Merge branch '27630-fail-build-if-namespace-specified-in-ci-for-managed-cluster' into 'master'

Block specifying a k8s namespace via CI template for managed clusters

See merge request gitlab-org/gitlab!21223

changelogs/unreleased/27630-fail-build-if-namespace-specified-in-ci-for-managed-cluster.yml

+---
+title: Do not allow specifying a Kubernetes namespace via CI template for managed
+  clusters
+merge_request: 21223
+author:
+type: added

lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb

@@ -63,12 +63,33 @@ module Gitlab
           end
 
           def create_namespace
+            namespace = kubernetes_namespace || build_namespace_record
+
+            return if conflicting_ci_namespace_requested?(namespace)
+
             Clusters::Kubernetes::CreateOrUpdateNamespaceService.new(
               cluster: deployment_cluster,
-              kubernetes_namespace: kubernetes_namespace || build_namespace_record
+              kubernetes_namespace: namespace
             ).execute
           end
 
+          ##
+          # A namespace can only be specified via gitlab-ci.yml
+          # for unmanaged clusters, as we currently have no way
+          # of preventing a job requesting a namespace it
+          # shouldn't have access to.
+          #
+          # To make this clear, we fail the build instead of
+          # silently using a namespace other than the one
+          # explicitly specified.
+          #
+          # Support for managed clusters will be added in
+          # https://gitlab.com/gitlab-org/gitlab/issues/38054
+          def conflicting_ci_namespace_requested?(namespace_record)
+            build.expanded_kubernetes_namespace.present? &&
+              namespace_record.namespace != build.expanded_kubernetes_namespace
+          end
+
           def build_namespace_record
             Clusters::BuildKubernetesNamespaceService.new(
               deployment_cluster,

spec/lib/gitlab/ci/build/prerequisite/kubernetes_namespace_spec.rb

@@ -128,6 +128,47 @@ describe Gitlab::Ci::Build::Prerequisite::KubernetesNamespace do
 
           subject
         end
+
+        context 'the build has a namespace configured via CI template' do
+          let(:kubernetes_namespace) { double(namespace: existing_namespace) }
+
+          before do
+            allow(build).to receive(:expanded_kubernetes_namespace)
+              .and_return(requested_namespace)
+          end
+
+          context 'the requested namespace matches the default' do
+            let(:requested_namespace) { 'production' }
+            let(:existing_namespace) { requested_namespace }
+
+            it 'creates a namespace' do
+              expect(Clusters::BuildKubernetesNamespaceService)
+                .to receive(:new)
+                .with(cluster, environment: deployment.environment)
+                .and_return(namespace_builder)
+
+              expect(Clusters::Kubernetes::CreateOrUpdateNamespaceService)
+                .to receive(:new)
+                .with(cluster: cluster, kubernetes_namespace: kubernetes_namespace)
+                .and_return(service)
+
+              expect(service).to receive(:execute).once
+
+              subject
+            end
+          end
+
+          context 'the requested namespace differs from the default' do
+            let(:requested_namespace) { 'production' }
+            let(:existing_namespace) { 'other-namespace' }
+
+            it 'does not create a namespace' do
+              expect(Clusters::Kubernetes::CreateOrUpdateNamespaceService).not_to receive(:new)
+
+              subject
+            end
+          end
+        end
       end
 
       context 'kubernetes namespace exists (but has no service_account_token)' do