From a56087cdf8a8831a968c00c335588b7906150ea7 Mon Sep 17 00:00:00 2001 From: derekwaynecarr Date: Wed, 7 Jan 2015 14:33:21 -0500 Subject: [PATCH] Remove client from attributes, remove admission control interface, fix-up error codes --- cmd/integration/integration.go | 4 +- cmd/kube-apiserver/apiserver.go | 2 +- pkg/admission/admission_control.go | 69 --------------------- pkg/admission/attributes.go | 9 +-- pkg/admission/chain.go | 8 ++- pkg/admission/interfaces.go | 7 --- pkg/admission/plugins.go | 13 ++-- pkg/api/errors/errors.go | 14 +++++ pkg/api/types.go | 11 ++++ pkg/apiserver/apiserver.go | 4 +- pkg/apiserver/apiserver_test.go | 18 +++--- pkg/apiserver/resthandler.go | 8 +-- pkg/master/master.go | 8 +-- plugin/pkg/admission/admit/admission.go | 8 ++- plugin/pkg/admission/deny/admission.go | 7 ++- plugin/pkg/admission/deny/admission_test.go | 2 +- test/integration/auth_test.go | 18 +++--- test/integration/client_test.go | 4 +- 18 files changed, 84 insertions(+), 130 deletions(-) delete mode 100644 pkg/admission/admission_control.go diff --git a/cmd/integration/integration.go b/cmd/integration/integration.go index 1f8b8e1d618..65d14aa94dd 100644 --- a/cmd/integration/integration.go +++ b/cmd/integration/integration.go @@ -31,7 +31,6 @@ import ( "sync" "time" - "github.com/GoogleCloudPlatform/kubernetes/pkg/admission" "github.com/GoogleCloudPlatform/kubernetes/pkg/api" "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors" "github.com/GoogleCloudPlatform/kubernetes/pkg/api/latest" @@ -48,6 +47,7 @@ import ( "github.com/GoogleCloudPlatform/kubernetes/pkg/standalone" "github.com/GoogleCloudPlatform/kubernetes/pkg/util" "github.com/GoogleCloudPlatform/kubernetes/pkg/util/wait" + "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/admit" "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/scheduler" "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/scheduler/factory" @@ -163,7 +163,7 @@ func startComponents(manifestURL string) (apiServerURL string) { EnableLogsSupport: false, APIPrefix: "/api", Authorizer: apiserver.NewAlwaysAllowAuthorizer(), - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), ReadWritePort: portNumber, ReadOnlyPort: portNumber, PublicAddress: host, diff --git a/cmd/kube-apiserver/apiserver.go b/cmd/kube-apiserver/apiserver.go index d60fb4be2e1..cdcc5d997d9 100644 --- a/cmd/kube-apiserver/apiserver.go +++ b/cmd/kube-apiserver/apiserver.go @@ -168,7 +168,7 @@ func main() { } admissionControlPluginNames := strings.Split(*admissionControl, ",") - admissionController := admission.NewAdmissionControl(client, admissionControlPluginNames, *admissionControlConfigFile) + admissionController := admission.NewFromPlugins(client, admissionControlPluginNames, *admissionControlConfigFile) config := &master.Config{ Client: client, diff --git a/pkg/admission/admission_control.go b/pkg/admission/admission_control.go deleted file mode 100644 index 2941a38c4bc..00000000000 --- a/pkg/admission/admission_control.go +++ /dev/null @@ -1,69 +0,0 @@ -/* -Copyright 2014 Google Inc. All rights reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package admission - -import ( - "errors" - - apierrors "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors" - "github.com/GoogleCloudPlatform/kubernetes/pkg/client" - "github.com/GoogleCloudPlatform/kubernetes/pkg/runtime" -) - -// stubAdmissionController is capable of either always admitting or always denying incoming requests -type stubAdmissionController struct { - admit bool -} - -func (ac *stubAdmissionController) AdmissionControl(operation, kind, namespace string, object runtime.Object) (err error) { - if !ac.admit { - err = apierrors.NewConflict(kind, "name", errors.New("No