mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 12:43:23 +00:00
Short-circuit quota admission rejection on zero-delta updates
This commit is contained in:
parent
7a47bc3d1d
commit
4e6a8fbd15
@ -468,29 +468,6 @@ func CheckRequest(quotas []corev1.ResourceQuota, a admission.Attributes, evaluat
|
|||||||
restrictedResourcesSet.Insert(localRestrictedResourcesSet.List()...)
|
restrictedResourcesSet.Insert(localRestrictedResourcesSet.List()...)
|
||||||
}
|
}
|
||||||
|
|
||||||
// verify that for every resource that had limited by default consumption
|
|
||||||
// enabled that there was a corresponding quota that covered its use.
|
|
||||||
// if not, we reject the request.
|
|
||||||
hasNoCoveringQuota := limitedResourceNamesSet.Difference(restrictedResourcesSet)
|
|
||||||
if len(hasNoCoveringQuota) > 0 {
|
|
||||||
return quotas, admission.NewForbidden(a, fmt.Errorf("insufficient quota to consume: %v", strings.Join(hasNoCoveringQuota.List(), ",")))
|
|
||||||
}
|
|
||||||
|
|
||||||
// verify that for every scope that had limited access enabled
|
|
||||||
// that there was a corresponding quota that covered it.
|
|
||||||
// if not, we reject the request.
|
|
||||||
scopesHasNoCoveringQuota, err := evaluator.UncoveredQuotaScopes(limitedScopes, restrictedScopes)
|
|
||||||
if err != nil {
|
|
||||||
return quotas, err
|
|
||||||
}
|
|
||||||
if len(scopesHasNoCoveringQuota) > 0 {
|
|
||||||
return quotas, fmt.Errorf("insufficient quota to match these scopes: %v", scopesHasNoCoveringQuota)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(interestingQuotaIndexes) == 0 {
|
|
||||||
return quotas, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Usage of some resources cannot be counted in isolation. For example, when
|
// Usage of some resources cannot be counted in isolation. For example, when
|
||||||
// the resource represents a number of unique references to external
|
// the resource represents a number of unique references to external
|
||||||
// resource. In such a case an evaluator needs to process other objects in
|
// resource. In such a case an evaluator needs to process other objects in
|
||||||
@ -537,6 +514,29 @@ func CheckRequest(quotas []corev1.ResourceQuota, a admission.Attributes, evaluat
|
|||||||
return quotas, nil
|
return quotas, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// verify that for every resource that had limited by default consumption
|
||||||
|
// enabled that there was a corresponding quota that covered its use.
|
||||||
|
// if not, we reject the request.
|
||||||
|
hasNoCoveringQuota := limitedResourceNamesSet.Difference(restrictedResourcesSet)
|
||||||
|
if len(hasNoCoveringQuota) > 0 {
|
||||||
|
return quotas, admission.NewForbidden(a, fmt.Errorf("insufficient quota to consume: %v", strings.Join(hasNoCoveringQuota.List(), ",")))
|
||||||
|
}
|
||||||
|
|
||||||
|
// verify that for every scope that had limited access enabled
|
||||||
|
// that there was a corresponding quota that covered it.
|
||||||
|
// if not, we reject the request.
|
||||||
|
scopesHasNoCoveringQuota, err := evaluator.UncoveredQuotaScopes(limitedScopes, restrictedScopes)
|
||||||
|
if err != nil {
|
||||||
|
return quotas, err
|
||||||
|
}
|
||||||
|
if len(scopesHasNoCoveringQuota) > 0 {
|
||||||
|
return quotas, fmt.Errorf("insufficient quota to match these scopes: %v", scopesHasNoCoveringQuota)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(interestingQuotaIndexes) == 0 {
|
||||||
|
return quotas, nil
|
||||||
|
}
|
||||||
|
|
||||||
outQuotas, err := copyQuotas(quotas)
|
outQuotas, err := copyQuotas(quotas)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
Loading…
Reference in New Issue
Block a user