fix CVE namespace-isolation break (#868)

anandrkskd · web-flow · commit 8c5e292b44cf · 2025-04-03T09:05:33.000Z
argocd adds cluster monitoring label if the ns contains openshift- prefix

Signed-off-by: Anand Kumar Singh &lt;anandrkskd@gmail.com&gt;
diff --git a/controllers/argocd_metrics_controller.go b/controllers/argocd_metrics_controller.go
@@ -109,14 +109,23 @@ func (r *ArgoCDMetricsReconciler) Reconcile(ctx context.Context, request reconci
 	}
 
 	const clusterMonitoringLabel = "openshift.io/cluster-monitoring"
-	labelVal, exists := namespace.Labels[clusterMonitoringLabel]
+	const userDefinedMonitoringLabel = "openshift.io/user-monitoring"
+	var labelVal, monitoringLabel string
+	var exists bool
+	if strings.HasPrefix(namespace.Name, "openshift-") {
+		labelVal, exists = namespace.Labels[clusterMonitoringLabel]
+		monitoringLabel = clusterMonitoringLabel
+	} else {
+		labelVal, exists = namespace.Labels[userDefinedMonitoringLabel]
+		monitoringLabel = userDefinedMonitoringLabel
+	}
 
 	if argocd.Spec.Monitoring.DisableMetrics == nil || !*argocd.Spec.Monitoring.DisableMetrics {
 		if !exists || labelVal != "true" {
 			if namespace.Labels == nil {
 				namespace.Labels = make(map[string]string)
 			}
-			namespace.Labels[clusterMonitoringLabel] = "true"
+			namespace.Labels[monitoringLabel] = "true"
 			err = r.Client.Update(ctx, &namespace)
 			if err != nil {
 				reqLogger.Error(err, "Error updating namespace",
@@ -178,7 +187,7 @@ func (r *ArgoCDMetricsReconciler) Reconcile(ctx context.Context, request reconci
 		}
 	} else {
 		if exists {
-			namespace.Labels[clusterMonitoringLabel] = "false"
+			namespace.Labels[monitoringLabel] = "false"
 			err = r.Client.Update(ctx, &namespace)
 			if err != nil {
 				reqLogger.Error(err, "Error updating namespace",
diff --git a/controllers/argocd_metrics_controller_test.go b/controllers/argocd_metrics_controller_test.go
@@ -81,16 +81,19 @@ func newMetricsReconciler(t *testing.T, namespace, name string, disableMetrics *
 
 func TestReconcile_add_namespace_label(t *testing.T) {
 	testCases := []struct {
-		instanceName string
-		namespace    string
+		instanceName  string
+		namespace     string
+		expectedLabel string
 	}{
 		{
-			instanceName: argoCDInstanceName,
-			namespace:    "openshift-gitops",
+			instanceName:  argoCDInstanceName,
+			namespace:     "openshift-gitops",
+			expectedLabel: "openshift.io/cluster-monitoring",
 		},
 		{
-			instanceName: "instance-two",
-			namespace:    "namespace-two",
+			instanceName:  "instance-two",
+			namespace:     "namespace-two",
+			expectedLabel: "openshift.io/user-monitoring",
 		},
 	}
 	for _, tc := range testCases {
@@ -101,7 +104,7 @@ func TestReconcile_add_namespace_label(t *testing.T) {
 		ns := corev1.Namespace{}
 		err = r.Client.Get(context.TODO(), types.NamespacedName{Name: tc.namespace}, &ns)
 		assert.NilError(t, err)
-		value := ns.Labels["openshift.io/cluster-monitoring"]
+		value := ns.Labels[tc.expectedLabel]
 		assert.Equal(t, value, "true")
 	}
 }