changes allowed")) - } - return err -} - -func NewAlwaysAdmitController() AdmissionControl { - return &stubAdmissionController{ - admit: true, - } -} - -func NewAlwaysDenyController() AdmissionControl { - return &stubAdmissionController{ - admit: false, - } -} - -type admissionController struct { - client client.Interface - admissionHandler Interface -} - -func NewAdmissionControl(client client.Interface, pluginNames []string, configFilePath string) AdmissionControl { - return NewAdmissionControlForHandler(client, newInterface(pluginNames, configFilePath)) -} - -func NewAdmissionControlForHandler(client client.Interface, handler Interface) AdmissionControl { - return &admissionController{ - client: client, - admissionHandler: handler, - } -} - -func (ac *admissionController) AdmissionControl(operation, kind, namespace string, object runtime.Object) (err error) { - return ac.admissionHandler.Admit(NewAttributesRecord(ac.client, object, namespace, kind, operation)) -} diff --git a/pkg/admission/attributes.go b/pkg/admission/attributes.go index 2a5d05849e7..f762116c725 100644 --- a/pkg/admission/attributes.go +++ b/pkg/admission/attributes.go @@ -17,21 +17,18 @@ limitations under the License. package admission import ( - "github.com/GoogleCloudPlatform/kubernetes/pkg/client" "github.com/GoogleCloudPlatform/kubernetes/pkg/runtime" ) type attributesRecord struct { - client client.Interface namespace string kind string operation string object runtime.Object } -func NewAttributesRecord(client client.Interface, object runtime.Object, namespace, kind, operation string) Attributes { +func NewAttributesRecord(object runtime.Object, namespace, kind, operation string) Attributes { return &attributesRecord{ - client: client, namespace: namespace, kind: kind, operation: operation, @@ -39,10 +36,6 @@ func NewAttributesRecord(client client.Interface, object runtime.Object, namespa } } -func (record *attributesRecord) GetClient() client.Interface { - return record.client -} - func (record *attributesRecord) GetNamespace() string { return record.namespace } diff --git a/pkg/admission/chain.go b/pkg/admission/chain.go index 544c825b800..696c1f23497 100644 --- a/pkg/admission/chain.go +++ b/pkg/admission/chain.go @@ -16,16 +16,18 @@ limitations under the License. package admission -import () +import ( + "github.com/GoogleCloudPlatform/kubernetes/pkg/client" +) // chainAdmissionHandler is an instance of admission.Interface that performs admission control using a chain of admission handlers type chainAdmissionHandler []Interface // New returns an admission.Interface that will enforce admission control decisions -func newInterface(pluginNames []string, configFilePath string) Interface { +func NewFromPlugins(client client.Interface, pluginNames []string, configFilePath string) Interface { plugins := []Interface{} for _, pluginName := range pluginNames { - plugin := InitPlugin(pluginName, configFilePath) + plugin := InitPlugin(pluginName, client, configFilePath) if plugin != nil { plugins = append(plugins, plugin) } diff --git a/pkg/admission/interfaces.go b/pkg/admission/interfaces.go index 8dd9ee127cf..9f72c0b35c2 100644 --- a/pkg/admission/interfaces.go +++ b/pkg/admission/interfaces.go @@ -17,14 +17,12 @@ limitations under the License. package admission import ( - "github.com/GoogleCloudPlatform/kubernetes/pkg/client" "github.com/GoogleCloudPlatform/kubernetes/pkg/runtime" ) // Attributes is an interface used by AdmissionController to get information about a request // that is used to make an admission decision. type Attributes interface { - GetClient() client.Interface GetNamespace() string GetKind() string GetOperation() string @@ -36,8 +34,3 @@ type Interface interface { // Admit makes an admission decision based on the request attributes Admit(a Attributes) (err error) } - -// AdmissionControl is responsible for performing Admission control decisions -type AdmissionControl interface { - AdmissionControl(operation, kind, namespace string, object runtime.Object) (err error) -} diff --git a/pkg/admission/plugins.go b/pkg/admission/plugins.go index d4ff6dfb7a9..6fecabd9f6c 100644 --- a/pkg/admission/plugins.go +++ b/pkg/admission/plugins.go @@ -21,6 +21,7 @@ import ( "os" "sync" + "github.com/GoogleCloudPlatform/kubernetes/pkg/client" "github.com/golang/glog" ) @@ -28,7 +29,7 @@ import ( // The config parameter provides an io.Reader handler to the factory in // order to load specific configurations. If no configuration is provided // the parameter is nil. -type Factory func(config io.Reader) (Interface, error) +type Factory func(client client.Interface, config io.Reader) (Interface, error) // All registered admission options. var pluginsMutex sync.Mutex @@ -62,19 +63,19 @@ func RegisterPlugin(name string, plugin Factory) { // the name is not known. The error return is only used if the named provider // was known but failed to initialize. The config parameter specifies the // io.Reader handler of the configuration file for the cloud provider, or nil -// for no configuation. -func GetPlugin(name string, config io.Reader) (Interface, error) { +// for no configuration. +func GetPlugin(name string, client client.Interface, config io.Reader) (Interface, error) { pluginsMutex.Lock() defer pluginsMutex.Unlock() f, found := plugins[name] if !found { return nil, nil } - return f(config) + return f(client, config) } // InitPlugin creates an instance of the named interface -func InitPlugin(name string, configFilePath string) Interface { +func InitPlugin(name string, client client.Interface, configFilePath string) Interface { var config *os.File if name == "" { @@ -94,7 +95,7 @@ func InitPlugin(name string, configFilePath string) Interface { defer config.Close() } - plugin, err := GetPlugin(name, config) + plugin, err := GetPlugin(name, client, config) if err != nil { glog.Fatalf("Couldn't init admission plugin %q: %v", name, err) } diff --git a/pkg/api/errors/errors.go b/pkg/api/errors/errors.go index 6304be652f9..9f24248571a 100644 --- a/pkg/api/errors/errors.go +++ b/pkg/api/errors/errors.go @@ -92,6 +92,20 @@ func NewAlreadyExists(kind, name string) error { }} } +// NewForbidden returns an error indicating the requested action was forbidden +func NewForbidden(kind, name string, err error) error { + return &StatusError{api.Status{ + Status: api.StatusFailure, + Code: http.StatusForbidden, + Reason: api.StatusReasonForbidden, + Details: &api.StatusDetails{ + Kind: kind, + ID: name, + }, + Message: fmt.Sprintf("%s %q is forbidden", kind, name), + }} +} + // NewConflict returns an error indicating the item can't be updated as provided. func NewConflict(kind, name string, err error) error { return &StatusError{api.Status{ diff --git a/pkg/api/types.go b/pkg/api/types.go index d7c0e6e3cf6..eeb9c1d9675 100644 --- a/pkg/api/types.go +++ b/pkg/api/types.go @@ -856,6 +856,17 @@ const ( // Status code 202 StatusReasonWorking StatusReason = "Working" + // StatusReasonForbidden means the server can be reached and understood the request, but refuses + // to take any further action. It is the result of the server being configured to deny access for some reason + // to the requested resource by the client. + // Details (optional): + // "kind" string - the kind attribute of the forbidden resource + // on some operations may differ from the requested + // resource. + // "id" string - the