github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #88943 from tedyu/visitor-container-type

Browse Source 
Visitors of Configmaps and Secrets should specify which containers to visit
This commit is contained in:
Kubernetes Prow Robot 2020-03-20 09:20:36 -07:00 committed by GitHub
commit 0549d0e7db
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/api/pod/util.go
View File

@ -89,13 +89,13 @@ type Visitor func(name string) (shouldContinue bool)
// referenced by the pod spec. If visitor returns false, visiting is short-circuited. // referenced by the pod spec. If visitor returns false, visiting is short-circuited.
// Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited. // Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
// Returns true if visiting completed, false if visiting was short-circuited. // Returns true if visiting completed, false if visiting was short-circuited.
func VisitPodSecretNames(pod *api.Pod, visitor Visitor) bool { func VisitPodSecretNames(pod *api.Pod, visitor Visitor, containerType ContainerType) bool {
for _, reference := range pod.Spec.ImagePullSecrets { for _, reference := range pod.Spec.ImagePullSecrets {
if !visitor(reference.Name) { if !visitor(reference.Name) {
return false return false
} }
} }
VisitContainers(&pod.Spec, AllContainers, func(c *api.Container, containerType ContainerType) bool { VisitContainers(&pod.Spec, containerType, func(c *api.Container, containerType ContainerType) bool {
return visitContainerSecretNames(c, visitor) return visitContainerSecretNames(c, visitor)
}) })
var source *api.VolumeSource var source *api.VolumeSource
@ -177,8 +177,8 @@ func visitContainerSecretNames(container *api.Container, visitor Visitor) bool {
// referenced by the pod spec. If visitor returns false, visiting is short-circuited. // referenced by the pod spec. If visitor returns false, visiting is short-circuited.
// Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited. // Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
// Returns true if visiting completed, false if visiting was short-circuited. // Returns true if visiting completed, false if visiting was short-circuited.
func VisitPodConfigmapNames(pod *api.Pod, visitor Visitor) bool { func VisitPodConfigmapNames(pod *api.Pod, visitor Visitor, containerType ContainerType) bool {
VisitContainers(&pod.Spec, AllContainers, func(c *api.Container, containerType ContainerType) bool { VisitContainers(&pod.Spec, containerType, func(c *api.Container, containerType ContainerType) bool {
return visitContainerConfigmapNames(c, visitor) return visitContainerConfigmapNames(c, visitor)
}) })
var source *api.VolumeSource var source *api.VolumeSource

4
pkg/api/pod/util_test.go
View File

@ -283,7 +283,7 @@ func TestPodSecrets(t *testing.T) {
VisitPodSecretNames(pod, func(name string) bool { VisitPodSecretNames(pod, func(name string) bool {
extractedNames.Insert(name) extractedNames.Insert(name)
return true return true
}) }, AllContainers)
// excludedSecretPaths holds struct paths to fields with "secret" in the name that are not actually references to secret API objects // excludedSecretPaths holds struct paths to fields with "secret" in the name that are not actually references to secret API objects
excludedSecretPaths := sets.NewString( excludedSecretPaths := sets.NewString(
@ -428,7 +428,7 @@ func TestPodConfigmaps(t *testing.T) {
VisitPodConfigmapNames(pod, func(name string) bool { VisitPodConfigmapNames(pod, func(name string) bool {
extractedNames.Insert(name) extractedNames.Insert(name)
return true return true
}) }, AllContainers)
// expectedPaths holds struct paths to fields with "ConfigMap" in the name that are references to ConfigMap API objects. // expectedPaths holds struct paths to fields with "ConfigMap" in the name that are references to ConfigMap API objects.
// every path here should be represented as an example in the Pod stub above, with the ConfigMap name set to the path. // every path here should be represented as an example in the Pod stub above, with the ConfigMap name set to the path.

4
plugin/pkg/admission/noderestriction/admission.go
View File

@ -257,12 +257,12 @@ func (p *Plugin) admitPodCreate(nodeName string, a admission.Attributes) error {
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference a service account", nodeName)) return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference a service account", nodeName))
} }
hasSecrets := false hasSecrets := false
podutil.VisitPodSecretNames(pod, func(name string) (shouldContinue bool) { hasSecrets = true; return false }) podutil.VisitPodSecretNames(pod, func(name string) (shouldContinue bool) { hasSecrets = true; return false }, podutil.AllContainers)
if hasSecrets { if hasSecrets {
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference secrets", nodeName)) return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference secrets", nodeName))
} }
hasConfigMaps := false hasConfigMaps := false
podutil.VisitPodConfigmapNames(pod, func(name string) (shouldContinue bool) { hasConfigMaps = true; return false }) podutil.VisitPodConfigmapNames(pod, func(name string) (shouldContinue bool) { hasConfigMaps = true; return false }, podutil.AllContainers)
if hasConfigMaps { if hasConfigMaps {
return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference configmaps", nodeName)) return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference configmaps", nodeName))
} }

2
plugin/pkg/admission/serviceaccount/admission.go
View File

@ -216,7 +216,7 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
podutil.VisitPodSecretNames(pod, func(name string) bool { podutil.VisitPodSecretNames(pod, func(name string) bool {
hasSecrets = true hasSecrets = true
return false return false
}) }, podutil.AllContainers)
if hasSecrets { if hasSecrets {
return admission.NewForbidden(a, fmt.Errorf("a mirror pod may not reference secrets")) return admission.NewForbidden(a, fmt.Errorf("a mirror pod may not reference secrets"))
} }