From 1087ea853b7b41492c56fb71f00a8038cf71fede Mon Sep 17 00:00:00 2001
From: Dario Tranchitella <dario@tranchitella.eu>
Date: Thu, 24 Nov 2022 18:31:14 +0100
Subject: [PATCH] fix: inverted logic in forbidden user namespace metadata

---
 pkg/webhook/namespace/user_metadata.go | 32 +++++++++++++++++---------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/pkg/webhook/namespace/user_metadata.go b/pkg/webhook/namespace/user_metadata.go
index ac34be46..b4dc3489 100644
--- a/pkg/webhook/namespace/user_metadata.go
+++ b/pkg/webhook/namespace/user_metadata.go
@@ -131,26 +131,36 @@ func (r *userMetadataHandler) OnUpdate(client client.Client, decoder *admission.
 			}
 		}
 
-		var labels, annotations map[string]string
+		labels, annotations := oldNs.GetLabels(), oldNs.GetAnnotations()
 
 		for key, value := range newNs.GetLabels() {
-			if _, ok := oldNs.GetLabels()[key]; ok {
-				if labels == nil {
-					labels = make(map[string]string)
-				}
-
+			v, ok := labels[key]
+			if !ok {
 				labels[key] = value
+
+				continue
 			}
+
+			if v != value {
+				continue
+			}
+
+			delete(labels, key)
 		}
 
 		for key, value := range newNs.GetAnnotations() {
-			if _, ok := oldNs.GetAnnotations()[key]; ok {
-				if annotations == nil {
-					annotations = make(map[string]string)
-				}
-
+			v, ok := annotations[key]
+			if !ok {
 				annotations[key] = value
+
+				continue
 			}
+
+			if v != value {
+				continue
+			}
+
+			delete(annotations, key)
 		}
 
 		return r.validateUserMetadata(tnt, recorder, labels, annotations)