
Commit 7d2a4e8

author
Gabriel Saratura
committed
Fix leaked backups
All backups in the cluster are being leaked due to APPCAT-563
1 parent 214777c commit 7d2a4e8


3 files changed

+44
-11
lines changed

3 files changed

+44
-11
lines changed

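--- a/pkg/apiserver/vshn/postgres/vshnpostgresql.go
+++ b/pkg/apiserver/vshn/postgres/vshnpostgresql.go
@@ -27,6 +27,11 @@ func (k *kubeXVSHNPostgresqlProvider) ListXVSHNPostgreSQL(ctx context.Context, n
 err := k.Client.List(ctx, list)
 cleanedList := make([]vshnv1.XVSHNPostgreSQL, 0)
 for _, p := range list.Items {
+// In some cases instance namespaces is missing and as a consequence all backups from the whole cluster
+// are being exposed creating a security issue - check APPCAT-563.
+if p.Status.InstanceNamespace == "" {
+continue
+}
 if p.Labels[claimNamespaceLabel] == "" || p.Labels[claimNameLabel] == "" {
 continue
 }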
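Review bot: The new `p.Status.InstanceNamespace == ""` check guards only this list path, while the exposure described in the comment presumably happens further down, where the instance namespace is handed to the backup lookup and an empty value makes that lookup span every namespace. That consumer is outside this hunk; if it has other callers that do not pass through this filter, they would still forward an empty namespace, so it is worth rejecting an empty namespace at the lookup itself so it fails closed. The comment would also help the next reader if it named the mechanism, e.g. `// An empty Status.InstanceNamespace makes the backup lookup span all namespaces (APPCAT-563); skip the instance until it is set.` (adjust if the mechanism differs). The same applies to the filter added in `ListVSHNRedis`; the function body here starts and ends outside the hunk.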

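--- a/pkg/apiserver/vshn/postgres/vshnpostgresql_test.go
+++ b/pkg/apiserver/vshn/postgres/vshnpostgresql_test.go
@@ -21,39 +21,41 @@ func Test_ListXVSHNPostgreSQL(t *testing.T) {
 namespace: "namespace-prod",
 postgresqls: &vshnv1.XVSHNPostgreSQLList{
 Items: []vshnv1.XVSHNPostgreSQL{
-getInstance("prod", "namespace-prod"),
-getInstance("prod-2", "namespace-prod-2"),
+getInstance("prod", "namespace-prod", "instance-namespace"),
+getInstance("prod-2", "namespace-prod-2", "instance-namespace"),
 getInstanceWithoutLabels("prod-3"),
 getInstanceWithoutLabels("prod"),
 getInstanceWithoutClaimName("prod", "namespace-prod"),
 getInstanceWithoutClaimName("prod-3", "namespace-prod-2"),
 getInstanceWithoutClaimNamespace("prod"),
 getInstanceWithoutClaimNamespace("prod-3"),
-getInstance("test", "namespace-test-2"),
-getInstance("test", "namespace-prod"),
+getInstance("test", "namespace-test-2", "instance-namespace"),
+getInstance("test", "namespace-prod", "instance-namespace"),
+getInstanceWithoutInstanceNamespace("test", "namespace-prod"),
 },
 },
 expectedPostgresqls: &vshnv1.XVSHNPostgreSQLList{
 Items: []vshnv1.XVSHNPostgreSQL{
-getInstance("prod", "namespace-prod"),
-getInstance("test", "namespace-prod"),
+getInstance("prod", "namespace-prod", "instance-namespace"),
+getInstance("test", "namespace-prod", "instance-namespace"),
 },
 },
 },
 "GivenAListOfPostgreSQLs_ThenFilter_2": {
 namespace: "namespace-not-match",
 postgresqls: &vshnv1.XVSHNPostgreSQLList{
 Items: []vshnv1.XVSHNPostgreSQL{
-getInstance("prod", "namespace-prod"),
-getInstance("prod-2", "namespace-prod-2"),
+getInstance("prod", "namespace-prod", "instance-namespace"),
+getInstance("prod", "namespace-prod", "instance-namespace"),
+getInstance("prod-2", "namespace-prod-2", "instance-namespace"),
 getInstanceWithoutLabels("prod-3"),
 getInstanceWithoutLabels("prod"),
 getInstanceWithoutClaimName("prod", "namespace-prod"),
 getInstanceWithoutClaimName("prod-3", "namespace-prod-2"),
 getInstanceWithoutClaimNamespace("prod"),
 getInstanceWithoutClaimNamespace("prod-3"),
-getInstance("test", "namespace-test-2"),
-getInstance("test", "namespace-prod"),
+getInstance("test", "namespace-test-2", "instance-namespace"),
+getInstance("test", "namespace-prod", "instance-namespace"),
 },
 },
 expectedPostgresqls: &vshnv1.XVSHNPostgreSQLList{
@@ -118,7 +120,7 @@ func getInstanceWithoutLabels(name string) vshnv1.XVSHNPostgreSQL {
 }
 }
 
-func getInstance(name, namespace string) vshnv1.XVSHNPostgreSQL {
+func getInstanceWithoutInstanceNamespace(name, namespace string) vshnv1.XVSHNPostgreSQL {
 return vshnv1.XVSHNPostgreSQL{
 ObjectMeta: metav1.ObjectMeta{
 Name: name + "-tty",
@@ -129,3 +131,18 @@ func getInstance(name, namespace string) vshnv1.XVSHNPostgreSQL {
 },
 }
 }
+
+func getInstance(name, namespace, instanceNamespace string) vshnv1.XVSHNPostgreSQL {
+return vshnv1.XVSHNPostgreSQL{
+ObjectMeta: metav1.ObjectMeta{
+Name: name + "-tty",
+Labels: map[string]string{
+claimNameLabel: name,
+claimNamespaceLabel: namespace,
+},
+},
+Status: vshnv1.VSHNPostgreSQLStatus{
+InstanceNamespace: instanceNamespace,
+},
+}
+}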
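Review bot: In `GivenAListOfPostgreSQLs_ThenFilter_2` the fixture `getInstance("prod", "namespace-prod", "instance-namespace")` now appears twice in a row (new lines 48 and 49), which looks like a copy-paste slip rather than an intended input. Drop one, or replace it with `getInstanceWithoutInstanceNamespace("prod", "namespace-prod")` if the aim was to exercise the new guard in this case as well. Separately, `getInstanceWithoutInstanceNamespace` keeps the old `getInstance` body, so the two helpers duplicate the object construction; assuming the lines hidden between the hunks only set the labels, its body could be reduced to `return getInstance(name, namespace, "")`.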

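--- a/pkg/apiserver/vshn/redis/vshnredis.go
+++ b/pkg/apiserver/vshn/redis/vshnredis.go
@@ -24,5 +24,16 @@ func (c *concreteRedisProvider) ListVSHNRedis(ctx context.Context, namespace str
 return nil, err
 }
 
+cleanedList := make([]vshnv1.VSHNRedis, 0)
+for _, p := range instances.Items {
+//
+// In some cases instance namespaces is missing and as a consequence all backups from the whole cluster
+// are being exposed creating a security issue - check APPCAT-563.
+if p.Status.InstanceNamespace != "" {
+cleanedList = append(cleanedList, p)
+}
+}
+instances.Items = cleanedList
+
 return instances, nil
 }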
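Review bot: The filter added to `ListVSHNRedis` ships without a test: the only test file touched by this commit covers the PostgreSQL provider, so a regression that lets a Redis instance with an empty `Status.InstanceNamespace` through again would go unnoticed. A table case with one `VSHNRedis` that has the field set and one that does not, asserting only the former is returned, would pin the behaviour. The bare `//` line above the comment looks like a leftover and can be dropped, and the slice can be pre-sized with `cleanedList := make([]vshnv1.VSHNRedis, 0, len(instances.Items))`. The function starts outside the hunk.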
