github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #67116 from yue9944882/refactor/node-admission-controller-externalize

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 65297, 67179, 67116, 67011, 66842). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Externalize node admission controller

**Release note**:

```release-note
NONE
```



**What this PR does / why we need it**:

/sig api-machinery

under unbrella: #66680

We start with injecting external informer/lister into node admission controller for that it's slightly simpler than the others.

Here is the thing I actually did in this pull:

1. Enable plugin initializer to inject external/internal clientset/informers into the admission controllers.
2. Receive external informer in node admission controller.
3. Create a `AdmissionConfig` following how we did in `AuthenticationConfig` and `AuthorizationConfig` and creates the actual plugin initializers and the admission post-start hook in its `New()` method
This commit is contained in:
Kubernetes Submit Queue 2018-08-09 08:39:31 -07:00 committed by GitHub
commit 44d6de79e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 174 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/kubeapiserver/admission/BUILD
View File

@ -25,7 +25,6 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/admission:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
], ],
) )

2
pkg/kubeapiserver/admission/initializer.go
View File

@ -21,7 +21,6 @@ import (
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config" webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
"k8s.io/kubernetes/pkg/quota" "k8s.io/kubernetes/pkg/quota"
@ -60,7 +59,6 @@ type WantsQuotaConfiguration interface {
// PluginInitializer is used for initialization of the Kubernetes specific admission plugins. // PluginInitializer is used for initialization of the Kubernetes specific admission plugins.
type PluginInitializer struct { type PluginInitializer struct {
internalClient internalclientset.Interface internalClient internalclientset.Interface
externalClient clientset.Interface
informers informers.SharedInformerFactory informers informers.SharedInformerFactory
authorizer authorizer.Authorizer authorizer authorizer.Authorizer
cloudConfig []byte cloudConfig []byte

2
pkg/kubeapiserver/authorizer/config.go
View File

@ -75,7 +75,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
node.AddGraphEventHandlers( node.AddGraphEventHandlers(
graph, graph,
config.InformerFactory.Core().InternalVersion().Nodes(), config.InformerFactory.Core().InternalVersion().Nodes(),
config.InformerFactory.Core().InternalVersion().Pods(), config.VersionedInformerFactory.Core().V1().Pods(),
config.InformerFactory.Core().InternalVersion().PersistentVolumes(), config.InformerFactory.Core().InternalVersion().PersistentVolumes(),
config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(), config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
) )

9
plugin/pkg/admission/noderestriction/BUILD
View File

@ -16,15 +16,15 @@ go_library(
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/auth/nodeidentifier:go_default_library", "//pkg/auth/nodeidentifier:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/client/listers/core/internalversion:go_default_library",
"//pkg/features:go_default_library", "//pkg/features:go_default_library",
"//pkg/kubeapiserver/admission:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/admission:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/client-go/informers:go_default_library",
"//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
], ],
) )
@ -37,13 +37,14 @@ go_test(
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/policy:go_default_library", "//pkg/apis/policy:go_default_library",
"//pkg/auth/nodeidentifier:go_default_library", "//pkg/auth/nodeidentifier:go_default_library",
"//pkg/client/listers/core/internalversion:go_default_library",
"//pkg/features:go_default_library", "//pkg/features:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/admission:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
"//staging/src/k8s.io/client-go/tools/cache:go_default_library", "//staging/src/k8s.io/client-go/tools/cache:go_default_library",
], ],
) )

14
plugin/pkg/admission/noderestriction/admission.go
View File

@ -24,16 +24,16 @@ import (
"k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
apiserveradmission "k8s.io/apiserver/pkg/admission/initializer"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/informers"
corev1lister "k8s.io/client-go/listers/core/v1"
podutil "k8s.io/kubernetes/pkg/api/pod" podutil "k8s.io/kubernetes/pkg/api/pod"
authenticationapi "k8s.io/kubernetes/pkg/apis/authentication" authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/auth/nodeidentifier" "k8s.io/kubernetes/pkg/auth/nodeidentifier"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
internalversion "k8s.io/kubernetes/pkg/client/listers/core/internalversion"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
) )
const ( const (
@ -61,18 +61,18 @@ func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier) *nodePlugin {
type nodePlugin struct { type nodePlugin struct {
*admission.Handler *admission.Handler
nodeIdentifier nodeidentifier.NodeIdentifier nodeIdentifier nodeidentifier.NodeIdentifier
podsGetter internalversion.PodLister podsGetter corev1lister.PodLister
// allows overriding for testing // allows overriding for testing
features utilfeature.FeatureGate features utilfeature.FeatureGate
} }
var ( var (
_ = admission.Interface(&nodePlugin{}) _ = admission.Interface(&nodePlugin{})
_ = kubeapiserveradmission.WantsInternalKubeInformerFactory(&nodePlugin{}) _ = apiserveradmission.WantsExternalKubeInformerFactory(&nodePlugin{})
) )
func (p *nodePlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) { func (p *nodePlugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
p.podsGetter = f.Core().InternalVersion().Pods().Lister() p.podsGetter = f.Core().V1().Pods().Lister()
} }
func (p *nodePlugin) ValidateInitialization() error { func (p *nodePlugin) ValidateInitialization() error {