identifier of the forbidden resource + // Status code 403 + StatusReasonForbidden StatusReason = "Forbidden" + // StatusReasonNotFound means one or more resources required for this operation // could not be found. // Details (optional): diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go index 561f9ae4116..076f9ced270 100644 --- a/pkg/apiserver/apiserver.go +++ b/pkg/apiserver/apiserver.go @@ -56,7 +56,7 @@ const ( // Handle returns a Handler function that exposes the provided storage interfaces // as RESTful resources at prefix, serialized by codec, and also includes the support // http resources. -func Handle(storage map[string]RESTStorage, codec runtime.Codec, root string, version string, selfLinker runtime.SelfLinker, admissionControl admission.AdmissionControl) http.Handler { +func Handle(storage map[string]RESTStorage, codec runtime.Codec, root string, version string, selfLinker runtime.SelfLinker, admissionControl admission.Interface) http.Handler { prefix := root + "/" + version group := NewAPIGroupVersion(storage, codec, prefix, selfLinker, admissionControl) container := restful.NewContainer() @@ -84,7 +84,7 @@ type APIGroupVersion struct { // This is a helper method for registering multiple sets of REST handlers under different // prefixes onto a server. // TODO: add multitype codec serialization -func NewAPIGroupVersion(storage map[string]RESTStorage, codec runtime.Codec, canonicalPrefix string, selfLinker runtime.SelfLinker, admissionControl admission.AdmissionControl) *APIGroupVersion { +func NewAPIGroupVersion(storage map[string]RESTStorage, codec runtime.Codec, canonicalPrefix string, selfLinker runtime.SelfLinker, admissionControl admission.Interface) *APIGroupVersion { return &APIGroupVersion{RESTHandler{ storage: storage, codec: codec, diff --git a/pkg/apiserver/apiserver_test.go b/pkg/apiserver/apiserver_test.go index e585ccffee1..dd4803e79ec 100644 --- a/pkg/apiserver/apiserver_test.go +++ b/pkg/apiserver/apiserver_test.go @@ -39,6 +39,8 @@ import ( "github.com/GoogleCloudPlatform/kubernetes/pkg/util" "github.com/GoogleCloudPlatform/kubernetes/pkg/version" "github.com/GoogleCloudPlatform/kubernetes/pkg/watch" + "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/admit" + "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/deny" ) func convert(obj runtime.Object) (runtime.Object, error) { @@ -54,7 +56,7 @@ var accessor = meta.NewAccessor() var versioner runtime.ResourceVersioner = accessor var selfLinker runtime.SelfLinker = accessor var mapper meta.RESTMapper -var admissionControl admission.AdmissionControl +var admissionControl admission.Interface func interfacesFor(version string) (*meta.VersionInterfaces, error) { switch version { @@ -94,7 +96,7 @@ func init() { ) defMapper.Add(api.Scheme, true, versions...) mapper = defMapper - admissionControl = admission.NewAlwaysAdmitController() + admissionControl = admit.NewAlwaysAdmit() } type Simple struct { @@ -482,7 +484,7 @@ func TestDeleteInvokesAdmissionControl(t *testing.T) { simpleStorage := SimpleRESTStorage{} ID := "id" storage["simple"] = &simpleStorage - handler := Handle(storage, codec, "/prefix", testVersion, selfLinker, admission.NewAlwaysDenyController()) + handler := Handle(storage, codec, "/prefix", testVersion, selfLinker, deny.NewAlwaysDeny()) server := httptest.NewServer(handler) defer server.Close() @@ -492,7 +494,7 @@ func TestDeleteInvokesAdmissionControl(t *testing.T) { if err != nil { t.Errorf("unexpected error: %v", err) } - if response.StatusCode != http.StatusConflict { + if response.StatusCode != http.StatusForbidden { t.Errorf("Unexpected response %#v", response) } } @@ -566,7 +568,7 @@ func TestUpdateInvokesAdmissionControl(t *testing.T) { t: t, expectedSet: "/prefix/version/simple/" + ID, } - handler := Handle(storage, codec, "/prefix", testVersion, selfLinker, admission.NewAlwaysDenyController()) + handler := Handle(storage, codec, "/prefix", testVersion, selfLinker, deny.NewAlwaysDeny()) server := httptest.NewServer(handler) defer server.Close() @@ -585,7 +587,7 @@ func TestUpdateInvokesAdmissionControl(t *testing.T) { if err != nil { t.Errorf("unexpected error: %v", err) } - if response.StatusCode != http.StatusConflict { + if response.StatusCode != http.StatusForbidden { t.Errorf("Unexpected response %#v", response) } } @@ -679,7 +681,7 @@ func TestCreateInvokesAdmissionControl(t *testing.T) { } handler := Handle(map[string]RESTStorage{ "foo": simpleStorage, - }, codec, "/prefix", testVersion, selfLinker, admission.NewAlwaysDenyController()) + }, codec, "/prefix", testVersion, selfLinker, deny.NewAlwaysDeny()) handler.(*defaultAPIServer).group.handler.asyncOpWait = 0 server := httptest.NewServer(handler) defer server.Close() @@ -698,7 +700,7 @@ func TestCreateInvokesAdmissionControl(t *testing.T) { if err != nil { t.Errorf("unexpected error: %v", err) } - if response.StatusCode != http.StatusConflict { + if response.StatusCode != http.StatusForbidden { t.Errorf("Unexpected response %#v", response) } } diff --git a/pkg/apiserver/resthandler.go b/pkg/apiserver/resthandler.go index 13e007dd88c..978a5149212 100644 --- a/pkg/apiserver/resthandler.go +++ b/pkg/apiserver/resthandler.go @@ -38,7 +38,7 @@ type RESTHandler struct { selfLinker runtime.SelfLinker ops *Operations asyncOpWait time.Duration - admissionControl admission.AdmissionControl + admissionControl admission.Interface } // ServeHTTP handles requests to all RESTStorage objects. @@ -209,7 +209,7 @@ func (h *RESTHandler) handleRESTStorage(parts []string, req *http.Request, w htt } // invoke admission control - err = h.admissionControl.AdmissionControl("CREATE", parts[0], namespace, obj) + err = h.admissionControl.Admit(admission.NewAttributesRecord(obj, namespace, parts[0], "CREATE")) if err != nil { errorJSON(err, h.codec, w) return @@ -230,7 +230,7 @@ func (h *RESTHandler) handleRESTStorage(parts []string, req *http.Request, w htt } // invoke admission control - err := h.admissionControl.AdmissionControl("DELETE", parts[0], namespace, nil) + err := h.admissionControl.Admit(admission.NewAttributesRecord(nil, namespace, parts[0], "DELETE")) if err != nil { errorJSON(err, h.codec, w) return @@ -262,7 +262,7 @@ func (h *RESTHandler) handleRESTStorage(parts []string, req *http.Request, w htt } // invoke admission control - err = h.admissionControl.AdmissionControl("UPDATE", parts[0], namespace, obj) + err = h.admissionControl.Admit(admission.NewAttributesRecord(obj, namespace, parts[0], "UPDATE")) if err != nil { errorJSON(err, h.codec, w) return diff --git a/pkg/master/master.go b/pkg/master/master.go index b4770ed8465..1ad09d5c542 100644 --- a/pkg/master/master.go +++ b/pkg/master/master.go @@ -76,7 +76,7 @@ type Config struct { CorsAllowedOriginList util.StringList Authenticator authenticator.Request Authorizer authorizer.Authorizer - AdmissionControl admission.AdmissionControl + AdmissionControl admission.Interface // If specified, all web services will be registered into this container RestfulContainer *restful.Container @@ -120,7 +120,7 @@ type Master struct { corsAllowedOriginList util.StringList authenticator authenticator.Request authorizer authorizer.Authorizer - admissionControl admission.AdmissionControl + admissionControl admission.Interface masterCount int readOnlyServer string @@ -466,7 +466,7 @@ func (m *Master) getServersToValidate(c *Config) map[string]apiserver.Server { } // API_v1beta1 returns the resources and codec for API version v1beta1. -func (m *Master) API_v1beta1() (map[string]apiserver.RESTStorage, runtime.Codec, string, runtime.SelfLinker, admission.AdmissionControl) { +func (m *Master) API_v1beta1() (map[string]apiserver.RESTStorage, runtime.Codec, string, runtime.SelfLinker, admission.Interface) { storage := make(map[string]apiserver.RESTStorage) for k, v := range m.storage { storage[k] = v @@ -475,7 +475,7 @@ func (m *Master) API_v1beta1() (map[string]apiserver.RESTStorage, runtime.Codec, } // API_v1beta2 returns the resources and codec for API version v1beta2. -func (m *Master) API_v1beta2() (map[string]apiserver.RESTStorage, runtime.Codec, string, runtime.SelfLinker, admission.AdmissionControl) { +func (m *Master) API_v1beta2() (map[string]apiserver.RESTStorage, runtime.Codec, string, runtime.SelfLinker, admission.Interface) { storage := make(map[string]apiserver.RESTStorage) for k, v := range m.storage { storage[k] = v diff --git a/plugin/pkg/admission/admit/admission.go b/plugin/pkg/admission/admit/admission.go index 1264dec3c86..67c5c6cdd8c 100644 --- a/plugin/pkg/admission/admit/admission.go +++ b/plugin/pkg/admission/admit/admission.go @@ -17,12 +17,16 @@ limitations under the License. package admit import ( - "github.com/GoogleCloudPlatform/kubernetes/pkg/admission" "io" + + "github.com/GoogleCloudPlatform/kubernetes/pkg/admission" + "github.com/GoogleCloudPlatform/kubernetes/pkg/client" ) func init() { - admission.RegisterPlugin("AlwaysAdmit", func(config io.Reader) (admission.Interface, error) { return NewAlwaysAdmit(), nil }) + admission.RegisterPlugin("AlwaysAdmit", func(client client.Interface, config io.Reader) (admission.Interface, error) { + return NewAlwaysAdmit(), nil + }) } // alwaysAdmit is an implementation of admission.Interface which always says yes to an admit request. diff --git a/plugin/pkg/admission/deny/admission.go b/plugin/pkg/admission/deny/admission.go index 8f0f6243bdb..e780cab27b4 100644 --- a/plugin/pkg/admission/deny/admission.go +++ b/plugin/pkg/admission/deny/admission.go @@ -22,10 +22,13 @@ import ( "github.com/GoogleCloudPlatform/kubernetes/pkg/admission" apierrors "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors" + "github.com/GoogleCloudPlatform/kubernetes/pkg/client" ) func init() { - admission.RegisterPlugin("AlwaysDeny", func(config io.Reader) (admission.Interface, error) { return NewAlwaysDeny(), nil }) + admission.RegisterPlugin("AlwaysDeny", func(client client.Interface, config io.Reader) (admission.Interface, error) { + return NewAlwaysDeny(), nil + }) } // alwaysDeny is an implementation of admission.Interface which always says no to an admission request. @@ -33,7 +36,7 @@ func init() { type alwaysDeny struct{} func (alwaysDeny) Admit(a admission.Attributes) (err error) { - return apierrors.NewConflict(a.GetKind(), "", errors.New("No changes allowed")) + return apierrors.NewForbidden(a.GetKind(), "", errors.New("Admission control is denying all modifications")) } func NewAlwaysDeny() admission.Interface { diff --git a/plugin/pkg/admission/deny/admission_test.go b/plugin/pkg/admission/deny/admission_test.go index d931ad2bffc..50e25971319 100644 --- a/plugin/pkg/admission/deny/admission_test.go +++ b/plugin/pkg/admission/deny/admission_test.go @@ -24,7 +24,7 @@ import ( func TestAdmission(t *testing.T) { handler := NewAlwaysDeny() - err := handler.Admit(admission.NewAttributesRecord(nil, nil, "foo", "Pod", "ignored")) + err := handler.Admit(admission.NewAttributesRecord(nil, "foo", "Pod", "ignored")) if err == nil { t.Errorf("Expected error returned from admission handler") } diff --git a/test/integration/auth_test.go