check block owner ref on finalizers subresource

David Eads 2017-09-05 11:08:53 -04:00
parent 6003f87b78
commit 6d040812f0
2 changed files with 16 additions and 3 deletions


@ -122,7 +122,7 @@ func (a *gcPermissionsEnforcement) Admit(attributes admission.Attributes) (err e
for _, record := range records {
allowed, reason, err := a.authorizer.Authorize(record)
if !allowed {
return admission.NewForbidden(attributes, fmt.Errorf("cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't delete: %v, %v", reason, err))
return admission.NewForbidden(attributes, fmt.Errorf("cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: %v, %v", reason, err))
}
}
}
@ -178,12 +178,13 @@ func (a *gcPermissionsEnforcement) ownerRefToDeleteAttributeRecords(ref metav1.O
for _, mapping := range mappings {
ret = append(ret, authorizer.AttributesRecord{
User: attributes.GetUserInfo(),
Verb: "delete",
Verb: "update",
// ownerReference can only refer to an object in the same namespace, so attributes.GetNamespace() equals to the owner's namespace
Namespace: attributes.GetNamespace(),
APIGroup: groupVersion.Group,
APIVersion: groupVersion.Version,
Resource: mapping.Resource,
Subresource: "finalizers",
Name: ref.Name,
ResourceRequest: true,
Path: "",
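Review bot: The helper that builds these records is still named `ownerRefToDeleteAttributeRecords` (see the hunk header) although the record it now emits, `Verb: "update"` with `Subresource: "finalizers"`, no longer authorizes a delete; renaming it to something like `ownerRefToFinalizerUpdateAttributeRecords`, or at least giving it a doc comment, would stop the next reader from assuming the delete permission is what gets checked. The `Subresource: "finalizers"` line also deserves a why-comment, since the hunk does not show the motivation — presumably along the lines of `// blockOwnerDeletion only has an effect through finalizers on the owner, so require update on the owner's finalizers subresource`, to be confirmed against the GC behaviour this enforces. The enclosing function starts and ends outside the hunk.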


@ -39,6 +39,9 @@ func (fakeAuthorizer) Authorize(a authorizer.Attributes) (bool, string, error) {
if a.GetVerb() == "delete" {
return false, "", nil
}
if a.GetVerb() == "update" && a.GetSubresource() == "/finalizers" {
return false, "", nil
}
return true, "", nil
}
@ -46,6 +49,9 @@ func (fakeAuthorizer) Authorize(a authorizer.Attributes) (bool, string, error) {
if a.GetVerb() == "delete" && a.GetResource() == "pods" {
return false, "", nil
}
if a.GetVerb() == "update" && a.GetResource() == "pods" && a.GetSubresource() == "finalizers" {
return false, "", nil
}
return true, "", nil
}
@ -53,6 +59,9 @@ func (fakeAuthorizer) Authorize(a authorizer.Attributes) (bool, string, error) {
if a.GetVerb() == "delete" && a.GetResource() == "replicationcontrollers" {
return false, "", nil
}
if a.GetVerb() == "update" && a.GetResource() == "replicationcontrollers" && a.GetSubresource() == "finalizers" {
return false, "", nil
}
return true, "", nil
}
@ -326,7 +335,10 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
return err == nil
}
expectCantSetBlockOwnerDeletionError := func(err error) bool {
return strings.Contains(err.Error(), "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't delete")
if err == nil {
return false
}
return strings.Contains(err.Error(), "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on")
}
tests := []struct {
name string
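Review bot: The first fake authorizer compares `a.GetSubresource() == "/finalizers"` with a leading slash, while the two sibling fakes compare `"finalizers"` and the admission code builds its record with `Subresource: "finalizers"`, so that branch can never match and this fake will allow the update/finalizers check instead of denying it like its siblings. It should read `if a.GetVerb() == "update" && a.GetSubresource() == "finalizers" {`. Whether a test case currently relies on that fake denying blockOwnerDeletion I can't tell from the hunk, but as written it is a latent false pass rather than a deliberate difference. The `tests` table that begins at the end of the last hunk continues outside SOURCE.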