github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 15:05:27 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #46551 from caesarxuchao/rule-validation

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 46726, 41912, 46695, 46034, 46551)

Fix validation of Rule.Resouces
This commit is contained in:
Kubernetes Submit Queue 2017-06-02 21:42:43 -07:00 committed by GitHub
commit 3093936a18
13 changed files with 277 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
api/openapi-spec/swagger.json
View File

@ -50202,7 +50202,7 @@
"type": "string"
},
"rules": {
"description": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule.",
"description": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule. Rule.Resources must not include subresources.",
"type": "array",
"items": {
"$ref": "#/definitions/io.k8s.kubernetes.pkg.apis.admissionregistration.v1alpha1.Rule"
@ -50295,7 +50295,7 @@
}
},
"resources": {
"description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf '*' or '*/*' is present, the length of the slice must be one. Required.",
"description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.",
"type": "array",
"items": {
"type": "string"
@ -50328,7 +50328,7 @@
}
},
"resources": {
"description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf '*' or '*/*' is present, the length of the slice must be one. Required.",
"description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.",
"type": "array",
"items": {
"type": "string"

6
api/swagger-spec/admissionregistration.k8s.io_v1alpha1.json
View File

@ -1663,7 +1663,7 @@
"items": {
"type": "string"
},
"description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf '*' or '*/*' is present, the length of the slice must be one. Required."
"description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required."
}
}
},
@ -1813,7 +1813,7 @@
"items": {
"$ref": "v1alpha1.Rule"
},
"description": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule."
"description": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule. Rule.Resources must not include subresources."
},
"failurePolicy": {
"$ref": "v1alpha1.FailurePolicyType",
@ -1844,7 +1844,7 @@
"items": {
"type": "string"
},
"description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf '*' or '*/*' is present, the length of the slice must be one. Required."
"description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required."
}
}
},

16
docs/api-reference/admissionregistration.k8s.io/v1alpha1/definitions.html
View File

@ -492,9 +492,11 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
<td class="tableblock halign-left valign-top"><p class="tableblock">resources</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Resources is a list of resources this rule applies to.<br>
<br>
For example: <em>pods</em> means pods. <em>pods/log</em> means the log subresource of pods. <em><strong></em> means all resources, but not subresources. <em>pods/</strong></em> means all subresources of pods. <em><strong>/scale</em> means all scale subresources. <em></strong>/<strong></em> means all resources and their subresources.<br>
For example: <em>pods</em> means pods. <em>pods/log</em> means the log subresource of pods. <em><strong></em> means all resources, but not subresources. <em>pods/</strong></em> means all subresources of pods. <em><strong>/scale</em> means all scale subresources. <em></strong>/*</em> means all resources and their subresources.<br>
<br>
If <em></strong></em> or <em><strong>/</strong></em> is present, the length of the slice must be one. Required.</p></td>
If wildcard is present, the validation rule will ensure resources do not overlap with each other.<br>
<br>
Depending on the enclosing object, subresources might not be allowed. Required.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
@ -551,9 +553,11 @@ If <em></strong></em> or <em><strong>/</strong></em> is present, the length of t
<td class="tableblock halign-left valign-top"><p class="tableblock">resources</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Resources is a list of resources this rule applies to.<br>
<br>
For example: <em>pods</em> means pods. <em>pods/log</em> means the log subresource of pods. <em><strong></em> means all resources, but not subresources. <em>pods/</strong></em> means all subresources of pods. <em><strong>/scale</em> means all scale subresources. <em></strong>/<strong></em> means all resources and their subresources.<br>
For example: <em>pods</em> means pods. <em>pods/log</em> means the log subresource of pods. <em><strong></em> means all resources, but not subresources. <em>pods/</strong></em> means all subresources of pods. <em><strong>/scale</em> means all scale subresources. <em></strong>/*</em> means all resources and their subresources.<br>
<br>
If <em></strong></em> or <em><strong>/</strong></em> is present, the length of the slice must be one. Required.</p></td>
If wildcard is present, the validation rule will ensure resources do not overlap with each other.<br>
<br>
Depending on the enclosing object, subresources might not be allowed. Required.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
@ -968,7 +972,7 @@ If <em></strong></em> or <em><strong>/</strong></em> is present, the length of t
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">rules</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches <em>any</em> Rule.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches <em>any</em> Rule. Rule.Resources must not include subresources.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1alpha1_rule">v1alpha1.Rule</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
@ -1746,7 +1750,7 @@ Examples:<br>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-05-25 18:54:30 UTC
Last updated 2017-05-31 22:29:50 UTC
</div>
</div>
</body>