214
plugin/pkg/admission/noderestriction/admission_test.go
View File

@ -20,17 +20,18 @@ import (
"strings" "strings"
"testing" "testing"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
corev1lister "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
authenticationapi "k8s.io/kubernetes/pkg/apis/authentication" authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/policy" "k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/auth/nodeidentifier" "k8s.io/kubernetes/pkg/auth/nodeidentifier"
"k8s.io/kubernetes/pkg/client/listers/core/internalversion"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
) )
@ -48,16 +49,22 @@ func init() {
} }
} }
func makeTestPod(namespace, name, node string, mirror bool) *api.Pod { func makeTestPod(namespace, name, node string, mirror bool) (*api.Pod, *corev1.Pod) {
pod := &api.Pod{} corePod := &api.Pod{}
pod.Namespace = namespace corePod.Namespace = namespace
pod.UID = types.UID("pod-uid") corePod.UID = types.UID("pod-uid")
pod.Name = name corePod.Name = name
pod.Spec.NodeName = node corePod.Spec.NodeName = node
v1Pod := &corev1.Pod{}
v1Pod.Namespace = namespace
v1Pod.UID = types.UID("pod-uid")
v1Pod.Name = name
v1Pod.Spec.NodeName = node
if mirror { if mirror {
pod.Annotations = map[string]string{api.MirrorPodAnnotationKey: "true"} corePod.Annotations = map[string]string{api.MirrorPodAnnotationKey: "true"}
v1Pod.Annotations = map[string]string{api.MirrorPodAnnotationKey: "true"}
} }
return pod return corePod, v1Pod
} }
func makeTestPodEviction(name string) *policy.Eviction { func makeTestPodEviction(name string) *policy.Eviction {
@ -105,17 +112,18 @@ func Test_nodePlugin_Admit(t *testing.T) {
UID: "quxUID", UID: "quxUID",
KubeletConfigKey: "kubelet", KubeletConfigKey: "kubelet",
}}}} }}}}
mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}} mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}} mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}} othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
mymirrorpod = makeTestPod("ns", "mymirrorpod", "mynode", true) coremymirrorpod, v1mymirrorpod = makeTestPod("ns", "mymirrorpod", "mynode", true)
othermirrorpod = makeTestPod("ns", "othermirrorpod", "othernode", true) coreothermirrorpod, v1othermirrorpod = makeTestPod("ns", "othermirrorpod", "othernode", true)
unboundmirrorpod = makeTestPod("ns", "unboundmirrorpod", "", true) coreunboundmirrorpod, v1unboundmirrorpod = makeTestPod("ns", "unboundmirrorpod", "", true)
mypod = makeTestPod("ns", "mypod", "mynode", false) coremypod, v1mypod = makeTestPod("ns", "mypod", "mynode", false)
otherpod = makeTestPod("ns", "otherpod", "othernode", false) coreotherpod, v1otherpod = makeTestPod("ns", "otherpod", "othernode", false)
unboundpod = makeTestPod("ns", "unboundpod", "", false) coreunboundpod, v1unboundpod = makeTestPod("ns", "unboundpod", "", false)
unnamedpod = makeTestPod("ns", "", "mynode", false) coreunnamedpod, _ = makeTestPod("ns", "", "mynode", false)
mymirrorpodEviction = makeTestPodEviction("mymirrorpod") mymirrorpodEviction = makeTestPodEviction("mymirrorpod")
othermirrorpodEviction = makeTestPodEviction("othermirrorpod") othermirrorpodEviction = makeTestPodEviction("othermirrorpod")
@ -139,34 +147,34 @@ func Test_nodePlugin_Admit(t *testing.T) {
tokenrequestKind = api.Kind("TokenRequest").WithVersion("v1") tokenrequestKind = api.Kind("TokenRequest").WithVersion("v1")
noExistingPodsIndex = cache.NewIndexer(cache.MetaNamespaceKeyFunc, nil) noExistingPodsIndex = cache.NewIndexer(cache.MetaNamespaceKeyFunc, nil)
noExistingPods = internalversion.NewPodLister(noExistingPodsIndex) noExistingPods = corev1lister.NewPodLister(noExistingPodsIndex)
existingPodsIndex = cache.NewIndexer(cache.MetaNamespaceKeyFunc, nil) existingPodsIndex = cache.NewIndexer(cache.MetaNamespaceKeyFunc, nil)
existingPods = internalversion.NewPodLister(existingPodsIndex) existingPods = corev1lister.NewPodLister(existingPodsIndex)
) )
existingPodsIndex.Add(mymirrorpod) existingPodsIndex.Add(v1mymirrorpod)
existingPodsIndex.Add(othermirrorpod) existingPodsIndex.Add(v1othermirrorpod)
existingPodsIndex.Add(unboundmirrorpod) existingPodsIndex.Add(v1unboundmirrorpod)
existingPodsIndex.Add(mypod) existingPodsIndex.Add(v1mypod)
existingPodsIndex.Add(otherpod) existingPodsIndex.Add(v1otherpod)
existingPodsIndex.Add(unboundpod) existingPodsIndex.Add(v1unboundpod)
sapod := makeTestPod("ns", "mysapod", "mynode", true) sapod, _ := makeTestPod("ns", "mysapod", "mynode", true)
sapod.Spec.ServiceAccountName = "foo" sapod.Spec.ServiceAccountName = "foo"
secretpod := makeTestPod("ns", "mysecretpod", "mynode", true) secretpod, _ := makeTestPod("ns", "mysecretpod", "mynode", true)
secretpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "foo"}}}} secretpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "foo"}}}}
configmappod := makeTestPod("ns", "myconfigmappod", "mynode", true) configmappod, _ := makeTestPod("ns", "myconfigmappod", "mynode", true)
configmappod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{ConfigMap: &api.ConfigMapVolumeSource{LocalObjectReference: api.LocalObjectReference{Name: "foo"}}}}} configmappod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{ConfigMap: &api.ConfigMapVolumeSource{LocalObjectReference: api.LocalObjectReference{Name: "foo"}}}}}
pvcpod := makeTestPod("ns", "mypvcpod", "mynode", true) pvcpod, _ := makeTestPod("ns", "mypvcpod", "mynode", true)
pvcpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: "foo"}}}} pvcpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: "foo"}}}}
tests := []struct { tests := []struct {
name string name string
podsGetter internalversion.PodLister podsGetter corev1lister.PodLister
attributes admission.Attributes attributes admission.Attributes
features utilfeature.FeatureGate features utilfeature.FeatureGate
err string err string
@ -175,61 +183,61 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "allow creating a mirror pod bound to self", name: "allow creating a mirror pod bound to self",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(mymirrorpod, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coremymirrorpod, nil, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "", admission.Create, false, mynode),
err: "", err: "",
}, },
{ {
name: "forbid update of mirror pod bound to self", name: "forbid update of mirror pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mymirrorpod, mymirrorpod, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coremymirrorpod, coremymirrorpod, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "allow delete of mirror pod bound to self", name: "allow delete of mirror pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "", admission.Delete, false, mynode),
err: "", err: "",
}, },
{ {
