fix: Let pubsub config controller only watch specified configmap

Signed-off-by: Matthias Teich <[email protected]> check for nil
Mattes83 · Oct 25, 2023 · 17bfaca · 17bfaca
1 parent 9e44283
commit 17bfaca
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/pkg/audit/manager.go b/pkg/audit/manager.go
@@ -53,7 +53,6 @@ const (
 	defaultConstraintViolationsLimit = 20
 	defaultListLimit                 = 500
 	defaultAPICacheDir               = "/tmp/audit"
-	defaultConnection                = "audit-connection"
 	defaultChannel                   = "audit-channel"
 )
 
@@ -66,7 +65,6 @@ var (
 	auditEventsInvolvedNamespace = flag.Bool("audit-events-involved-namespace", false, "emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will still follow the default behavior")
 	auditMatchKindOnly           = flag.Bool("audit-match-kind-only", false, "only use kinds specified in all constraints for auditing cluster resources. if kind is not specified in any of the constraints, it will audit all resources (same as setting this flag to false)")
 	apiCacheDir                  = flag.String("api-cache-dir", defaultAPICacheDir, "The directory where audit from api server cache are stored, defaults to /tmp/audit")
-	auditConnection              = flag.String("audit-connection", defaultConnection, "Connection name for publishing audit violation messages")
 	auditChannel                 = flag.String("audit-channel", defaultChannel, "Channel name for publishing audit violation messages")
 	emptyAuditResults            []updateListEntry
 	logStatsAudit                = flag.Bool("log-stats-audit", false, "(alpha) log stats metrics for the audit run")
@@ -801,7 +799,7 @@ func (am *Manager) addAuditResponsesToUpdateLists(
 		totalViolationsPerEnforcementAction[ea]++
 		logViolation(am.log, r.Constraint, ea, gvk, namespace, name, r.Msg, details, r.obj.GetLabels())
 		if *pubsubController.PubsubEnabled {
-			err := am.pubsubSystem.Publish(context.Background(), *auditConnection, *auditChannel, violationMsg(r.Constraint, ea, gvk, namespace, name, r.Msg, details, r.obj.GetLabels(), timestamp))
+			err := am.pubsubSystem.Publish(context.Background(), *pubsubController.AuditConnection, *auditChannel, violationMsg(r.Constraint, ea, gvk, namespace, name, r.Msg, details, r.obj.GetLabels(), timestamp))
 			if err != nil {
 				am.log.Error(err, "pubsub audit Publishing")
 			}

diff --git a/pkg/controller/pubsub/pubsub_config_controller.go b/pkg/controller/pubsub/pubsub_config_controller.go
@@ -29,9 +29,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
+const defaultConnection = "audit-connection"
+
 var (
-	PubsubEnabled = flag.Bool("enable-pub-sub", false, "Enabled pubsub to publish messages")
-	log           = logf.Log.WithName("controller").WithValues(logging.Process, "pubsub_controller")
+	PubsubEnabled   = flag.Bool("enable-pub-sub", false, "Enabled pubsub to publish messages")
+	AuditConnection = flag.String("audit-connection", defaultConnection, "Connection name for publishing audit violation messages")
+	log             = logf.Log.WithName("controller").WithValues(logging.Process, "pubsub_controller")
 )
 
 type Adder struct {
@@ -89,16 +92,16 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 		&handler.EnqueueRequestForObject{},
 		predicate.Funcs{
 			CreateFunc: func(e event.CreateEvent) bool {
-				return e.Object.GetNamespace() == util.GetNamespace()
+				return e.Object.GetNamespace() == util.GetNamespace() && AuditConnection != nil && e.Object.GetName() == *AuditConnection
 			},
 			UpdateFunc: func(e event.UpdateEvent) bool {
-				return e.ObjectNew.GetNamespace() == util.GetNamespace()
+				return e.ObjectNew.GetNamespace() == util.GetNamespace() && AuditConnection != nil && e.ObjectNew.GetName() == *AuditConnection
 			},
 			DeleteFunc: func(e event.DeleteEvent) bool {
-				return e.Object.GetNamespace() == util.GetNamespace()
+				return e.Object.GetNamespace() == util.GetNamespace() && AuditConnection != nil && e.Object.GetName() == *AuditConnection
 			},
 			GenericFunc: func(e event.GenericEvent) bool {
-				return e.Object.GetNamespace() == util.GetNamespace()
+				return e.Object.GetNamespace() == util.GetNamespace() && AuditConnection != nil && e.Object.GetName() == *AuditConnection
 			},
 		},
 	)