b/test/integration/auth_test.go index ae27f445154..f90cf2bcf09 100644 --- a/test/integration/auth_test.go +++ b/test/integration/auth_test.go @@ -32,7 +32,6 @@ import ( "os" "testing" - "github.com/GoogleCloudPlatform/kubernetes/pkg/admission" "github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver" "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator" "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator/bearertoken" @@ -41,6 +40,7 @@ import ( "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/user" "github.com/GoogleCloudPlatform/kubernetes/pkg/client" "github.com/GoogleCloudPlatform/kubernetes/pkg/master" + "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/admit" "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/auth/authenticator/token/tokentest" ) @@ -307,7 +307,7 @@ func TestAuthModeAlwaysAllow(t *testing.T) { EnableUISupport: false, APIPrefix: "/api", Authorizer: apiserver.NewAlwaysAllowAuthorizer(), - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) transport := http.DefaultTransport @@ -358,7 +358,7 @@ func TestAuthModeAlwaysDeny(t *testing.T) { EnableUISupport: false, APIPrefix: "/api", Authorizer: apiserver.NewAlwaysDenyAuthorizer(), - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) transport := http.DefaultTransport @@ -424,7 +424,7 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) { APIPrefix: "/api", Authenticator: getTestTokenAuth(), Authorizer: allowAliceAuthorizer{}, - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) transport := http.DefaultTransport @@ -484,7 +484,7 @@ func TestBobIsForbidden(t *testing.T) { APIPrefix: "/api", Authenticator: getTestTokenAuth(), Authorizer: allowAliceAuthorizer{}, - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) transport := http.DefaultTransport @@ -544,7 +544,7 @@ func TestUnknownUserIsUnauthorized(t *testing.T) { APIPrefix: "/api", Authenticator: getTestTokenAuth(), Authorizer: allowAliceAuthorizer{}, - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) transport := http.DefaultTransport @@ -623,7 +623,7 @@ func TestNamespaceAuthorization(t *testing.T) { APIPrefix: "/api", Authenticator: getTestTokenAuth(), Authorizer: a, - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) transport := http.DefaultTransport @@ -707,7 +707,7 @@ func TestKindAuthorization(t *testing.T) { APIPrefix: "/api", Authenticator: getTestTokenAuth(), Authorizer: a, - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) transport := http.DefaultTransport @@ -785,7 +785,7 @@ func TestReadOnlyAuthorization(t *testing.T) { APIPrefix: "/api", Authenticator: getTestTokenAuth(), Authorizer: a, - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) transport := http.DefaultTransport diff --git a/test/integration/client_test.go b/test/integration/client_test.go index 45928441705..9ad1bb83c7d 100644 --- a/test/integration/client_test.go +++ b/test/integration/client_test.go @@ -24,13 +24,13 @@ import ( "reflect" "testing" - "github.com/GoogleCloudPlatform/kubernetes/pkg/admission" "github.com/GoogleCloudPlatform/kubernetes/pkg/api" "github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver" "github.com/GoogleCloudPlatform/kubernetes/pkg/client" "github.com/GoogleCloudPlatform/kubernetes/pkg/labels" "github.com/GoogleCloudPlatform/kubernetes/pkg/master" "github.com/GoogleCloudPlatform/kubernetes/pkg/version" + "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/admit" ) func init() { @@ -57,7 +57,7 @@ func TestClient(t *testing.T) { EnableUISupport: false, APIPrefix: "/api", Authorizer: apiserver.NewAlwaysAllowAuthorizer(), - AdmissionControl: admission.NewAlwaysAdmitController(), + AdmissionControl: admit.NewAlwaysAdmit(), }) testCases := []string{