From 63b59992dacd729c982109a0f2e0445fa05baa38 Mon Sep 17 00:00:00 2001
From: Kevin Klues <kklues@nvidia.com>
Date: Tue, 11 Feb 2025 15:04:09 +0000
Subject: [PATCH] Ensure that ResourceClaim / ComputeDomain namespace are the
 same

Signed-off-by: Kevin Klues <kklues@nvidia.com>
---
 .../computedomain.go                             | 16 ++++++++++++++++
 .../device_state.go                              |  3 +++
 2 files changed, 19 insertions(+)

diff --git a/cmd/compute-domain-kubelet-plugin/computedomain.go b/cmd/compute-domain-kubelet-plugin/computedomain.go
index 45c521ba6..aa0026aa3 100644
--- a/cmd/compute-domain-kubelet-plugin/computedomain.go
+++ b/cmd/compute-domain-kubelet-plugin/computedomain.go
@@ -265,6 +265,22 @@ func (m *ComputeDomainManager) GetNodeIPs(ctx context.Context, cdUID string) ([]
 	return ips, nil
 }
 
+func (m *ComputeDomainManager) AssertComputeDomainNamespace(ctx context.Context, claimNamespace, cdUID string) error {
+	cd, err := m.GetComputeDomain(ctx, cdUID)
+	if err != nil {
+		return fmt.Errorf("error getting ComputeDomain: %w", err)
+	}
+	if cd == nil {
+		return fmt.Errorf("ComputeDomain not found: %s", cdUID)
+	}
+
+	if cd.Namespace != claimNamespace {
+		return fmt.Errorf("the ResourceClaim's namespace is different than the ComputeDomain's namespace")
+	}
+
+	return nil
+}
+
 func (m *ComputeDomainManager) AddNodeLabel(ctx context.Context, cdUID string) error {
 	node, err := m.config.clientsets.Core.CoreV1().Nodes().Get(ctx, m.config.flags.nodeName, metav1.GetOptions{})
 	if err != nil {
diff --git a/cmd/compute-domain-kubelet-plugin/device_state.go b/cmd/compute-domain-kubelet-plugin/device_state.go
index d69d61b3b..8d9c5d67c 100644
--- a/cmd/compute-domain-kubelet-plugin/device_state.go
+++ b/cmd/compute-domain-kubelet-plugin/device_state.go
@@ -378,6 +378,9 @@ func (s *DeviceState) applyComputeDomainChannelConfig(ctx context.Context, confi
 	// Create any necessary ComputeDomain channels and gather their CDI container edits.
 	for _, r := range results {
 		channel := s.allocatable[r.Device].Channel
+		if err := s.computeDomainManager.AssertComputeDomainNamespace(ctx, claim.Namespace, config.DomainID); err != nil {
+			return nil, fmt.Errorf("error asserting ComputeDomain's namespace: %w", err)
+		}
 		if err := s.computeDomainManager.AddNodeLabel(ctx, config.DomainID); err != nil {
 			return nil, fmt.Errorf("error adding Node label for ComputeDomain: %w", err)
 		}