feat: add startup error when running in the kube-system namespace

To avoid any accedential security issues, we block running anything in
the kube-system namespace. We already have this explicitly blocked in
the rest of the code that deals with namespaces and it causes hard to
debug errors for users that try to deploy to the kube-system namespace.

This adds an explicit check so that this mis-configuration is easier to
detect and debug for end users.

Signed-off-by: Lucas Roesler <[email protected]>

Author: LucasRoesler

main.go

@@ -98,6 +98,12 @@ func main() {
 
 	config.Fprint(verbose)
 
+	// use kubeclient to check the current namespace
+	namespace, _ := k8s.CurrentNamespace()
+	if namespace == "kube-system" {
+		log.Fatal("You cannot run the OpenFaaS provider in the kube-system namespace, please try another namespace.")
+	}
+
 	deployConfig := k8s.DeploymentConfig{
 		RuntimeHTTPPort: 8080,
 		HTTPProbe:       config.HTTPProbe,

pkg/k8s/namespaces.go

@@ -0,0 +1,27 @@
+package k8s
+
+import (
+	"io/ioutil"
+	"os"
+	"strings"
+)
+
+// CurrentNamespace attempts to return the current namespace from the environment
+// or from the service account file. If it cannot find the namespace, it returns
+// an empty string. This will be empty when the not running in-cluster.
+//
+// This implementation is based on the clientcmd.inClusterClientConfig.Namespace method.
+// This is not exported and not accessible via other methods, so we have to copy it.
+func CurrentNamespace() (namespace string, found bool) {
+	if ns := os.Getenv("POD_NAMESPACE"); ns != "" {
+		return ns, true
+	}
+
+	if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
+		if ns := strings.TrimSpace(string(data)); len(ns) > 0 {
+			return ns, true
+		}
+	}
+
+	return "", false
+}