Fix amIAdmin function to correctly check admin group membership

The amIAdmin function had a logic bug where it was checking if a single
group name existed in the user's group list, rather than checking if any
of the user's groups matched the allowed admin groups. This caused the
webhook to incorrectly deny requests from users in the cluster-admins group.

This fixes the e2e test failures in openshift/origin endpoint admission tests
where the admin client was being denied access to privileged namespaces.

OCPBUGS-62642

Author: dustman9000

pkg/webhooks/namespace/namespace.go

@@ -321,19 +321,22 @@ func NewWebhook() *NamespaceWebhook {
 }
 
 func amIAdmin(request admissionctl.Request) bool {
-	amISREAdmin := false
-	amIClusterAdmin := false
+	// Check if user is a cluster admin by username
+	if utils.SliceContains(request.UserInfo.Username, clusterAdminUsers) {
+		return true
+	}
 
-	if utils.SliceContains(request.UserInfo.Username, clusterAdminUsers) || utils.SliceContains(clusterAdminGroup, request.UserInfo.Groups) {
-		amIClusterAdmin = true
+	// Check if user is in cluster-admins group
+	if utils.SliceContains(clusterAdminGroup, request.UserInfo.Groups) {
+		return true
 	}
 
+	// Check if user is in any SRE admin groups
 	for _, group := range sreAdminGroups {
 		if utils.SliceContains(group, request.UserInfo.Groups) {
-			amISREAdmin = true
-			break
+			return true
 		}
 	}
 
-	return (amIClusterAdmin || amISREAdmin)
+	return false
 }