Merge pull request #46104 from liggitt/node-admission

Automatic merge from submit-queue (batch tested with PRs 46028, 46104) Use name from node object on create GetName() isn't populated in admission attributes on create unless the rest storage is a NamedCreator (which only specific subresources are today) Fixes #46085
2025-07-29 06:27:05 +00:00 · 2017-05-19 10:58:07 -07:00 · 2017-05-19 10:58:07 -07:00 · 65f5bff1df
commit 65f5bff1df
parent ea828d05b8 a26897362b
2 changed files with 29 additions and 6 deletions
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@ -196,8 +196,19 @@ func (c *nodePlugin) admitPodStatus(nodeName string, a admission.Attributes) err
 }
 func (c *nodePlugin) admitNode(nodeName string, a admission.Attributes) error {
-	if a.GetName() != nodeName {
+	requestedName := a.GetName()
-		return admission.NewForbidden(a, fmt.Errorf("cannot modify other nodes"))
+
 	// On create, get name from new object if unset in admission
 	if len(requestedName) == 0 && a.GetOperation() == admission.Create {
 		node, ok := a.GetObject().(*api.Node)
 		if !ok {
 			return admission.NewForbidden(a, fmt.Errorf("unexpected type %T", a.GetObject()))
 		}
 		requestedName = node.Name
 	}
 	if requestedName != nodeName {
 		return admission.NewForbidden(a, fmt.Errorf("node %s cannot modify node %s", nodeName, requestedName))
 	}
 	return nil
 }
--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
@ -356,6 +356,12 @@ func Test_nodePlugin_Admit(t *testing.T) {
 			attributes: admission.NewAttributesRecord(mynodeObj, nil, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Create, mynode),
 			err:        "",
 		},
 		{
 			name:       "allow create of my node pulling name from object",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(mynodeObj, nil, nodeKind, mynodeObj.Namespace, "", nodeResource, "", admission.Create, mynode),
 			err:        "",
 		},
 		{
 			name:       "allow update of my node",
 			podsGetter: existingPods,
@ -380,25 +386,31 @@ func Test_nodePlugin_Admit(t *testing.T) {
 			name:       "forbid create of other node",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(othernodeObj, nil, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Create, mynode),
-			err:        "cannot modify other nodes",
+			err:        "cannot modify node",
 		},
 		{
 			name:       "forbid create of other node pulling name from object",
 			podsGetter: noExistingPods,
 			attributes: admission.NewAttributesRecord(othernodeObj, nil, nodeKind, othernodeObj.Namespace, "", nodeResource, "", admission.Create, mynode),
 			err:        "cannot modify node",
 		},
 		{
 			name:       "forbid update of other node",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(othernodeObj, othernodeObj, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Update, mynode),
-			err:        "cannot modify other nodes",
+			err:        "cannot modify node",
 		},
 		{
 			name:       "forbid delete of other node",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(nil, nil, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Delete, mynode),
-			err:        "cannot modify other nodes",
+			err:        "cannot modify node",
 		},
 		{
 			name:       "forbid update of other node status",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(othernodeObj, othernodeObj, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "status", admission.Update, mynode),
-			err:        "cannot modify other nodes",
+			err:        "cannot modify node",
 		},
 		// Unrelated objects