name: "forbid create of mirror pod status bound to self", name: "forbid create of mirror pod status bound to self",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(mymirrorpod, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coremymirrorpod, nil, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "status", admission.Create, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "allow update of mirror pod status bound to self", name: "allow update of mirror pod status bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mymirrorpod, mymirrorpod, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coremymirrorpod, coremymirrorpod, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "status", admission.Update, false, mynode),
err: "", err: "",
}, },
{ {
name: "forbid delete of mirror pod status bound to self", name: "forbid delete of mirror pod status bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "status", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "allow create of eviction for mirror pod bound to self", name: "allow create of eviction for mirror pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "", err: "",
}, },
{ {
name: "forbid update of eviction for mirror pod bound to self", name: "forbid update of eviction for mirror pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "eviction", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "eviction", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of eviction for mirror pod bound to self", name: "forbid delete of eviction for mirror pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "allow create of unnamed eviction for mirror pod bound to self", name: "allow create of unnamed eviction for mirror pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "", err: "",
}, },
@ -237,61 +245,61 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "forbid creating a mirror pod bound to another", name: "forbid creating a mirror pod bound to another",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(othermirrorpod, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coreothermirrorpod, nil, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid update of mirror pod bound to another", name: "forbid update of mirror pod bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(othermirrorpod, othermirrorpod, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coreothermirrorpod, coreothermirrorpod, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of mirror pod bound to another", name: "forbid delete of mirror pod bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "", admission.Delete, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid create of mirror pod status bound to another", name: "forbid create of mirror pod status bound to another",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(othermirrorpod, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coreothermirrorpod, nil, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "status", admission.Create, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid update of mirror pod status bound to another", name: "forbid update of mirror pod status bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(othermirrorpod, othermirrorpod, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coreothermirrorpod, coreothermirrorpod, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "status", admission.Update, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid delete of mirror pod status bound to another", name: "forbid delete of mirror pod status bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "status", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid create of eviction for mirror pod bound to another", name: "forbid create of eviction for mirror pod bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid update of eviction for mirror pod bound to another", name: "forbid update of eviction for mirror pod bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "eviction", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "eviction", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of eviction for mirror pod bound to another", name: "forbid delete of eviction for mirror pod bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid create of unnamed eviction for mirror pod to another", name: "forbid create of unnamed eviction for mirror pod to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
@ -299,61 +307,61 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "forbid creating a mirror pod unbound", name: "forbid creating a mirror pod unbound",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(unboundmirrorpod, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coreunboundmirrorpod, nil, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid update of mirror pod unbound", name: "forbid update of mirror pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundmirrorpod, unboundmirrorpod, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coreunboundmirrorpod, coreunboundmirrorpod, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of mirror pod unbound", name: "forbid delete of mirror pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "", admission.Delete, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid create of mirror pod status unbound", name: "forbid create of mirror pod status unbound",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(unboundmirrorpod, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coreunboundmirrorpod, nil, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "status", admission.Create, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid update of mirror pod status unbound", name: "forbid update of mirror pod status unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundmirrorpod, unboundmirrorpod, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coreunboundmirrorpod, coreunboundmirrorpod, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "status", admission.Update, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid delete of mirror pod status unbound", name: "forbid delete of mirror pod status unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "status", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid create of eviction for mirror pod unbound", name: "forbid create of eviction for mirror pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid update of eviction for mirror pod unbound", name: "forbid update of eviction for mirror pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "eviction", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "eviction", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of eviction for mirror pod unbound", name: "forbid delete of eviction for mirror pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid create of unnamed eviction for mirror pod unbound", name: "forbid create of unnamed eviction for mirror pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
@ -361,55 +369,55 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "forbid creating a normal pod bound to self", name: "forbid creating a normal pod bound to self",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(mypod, nil, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coremypod, nil, podKind, coremypod.Namespace, coremypod.Name, podResource, "", admission.Create, false, mynode),
err: "can only create mirror pods", err: "can only create mirror pods",
}, },
{ {
name: "forbid update of normal pod bound to self", name: "forbid update of normal pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mypod, mypod, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coremypod, coremypod, podKind, coremypod.Namespace, coremypod.Name, podResource, "", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "allow delete of normal pod bound to self", name: "allow delete of normal pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coremypod.Namespace, coremypod.Name, podResource, "", admission.Delete, false, mynode),
err: "", err: "",
}, },
{ {
name: "forbid create of normal pod status bound to self", name: "forbid create of normal pod status bound to self",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(mypod, nil, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coremypod, nil, podKind, coremypod.Namespace, coremypod.Name, podResource, "status", admission.Create, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "allow update of normal pod status bound to self", name: "allow update of normal pod status bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mypod, mypod, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coremypod, coremypod, podKind, coremypod.Namespace, coremypod.Name, podResource, "status", admission.Update, false, mynode),
err: "", err: "",
}, },
{ {
name: "forbid delete of normal pod status bound to self", name: "forbid delete of normal pod status bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coremypod.Namespace, coremypod.Name, podResource, "status", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid update of eviction for normal pod bound to self", name: "forbid update of eviction for normal pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of eviction for normal pod bound to self", name: "forbid delete of eviction for normal pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "allow create of unnamed eviction for normal pod bound to self", name: "allow create of unnamed eviction for normal pod bound to self",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "", err: "",
}, },
@ -417,37 +425,37 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "forbid creating a normal pod bound to another", name: "forbid creating a normal pod bound to another",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(otherpod, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coreotherpod, nil, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "", admission.Create, false, mynode),
err: "can only create mirror pods", err: "can only create mirror pods",
}, },
{ {
name: "forbid update of normal pod bound to another", name: "forbid update of normal pod bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(otherpod, otherpod, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coreotherpod, coreotherpod, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of normal pod bound to another", name: "forbid delete of normal pod bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "", admission.Delete, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid create of normal pod status bound to another", name: "forbid create of normal pod status bound to another",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(otherpod, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coreotherpod, nil, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "status", admission.Create, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid update of normal pod status bound to another", name: "forbid update of normal pod status bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(otherpod, otherpod, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coreotherpod, coreotherpod, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "status", admission.Update, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid delete of normal pod status bound to another", name: "forbid delete of normal pod status bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "status", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
@ -471,7 +479,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "forbid create of unnamed eviction for normal pod bound to another", name: "forbid create of unnamed eviction for normal pod bound to another",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, otherpod.Namespace, otherpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
@ -479,61 +487,61 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "forbid creating a normal pod unbound", name: "forbid creating a normal pod unbound",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coreunboundpod, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Create, false, mynode),
err: "can only create mirror pods", err: "can only create mirror pods",
}, },
{ {
name: "forbid update of normal pod unbound", name: "forbid update of normal pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coreunboundpod, coreunboundpod, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of normal pod unbound", name: "forbid delete of normal pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Delete, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid create of normal pod status unbound", name: "forbid create of normal pod status unbound",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(coreunboundpod, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Create, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid update of normal pod status unbound", name: "forbid update of normal pod status unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(coreunboundpod, coreunboundpod, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Update, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid delete of normal pod status unbound", name: "forbid delete of normal pod status unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid create of eviction for normal pod unbound", name: "forbid create of eviction for normal pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, unboundpod.Namespace, unboundpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
{ {
name: "forbid update of eviction for normal pod unbound", name: "forbid update of eviction for normal pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, unboundpod.Namespace, unboundpod.Name, podResource, "eviction", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "eviction", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of eviction for normal pod unbound", name: "forbid delete of eviction for normal pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, unboundpod.Namespace, unboundpod.Name, podResource, "eviction", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "eviction", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid create of unnamed eviction for normal unbound", name: "forbid create of unnamed eviction for normal unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, unboundpod.Namespace, unboundpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "spec.nodeName set to itself", err: "spec.nodeName set to itself",
}, },