6
pkg/apis/admissionregistration/types.go
View File

@ -65,6 +65,7 @@ type Initializer struct {
// Rules describes what resources/subresources the initializer cares about.
// The initializer cares about an operation if it matches _any_ Rule.
// Rule.Resources must not include subresources.
Rules []Rule
// FailurePolicy defines what happens if the responsible initializer controller
@ -98,7 +99,10 @@ type Rule struct {
// '*/scale' means all scale subresources.
// '*/*' means all resources and their subresources.
//
// If '*' or '*/*' is present, the length of the slice must be one.
// If wildcard is present, the validation rule will ensure resources do not
// overlap with each other.
//
// Depending on the enclosing object, subresources might not be allowed.
// Required.
Resources []string
}

6
pkg/apis/admissionregistration/v1alpha1/generated.proto
View File

@ -105,6 +105,7 @@ message Initializer {
// Rules describes what resources/subresources the initializer cares about.
// The initializer cares about an operation if it matches _any_ Rule.
// Rule.Resources must not include subresources.
repeated Rule rules = 2;
// FailurePolicy defines what happens if the responsible initializer controller
@ -167,7 +168,10 @@ message Rule {
// '*/scale' means all scale subresources.
// '*/*' means all resources and their subresources.
//
// If '*' or '*/*' is present, the length of the slice must be one.
// If wildcard is present, the validation rule will ensure resources do not
// overlap with each other.
//
// Depending on the enclosing object, subresources might not be allowed.
// Required.
repeated string resources = 3;
}

6
pkg/apis/admissionregistration/v1alpha1/types.go
View File

@ -67,6 +67,7 @@ type Initializer struct {
// Rules describes what resources/subresources the initializer cares about.
// The initializer cares about an operation if it matches _any_ Rule.
// Rule.Resources must not include subresources.
Rules []Rule `json:"rules,omitempty" protobuf:"bytes,2,rep,name=rules"`
// FailurePolicy defines what happens if the responsible initializer controller
@ -100,7 +101,10 @@ type Rule struct {
// '*/scale' means all scale subresources.
// '*/*' means all resources and their subresources.
//
// If '*' or '*/*' is present, the length of the slice must be one.
// If wildcard is present, the validation rule will ensure resources do not
// overlap with each other.
//
// Depending on the enclosing object, subresources might not be allowed.
// Required.
Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
}

4
pkg/apis/admissionregistration/v1alpha1/types_swagger_doc_generated.go
View File

@ -72,7 +72,7 @@ func (ExternalAdmissionHookConfigurationList) SwaggerDoc() map[string]string {
var map_Initializer = map[string]string{
"": "Initializer describes the name and the failure policy of an initializer, and what resources it applies to.",
"name": "Name is the identifier of the initializer. It will be added to the object that needs to be initialized. Name should be fully qualified, e.g., alwayspullimages.kubernetes.io, where \"alwayspullimages\" is the name of the webhook, and kubernetes.io is the name of the organization. Required",
"rules": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule.",
"rules": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule. Rule.Resources must not include subresources.",
"failurePolicy": "FailurePolicy defines what happens if the responsible initializer controller fails to takes action. Allowed values are Ignore, or Fail. If \"Ignore\" is set, initializer is removed from the initializers list of an object if the timeout is reached; If \"Fail\" is set, admissionregistration returns timeout error if the timeout is reached.",
}
@ -104,7 +104,7 @@ var map_Rule = map[string]string{
"": "Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended to make sure that all the tuple expansions are valid.",
"apiGroups": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.",
"apiVersions": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.",
"resources": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf '*' or '*/*' is present, the length of the slice must be one. Required.",
"resources": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.",
}
func (Rule) SwaggerDoc() map[string]string {

