; remove the field value or set to `false` to resume scanning.
 
-**`secretRef` for credentials**
+### Authentication 
 
 The `secretRef` names a secret in the same namespace that holds credentials for accessing the image
 repository. This secret is expected to be in the same format as for
@@ -72,7 +77,7 @@ is advice specific to some platforms [in the image automation guide][image-auto-
 
 For a publicly accessible image repository, you don't need to provide a `secretRef`.
 
-**`certSecretRef` for TLS certificates**
+### TLS Certificates
 
 The `certSecretRef` field names a secret with TLS certificate data. This is for two separate
 purposes:
@@ -110,6 +115,50 @@ kubectl create secret generic $SECRET_NAME \
   --from-file=caFile=ca.crt
 ```
 
+### Allow cross-namespace references
+
+To grant access to an `ImageRepository` for policies in other namespaces, the owner of the `ImageRepository`
+has to specify a list of label selectors that match the namespaces of the `ImagePolicy` objects.
+
+```yaml
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageRepository
+metadata:
+  name: app1
+  namespace: apps
+spec:
+  interval: 5m
+  image: docker.io/org/image
+  secretRef:
+    name: regcred
+  accessFrom:
+  - namespaceSelector:
+      matchLabels:
+        kubernetes.io/metadata.name: flux-system
+```
+
+**Note** that the `kubernetes.io/metadata.name` is a readonly label added by Kubernetes >= 1.21
+automatically on namespaces. If you're using an older version of Kubernetes, please set labels
+on the namespaces where the `ImagePolicy` are.
+
+The above definition, allows for `ImagePolicy` in the `flux-system` namespace
+to reference the app1 `ImageRepository` e.g.:
+
+```yaml
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImagePolicy
+metadata:
+  name: app1
+  namespace: flux-system
+spec:
+  imageRepositoryRef:
+    name: app1
+    namespace: apps
+  policy:
+    semver:
+      range: 1.0.x
+```
+
 ## Status
 
 ```go