@ -541,31 +549,31 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "forbid delete of unknown pod", name: "forbid delete of unknown pod",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Delete, false, mynode),
err: "not found", err: "not found",
}, },
{ {
name: "forbid create of eviction for unknown pod", name: "forbid create of eviction for unknown pod",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "not found", err: "not found",
}, },
{ {
name: "forbid update of eviction for unknown pod", name: "forbid update of eviction for unknown pod",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of eviction for unknown pod", name: "forbid delete of eviction for unknown pod",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid create of unnamed eviction for unknown pod", name: "forbid create of unnamed eviction for unknown pod",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "not found", err: "not found",
}, },
@ -573,26 +581,26 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "allow create of eviction for unnamed pod", name: "allow create of eviction for unnamed pod",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, unnamedpod.Namespace, unnamedpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coreunnamedpod.Namespace, coreunnamedpod.Name, podResource, "eviction", admission.Create, false, mynode),
// use the submitted eviction resource name as the pod name // use the submitted eviction resource name as the pod name
err: "", err: "",
}, },
{ {
name: "forbid update of eviction for unnamed pod", name: "forbid update of eviction for unnamed pod",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, unnamedpod.Namespace, unnamedpod.Name, podResource, "eviction", admission.Update, false, mynode), attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coreunnamedpod.Namespace, coreunnamedpod.Name, podResource, "eviction", admission.Update, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid delete of eviction for unnamed pod", name: "forbid delete of eviction for unnamed pod",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, unnamedpod.Namespace, unnamedpod.Name, podResource, "eviction", admission.Delete, false, mynode), attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coreunnamedpod.Namespace, coreunnamedpod.Name, podResource, "eviction", admission.Delete, false, mynode),
err: "forbidden: unexpected operation", err: "forbidden: unexpected operation",
}, },
{ {
name: "forbid create of unnamed eviction for unnamed pod", name: "forbid create of unnamed eviction for unnamed pod",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, unnamedpod.Namespace, unnamedpod.Name, podResource, "eviction", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreunnamedpod.Namespace, coreunnamedpod.Name, podResource, "eviction", admission.Create, false, mynode),
err: "could not determine pod from request data", err: "could not determine pod from request data",
}, },
@ -765,21 +773,21 @@ func Test_nodePlugin_Admit(t *testing.T) {
name: "forbid create of token bound to pod without uid", name: "forbid create of token bound to pod without uid",
podsGetter: existingPods, podsGetter: existingPods,
features: trEnabledFeature, features: trEnabledFeature,
attributes: admission.NewAttributesRecord(makeTokenRequest(mypod.Name, ""), nil, tokenrequestKind, "ns", "mysa", svcacctResource, "token", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(makeTokenRequest(coremypod.Name, ""), nil, tokenrequestKind, "ns", "mysa", svcacctResource, "token", admission.Create, false, mynode),
err: "pod binding without a uid", err: "pod binding without a uid",
}, },
{ {
name: "forbid create of token bound to pod scheduled on another node", name: "forbid create of token bound to pod scheduled on another node",
podsGetter: existingPods, podsGetter: existingPods,
features: trEnabledFeature, features: trEnabledFeature,
attributes: admission.NewAttributesRecord(makeTokenRequest(otherpod.Name, otherpod.UID), nil, tokenrequestKind, otherpod.Namespace, "mysa", svcacctResource, "token", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(makeTokenRequest(coreotherpod.Name, coreotherpod.UID), nil, tokenrequestKind, coreotherpod.Namespace, "mysa", svcacctResource, "token", admission.Create, false, mynode),
err: "pod scheduled on a different node", err: "pod scheduled on a different node",
}, },
{ {
name: "allow create of token bound to pod scheduled this node", name: "allow create of token bound to pod scheduled this node",
podsGetter: existingPods, podsGetter: existingPods,
features: trEnabledFeature, features: trEnabledFeature,
attributes: admission.NewAttributesRecord(makeTokenRequest(mypod.Name, mypod.UID), nil, tokenrequestKind, mypod.Namespace, "mysa", svcacctResource, "token", admission.Create, false, mynode), attributes: admission.NewAttributesRecord(makeTokenRequest(coremypod.Name, coremypod.UID), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, false, mynode),
}, },
// Unrelated objects // Unrelated objects
@ -806,37 +814,37 @@ func Test_nodePlugin_Admit(t *testing.T) {
{ {
name: "allow unrelated user creating a normal pod unbound", name: "allow unrelated user creating a normal pod unbound",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Create, false, bob), attributes: admission.NewAttributesRecord(coreunboundpod, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Create, false, bob),
err: "", err: "",
}, },
{ {
name: "allow unrelated user update of normal pod unbound", name: "allow unrelated user update of normal pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Update, false, bob), attributes: admission.NewAttributesRecord(coreunboundpod, coreunboundpod, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Update, false, bob),
err: "", err: "",
}, },
{ {
name: "allow unrelated user delete of normal pod unbound", name: "allow unrelated user delete of normal pod unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, false, bob), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Delete, false, bob),
err: "", err: "",
}, },
{ {
name: "allow unrelated user create of normal pod status unbound", name: "allow unrelated user create of normal pod status unbound",
podsGetter: noExistingPods, podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Create, false, bob), attributes: admission.NewAttributesRecord(coreunboundpod, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Create, false, bob),
err: "", err: "",
}, },
{ {
name: "allow unrelated user update of normal pod status unbound", name: "allow unrelated user update of normal pod status unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Update, false, bob), attributes: admission.NewAttributesRecord(coreunboundpod, coreunboundpod, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Update, false, bob),
err: "", err: "",
}, },
{ {
name: "allow unrelated user delete of normal pod status unbound", name: "allow unrelated user delete of normal pod status unbound",
podsGetter: existingPods, podsGetter: existingPods,
attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Delete, false, bob), attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Delete, false, bob),
err: "", err: "",
}, },
} }