100
pkg/apis/admissionregistration/validation/validation.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package validation
import (
"fmt"
"strings"
genericvalidation "k8s.io/apimachinery/pkg/api/validation"
@ -48,7 +49,8 @@ func validateInitializer(initializer *admissionregistration.Initializer, fldPath
}
for i, rule := range initializer.Rules {
allErrors = append(allErrors, validateRule(&rule, fldPath.Child("rules").Index(i))...)
notAllowSubresources := false
allErrors = append(allErrors, validateRule(&rule, fldPath.Child("rules").Index(i), notAllowSubresources)...)
}
// TODO: relax the validation rule when admissionregistration is beta.
if initializer.FailurePolicy != nil && *initializer.FailurePolicy != admissionregistration.Ignore {
@ -66,7 +68,82 @@ func hasWildcard(slice []string) bool {
return false
}
func validateRule(rule *admissionregistration.Rule, fldPath *field.Path) field.ErrorList {
func validateResources(resources []string, fldPath *field.Path) field.ErrorList {
var allErrors field.ErrorList
if len(resources) == 0 {
allErrors = append(allErrors, field.Required(fldPath, ""))
}
// */x
resourcesWithWildcardSubresoures := sets.String{}
// x/*
subResoucesWithWildcardResource := sets.String{}
// */*
hasDoubleWildcard := false
// *
hasSingleWildcard := false
// x
hasResourceWithoutSubresource := false
for i, resSub := range resources {
if resSub == "" {
allErrors = append(allErrors, field.Required(fldPath.Index(i), ""))
continue
}
if resSub == "*/*" {
hasDoubleWildcard = true
}
if resSub == "*" {
hasSingleWildcard = true
}
parts := strings.SplitN(resSub, "/", 2)
if len(parts) == 1 {
hasResourceWithoutSubresource = resSub != "*"
continue
}
res, sub := parts[0], parts[1]
if _, ok := resourcesWithWildcardSubresoures[res]; ok {
allErrors = append(allErrors, field.Invalid(fldPath.Index(i), resSub, fmt.Sprintf("if '%s/*' is present, must not specify %s", res, resSub)))
}
if _, ok := subResoucesWithWildcardResource[sub]; ok {
allErrors = append(allErrors, field.Invalid(fldPath.Index(i), resSub, fmt.Sprintf("if '*/%s' is present, must not specify %s", sub, resSub)))
}
if sub == "*" {
resourcesWithWildcardSubresoures[res] = struct{}{}
}
if res == "*" {
subResoucesWithWildcardResource[sub] = struct{}{}
}
}
if len(resources) > 1 && hasDoubleWildcard {
allErrors = append(allErrors, field.Invalid(fldPath, resources, "if '*/*' is present, must not specify other resources"))
}
if hasSingleWildcard && hasResourceWithoutSubresource {
allErrors = append(allErrors, field.Invalid(fldPath, resources, "if '*' is present, must not specify other resources without subresources"))
}
return allErrors
}
func validateResourcesNoSubResources(resources []string, fldPath *field.Path) field.ErrorList {
var allErrors field.ErrorList
if len(resources) == 0 {
allErrors = append(allErrors, field.Required(fldPath, ""))
}
for i, resource := range resources {
if resource == "" {
allErrors = append(allErrors, field.Required(fldPath.Index(i), ""))
}
if strings.Contains(resource, "/") {
allErrors = append(allErrors, field.Invalid(fldPath.Index(i), resource, "must not specify subresources"))
}
}
if len(resources) > 1 && hasWildcard(resources) {
allErrors = append(allErrors, field.Invalid(fldPath, resources, "if '*' is present, must not specify other resources"))
}
return allErrors
}
func validateRule(rule *admissionregistration.Rule, fldPath *field.Path, allowSubResource bool) field.ErrorList {
var allErrors field.ErrorList
if len(rule.APIGroups) == 0 {
allErrors = append(allErrors, field.Required(fldPath.Child("apiGroups"), ""))
@ -86,16 +163,10 @@ func validateRule(rule *admissionregistration.Rule, fldPath *field.Path) field.E
allErrors = append(allErrors, field.Required(fldPath.Child("apiVersions").Index(i), ""))
}
}
if len(rule.Resources) == 0 {
allErrors = append(allErrors, field.Required(fldPath.Child("resources"), ""))
}
if len(rule.Resources) > 1 && hasWildcard(rule.Resources) {
allErrors = append(allErrors, field.Invalid(fldPath.Child("Resources"), rule.Resources, "if '*' is present, must not specify other resources"))
}
for i, resource := range rule.Resources {
if resource == "" {
allErrors = append(allErrors, field.Required(fldPath.Child("resources").Index(i), ""))
}
if allowSubResource {
allErrors = append(allErrors, validateResources(rule.Resources, fldPath.Child("resources"))...)
} else {
allErrors = append(allErrors, validateResourcesNoSubResources(rule.Resources, fldPath.Child("resources"))...)
}
return allErrors
}
@ -107,7 +178,7 @@ func ValidateInitializerConfigurationUpdate(newIC, oldIC *admissionregistration.
func ValidateExternalAdmissionHookConfiguration(e *admissionregistration.ExternalAdmissionHookConfiguration) field.ErrorList {
allErrors := genericvalidation.ValidateObjectMeta(&e.ObjectMeta, false, genericvalidation.NameIsDNSSubdomain, field.NewPath("metadata"))
for i, hook := range e.ExternalAdmissionHooks {
allErrors = append(allErrors, validateExternalAdmissionHook(&hook, field.NewPath("externalAdmissionHook").Index(i))...)
allErrors = append(allErrors, validateExternalAdmissionHook(&hook, field.NewPath("externalAdmissionHooks").Index(i))...)
}
return allErrors
}
@ -165,7 +236,8 @@ func validateRuleWithOperations(ruleWithOperations *admissionregistration.RuleWi
allErrors = append(allErrors, field.NotSupported(fldPath.Child("operations").Index(i), operation, supportedOperations.List()))
}
}
allErrors = append(allErrors, validateRule(&ruleWithOperations.Rule, fldPath)...)
allowSubResource := true
allErrors = append(allErrors, validateRule(&ruleWithOperations.Rule, fldPath, allowSubResource)...)
return allErrors
}

