From a26897362bfe3ef163882ea7ca296c4dcaff8d9e Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 19 May 2017 10:31:54 -0400
Subject: [PATCH] Use name from node object on create

---
 .../admission/noderestriction/admission.go | 15 ++++++++++++--
 .../noderestriction/admission_test.go | 20 +++++++++++++++----
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
index 7eabfdf7a73..155763b3bca 100644
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@@ -196,8 +196,19 @@ func (c *nodePlugin) admitPodStatus(nodeName string, a admission.Attributes) err
 }
 
 func (c *nodePlugin) admitNode(nodeName string, a admission.Attributes) error {
- if a.GetName() != nodeName {
- return admission.NewForbidden(a, fmt.Errorf("cannot modify other nodes"))
+ requestedName := a.GetName()
+
+ // On create, get name from new object if unset in admission
+ if len(requestedName) == 0 && a.GetOperation() == admission.Create {
+ node, ok := a.GetObject().(*api.Node)
+ if !ok {
+ return admission.NewForbidden(a, fmt.Errorf("unexpected type %T", a.GetObject()))
+ }
+ requestedName = node.Name
+ }
+
+ if requestedName != nodeName {
+ return admission.NewForbidden(a, fmt.Errorf("node %s cannot modify node %s", nodeName, requestedName))
 }
 return nil
 }
diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
index 5cb0eb23bb8..71cea49e870 100644
--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
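Review bot: The fallback leaves requestedName empty when the created Node carries no metadata.name (for example a generateName-only object), and the final comparison then denies only because nodeName is assumed to be non-empty, which nothing in this hunk establishes; failing closed explicitly keeps the check correct regardless of what admitNode's callers pass: `if len(requestedName) == 0 {` / `return admission.NewForbidden(a, fmt.Errorf("node name is required"))` / `}` placed before the `requestedName != nodeName` comparison. The `*api.Node` assertion also yields ok == false when a.GetObject() is nil, so the `unexpected type %T` branch covers a missing object as well as a foreign type; that is the right outcome but deserves a word in the comment, e.g. `// On create the attributes may carry no name; take it from the object, which must be a *api.Node (a nil or foreign object is denied)`. admitNode's callers and the derivation of nodeName are outside this hunk.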
@@ -356,6 +356,12 @@ func Test_nodePlugin_Admit(t *testing.T) {
 attributes: admission.NewAttributesRecord(mynodeObj, nil, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Create, mynode),
 err: "",
 },
+ {
+ name: "allow create of my node pulling name from object",
+ podsGetter: noExistingPods,
+ attributes: admission.NewAttributesRecord(mynodeObj, nil, nodeKind, mynodeObj.Namespace, "", nodeResource, "", admission.Create, mynode),
+ err: "",
+ },
 {
 name: "allow update of my node",
 podsGetter: existingPods,
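Review bot: The new table entry exercises only the successful name-from-object path; the `unexpected type` branch that admitNode now takes when the attributes carry no name and the object is not a `*api.Node` has no case in this hunk, and neither does a Node whose metadata.name is also empty, which must be denied rather than matched. An entry along the lines of `name: "forbid create with unexpected object type"` built with `admission.NewAttributesRecord(&api.Pod{}, nil, nodeKind, "", "", nodeResource, "", admission.Create, mynode)` and `err: "unexpected type"` would pin the fail-closed behaviour (assuming the test file has the api package in scope, as the node fixtures suggest). The rest of the table and the body of Test_nodePlugin_Admit lie outside this hunk.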
@@ -380,25 +386,31 @@ func Test_nodePlugin_Admit(t *testing.T) {
 name: "forbid create of other node",
 podsGetter: noExistingPods,
 attributes: admission.NewAttributesRecord(othernodeObj, nil, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Create, mynode),
- err: "cannot modify other nodes",
+ err: "cannot modify node",
+ },
+ {
+ name: "forbid create of other node pulling name from object",
+ podsGetter: noExistingPods,
+ attributes: admission.NewAttributesRecord(othernodeObj, nil, nodeKind, othernodeObj.Namespace, "", nodeResource, "", admission.Create, mynode),
+ err: "cannot modify node",
 },
 {
 name: "forbid update of other node",
 podsGetter: existingPods,
 attributes: admission.NewAttributesRecord(othernodeObj, othernodeObj, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Update, mynode),
- err: "cannot modify other nodes",
+ err: "cannot modify node",
 },
 {
 name: "forbid delete of other node",
 podsGetter: existingPods,
 attributes: admission.NewAttributesRecord(nil, nil, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "", admission.Delete, mynode),
- err: "cannot modify other nodes",
+ err: "cannot modify node",
 },
 {
 name: "forbid update of other node status",
 podsGetter: existingPods,
 attributes: admission.NewAttributesRecord(othernodeObj, othernodeObj, nodeKind, othernodeObj.Namespace, othernodeObj.Name, nodeResource, "status", admission.Update, mynode),
- err: "cannot modify other nodes",
+ err: "cannot modify node",
 },
 // Unrelated objects