5
plugin/pkg/auth/authorizer/node/BUILD
View File

@ -19,6 +19,7 @@ go_test(
"//pkg/auth/nodeidentifier:go_default_library", "//pkg/auth/nodeidentifier:go_default_library",
"//pkg/features:go_default_library", "//pkg/features:go_default_library",
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library", "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/storage/v1beta1:go_default_library", "//staging/src/k8s.io/api/storage/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
@ -40,18 +41,20 @@ go_library(
importpath = "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node", importpath = "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node",
deps = [ deps = [
"//pkg/api/persistentvolume:go_default_library", "//pkg/api/persistentvolume:go_default_library",
"//pkg/api/pod:go_default_library", "//pkg/api/v1/pod:go_default_library",
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/storage:go_default_library", "//pkg/apis/storage:go_default_library",
"//pkg/auth/nodeidentifier:go_default_library", "//pkg/auth/nodeidentifier:go_default_library",
"//pkg/client/informers/informers_generated/internalversion/core/internalversion:go_default_library", "//pkg/client/informers/informers_generated/internalversion/core/internalversion:go_default_library",
"//pkg/features:go_default_library", "//pkg/features:go_default_library",
"//plugin/pkg/auth/authorizer/rbac:go_default_library", "//plugin/pkg/auth/authorizer/rbac:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/api/rbac/v1:go_default_library",
"//staging/src/k8s.io/api/storage/v1beta1:go_default_library", "//staging/src/k8s.io/api/storage/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
"//staging/src/k8s.io/client-go/informers/storage/v1beta1:go_default_library", "//staging/src/k8s.io/client-go/informers/storage/v1beta1:go_default_library",
"//staging/src/k8s.io/client-go/tools/cache:go_default_library", "//staging/src/k8s.io/client-go/tools/cache:go_default_library",
"//third_party/forked/gonum/graph:go_default_library", "//third_party/forked/gonum/graph:go_default_library",

5
plugin/pkg/auth/authorizer/node/graph.go
View File

@ -19,8 +19,9 @@ package node
import ( import (
"sync" "sync"
corev1 "k8s.io/api/core/v1"
pvutil "k8s.io/kubernetes/pkg/api/persistentvolume" pvutil "k8s.io/kubernetes/pkg/api/persistentvolume"
podutil "k8s.io/kubernetes/pkg/api/pod" podutil "k8s.io/kubernetes/pkg/api/v1/pod"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/third_party/forked/gonum/graph" "k8s.io/kubernetes/third_party/forked/gonum/graph"
"k8s.io/kubernetes/third_party/forked/gonum/graph/simple" "k8s.io/kubernetes/third_party/forked/gonum/graph/simple"
@ -305,7 +306,7 @@ func (g *Graph) recomputeDestinationIndex_locked(n graph.Node) {
// configmap -> pod // configmap -> pod
// pvc -> pod // pvc -> pod
// svcacct -> pod // svcacct -> pod
func (g *Graph) AddPod(pod *api.Pod) { func (g *Graph) AddPod(pod *corev1.Pod) {
g.lock.Lock() g.lock.Lock()
defer g.lock.Unlock() defer g.lock.Unlock()

10
plugin/pkg/auth/authorizer/node/graph_populator.go
View File

@ -20,8 +20,10 @@ import (
"fmt" "fmt"
"github.com/golang/glog" "github.com/golang/glog"
corev1 "k8s.io/api/core/v1"
storagev1beta1 "k8s.io/api/storage/v1beta1" storagev1beta1 "k8s.io/api/storage/v1beta1"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
corev1informers "k8s.io/client-go/informers/core/v1"
storageinformers "k8s.io/client-go/informers/storage/v1beta1" storageinformers "k8s.io/client-go/informers/storage/v1beta1"
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
@ -36,7 +38,7 @@ type graphPopulator struct {
func AddGraphEventHandlers( func AddGraphEventHandlers(
graph *Graph, graph *Graph,
nodes coreinformers.NodeInformer, nodes coreinformers.NodeInformer,
pods coreinformers.PodInformer, pods corev1informers.PodInformer,
pvs coreinformers.PersistentVolumeInformer, pvs coreinformers.PersistentVolumeInformer,
attachments storageinformers.VolumeAttachmentInformer, attachments storageinformers.VolumeAttachmentInformer,
) { ) {
@ -134,13 +136,13 @@ func (g *graphPopulator) addPod(obj interface{}) {
} }
func (g *graphPopulator) updatePod(oldObj, obj interface{}) { func (g *graphPopulator) updatePod(oldObj, obj interface{}) {
pod := obj.(*api.Pod) pod := obj.(*corev1.Pod)
if len(pod.Spec.NodeName) == 0 { if len(pod.Spec.NodeName) == 0 {
// No node assigned // No node assigned
glog.V(5).Infof("updatePod %s/%s, no node", pod.Namespace, pod.Name) glog.V(5).Infof("updatePod %s/%s, no node", pod.Namespace, pod.Name)
return return
} }
if oldPod, ok := oldObj.(*api.Pod); ok && oldPod != nil { if oldPod, ok := oldObj.(*corev1.Pod); ok && oldPod != nil {
if (pod.Spec.NodeName == oldPod.Spec.NodeName) && (pod.UID == oldPod.UID) { if (pod.Spec.NodeName == oldPod.Spec.NodeName) && (pod.UID == oldPod.UID) {
// Node and uid are unchanged, all object references in the pod spec are immutable // Node and uid are unchanged, all object references in the pod spec are immutable
glog.V(5).Infof("updatePod %s/%s, node unchanged", pod.Namespace, pod.Name) glog.V(5).Infof("updatePod %s/%s, node unchanged", pod.Namespace, pod.Name)
@ -155,7 +157,7 @@ func (g *graphPopulator) deletePod(obj interface{}) {
if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok { if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
obj = tombstone.Obj obj = tombstone.Obj
} }
pod, ok := obj.(*api.Pod) pod, ok := obj.(*corev1.Pod)
if !ok { if !ok {
glog.Infof("unexpected type %T", obj) glog.Infof("unexpected type %T", obj)
return return

