github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 21:17:23 +00:00
Code Issues Projects Releases Wiki Activity

[kubelet] Reject pods with OS field mismatch

Browse Source 
Once kubernetes#104613 and kubernetes#104693
merge, we'll have OS field in pod spec. Kubelet should start rejecting pods
where pod.Spec.OS and node's OS(using runtime.GOOS) won't match
This commit is contained in:
ravisantoshgudimetla 2021-11-08 17:49:52 -05:00
parent cda360c59f
commit 889d45d3fb
2 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/kubelet/lifecycle/predicate.go
View File

@ -161,6 +161,14 @@ func (w *predicateAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
Message: "Failed to admit pod as the `kubernetes.io/os` label doesn't match node label", Message: "Failed to admit pod as the `kubernetes.io/os` label doesn't match node label",
} }
} }
// By this time, node labels should have been synced, this helps in identifying the pod with the usage.
if rejectPodAdmissionBasedOnOSField(admitPod) {
return PodAdmitResult{
Admit: false,
Reason: "PodOSNotSupported",
Message: "Failed to admit pod as the OS field doesn't match node OS",
}
}
return PodAdmitResult{ return PodAdmitResult{
Admit: true, Admit: true,
} }
@ -187,6 +195,17 @@ func rejectPodAdmissionBasedOnOSSelector(pod *v1.Pod, node *v1.Node) bool {
return false return false
} }
// rejectPodAdmissionBasedOnOSField rejects pods if their OS field doesn't match runtime.GOOS.
// TODO: Relax this restriction when we start supporting LCOW in kubernetes where podOS may not match
// node's OS.
func rejectPodAdmissionBasedOnOSField(pod *v1.Pod) bool {
if pod.Spec.OS == nil {
return false
}
// If the pod OS doesn't match runtime.GOOS return false
return string(pod.Spec.OS.Name) != runtime.GOOS
}
func removeMissingExtendedResources(pod *v1.Pod, nodeInfo *schedulerframework.NodeInfo) *v1.Pod { func removeMissingExtendedResources(pod *v1.Pod, nodeInfo *schedulerframework.NodeInfo) *v1.Pod {
podCopy := pod.DeepCopy() podCopy := pod.DeepCopy()
for i, c := range pod.Spec.Containers { for i, c := range pod.Spec.Containers {

32
pkg/kubelet/lifecycle/predicate_test.go
View File

@ -322,3 +322,35 @@ func TestRejectPodAdmissionBasedOnOSSelector(t *testing.T) {
}) })
} }
} }
func TestRejectPodAdmissionBasedOnOSField(t *testing.T) {
tests := []struct {
name string
pod *v1.Pod
expectRejection bool
}{
{
name: "OS field match",
pod: &v1.Pod{Spec: v1.PodSpec{OS: &v1.PodOS{Name: v1.OSName(goruntime.GOOS)}}},
expectRejection: false,
},
{
name: "OS field mismatch",
pod: &v1.Pod{Spec: v1.PodSpec{OS: &v1.PodOS{Name: "dummyOS"}}},
expectRejection: true,
},
{
name: "no OS field",
pod: &v1.Pod{Spec: v1.PodSpec{}},
expectRejection: false,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
actualResult := rejectPodAdmissionBasedOnOSField(test.pod)
if test.expectRejection != actualResult {
t.Errorf("unexpected result, expected %v but got %v", test.expectRejection, actualResult)
}
})
}
}