github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-15 23:03:40 +00:00
Code Issues Projects Releases Wiki Activity

add warnings for duplicated paths in projected volumes

Browse Source
This commit is contained in:
Nikola 2023-11-18 17:14:39 +02:00
parent 95debfb5b6
commit 7708bcb4fc
2 changed files with 134 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
pkg/api/pod/warnings.go
View File

@ -170,6 +170,60 @@ func warningsForPodSpecAndMeta(fieldPath *field.Path, podSpec *api.PodSpec, meta
} }
} }
items := sets.NewString()
for _, v := range podSpec.Volumes {
if v.Projected != nil {
for _, k := range v.Projected.Sources {
if k.ServiceAccountToken != nil {
items.Insert(k.ServiceAccountToken.Path)
}
}
}
}
if items.Len() > 0 {
for i, item := range podSpec.Volumes {
if item.Projected != nil {
for _, k := range item.Projected.Sources {
if k.ConfigMap != nil {
if len(k.ConfigMap.Items) > 0 {
for j, item := range k.ConfigMap.Items {
if items.Has(item.Path) {
warnings = append(warnings, fmt.Sprintf("%s: has duplicated path with ServiceAccountToken %q", fieldPath.Child("spec", "volumes").Index(i).Child("projected", "sources", "configMap").Index(j), item.Path))
}
}
}
}
if k.Secret != nil {
if len(k.Secret.Items) > 0 {
for j, item := range k.Secret.Items {
if items.Has(item.Path) {
warnings = append(warnings, fmt.Sprintf("%s: has duplicated path with ServiceAccountToken %q", fieldPath.Child("spec", "volumes").Index(i).Child("projected", "sources", "secrets").Index(j), item.Path))
}
}
}
}
if k.DownwardAPI != nil {
for j, item := range k.DownwardAPI.Items {
if items.Has(item.Path) {
warnings = append(warnings, fmt.Sprintf("%s: has duplicated path with ServiceAccountToken %q", fieldPath.Child("spec", "volumes").Index(i).Child("projected", "sources", "downwardAPI").Index(j), item.Path))
}
}
}
if k.ClusterTrustBundle != nil {
if items.Has(k.ClusterTrustBundle.Path) {
warnings = append(warnings, fmt.Sprintf("%s: has duplicated path with ServiceAccountToken %q", fieldPath.Child("spec", "volumes").Index(i).Child("projected", "sources", "ClusterTrustBundle"), k.ClusterTrustBundle.Path))
}
}
}
}
}
}
// duplicate hostAliases (#91670, #58477) // duplicate hostAliases (#91670, #58477)
if len(podSpec.HostAliases) > 1 { if len(podSpec.HostAliases) > 1 {
items := sets.New[string]() items := sets.New[string]()

80
pkg/api/pod/warnings_test.go
View File

@ -235,6 +235,86 @@ func TestWarnings(t *testing.T) {
}, },
expected: []string{`spec.volumes[0].rbd: deprecated in v1.28, non-functional in v1.31+`}, expected: []string{`spec.volumes[0].rbd: deprecated in v1.28, non-functional in v1.31+`},
}, },
{
name: "duplicated path in projected volumes - secret and service account token",
template: &api.PodTemplateSpec{Spec: api.PodSpec{
Volumes: []api.Volume{
{
Name: "t",
VolumeSource: api.VolumeSource{
Projected: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
{Secret: &api.SecretProjection{Items: []api.KeyToPath{{Path: "/test-path", Key: "test"}}}},
{ServiceAccountToken: &api.ServiceAccountTokenProjection{Path: "/test-path"}},
}},
},
},
},
}},
expected: []string{
"spec.volumes[0].projected.sources.secrets[0]: has duplicated path with ServiceAccountToken \"/test-path\"",
},
},
{
name: "duplicated path in projected volumes - configMap and service account token",
template: &api.PodTemplateSpec{Spec: api.PodSpec{
Volumes: []api.Volume{
{
Name: "t",
VolumeSource: api.VolumeSource{
Projected: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
{ConfigMap: &api.ConfigMapProjection{Items: []api.KeyToPath{{Path: "/test-path", Key: "test"}}}},
{ServiceAccountToken: &api.ServiceAccountTokenProjection{Path: "/test-path"}},
}},
},
},
},
}},
expected: []string{
"spec.volumes[0].projected.sources.configMap[0]: has duplicated path with ServiceAccountToken \"/test-path\"",
},
},
{
name: "duplicated path in projected volumes - downwardAPI and service account token",
template: &api.PodTemplateSpec{Spec: api.PodSpec{
Volumes: []api.Volume{
{
Name: "t",
VolumeSource: api.VolumeSource{
Projected: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
{DownwardAPI: &api.DownwardAPIProjection{Items: []api.DownwardAPIVolumeFile{{Path: "/test-path"}}}},
{ServiceAccountToken: &api.ServiceAccountTokenProjection{Path: "/test-path"}},
}},
},
},
},
}},
expected: []string{
"spec.volumes[0].projected.sources.downwardAPI[0]: has duplicated path with ServiceAccountToken \"/test-path\"",
},
},
{
name: "duplicated path in projected volumes - ClusterTrustBundle and service account token",
template: &api.PodTemplateSpec{Spec: api.PodSpec{
Volumes: []api.Volume{
{
Name: "t",
VolumeSource: api.VolumeSource{
Projected: &api.ProjectedVolumeSource{
Sources: []api.VolumeProjection{
{ClusterTrustBundle: &api.ClusterTrustBundleProjection{Path: "/test-path"}},
{ServiceAccountToken: &api.ServiceAccountTokenProjection{Path: "/test-path"}},
}},
},
},
},
}},
expected: []string{
"spec.volumes[0].projected.sources.ClusterTrustBundle: has duplicated path with ServiceAccountToken \"/test-path\"",
},
},
{ {
name: "duplicate hostAlias", name: "duplicate hostAlias",
template: &api.PodTemplateSpec{Spec: api.PodSpec{ template: &api.PodTemplateSpec{Spec: api.PodSpec{