From ba630983708a9f7b18937e4c7dc16d1820a2bfba Mon Sep 17 00:00:00 2001
From: Rebecca Zanzig <16315901+adilyse@users.noreply.github.com>
Date: Mon, 20 Jul 2020 16:10:04 -0700
Subject: [PATCH] Respect allow/deny lists even when namespaces aren't enabled

Fixes #296
---
 CHANGELOG.md                   |   4 +
 connect-inject/handler.go      |  16 ++-
 connect-inject/handler_test.go | 178 ++++++++++++++++++++++++++++++---
 3 files changed, 177 insertions(+), 21 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 581c88f2b1..116eca2644 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## UNRELEASED
 
+BUG FIXES:
+
+* Connect: Respect allow/deny list flags when namespaces are disabled. [[GH-296](https://github.com/hashicorp/consul-k8s/issues/296)]
+
 ## 0.17.0 (July 09, 2020)
 
 BREAKING CHANGES:
diff --git a/connect-inject/handler.go b/connect-inject/handler.go
index 01fe54cc65..631e1f299f 100644
--- a/connect-inject/handler.go
+++ b/connect-inject/handler.go
@@ -382,16 +382,14 @@ func (h *Handler) shouldInject(pod *corev1.Pod, namespace string) (bool, error)
 	}
 
 	// Namespace logic
-	if h.EnableNamespaces {
-		// If in deny list, don't inject
-		if h.DenyK8sNamespacesSet.Contains(namespace) {
-			return false, nil
-		}
+	// If in deny list, don't inject
+	if h.DenyK8sNamespacesSet.Contains(namespace) {
+		return false, nil
+	}
 
-		// If not in allow list or allow list is not *, don't inject
-		if !h.AllowK8sNamespacesSet.Contains("*") && !h.AllowK8sNamespacesSet.Contains(namespace) {
-			return false, nil
-		}
+	// If not in allow list or allow list is not *, don't inject
+	if !h.AllowK8sNamespacesSet.Contains("*") && !h.AllowK8sNamespacesSet.Contains(namespace) {
+		return false, nil
 	}
 
 	// If we already injected then don't inject again
diff --git a/connect-inject/handler_test.go b/connect-inject/handler_test.go
index 5e1b8e5f0d..9ecce3c5d1 100644
--- a/connect-inject/handler_test.go
+++ b/connect-inject/handler_test.go
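Review bot: With the `if h.EnableNamespaces` guard gone, `shouldInject` now calls `Contains` on `h.DenyK8sNamespacesSet` and `h.AllowK8sNamespacesSet` for every request, so a `Handler` whose sets were left nil will panic on the first admission instead of skipping the namespace check as before — presumably why every `Handler{...}` literal in handler_test.go grows both fields in this same commit. That is acceptable if the command always populates both sets, but the zero value of `Handler` is no longer usable and nothing in the hunk says so; I'd put a doc comment on the two fields along the lines of `// AllowK8sNamespacesSet and DenyK8sNamespacesSet must be non-nil; shouldInject calls Contains on them unconditionally.`, or, if a nil set is meant to mean "no restriction", guard it explicitly, e.g. `if h.DenyK8sNamespacesSet != nil && h.DenyK8sNamespacesSet.Contains(namespace) {`. The re-added comment `// If not in allow list or allow list is not *, don't inject` also reads as an OR while the condition is an AND; `// Inject only if the allow list contains "*" or this namespace` matches the code. `shouldInject` starts and ends outside the hunk.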
@@ -34,7 +34,11 @@ func TestHandlerHandle(t *testing.T) { }{ { "kube-system namespace", - Handler{Log: hclog.Default().Named("handler")}, + Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Namespace: metav1.NamespaceSystem, Object: encodeRaw(t, &corev1.Pod{ @@ -47,7 +51,11 @@ func TestHandlerHandle(t *testing.T) { { "already injected", - Handler{Log: hclog.Default().Named("handler")}, + Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Object: encodeRaw(t, &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ @@ -65,7 +73,11 @@ func TestHandlerHandle(t *testing.T) { { "empty pod basic", - Handler{Log: hclog.Default().Named("handler")}, + Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Object: encodeRaw(t, &corev1.Pod{ Spec: basicSpec, @@ -102,7 +114,11 @@ func TestHandlerHandle(t *testing.T) { { "pod with upstreams specified", - Handler{Log: hclog.Default().Named("handler")}, + Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Object: encodeRaw(t, &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ @@ -161,7 +177,11 @@ func TestHandlerHandle(t *testing.T) { { "empty pod with injection disabled", - Handler{Log: hclog.Default().Named("handler")}, + Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Object: encodeRaw(t, &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ 
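Review bot: The three-field `Handler{...}` literal introduced here is repeated verbatim in every other TestHandlerHandle case in this file and again in TestHandlerHandle_badContentType and TestHandlerHandle_noBody, so the next required field will mean ten more identical edits. A small constructor such as the `testHandler()` below keeps each case readable and makes it clear that the allow-all/deny-none sets are scaffolding rather than something the case exercises; cases that also set WriteServiceDefaults or DefaultProtocol can take the returned value and set those fields. The enclosing test table starts and ends outside the hunk.
```go
// testHandler returns a Handler with the fields shouldInject dereferences
// unconditionally populated: a logger, an allow-all set and an empty deny set.
func testHandler() Handler {
	return Handler{
		Log:                   hclog.Default().Named("handler"),
		AllowK8sNamespacesSet: mapset.NewSetWith("*"),
		DenyK8sNamespacesSet:  mapset.NewSet(),
	}
}

	{
		"kube-system namespace",
		testHandler(),
		// … unchanged: AdmissionRequest and expected results …
```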
@@ -179,7 +199,11 @@ func TestHandlerHandle(t *testing.T) { { "empty pod with injection truthy", - Handler{Log: hclog.Default().Named("handler")}, + Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Object: encodeRaw(t, &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ @@ -222,7 +246,13 @@ func TestHandlerHandle(t *testing.T) { { "empty pod basic, no default protocol", - Handler{WriteServiceDefaults: true, DefaultProtocol: "", Log: hclog.Default().Named("handler")}, + Handler{ + WriteServiceDefaults: true, + DefaultProtocol: "", + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Object: encodeRaw(t, &corev1.Pod{ Spec: basicSpec, @@ -260,7 +290,12 @@ func TestHandlerHandle(t *testing.T) { { "empty pod basic, protocol in annotation", - Handler{WriteServiceDefaults: true, Log: hclog.Default().Named("handler")}, + Handler{ + WriteServiceDefaults: true, + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Object: encodeRaw(t, &corev1.Pod{ Spec: basicSpec, @@ -299,7 +334,13 @@ func TestHandlerHandle(t *testing.T) { { "empty pod basic, default protocol specified", - Handler{WriteServiceDefaults: true, DefaultProtocol: "http", Log: hclog.Default().Named("handler")}, + Handler{ + WriteServiceDefaults: true, + DefaultProtocol: "http", + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + }, v1beta1.AdmissionRequest{ Object: encodeRaw(t, &corev1.Pod{ Spec: basicSpec, 
@@ -369,7 +410,11 @@ func TestHandlerHandle_badContentType(t *testing.T) { require.NoError(t, err) req.Header.Set("Content-Type", "text/plain") - h := Handler{Log: hclog.Default().Named("handler")} + h := Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + } rec := httptest.NewRecorder() h.Handle(rec, req) require.Equal(t, http.StatusBadRequest, rec.Code) @@ -382,7 +427,11 @@ func TestHandlerHandle_noBody(t *testing.T) { require.NoError(t, err) req.Header.Set("Content-Type", "application/json") - h := Handler{Log: hclog.Default().Named("handler")} + h := Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + } rec := httptest.NewRecorder() h.Handle(rec, req) require.Equal(t, http.StatusBadRequest, rec.Code) @@ -789,7 +838,7 @@ func TestShouldInject(t *testing.T) { false, }, { - "namespaces disabled", + "namespaces disabled, empty allow/deny lists", &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ 
@@ -801,8 +850,113 @@ func TestShouldInject(t *testing.T) {
 			false,
 			mapset.NewSet(),
 			mapset.NewSet(),
+			false,
+		},
+		{
+			"namespaces disabled, allow *",
+			&corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						annotationService: "testing",
+					},
+				},
+			},
+			"default",
+			false,
+			mapset.NewSetWith("*"),
+			mapset.NewSet(),
 			true,
 		},
+		{
+			"namespaces disabled, allow default",
+			&corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						annotationService: "testing",
+					},
+				},
+			},
+			"default",
+			false,
+			mapset.NewSetWith("default"),
+			mapset.NewSet(),
+			true,
+		},
+		{
+			"namespaces disabled, allow * and default",
+			&corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						annotationService: "testing",
+					},
+				},
+			},
+			"default",
+			false,
+			mapset.NewSetWith("*", "default"),
+			mapset.NewSet(),
+			true,
+		},
+		{
+			"namespaces disabled, allow only ns1 and ns2",
+			&corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						annotationService: "testing",
+					},
+				},
+			},
+			"default",
+			false,
+			mapset.NewSetWith("ns1", "ns2"),
+			mapset.NewSet(),
+			false,
+		},
+		{
+			"namespaces disabled, deny default ns",
+			&corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						annotationService: "testing",
+					},
+				},
+			},
+			"default",
+			false,
+			mapset.NewSet(),
+			mapset.NewSetWith("default"),
+			false,
+		},
+		{
+			"namespaces disabled, allow *, deny default ns",
+			&corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						annotationService: "testing",
+					},
+				},
+			},
+			"default",
+			false,
+			mapset.NewSetWith("*"),
+			mapset.NewSetWith("default"),
+			false,
+		},
+		{
+			"namespaces disabled, default ns in both allow and deny lists",
+			&corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						annotationService: "testing",
+					},
+				},
+			},
+			"default",
+			false,
+			mapset.NewSetWith("default"),
+			mapset.NewSetWith("default"),
+			false,
+		},
 		{
 			"namespaces enabled, empty allow/deny lists",
 			&corev1.Pod{