mirror of
https://github.com/projectcapsule/capsule.git
synced 2026-05-06 01:16:44 +00:00
24 lines
694 B
Go
24 lines
694 B
Go
package utils
|
|
|
|
import (
|
|
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
|
|
|
|
"github.com/clastix/capsule/pkg/utils"
|
|
)
|
|
|
|
func IsCapsuleUser(req admission.Request, userGroups []string) bool {
|
|
groupList := utils.NewUserGroupList(req.UserInfo.Groups)
|
|
// if the user is a ServiceAccount belonging to the kube-system namespace, definitely, it's not a Capsule user
|
|
// and we can skip the check in case of Capsule user group assigned to system:authenticated
|
|
// (ref: https://github.com/clastix/capsule/issues/234)
|
|
if groupList.Find("system:serviceaccounts:kube-system") {
|
|
return false
|
|
}
|
|
for _, group := range userGroups {
|
|
if groupList.Find(group) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|