147
pkg/apis/admissionregistration/validation/validation_test.go
View File

@ -181,7 +181,7 @@ func TestValidateInitializerConfiguration(t *testing.T) {
expectedError: "resources[1]: Required value",
},
{
name: "wildcard cannot be mixed with other strings",
name: "wildcard cannot be mixed with other strings for APIGroups or APIVersions or Resources",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
@ -195,7 +195,24 @@ func TestValidateInitializerConfiguration(t *testing.T) {
},
},
}),
expectedError: `initializers[0].rules[0].apiGroups: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other API groups, initializers[0].rules[0].apiVersions: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other API versions, initializers[0].rules[0].Resources: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other resources`,
expectedError: `[initializers[0].rules[0].apiGroups: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other API groups, initializers[0].rules[0].apiVersions: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other API versions, initializers[0].rules[0].resources: Invalid value: []string{"a", "*"}: if '*' is present, must not specify other resources]`,
},
{
name: "Subresource not allowed",
config: getInitializerConfiguration(
[]admissionregistration.Initializer{
{
Name: "initializer.k8s.io",
Rules: []admissionregistration.Rule{
{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a/b"},
},
},
},
}),
expectedError: ` "a/b": must not specify subresources`,
},
{
name: "FailurePolicy can only be \"Ignore\"",
@ -257,7 +274,7 @@ func TestValidateExternalAdmissionHookConfiguration(t *testing.T) {
Name: "",
},
}),
expectedError: `externalAdmissionHook[1].name: Invalid value: "k8s.io": should be a domain with at least two dots, externalAdmissionHook[2].name: Required value`,
expectedError: `externalAdmissionHooks[1].name: Invalid value: "k8s.io": should be a domain with at least two dots, externalAdmissionHooks[2].name: Required value`,
},
{
name: "Operations must not be empty or nil",
@ -285,7 +302,7 @@ func TestValidateExternalAdmissionHookConfiguration(t *testing.T) {
},
},
}),
expectedError: `externalAdmissionHook[0].rules[0].operations: Required value, externalAdmissionHook[0].rules[1].operations: Required value`,
expectedError: `externalAdmissionHooks[0].rules[0].operations: Required value, externalAdmissionHooks[0].rules[1].operations: Required value`,
},
{
name: "\"\" is NOT a valid operation",
@ -328,7 +345,7 @@ func TestValidateExternalAdmissionHookConfiguration(t *testing.T) {
expectedError: `Unsupported value: "PATCH"`,
},
{
name: "wildcard cannot be mixed with other strings",
name: "wildcard operation cannot be mixed with other strings",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
@ -347,12 +364,130 @@ func TestValidateExternalAdmissionHookConfiguration(t *testing.T) {
}),
expectedError: `if '*' is present, must not specify other operations`,
},
{
name: `resource "*" can co-exist with resources that have subresources`,
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"*", "a/b", "a/*", "*/b"},
},
},
},
},
}),
},
{
name: `resource "*" cannot mix with resources that don't have subresources`,
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"*", "a"},
},
},
},
},
}),
expectedError: `if '*' is present, must not specify other resources without subresources`,
},
{
name: "resource a/* cannot mix with a/x",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a/*", "a/x"},
},
},
},
},
}),
expectedError: `externalAdmissionHooks[0].rules[0].resources[1]: Invalid value: "a/x": if 'a/*' is present, must not specify a/x`,
},
{
name: "resource a/* can mix with a",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"a/*", "a"},
},
},
},
},
}),
},
{
name: "resource */a cannot mix with x/a",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"*/a", "x/a"},
},
},
},
},
}),
expectedError: `externalAdmissionHooks[0].rules[0].resources[1]: Invalid value: "x/a": if '*/a' is present, must not specify x/a`,
},
{
name: "resource */* cannot mix with other resources",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "webhook.k8s.io",
Rules: []admissionregistration.RuleWithOperations{
{
Operations: []admissionregistration.OperationType{"CREATE"},
Rule: admissionregistration.Rule{
APIGroups: []string{"a"},
APIVersions: []string{"a"},
Resources: []string{"*/*", "a"},
},
},
},
},
}),
expectedError: `externalAdmissionHooks[0].rules[0].resources: Invalid value: []string{"*/*", "a"}: if '*/*' is present, must not specify other resources`,
},
{
name: "FailurePolicy can only be \"Ignore\"",
config: getExternalAdmissionHookConfiguration(
[]admissionregistration.ExternalAdmissionHook{
{
Name: "initializer.k8s.io",
Name: "webhook.k8s.io",
FailurePolicy: func() *admissionregistration.FailurePolicyType {
r := admissionregistration.Fail
return &r

