github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 05:27:21 +00:00
Code Issues Projects Releases Wiki Activity

Never prevent deletion of resources as part of namespace lifecycle

Browse Source
This commit is contained in:
Jordan Liggitt 2017-07-10 17:03:47 -04:00
parent b039c6e185
commit 95bf4983de
No known key found for this signature in database
GPG Key ID: 39928704103C7229
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission.go
View File

@ -105,6 +105,11 @@ func (l *lifecycle) Admit(a admission.Attributes) error {
return nil return nil
} }
// always allow deletion of other resources
if a.GetOperation() == admission.Delete {
return nil
}
// always allow access review checks. Returning status about the namespace would be leaking information // always allow access review checks. Returning status about the namespace would be leaking information
if isAccessReview(a) { if isAccessReview(a) {
return nil return nil

18
staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go
View File

@ -135,6 +135,24 @@ func TestAdmissionNamespaceDoesNotExist(t *testing.T) {
} }
t.Errorf("expected error returned from admission handler: %v", actions) t.Errorf("expected error returned from admission handler: %v", actions)
} }
// verify create operations in the namespace cause an error
err = handler.Admit(admission.NewAttributesRecord(&pod, nil, v1.SchemeGroupVersion.WithKind("Pod").GroupKind().WithVersion("version"), pod.Namespace, pod.Name, v1.Resource("pods").WithVersion("version"), "", admission.Create, nil))
if err == nil {
t.Errorf("Expected error rejecting creates in a namespace when it is missing")
}
// verify update operations in the namespace cause an error
err = handler.Admit(admission.NewAttributesRecord(&pod, nil, v1.SchemeGroupVersion.WithKind("Pod").GroupKind().WithVersion("version"), pod.Namespace, pod.Name, v1.Resource("pods").WithVersion("version"), "", admission.Update, nil))
if err == nil {
t.Errorf("Expected error rejecting updates in a namespace when it is missing")
}
// verify delete operations in the namespace can proceed
err = handler.Admit(admission.NewAttributesRecord(nil, nil, v1.SchemeGroupVersion.WithKind("Pod").GroupKind().WithVersion("version"), pod.Namespace, pod.Name, v1.Resource("pods").WithVersion("version"), "", admission.Delete, nil))
if err != nil {
t.Errorf("Unexpected error returned from admission handler: %v", err)
}
} }
// TestAdmissionNamespaceActive verifies a resource is admitted when the namespace is active. // TestAdmissionNamespaceActive verifies a resource is admitted when the namespace is active.