github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-01 07:47:56 +00:00
Code Issues Projects Releases Wiki Activity

Tighten validation on the qosClass field of pod status

Browse Source
This commit is contained in:
carlory 2024-10-30 10:43:06 +08:00
parent 1af81c223d
commit 9cb7d58b3c
3 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/apis/core/validation/validation.go
View File

@ -5373,6 +5373,9 @@ func ValidatePodStatusUpdate(newPod, oldPod *core.Pod, opts PodValidationOptions
} }
} }
// Pod QoS is immutable
allErrs = append(allErrs, ValidateImmutableField(newPod.Status.QOSClass, oldPod.Status.QOSClass, fldPath.Child("qosClass"))...)
// If pod should not restart, make sure the status update does not transition // If pod should not restart, make sure the status update does not transition
// any terminated containers to a non-terminated state. // any terminated containers to a non-terminated state.
allErrs = append(allErrs, ValidateContainerStateTransition(newPod.Status.ContainerStatuses, oldPod.Status.ContainerStatuses, fldPath.Child("containerStatuses"), oldPod.Spec.RestartPolicy)...) allErrs = append(allErrs, ValidateContainerStateTransition(newPod.Status.ContainerStatuses, oldPod.Status.ContainerStatuses, fldPath.Child("containerStatuses"), oldPod.Spec.RestartPolicy)...)

26
pkg/apis/core/validation/validation_test.go
View File

@ -14454,6 +14454,32 @@ func TestValidatePodStatusUpdate(t *testing.T) {
), ),
"", "",
"restartable init container can restart if RestartPolicyAlways", "restartable init container can restart if RestartPolicyAlways",
}, {
*podtest.MakePod("foo",
podtest.SetStatus(core.PodStatus{
QOSClass: core.PodQOSBurstable,
}),
),
*podtest.MakePod("foo",
podtest.SetStatus(core.PodStatus{
QOSClass: core.PodQOSGuaranteed,
}),
),
"tatus.qosClass: Invalid value: \"Burstable\": field is immutable",
"qosClass can not be changed",
}, {
*podtest.MakePod("foo",
podtest.SetStatus(core.PodStatus{
QOSClass: core.PodQOSBurstable,
}),
),
*podtest.MakePod("foo",
podtest.SetStatus(core.PodStatus{
QOSClass: core.PodQOSBurstable,
}),
),
"",
"qosClass no change",
}, },
} }

5
pkg/registry/core/pod/strategy.go
View File

@ -226,6 +226,11 @@ func (podStatusStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.
// don't allow the pods/status endpoint to touch owner references since old kubelets corrupt them in a way // don't allow the pods/status endpoint to touch owner references since old kubelets corrupt them in a way
// that breaks garbage collection // that breaks garbage collection
newPod.OwnerReferences = oldPod.OwnerReferences newPod.OwnerReferences = oldPod.OwnerReferences
// the Pod QoS is immutable and populated at creation time by the kube-apiserver.
// we need to backfill it for backward compatibility because the old kubelet dropped this field when the pod was rejected.
if newPod.Status.QOSClass == "" {
newPod.Status.QOSClass = oldPod.Status.QOSClass
}
} }
func (podStatusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList { func (podStatusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {