From 889c4cc755e77d86840e3112fa432135288a9f33 Mon Sep 17 00:00:00 2001
From: deads2k
Date: Fri, 30 Jan 2015 08:16:46 -0500
Subject: [PATCH] update admission control to properly indicate resource
---
 pkg/admission/attributes.go | 10 +++----
 pkg/admission/interfaces.go | 2 +-
 plugin/pkg/admission/deny/admission.go | 2 +-
 plugin/pkg/admission/limitranger/admission.go | 10 +++----
 .../admission/resourcedefaults/admission.go | 2 +-
 .../pkg/admission/resourcequota/admission.go | 28 +++++++++----------
 6 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/pkg/admission/attributes.go b/pkg/admission/attributes.go
index f762116c725..b4eac199e0d 100644
--- a/pkg/admission/attributes.go
+++ b/pkg/admission/attributes.go
@@ -22,15 +22,15 @@ import (
 type attributesRecord struct {
 namespace string
- kind string
+ resource string
 operation string
 object runtime.Object
 }
-func NewAttributesRecord(object runtime.Object, namespace, kind, operation string) Attributes {
+func NewAttributesRecord(object runtime.Object, namespace, resource, operation string) Attributes {
 return &attributesRecord{
 namespace: namespace,
- kind: kind,
+ resource: resource,
 operation: operation,
 object: object,
 }
@@ -40,8 +40,8 @@ func (record *attributesRecord) GetNamespace() string {
 return record.namespace
 }
-func (record *attributesRecord) GetKind() string {
- return record.kind
+func (record *attributesRecord) GetResource() string {
+ return record.resource
 }
 func (record *attributesRecord) GetOperation() string {
diff --git a/pkg/admission/interfaces.go b/pkg/admission/interfaces.go
index 9f72c0b35c2..af5d8b877a8 100644
--- a/pkg/admission/interfaces.go
+++ b/pkg/admission/interfaces.go
@@ -24,7 +24,7 @@ import (
 // that is used to make an admission decision.
 type Attributes interface {
 GetNamespace() string
- GetKind() string
+ GetResource() string
 GetOperation() string
 GetObject() runtime.Object
 }
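Review bot: The `Attributes` interface in pkg/admission/interfaces.go gains `GetResource()` without any comment stating what string it carries. The plugins in this patch compare the value against the literal "pods", so it appears to be the plural REST resource name rather than an object kind. A doc line on the method such as `// GetResource returns the name of the resource being requested, e.g. "pods".` would pin that contract for plugin authors. The exported `NewAttributesRecord` in attributes.go would benefit from a matching doc comment describing its `resource` argument, since three adjacent string parameters are easy to transpose.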
diff --git a/plugin/pkg/admission/deny/admission.go b/plugin/pkg/admission/deny/admission.go
index e780cab27b4..203cc4f12b7 100644
--- a/plugin/pkg/admission/deny/admission.go
+++ b/plugin/pkg/admission/deny/admission.go
@@ -36,7 +36,7 @@ func init() {
 type alwaysDeny struct{}
 func (alwaysDeny) Admit(a admission.Attributes) (err error) {
- return apierrors.NewForbidden(a.GetKind(), "", errors.New("Admission control is denying all modifications"))
+ return apierrors.NewForbidden(a.GetResource(), "", errors.New("Admission control is denying all modifications"))
 }
 func NewAlwaysDeny() admission.Interface {
diff --git a/plugin/pkg/admission/limitranger/admission.go b/plugin/pkg/admission/limitranger/admission.go
index f13c2294d1d..bf7f4f83a4c 100644
--- a/plugin/pkg/admission/limitranger/admission.go
+++ b/plugin/pkg/admission/limitranger/admission.go
@@ -58,7 +58,7 @@ func (l *limitRanger) Admit(a admission.Attributes) (err error) {
 // ensure it meets each prescribed min/max
 for i := range items.Items {
 limitRange := &items.Items[i]
- err = l.limitFunc(limitRange, a.GetKind(), a.GetObject())
+ err = l.limitFunc(limitRange, a.GetResource(), a.GetObject())
 if err != nil {
 return err
 }
@@ -86,8 +86,8 @@ func Max(a int64, b int64) int64 {
 }
 // PodLimitFunc enforces that a pod spec does not exceed any limits specified on the supplied limit range
-func PodLimitFunc(limitRange *api.LimitRange, kind string, obj runtime.Object) error {
- if kind != "pods" {
+func PodLimitFunc(limitRange *api.LimitRange, resourceName string, obj runtime.Object) error {
+ if resourceName != "pods" {
 return nil
 }
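Review bot: `PodLimitFunc` returns nil whenever `resourceName` differs from the hard-coded "pods", and `limitRanger.Admit` only rejects on a non-nil error, so any spelling or casing drift between this literal and the value the API server supplies would silently turn the limit check into a no-op. The same literal is repeated in the resourcedefaults and resourcequota hunks of this patch. A single shared constant in the admission package (for example a new `const podsResource = "pods"`), or at least a comment naming where the value originates, would keep the comparisons in step. The body of PodLimitFunc continues outside this hunk.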
@@ -161,11 +161,11 @@ func PodLimitFunc(limitRange *api.LimitRange, kind string, obj runtime.Object) e
 switch minOrMax {
 case "Min":
 if observed < enforced {
- return apierrors.NewForbidden(kind, pod.Name, err)
+ return apierrors.NewForbidden(resourceName, pod.Name, err)
 }
 case "Max":
 if observed > enforced {
- return apierrors.NewForbidden(kind, pod.Name, err)
+ return apierrors.NewForbidden(resourceName, pod.Name, err)
 }
 }
 }
diff --git a/plugin/pkg/admission/resourcedefaults/admission.go b/plugin/pkg/admission/resourcedefaults/admission.go
index 11ea55a59ad..733dcf2a940 100644
--- a/plugin/pkg/admission/resourcedefaults/admission.go
+++ b/plugin/pkg/admission/resourcedefaults/admission.go
@@ -47,7 +47,7 @@ func (resourceDefaults) Admit(a admission.Attributes) (err error) {
 }
 // we only care about pods
- if a.GetKind() != "pods" {
+ if a.GetResource() != "pods" {
 return nil
 }
diff --git a/plugin/pkg/admission/resourcequota/admission.go b/plugin/pkg/admission/resourcequota/admission.go
index 3093f95f5fe..bad1edbb750 100644
--- a/plugin/pkg/admission/resourcequota/admission.go
+++ b/plugin/pkg/admission/resourcequota/admission.go
@@ -44,7 +44,7 @@ func NewResourceQuota(client client.Interface) admission.Interface {
 return "a{client: client}
 }
-var kindToResourceName = map[string]api.ResourceName{
+var resourceToResourceName = map[string]api.ResourceName{
 "pods": api.ResourcePods,
 "services": api.ResourceServices,
 "replicationControllers": api.ResourceReplicationControllers,
@@ -57,7 +57,7 @@ func (q *quota) Admit(a admission.Attributes) (err error) {
 }
 obj := a.GetObject()
- kind := a.GetKind()
+ resource := a.GetResource()
 name := "Unknown"
 if obj != nil {
 name, _ = meta.NewAccessor().Name(obj)
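Review bot: The new local `resource := a.GetResource()` in `quota.Admit` shadows the imported `resource` package, which this same file uses as `resource.NewQuantity` in IncrementUsage. It compiles only as long as Admit never needs the package; any later use of `resource.` inside Admit would fail with a confusing "no field or method" error on a string. Naming the local `resourceName`, as IncrementUsage does, or calling `a.GetResource()` directly avoids the shadowing. Admit's body continues outside this hunk.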
@@ -65,7 +65,7 @@ func (q *quota) Admit(a admission.Attributes) (err error) {
 list, err := q.client.ResourceQuotas(a.GetNamespace()).List(labels.Everything())
 if err != nil {
- return apierrors.NewForbidden(a.GetKind(), name, fmt.Errorf("Unable to %s %s at this time because there was an error enforcing quota", a.GetOperation(), kind))
+ return apierrors.NewForbidden(a.GetResource(), name, fmt.Errorf("Unable to %s %s at this time because there was an error enforcing quota", a.GetOperation(), resource))
 }
 if len(list.Items) == 0 {
@@ -90,7 +90,7 @@ func (q *quota) Admit(a admission.Attributes) (err error) {
 usage.Status = quota.Status
 err = q.client.ResourceQuotaUsages(usage.Namespace).Create(&usage)
 if err != nil {
- return apierrors.NewForbidden(a.GetKind(), name, fmt.Errorf("Unable to %s %s at this time because there was an error enforcing quota", a.GetOperation(), a.GetKind()))
+ return apierrors.NewForbidden(a.GetResource(), name, fmt.Errorf("Unable to %s %s at this time because there was an error enforcing quota", a.GetOperation(), a.GetResource()))
 }
 }
 }
@@ -102,7 +102,7 @@ func (q *quota) Admit(a admission.Attributes) (err error) {
 // Return an error if the operation should not pass admission control
 func IncrementUsage(a admission.Attributes, status *api.ResourceQuotaStatus, client client.Interface) (bool, error) {
 obj := a.GetObject()
- kind := a.GetKind()
+ resourceName := a.GetResource()
 name := "Unknown"
 if obj != nil {
 name, _ = meta.NewAccessor().Name(obj)
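Review bot: The `err` returned by `List` is dropped on the new `return apierrors.NewForbidden(...)` line, so when quota enforcement fails an operator sees only the generic "error enforcing quota" text. Rejecting the request here is the right fail-closed behaviour, but the underlying error should be logged server-side before returning, and kept out of the client-facing message. The `Create` failure in the -90,7 hunk discards its error in the same way. The changed line also mixes `a.GetResource()` and the local `resource` for the same value; using one form throughout would read more clearly.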
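Review bot: The function-scope `resourceName := a.GetResource()` added in the -102,7 hunk is a string, but the CREATE branch in the next hunk declares `resourceName := resourceToResourceName[a.GetResource()]`, an `api.ResourceName`, under the same name. Inside that branch `resourceName` means the quota key and everywhere else it means the REST resource, which is presumably why the Forbidden calls in the CREATE branch had to fall back to `a.GetResource()`. Renaming the inner variable, e.g. `quotaName := resourceToResourceName[a.GetResource()]`, removes the shadowing and lets every Forbidden call use the same identifier. IncrementUsage continues outside this hunk.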
@@ -114,15 +114,15 @@ func IncrementUsage(a admission.Attributes, status *api.ResourceQuotaStatus, cli
 }
 // handle max counts for each kind of resource (pods, services, replicationControllers, etc.)
 if a.GetOperation() == "CREATE" {
- resourceName := kindToResourceName[a.GetKind()]
+ resourceName := resourceToResourceName[a.GetResource()]
 hard, hardFound := status.Hard[resourceName]
 if hardFound {
 used, usedFound := status.Used[resourceName]
 if !usedFound {
- return false, apierrors.NewForbidden(kind, name, fmt.Errorf("Quota usage stats are not yet known, unable to admit resource until an accurate count is completed."))
+ return false, apierrors.NewForbidden(a.GetResource(), name, fmt.Errorf("Quota usage stats are not yet known, unable to admit resource until an accurate count is completed."))
 }
 if used.Value() >= hard.Value() {
- return false, apierrors.NewForbidden(kind, name, fmt.Errorf("Limited to %s %s", hard.String(), kind))
+ return false, apierrors.NewForbidden(a.GetResource(), name, fmt.Errorf("Limited to %s %s", hard.String(), a.GetResource()))
 } else {
 status.Used[resourceName] = *resource.NewQuantity(used.Value()+int64(1), resource.DecimalSI)
 dirty = true
@@ -130,7 +130,7 @@ func IncrementUsage(a admission.Attributes, status *api.ResourceQuotaStatus, cli
 }
 }
 // handle memory/cpu constraints, and any diff of usage based on memory/cpu on updates
- if a.GetKind() == "pods" && (set[api.ResourceMemory] || set[api.ResourceCPU]) {
+ if a.GetResource() == "pods" && (set[api.ResourceMemory] || set[api.ResourceCPU]) {
 pod := obj.(*api.Pod)
 deltaCPU := resourcequota.PodCPU(pod)
 deltaMemory := resourcequota.PodMemory(pod)
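Review bot: The lookup `resourceToResourceName[a.GetResource()]` ignores whether the key exists, so any resource string that is not an exact key, including a casing difference from the "replicationControllers" entry, yields the empty ResourceName; `status.Hard` then misses and the count limit is skipped without any error. Whether the API server passes exactly these strings is not visible in this patch, so a test per mapped resource would be worth adding. The comma-ok form, `quotaName, tracked := resourceToResourceName[a.GetResource()]` followed by `if tracked {`, would make the intentional skip for untracked resources explicit. The enclosing function starts and ends outside this hunk.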
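Review bot: `pod := obj.(*api.Pod)` in the -130,7 hunk is an unchecked type assertion gated only by the resource string on the changed line above it, while the start of IncrementUsage guards `obj != nil`, which suggests a nil object can reach this function. A nil or non-Pod object under the "pods" resource would panic inside admission instead of producing a Forbidden error. Prefer `pod, ok := obj.(*api.Pod)` followed by `if !ok { return false, apierrors.NewForbidden(resourceName, name, fmt.Errorf("unexpected object type %T", obj)) }`. The enclosing function starts and ends outside this hunk.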
@@ -138,7 +138,7 @@ func IncrementUsage(a admission.Attributes, status *api.ResourceQuotaStatus, cli
 if a.GetOperation() == "UPDATE" {
 oldPod, err := client.Pods(a.GetNamespace()).Get(pod.Name)
 if err != nil {
- return false, apierrors.NewForbidden(kind, name, err)
+ return false, apierrors.NewForbidden(resourceName, name, err)
 }
 oldCPU := resourcequota.PodCPU(oldPod)
 oldMemory := resourcequota.PodMemory(oldPod)
@@ -150,10 +150,10 @@ func IncrementUsage(a admission.Attributes, status *api.ResourceQuotaStatus, cli
 if hardMemFound {
 used, usedFound := status.Used[api.ResourceMemory]
 if !usedFound {
- return false, apierrors.NewForbidden(kind, name, fmt.Errorf("Quota usage stats are not yet known, unable to admit resource until an accurate count is completed."))
+ return false, apierrors.NewForbidden(resourceName, name, fmt.Errorf("Quota usage stats are not yet known, unable to admit resource until an accurate count is completed."))
 }
 if used.Value()+deltaMemory.Value() > hardMem.Value() {
- return false, apierrors.NewForbidden(kind, name, fmt.Errorf("Limited to %s memory", hardMem.String()))
+ return false, apierrors.NewForbidden(resourceName, name, fmt.Errorf("Limited to %s memory", hardMem.String()))
 } else {
 status.Used[api.ResourceMemory] = *resource.NewQuantity(used.Value()+deltaMemory.Value(), resource.DecimalSI)
 dirty = true
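Review bot: The "Quota usage stats are not yet known" error in the -150,10 hunk is built with `fmt.Errorf` and no format verbs, and the identical literal appears three times on the new side: here, in the CREATE hunk and in the CPU hunk. Hoisting it into one package-level error value, for example a new `errUsageUnknown` initialised with the existing text, would keep the three call sites identical and avoid a constant-format-string `Errorf`. The enclosing IncrementUsage starts and ends outside this hunk.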
@@ -163,10 +163,10 @@ func IncrementUsage(a admission.Attributes, status *api.ResourceQuotaStatus, cli
 if hardCPUFound {
 used, usedFound := status.Used[api.ResourceCPU]
 if !usedFound {
- return false, apierrors.NewForbidden(kind, name, fmt.Errorf("Quota usage stats are not yet known, unable to admit resource until an accurate count is completed."))
+ return false, apierrors.NewForbidden(resourceName, name, fmt.Errorf("Quota usage stats are not yet known, unable to admit resource until an accurate count is completed."))
 }
 if used.MilliValue()+deltaCPU.MilliValue() > hardCPU.MilliValue() {
- return false, apierrors.NewForbidden(kind, name, fmt.Errorf("Limited to %s CPU", hardCPU.String()))
+ return false, apierrors.NewForbidden(resourceName, name, fmt.Errorf("Limited to %s CPU", hardCPU.String()))
 } else {
 status.Used[api.ResourceCPU] = *resource.NewMilliQuantity(used.MilliValue()+deltaCPU.MilliValue(), resource.DecimalSI)
 dirty = true