71
plugin/pkg/auth/authorizer/node/node_authorizer_test.go
View File

@ -26,6 +26,7 @@ import (
"os" "os"
corev1 "k8s.io/api/core/v1"
storagev1beta1 "k8s.io/api/storage/v1beta1" storagev1beta1 "k8s.io/api/storage/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
@ -255,34 +256,34 @@ func TestAuthorizerSharedResources(t *testing.T) {
node2 := &user.DefaultInfo{Name: "system:node:node2", Groups: []string{"system:nodes"}} node2 := &user.DefaultInfo{Name: "system:node:node2", Groups: []string{"system:nodes"}}
node3 := &user.DefaultInfo{Name: "system:node:node3", Groups: []string{"system:nodes"}} node3 := &user.DefaultInfo{Name: "system:node:node3", Groups: []string{"system:nodes"}}
g.AddPod(&api.Pod{ g.AddPod(&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{Name: "pod1-node1", Namespace: "ns1"}, ObjectMeta: metav1.ObjectMeta{Name: "pod1-node1", Namespace: "ns1"},
Spec: api.PodSpec{ Spec: corev1.PodSpec{
NodeName: "node1", NodeName: "node1",
Volumes: []api.Volume{ Volumes: []corev1.Volume{
{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "node1-only"}}}, {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "node1-only"}}},
{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "node1-node2-only"}}}, {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "node1-node2-only"}}},
{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "shared-all"}}}, {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "shared-all"}}},
}, },
}, },
}) })
g.AddPod(&api.Pod{ g.AddPod(&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{Name: "pod2-node2", Namespace: "ns1"}, ObjectMeta: metav1.ObjectMeta{Name: "pod2-node2", Namespace: "ns1"},
Spec: api.PodSpec{ Spec: corev1.PodSpec{
NodeName: "node2", NodeName: "node2",
Volumes: []api.Volume{ Volumes: []corev1.Volume{
{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "node1-node2-only"}}}, {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "node1-node2-only"}}},
{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "shared-all"}}}, {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "shared-all"}}},
}, },
}, },
}) })
pod3 := &api.Pod{ pod3 := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{Name: "pod3-node3", Namespace: "ns1"}, ObjectMeta: metav1.ObjectMeta{Name: "pod3-node3", Namespace: "ns1"},
Spec: api.PodSpec{ Spec: corev1.PodSpec{
NodeName: "node3", NodeName: "node3",
Volumes: []api.Volume{ Volumes: []corev1.Volume{
{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "shared-all"}}}, {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "shared-all"}}},
}, },
}, },
} }
@ -615,13 +616,13 @@ func BenchmarkAuthorization(b *testing.B) {
for shouldWrite == 1 { for shouldWrite == 1 {
go func() { go func() {
start := time.Now() start := time.Now()
authz.graph.AddPod(&api.Pod{ authz.graph.AddPod(&corev1.Pod{
ObjectMeta: metav1.ObjectMeta{Name: "testwrite", Namespace: "ns0"}, ObjectMeta: metav1.ObjectMeta{Name: "testwrite", Namespace: "ns0"},
Spec: api.PodSpec{ Spec: corev1.PodSpec{
NodeName: "node0", NodeName: "node0",
ServiceAccountName: "default", ServiceAccountName: "default",
Volumes: []api.Volume{ Volumes: []corev1.Volume{
{Name: "token", VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "secret0-shared"}}}, {Name: "token", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "secret0-shared"}}},
}, },
}, },
}) })
@ -683,7 +684,7 @@ func BenchmarkAuthorization(b *testing.B) {
} }
} }
func populate(graph *Graph, nodes []*api.Node, pods []*api.Pod, pvs []*api.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) { func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*api.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
p := &graphPopulator{} p := &graphPopulator{}
p.graph = graph p.graph = graph
for _, node := range nodes { for _, node := range nodes {
@ -704,40 +705,40 @@ func populate(graph *Graph, nodes []*api.Node, pods []*api.Pod, pvs []*api.Persi
// the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects. // the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
// for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0. // for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
// when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1. // when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
