diff --git a/api/v1beta1/index/cluster.go b/api/v1beta1/index/cluster.go index 226145db9753..09fa67cb2ec5 100644 --- a/api/v1beta1/index/cluster.go +++ b/api/v1beta1/index/cluster.go @@ -51,7 +51,7 @@ func ByClusterClassName(ctx context.Context, mgr ctrl.Manager) error { func ByClusterClassNamespace(ctx context.Context, mgr ctrl.Manager) error { if err := mgr.GetCache().IndexField(ctx, &clusterv1.Cluster{}, ClusterClassNamespaceField, - ClusterByClusterClassClassNamespace, + ClusterByClusterClassNamespace, ); err != nil { return errors.Wrap(err, "error setting index field") } @@ -70,11 +70,14 @@ func ClusterByClusterClassClassName(o client.Object) []string { return nil } -// ClusterByClusterClassClassNamespace contains the logic to index Clusters by ClusterClass namespace. -func ClusterByClusterClassClassNamespace(o client.Object) []string { +// ClusterByClusterClassNamespace contains the logic to index Clusters by ClusterClass namespace. +func ClusterByClusterClassNamespace(o client.Object) []string { cluster, ok := o.(*clusterv1.Cluster) if !ok { panic(fmt.Sprintf("Expected Cluster but got a %T", o)) } - return []string{cluster.GetClassKey().Namespace} + if cluster.Spec.Topology != nil { + return []string{cluster.GetClassKey().Namespace} + } + return nil } diff --git a/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md b/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md index 990d638888b6..6cca507457ac 100644 --- a/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md +++ b/docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md @@ -477,7 +477,7 @@ Changing `classNamespace` is not supported in rebase procedure, while changing ` #### Securing cross-namespace reference to the ClusterClass -It is often desirable to restrict free cross-namespace `ClusterClass` access for the `Cluster` object. This can be implemented by defining a [`ValidatingAdmissionPolicy`](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) on the `Cluster` object. +It is often desirable to restrict free cross-namespace `ClusterClass` access for the `Cluster` object. This can be implemented by defining a [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/#what-is-validating-admission-policy) on the `Cluster` object. An example of such policy may be: diff --git a/internal/webhooks/clusterclass_test.go b/internal/webhooks/clusterclass_test.go index 639b9dc71643..6275a271da7b 100644 --- a/internal/webhooks/clusterclass_test.go +++ b/internal/webhooks/clusterclass_test.go @@ -92,7 +92,7 @@ func TestClusterClassDefaultNamespaces(t *testing.T) { fakeClient := fake.NewClientBuilder(). WithScheme(fakeScheme). WithIndex(&clusterv1.Cluster{}, index.ClusterClassNameField, index.ClusterByClusterClassClassName). - WithIndex(&clusterv1.Cluster{}, index.ClusterClassNamespaceField, index.ClusterByClusterClassClassNamespace). + WithIndex(&clusterv1.Cluster{}, index.ClusterClassNamespaceField, index.ClusterByClusterClassNamespace). Build() // Create the webhook and add the fakeClient as its client. @@ -1867,7 +1867,7 @@ func TestClusterClassValidation(t *testing.T) { fakeClient := fake.NewClientBuilder(). WithScheme(fakeScheme). WithIndex(&clusterv1.Cluster{}, index.ClusterClassNameField, index.ClusterByClusterClassClassName). - WithIndex(&clusterv1.Cluster{}, index.ClusterClassNamespaceField, index.ClusterByClusterClassClassNamespace). + WithIndex(&clusterv1.Cluster{}, index.ClusterClassNamespaceField, index.ClusterByClusterClassNamespace). Build() // Pin the compatibility version used in variable CEL validation to 1.29, so we don't have to continuously refactor @@ -2515,7 +2515,7 @@ func TestClusterClassValidationWithClusterAwareChecks(t *testing.T) { WithScheme(fakeScheme). WithObjects(tt.clusters...). WithIndex(&clusterv1.Cluster{}, index.ClusterClassNameField, index.ClusterByClusterClassClassName). - WithIndex(&clusterv1.Cluster{}, index.ClusterClassNamespaceField, index.ClusterByClusterClassClassNamespace). + WithIndex(&clusterv1.Cluster{}, index.ClusterClassNamespaceField, index.ClusterByClusterClassNamespace). Build() // Create the webhook and add the fakeClient as its client. @@ -2569,7 +2569,7 @@ func TestGetClustersUsingClusterClass(t *testing.T) { WithScheme(fakeScheme). WithObjects(tt.clusters...). WithIndex(&clusterv1.Cluster{}, index.ClusterClassNameField, index.ClusterByClusterClassClassName). - WithIndex(&clusterv1.Cluster{}, index.ClusterClassNamespaceField, index.ClusterByClusterClassClassNamespace). + WithIndex(&clusterv1.Cluster{}, index.ClusterClassNamespaceField, index.ClusterByClusterClassNamespace). Build() // Create the webhook and add the fakeClient as its client.