6
staging/src/k8s.io/client-go/pkg/apis/admissionregistration/types.go
View File

@ -65,6 +65,7 @@ type Initializer struct {
// Rules describes what resources/subresources the initializer cares about.
// The initializer cares about an operation if it matches _any_ Rule.
// Rule.Resources must not include subresources.
Rules []Rule
// FailurePolicy defines what happens if the responsible initializer controller
@ -98,7 +99,10 @@ type Rule struct {
// '*/scale' means all scale subresources.
// '*/*' means all resources and their subresources.
//
// If '*' or '*/*' is present, the length of the slice must be one.
// If wildcard is present, the validation rule will ensure resources do not
// overlap with each other.
//
// Depending on the enclosing object, subresources might not be allowed.
// Required.
Resources []string
}

6
staging/src/k8s.io/client-go/pkg/apis/admissionregistration/v1alpha1/generated.proto
View File

@ -105,6 +105,7 @@ message Initializer {
// Rules describes what resources/subresources the initializer cares about.
// The initializer cares about an operation if it matches _any_ Rule.
// Rule.Resources must not include subresources.
repeated Rule rules = 2;
// FailurePolicy defines what happens if the responsible initializer controller
@ -167,7 +168,10 @@ message Rule {
// '*/scale' means all scale subresources.
// '*/*' means all resources and their subresources.
//
// If '*' or '*/*' is present, the length of the slice must be one.
// If wildcard is present, the validation rule will ensure resources do not
// overlap with each other.
//
// Depending on the enclosing object, subresources might not be allowed.
// Required.
repeated string resources = 3;
}

6
staging/src/k8s.io/client-go/pkg/apis/admissionregistration/v1alpha1/types.go
View File

@ -67,6 +67,7 @@ type Initializer struct {
// Rules describes what resources/subresources the initializer cares about.
// The initializer cares about an operation if it matches _any_ Rule.
// Rule.Resources must not include subresources.
Rules []Rule `json:"rules,omitempty" protobuf:"bytes,2,rep,name=rules"`
// FailurePolicy defines what happens if the responsible initializer controller
@ -100,7 +101,10 @@ type Rule struct {
// '*/scale' means all scale subresources.
// '*/*' means all resources and their subresources.
//
// If '*' or '*/*' is present, the length of the slice must be one.
// If wildcard is present, the validation rule will ensure resources do not
// overlap with each other.
//
// Depending on the enclosing object, subresources might not be allowed.
// Required.
Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
}

4
staging/src/k8s.io/client-go/pkg/apis/admissionregistration/v1alpha1/types_swagger_doc_generated.go
View File

@ -72,7 +72,7 @@ func (ExternalAdmissionHookConfigurationList) SwaggerDoc() map[string]string {
var map_Initializer = map[string]string{
"": "Initializer describes the name and the failure policy of an initializer, and what resources it applies to.",
"name": "Name is the identifier of the initializer. It will be added to the object that needs to be initialized. Name should be fully qualified, e.g., alwayspullimages.kubernetes.io, where \"alwayspullimages\" is the name of the webhook, and kubernetes.io is the name of the organization. Required",
"rules": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule.",
"rules": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule. Rule.Resources must not include subresources.",
"failurePolicy": "FailurePolicy defines what happens if the responsible initializer controller fails to takes action. Allowed values are Ignore, or Fail. If \"Ignore\" is set, initializer is removed from the initializers list of an object if the timeout is reached; If \"Fail\" is set, admissionregistration returns timeout error if the timeout is reached.",
}
@ -104,7 +104,7 @@ var map_Rule = map[string]string{
"": "Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended to make sure that all the tuple expansions are valid.",
"apiGroups": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.",
"apiVersions": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.",
"resources": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf '*' or '*/*' is present, the length of the slice must be one. Required.",
"resources": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.",
}
func (Rule) SwaggerDoc() map[string]string {