func generate(opts sampleDataOpts) ([]*api.Node, []*api.Pod, []*api.PersistentVolume, []*storagev1beta1.VolumeAttachment) { func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
nodes := make([]*api.Node, 0, opts.nodes) nodes := make([]*api.Node, 0, opts.nodes)
pods := make([]*api.Pod, 0, opts.nodes*opts.podsPerNode) pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
pvs := make([]*api.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces)) pvs := make([]*api.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode) attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
for n := 0; n < opts.nodes; n++ { for n := 0; n < opts.nodes; n++ {
nodeName := fmt.Sprintf("node%d", n) nodeName := fmt.Sprintf("node%d", n)
for p := 0; p < opts.podsPerNode; p++ { for p := 0; p < opts.podsPerNode; p++ {
pod := &api.Pod{} pod := &corev1.Pod{}
pod.Namespace = fmt.Sprintf("ns%d", p%opts.namespaces) pod.Namespace = fmt.Sprintf("ns%d", p%opts.namespaces)
pod.Name = fmt.Sprintf("pod%d-%s", p, nodeName) pod.Name = fmt.Sprintf("pod%d-%s", p, nodeName)
pod.Spec.NodeName = nodeName pod.Spec.NodeName = nodeName
pod.Spec.ServiceAccountName = fmt.Sprintf("svcacct%d-%s", p, nodeName) pod.Spec.ServiceAccountName = fmt.Sprintf("svcacct%d-%s", p, nodeName)
for i := 0; i < opts.uniqueSecretsPerPod; i++ { for i := 0; i < opts.uniqueSecretsPerPod; i++ {
pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
Secret: &api.SecretVolumeSource{SecretName: fmt.Sprintf("secret%d-%s", i, pod.Name)}, Secret: &corev1.SecretVolumeSource{SecretName: fmt.Sprintf("secret%d-%s", i, pod.Name)},
}}) }})
} }
for i := 0; i < opts.sharedSecretsPerPod; i++ { for i := 0; i < opts.sharedSecretsPerPod; i++ {
pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
Secret: &api.SecretVolumeSource{SecretName: fmt.Sprintf("secret%d-shared", i)}, Secret: &corev1.SecretVolumeSource{SecretName: fmt.Sprintf("secret%d-shared", i)},
}}) }})
} }
for i := 0; i < opts.uniqueConfigMapsPerPod; i++ { for i := 0; i < opts.uniqueConfigMapsPerPod; i++ {
pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
ConfigMap: &api.ConfigMapVolumeSource{LocalObjectReference: api.LocalObjectReference{Name: fmt.Sprintf("configmap%d-%s", i, pod.Name)}}, ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: fmt.Sprintf("configmap%d-%s", i, pod.Name)}},
}}) }})
} }
for i := 0; i < opts.sharedConfigMapsPerPod; i++ { for i := 0; i < opts.sharedConfigMapsPerPod; i++ {
pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
ConfigMap: &api.ConfigMapVolumeSource{LocalObjectReference: api.LocalObjectReference{Name: fmt.Sprintf("configmap%d-shared", i)}}, ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: fmt.Sprintf("configmap%d-shared", i)}},
}}) }})
} }
@ -748,8 +749,8 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*api.Pod, []*api.PersistentVo
pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace} pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace}
pvs = append(pvs, pv) pvs = append(pvs, pv)
pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: pv.Spec.ClaimRef.Name}, PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ClaimName: pv.Spec.ClaimRef.Name},
}}) }})
} }
for i := 0; i < opts.sharedPVCsPerPod; i++ { for i := 0; i < opts.sharedPVCsPerPod; i++ {
@ -759,8 +760,8 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*api.Pod, []*api.PersistentVo
pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace} pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace}
pvs = append(pvs, pv) pvs = append(pvs, pv)
pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: pv.Spec.ClaimRef.Name}, PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ClaimName: pv.Spec.ClaimRef.Name},
}}) }})
} }

2
test/integration/auth/node_test.go
View File

@ -97,7 +97,7 @@ func TestNodeAuthorizer(t *testing.T) {
// Set up NodeRestriction admission // Set up NodeRestriction admission
nodeRestrictionAdmission := noderestriction.NewPlugin(nodeidentifier.NewDefaultNodeIdentifier()) nodeRestrictionAdmission := noderestriction.NewPlugin(nodeidentifier.NewDefaultNodeIdentifier())
nodeRestrictionAdmission.SetInternalKubeInformerFactory(informerFactory) nodeRestrictionAdmission.SetExternalKubeInformerFactory(versionedInformerFactory)
if err := nodeRestrictionAdmission.ValidateInitialization(); err != nil { if err := nodeRestrictionAdmission.ValidateInitialization(); err != nil {
t.Fatal(err) t.Fatal(err)
} }