Allow system critical priority classes in API validation

2025-09-24 19:38:02 +00:00 · 2018-03-01 00:47:48 -08:00
parent 515ba9e8d4
commit 9592a9ecf4
12 changed files with 193 additions and 78 deletions
--- a/plugin/pkg/admission/priority/admission.go
+++ b/plugin/pkg/admission/priority/admission.go
@@ -19,12 +19,10 @@ package priority
 import (
 	"fmt"
 	"io"
-	"strings"

 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apiserver/pkg/admission"
-	"k8s.io/apiserver/pkg/authentication/user"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/scheduling"
@@ -188,16 +186,6 @@ func (p *priorityPlugin) validatePriorityClass(a admission.Attributes) error {
 	if !ok {
 		return errors.NewBadRequest("resource was marked with kind PriorityClass but was unable to be converted")
 	}
-	// API server adds system critical priority classes at bootstrapping. We should
-	// not enforce restrictions on adding system level priority classes for API server.
-	if userInfo := a.GetUserInfo(); userInfo == nil || userInfo.GetName() != user.APIServerUser {
-		if pc.Value > scheduling.HighestUserDefinablePriority {
-			return admission.NewForbidden(a, fmt.Errorf("maximum allowed value of a user defined priority is %v", scheduling.HighestUserDefinablePriority))
-		}
-		if strings.HasPrefix(pc.Name, scheduling.SystemPriorityClassPrefix) {
-			return admission.NewForbidden(a, fmt.Errorf("priority class names with '"+scheduling.SystemPriorityClassPrefix+"' prefix are reserved for system use only"))
-		}
-	}
 	// If the new PriorityClass tries to be the default priority, make sure that no other priority class is marked as default.
 	if pc.GlobalDefault {
 		dpc, err := p.getDefaultPriorityClass()
--- a/plugin/pkg/admission/priority/admission_test.go
+++ b/plugin/pkg/admission/priority/admission_test.go
@@ -87,17 +87,6 @@ var systemClusterCritical = &scheduling.PriorityClass{
 }

 func TestPriorityClassAdmission(t *testing.T) {
-	var tooHighPriorityClass = &scheduling.PriorityClass{
-		TypeMeta: metav1.TypeMeta{
-			Kind: "PriorityClass",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "toohighclass",
-		},
-		Value:       scheduling.HighestUserDefinablePriority + 1,
-		Description: "Just a test priority class",
-	}
-
 	var systemClass = &scheduling.PriorityClass{
 		TypeMeta: metav1.TypeMeta{
 			Kind: "PriorityClass",
@@ -131,21 +120,7 @@ func TestPriorityClassAdmission(t *testing.T) {
 			true,
 		},
 		{
-			"too high PriorityClass value",
-			[]*scheduling.PriorityClass{},
-			tooHighPriorityClass,
-			nil,
-			true,
-		},
-		{
-			"system name conflict",
-			[]*scheduling.PriorityClass{},
-			systemClass,
-			nil,
-			true,
-		},
-		{
-			"system name allowed for API server",
+			"system name and value are allowed by admission controller",
 			[]*scheduling.PriorityClass{},
 			systemClass,
 			&user.DefaultInfo{