Merge pull request #88943 from tedyu/visitor-container-type
Visitors of Configmaps and Secrets should specify which containers to visit
This commit is contained in:
commit
0549d0e7db
@ -89,13 +89,13 @@ type Visitor func(name string) (shouldContinue bool)
|
|||||||
// referenced by the pod spec. If visitor returns false, visiting is short-circuited.
|
// referenced by the pod spec. If visitor returns false, visiting is short-circuited.
|
||||||
// Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
|
// Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
|
||||||
// Returns true if visiting completed, false if visiting was short-circuited.
|
// Returns true if visiting completed, false if visiting was short-circuited.
|
||||||
func VisitPodSecretNames(pod *api.Pod, visitor Visitor) bool {
|
func VisitPodSecretNames(pod *api.Pod, visitor Visitor, containerType ContainerType) bool {
|
||||||
for _, reference := range pod.Spec.ImagePullSecrets {
|
for _, reference := range pod.Spec.ImagePullSecrets {
|
||||||
if !visitor(reference.Name) {
|
if !visitor(reference.Name) {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
VisitContainers(&pod.Spec, AllContainers, func(c *api.Container, containerType ContainerType) bool {
|
VisitContainers(&pod.Spec, containerType, func(c *api.Container, containerType ContainerType) bool {
|
||||||
return visitContainerSecretNames(c, visitor)
|
return visitContainerSecretNames(c, visitor)
|
||||||
})
|
})
|
||||||
var source *api.VolumeSource
|
var source *api.VolumeSource
|
||||||
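Review bot: The result of the new `VisitContainers(&pod.Spec, containerType, …)` call is still discarded, so a visitor that returns false from inside a container does not stop the walk: execution falls through to the volume loop that begins at `var source` and the function ends up reporting true, contradicting the "Returns true if visiting completed, false if visiting was short-circuited" contract a few lines above. Assuming VisitContainers returns its callback's result (its callback is declared to return bool), the call should be checked: `if !VisitContainers(&pod.Spec, containerType, func(c *api.Container, containerType ContainerType) bool { return visitContainerSecretNames(c, visitor) }) { return false }`. The doc comment was also not updated for the new parameter, and its semantics are not obvious: containerType only masks the per-container references collected by visitContainerSecretNames, while `pod.Spec.ImagePullSecrets` (and the volume references that follow) are visited for every mask, so add something like `// containerType selects which containers' references are visited; pod-level references (imagePullSecrets, volumes) are visited regardless.` The same dropped return and missing parameter documentation appear in VisitPodConfigmapNames in the next hunk, which this function's body also continues past.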
@ -177,8 +177,8 @@ func visitContainerSecretNames(container *api.Container, visitor Visitor) bool {
|
|||||||
// referenced by the pod spec. If visitor returns false, visiting is short-circuited.
|
// referenced by the pod spec. If visitor returns false, visiting is short-circuited.
|
||||||
// Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
|
// Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
|
||||||
// Returns true if visiting completed, false if visiting was short-circuited.
|
// Returns true if visiting completed, false if visiting was short-circuited.
|
||||||
func VisitPodConfigmapNames(pod *api.Pod, visitor Visitor) bool {
|
func VisitPodConfigmapNames(pod *api.Pod, visitor Visitor, containerType ContainerType) bool {
|
||||||
VisitContainers(&pod.Spec, AllContainers, func(c *api.Container, containerType ContainerType) bool {
|
VisitContainers(&pod.Spec, containerType, func(c *api.Container, containerType ContainerType) bool {
|
||||||
return visitContainerConfigmapNames(c, visitor)
|
return visitContainerConfigmapNames(c, visitor)
|
||||||
})
|
})
|
||||||
var source *api.VolumeSource
|
var source *api.VolumeSource
|
||||||
|
@ -283,7 +283,7 @@ func TestPodSecrets(t *testing.T) {
|
|||||||
VisitPodSecretNames(pod, func(name string) bool {
|
VisitPodSecretNames(pod, func(name string) bool {
|
||||||
extractedNames.Insert(name)
|
extractedNames.Insert(name)
|
||||||
return true
|
return true
|
||||||
})
|
}, AllContainers)
|
||||||
|
|
||||||
// excludedSecretPaths holds struct paths to fields with "secret" in the name that are not actually references to secret API objects
|
// excludedSecretPaths holds struct paths to fields with "secret" in the name that are not actually references to secret API objects
|
||||||
excludedSecretPaths := sets.NewString(
|
excludedSecretPaths := sets.NewString(
|
||||||
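Review bot: The test still walks the pod stub only with `AllContainers`, so nothing verifies that the new mask parameter filters anything; a regression that ignored containerType entirely would pass this test. Add a second walk of the same stub with a narrower mask (whichever of the ContainerType constants excludes init or ephemeral containers) and assert that references placed in the excluded containers are absent from extractedNames while the imagePullSecret and volume references remain, with a comment such as `// a non-AllContainers mask must drop references from excluded container types but keep pod-level ones`. TestPodSecrets starts outside the hunk, so the stub's container layout is not visible here.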
@ -428,7 +428,7 @@ func TestPodConfigmaps(t *testing.T) {
|
|||||||
VisitPodConfigmapNames(pod, func(name string) bool {
|
VisitPodConfigmapNames(pod, func(name string) bool {
|
||||||
extractedNames.Insert(name)
|
extractedNames.Insert(name)
|
||||||
return true
|
return true
|
||||||
})
|
}, AllContainers)
|
||||||
|
|
||||||
// expectedPaths holds struct paths to fields with "ConfigMap" in the name that are references to ConfigMap API objects.
|
// expectedPaths holds struct paths to fields with "ConfigMap" in the name that are references to ConfigMap API objects.
|
||||||
// every path here should be represented as an example in the Pod stub above, with the ConfigMap name set to the path.
|
// every path here should be represented as an example in the Pod stub above, with the ConfigMap name set to the path.
|
||||||
|
@ -257,12 +257,12 @@ func (p *Plugin) admitPodCreate(nodeName string, a admission.Attributes) error {
|
|||||||
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference a service account", nodeName))
|
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference a service account", nodeName))
|
||||||
}
|
}
|
||||||
hasSecrets := false
|
hasSecrets := false
|
||||||
podutil.VisitPodSecretNames(pod, func(name string) (shouldContinue bool) { hasSecrets = true; return false })
|
podutil.VisitPodSecretNames(pod, func(name string) (shouldContinue bool) { hasSecrets = true; return false }, podutil.AllContainers)
|
||||||
if hasSecrets {
|
if hasSecrets {
|
||||||
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference secrets", nodeName))
|
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference secrets", nodeName))
|
||||||
}
|
}
|
||||||
hasConfigMaps := false
|
hasConfigMaps := false
|
||||||
podutil.VisitPodConfigmapNames(pod, func(name string) (shouldContinue bool) { hasConfigMaps = true; return false })
|
podutil.VisitPodConfigmapNames(pod, func(name string) (shouldContinue bool) { hasConfigMaps = true; return false }, podutil.AllContainers)
|
||||||
if hasConfigMaps {
|
if hasConfigMaps {
|
||||||
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference configmaps", nodeName))
|
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference configmaps", nodeName))
|
||||||
}
|
}
|
||||||
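Review bot: Now that callers can narrow the walk, the `podutil.AllContainers` argument on both visitor calls is a security-relevant choice that carries no explanation: this check is what prevents a node from creating a pod that references secrets or configmaps, and any narrower mask would let such a reference hide in an init or ephemeral container. Add a why-comment above the first call, e.g. `// AllContainers: a secret or configmap referenced from any container type (init, regular, ephemeral) must reject the pod; never narrow this mask.` Note the visitor returns false on the first hit, so whether the walk actually stops there depends on VisitPodSecretNames honoring that short-circuit, which is not visible in this hunk. admitPodCreate starts outside the hunk.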
|
@ -216,7 +216,7 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
|
|||||||
podutil.VisitPodSecretNames(pod, func(name string) bool {
|
podutil.VisitPodSecretNames(pod, func(name string) bool {
|
||||||
hasSecrets = true
|
hasSecrets = true
|
||||||
return false
|
return false
|
||||||
})
|
}, podutil.AllContainers)
|
||||||
if hasSecrets {
|
if hasSecrets {
|
||||||
return admission.NewForbidden(a, fmt.Errorf("a mirror pod may not reference secrets"))
|
return admission.NewForbidden(a, fmt.Errorf("a mirror pod may not reference secrets"))
|
||||||
}
|
}
|
||||||
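Review bot: As with the node-restriction plugin, the explicit `podutil.AllContainers` on this mirror-pod secret walk is now a deliberate security decision rather than the only option, and the hunk leaves it uncommented. A one-line why-comment above the call, e.g. `// AllContainers: a mirror pod must not reference secrets from any container type, including init and ephemeral containers.`, would stop a future caller from "optimizing" it to a narrower mask. Validate starts outside the hunk.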
|