Admission control errors should have consistent lower casing
parent
1bd37f477f
commit
a672a986e3
@ -92,15 +92,15 @@ func (d *denyExec) Admit(a admission.Attributes) (err error) {
|
||||
}
|
||||
|
||||
if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
|
||||
return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host pid"))
|
||||
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
|
||||
}
|
||||
|
||||
if d.hostIPC && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
|
||||
return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host ipc"))
|
||||
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host ipc"))
|
||||
}
|
||||
|
||||
if d.privileged && isPrivileged(pod) {
|
||||
return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a privileged container"))
|
||||
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a privileged container"))
|
||||
}
|
||||
|
||||
return nil
|
||||
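Review bot: The three `admission.NewForbidden` messages in `denyExec.Admit` are presumably returned to the API client, so changing their first letter is a visible change for anything that matches the exact text, such as tests, client tooling or alerting rules on denied exec/attach requests. The hunk does not show whether such consumers exist. The same applies to the other Forbidden messages in this commit (`exceeded quota: ...`, `a mirror pod may not reference ...`). I would add a comment above the first check, `// The message text is sent to the client in the 403 response; keep it stable or update matchers together with it.`, and update any string-matching tests in the same change. The body of Admit starts and ends outside the hunk.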
|
@ -53,5 +53,5 @@ func newDataSource(kind string) (dataSource, error) {
|
||||
if kind == "hawkular" {
|
||||
return newHawkularSource(*hawkularConfig)
|
||||
}
|
||||
return nil, fmt.Errorf("Unknown data source %v", kind)
|
||||
return nil, fmt.Errorf("unknown data source %v", kind)
|
||||
}
|
||||
|
@ -163,7 +163,7 @@ func (hs *hawkularSource) init() error {
|
||||
|
||||
if v, found := opts["auth"]; found {
|
||||
if _, f := opts["caCert"]; f {
|
||||
return fmt.Errorf("Both auth and caCert files provided, combination is not supported")
|
||||
return fmt.Errorf("both auth and caCert files provided, combination is not supported")
|
||||
}
|
||||
if len(v[0]) > 0 {
|
||||
// Authfile
|
||||
@ -182,7 +182,7 @@ func (hs *hawkularSource) init() error {
|
||||
|
||||
if u, found := opts["user"]; found {
|
||||
if _, wrong := opts["useServiceAccount"]; wrong {
|
||||
return fmt.Errorf("If user and password are used, serviceAccount cannot be used")
|
||||
return fmt.Errorf("if user and password are used, serviceAccount cannot be used")
|
||||
}
|
||||
if p, f := opts["pass"]; f {
|
||||
hs.modifiers = append(hs.modifiers, func(req *http.Request) error {
|
||||
|
@ -67,7 +67,7 @@ func (s *influxdbSource) GetUsagePercentile(kind api.ResourceName, perc int64, i
|
||||
|
||||
query := fmt.Sprintf("select percentile(value, %v), count(pod_id) from %v where container_base_image%v%v and time > '%v' and time < '%v'", perc, series, imgPattern, namespaceCond, start.UTC().Format(timeFormat), end.UTC().Format(timeFormat))
|
||||
if _, err := s.query(query); err != nil {
|
||||
return 0, 0, fmt.Errorf("Error while trying to query InfluxDB: %v", err)
|
||||
return 0, 0, fmt.Errorf("error while trying to query InfluxDB: %v", err)
|
||||
}
|
||||
return 0, 0, nil
|
||||
}
|
||||
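Review bot: The InfluxDB query in `GetUsagePercentile` is assembled with `fmt.Sprintf`, and `series`, `imgPattern` and `namespaceCond` are interpolated with no quoting or escaping visible in this hunk. They are built earlier in the function, outside the hunk, so if any of them derives from an image name or namespace that a user controls, the value needs escaping before it reaches the query string. I would at least record the requirement next to the call: `// imgPattern and namespaceCond are inserted verbatim; escape quotes and regex metacharacters where they are built.` Separately, the result of `s.query` is discarded and the function returns `0, 0, nil`, which looks unfinished and deserves a TODO.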
|
@ -23,7 +23,7 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/golang-lru"
|
||||
lru "github.com/hashicorp/golang-lru"
|
||||
|
||||
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
|
||||
|
||||
@ -89,7 +89,7 @@ func (l *limitRanger) Admit(a admission.Attributes) (err error) {
|
||||
}
|
||||
items, err := l.indexer.Index("namespace", key)
|
||||
if err != nil {
|
||||
return admission.NewForbidden(a, fmt.Errorf("Unable to %s %v at this time because there was an error enforcing limit ranges", a.GetOperation(), a.GetResource()))
|
||||
return admission.NewForbidden(a, fmt.Errorf("unable to %s %v at this time because there was an error enforcing limit ranges", a.GetOperation(), a.GetResource()))
|
||||
}
|
||||
|
||||
// if there are no items held in our indexer, check our live-lookup LRU, if that misses, do the live lookup to prime it.
|
||||
@ -288,13 +288,13 @@ func minConstraint(limitType api.LimitType, resourceName api.ResourceName, enfor
|
||||
observedReqValue, observedLimValue, enforcedValue := requestLimitEnforcedValues(req, lim, enforced)
|
||||
|
||||
if !reqExists {
|
||||
return fmt.Errorf("Minimum %s usage per %s is %s. No request is specified.", resourceName, limitType, enforced.String())
|
||||
return fmt.Errorf("minimum %s usage per %s is %s. No request is specified.", resourceName, limitType, enforced.String())
|
||||
}
|
||||
if observedReqValue < enforcedValue {
|
||||
return fmt.Errorf("Minimum %s usage per %s is %s, but request is %s.", resourceName, limitType, enforced.String(), req.String())
|
||||
return fmt.Errorf("minimum %s usage per %s is %s, but request is %s.", resourceName, limitType, enforced.String(), req.String())
|
||||
}
|
||||
if limExists && (observedLimValue < enforcedValue) {
|
||||
return fmt.Errorf("Minimum %s usage per %s is %s, but limit is %s.", resourceName, limitType, enforced.String(), lim.String())
|
||||
return fmt.Errorf("minimum %s usage per %s is %s, but limit is %s.", resourceName, limitType, enforced.String(), lim.String())
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@ -306,13 +306,13 @@ func maxConstraint(limitType api.LimitType, resourceName api.ResourceName, enfor
|
||||
observedReqValue, observedLimValue, enforcedValue := requestLimitEnforcedValues(req, lim, enforced)
|
||||
|
||||
if !limExists {
|
||||
return fmt.Errorf("Maximum %s usage per %s is %s. No limit is specified.", resourceName, limitType, enforced.String())
|
||||
return fmt.Errorf("maximum %s usage per %s is %s. No limit is specified.", resourceName, limitType, enforced.String())
|
||||
}
|
||||
if observedLimValue > enforcedValue {
|
||||
return fmt.Errorf("Maximum %s usage per %s is %s, but limit is %s.", resourceName, limitType, enforced.String(), lim.String())
|
||||
return fmt.Errorf("maximum %s usage per %s is %s, but limit is %s.", resourceName, limitType, enforced.String(), lim.String())
|
||||
}
|
||||
if reqExists && (observedReqValue > enforcedValue) {
|
||||
return fmt.Errorf("Maximum %s usage per %s is %s, but request is %s.", resourceName, limitType, enforced.String(), req.String())
|
||||
return fmt.Errorf("maximum %s usage per %s is %s, but request is %s.", resourceName, limitType, enforced.String(), req.String())
|
||||
}
|
||||
return nil
|
||||
}
|
||||
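Review bot: The messages in `minConstraint` and `maxConstraint` are only half normalised: the first word is lowered, but `No request is specified.` and `No limit is specified.` keep a capital in mid-string, and every message still ends in a period. Go error strings are conventionally lowercase without trailing punctuation because they get wrapped into longer messages. I would write `"minimum %s usage per %s is %s; no request is specified"` and `"maximum %s usage per %s is %s; no limit is specified"`, and drop the final period from the other four. The trailing period also remains in the lifecycle message `...because it is being terminated.` and in `error resolving quota.` elsewhere in this commit.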
|
@ -141,7 +141,7 @@ func (l *lifecycle) Admit(a admission.Attributes) error {
|
||||
}
|
||||
|
||||
// TODO: This should probably not be a 403
|
||||
return admission.NewForbidden(a, fmt.Errorf("Unable to create new content in namespace %s because it is being terminated.", a.GetNamespace()))
|
||||
return admission.NewForbidden(a, fmt.Errorf("unable to create new content in namespace %s because it is being terminated.", a.GetNamespace()))
|
||||
}
|
||||
|
||||
return nil
|
||||
|
@ -331,10 +331,10 @@ func (e *quotaEvaluator) checkRequest(quotas []api.ResourceQuota, a admission.At
|
||||
requiredResources := quota.Intersection(hardResources, evaluatorResources)
|
||||
err := evaluator.Constraints(requiredResources, inputObject)
|
||||
if err != nil {
|
||||
return nil, admission.NewForbidden(a, fmt.Errorf("Failed quota: %s: %v", resourceQuota.Name, err))
|
||||
return nil, admission.NewForbidden(a, fmt.Errorf("failed quota: %s: %v", resourceQuota.Name, err))
|
||||
}
|
||||
if !hasUsageStats(&resourceQuota) {
|
||||
return nil, admission.NewForbidden(a, fmt.Errorf("Status unknown for quota: %s", resourceQuota.Name))
|
||||
return nil, admission.NewForbidden(a, fmt.Errorf("status unknown for quota: %s", resourceQuota.Name))
|
||||
}
|
||||
|
||||
interestingQuotaIndexes = append(interestingQuotaIndexes, i)
|
||||
@ -361,7 +361,7 @@ func (e *quotaEvaluator) checkRequest(quotas []api.ResourceQuota, a admission.At
|
||||
if admission.Update == op {
|
||||
prevItem := a.GetOldObject()
|
||||
if prevItem == nil {
|
||||
return nil, admission.NewForbidden(a, fmt.Errorf("Unable to get previous usage since prior version of object was not found"))
|
||||
return nil, admission.NewForbidden(a, fmt.Errorf("unable to get previous usage since prior version of object was not found"))
|
||||
}
|
||||
prevUsage := evaluator.Usage(prevItem)
|
||||
deltaUsage = quota.Subtract(deltaUsage, prevUsage)
|
||||
@ -381,7 +381,7 @@ func (e *quotaEvaluator) checkRequest(quotas []api.ResourceQuota, a admission.At
|
||||
failedUsed := quota.Mask(resourceQuota.Status.Used, exceeded)
|
||||
failedHard := quota.Mask(resourceQuota.Status.Hard, exceeded)
|
||||
return nil, admission.NewForbidden(a,
|
||||
fmt.Errorf("Exceeded quota: %s, requested: %s, used: %s, limited: %s",
|
||||
fmt.Errorf("exceeded quota: %s, requested: %s, used: %s, limited: %s",
|
||||
resourceQuota.Name,
|
||||
prettyPrint(failedRequestedUsage),
|
||||
prettyPrint(failedUsed),
|
||||
|
@ -138,7 +138,7 @@ func (e *quotaAccessor) GetQuotas(namespace string) ([]api.ResourceQuota, error)
|
||||
// if there are no quotas, we don't need to do anything
|
||||
items, err := e.indexer.Index("namespace", &api.ResourceQuota{ObjectMeta: api.ObjectMeta{Namespace: namespace, Name: ""}})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Error resolving quota.")
|
||||
return nil, fmt.Errorf("error resolving quota.")
|
||||
}
|
||||
|
||||
// if there are no items held in our indexer, check our live-lookup LRU, if that misses, do the live lookup to prime it.
|
||||
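Review bot: `GetQuotas` discards the indexer error: `fmt.Errorf("error resolving quota.")` has no format arguments and drops `err`, so whoever sees this failure has nothing to diagnose it with. `limitRanger.Admit` does the same after `l.indexer.Index`. If the text is returned to the API client, keep the generic message and log the cause on the server side; otherwise wrap it, `return nil, fmt.Errorf("error resolving quota: %v", err)`. The function body continues outside the hunk.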
|
@ -167,11 +167,11 @@ func (s *serviceAccount) Admit(a admission.Attributes) (err error) {
|
||||
// That said, don't allow mirror pods to reference ServiceAccounts or SecretVolumeSources either
|
||||
if _, isMirrorPod := pod.Annotations[kubelet.ConfigMirrorAnnotationKey]; isMirrorPod {
|
||||
if len(pod.Spec.ServiceAccountName) != 0 {
|
||||
return admission.NewForbidden(a, fmt.Errorf("A mirror pod may not reference service accounts"))
|
||||
return admission.NewForbidden(a, fmt.Errorf("a mirror pod may not reference service accounts"))
|
||||
}
|
||||
for _, volume := range pod.Spec.Volumes {
|
||||
if volume.VolumeSource.Secret != nil {
|
||||
return admission.NewForbidden(a, fmt.Errorf("A mirror pod may not reference secrets"))
|
||||
return admission.NewForbidden(a, fmt.Errorf("a mirror pod may not reference secrets"))
|
||||
}
|
||||
}
|
||||
return nil
|
||||
@ -185,7 +185,7 @@ func (s *serviceAccount) Admit(a admission.Attributes) (err error) {
|
||||
// Ensure the referenced service account exists
|
||||
serviceAccount, err := s.getServiceAccount(a.GetNamespace(), pod.Spec.ServiceAccountName)
|
||||
if err != nil {
|
||||
return admission.NewForbidden(a, fmt.Errorf("Error looking up service account %s/%s: %v", a.GetNamespace(), pod.Spec.ServiceAccountName, err))
|
||||
return admission.NewForbidden(a, fmt.Errorf("error looking up service account %s/%s: %v", a.GetNamespace(), pod.Spec.ServiceAccountName, err))
|
||||
}
|
||||
if serviceAccount == nil {
|
||||
// TODO: convert to a ServerTimeout error (or other error that sends a Retry-After header)
|
||||
@ -324,7 +324,7 @@ func (s *serviceAccount) limitSecretReferences(serviceAccount *api.ServiceAccoun
|
||||
}
|
||||
secretName := source.Secret.SecretName
|
||||
if !mountableSecrets.Has(secretName) {
|
||||
return fmt.Errorf("Volume with secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", secretName, serviceAccount.Name)
|
||||
return fmt.Errorf("volume with secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", secretName, serviceAccount.Name)
|
||||
}
|
||||
}
|
||||
|
||||
@ -332,7 +332,7 @@ func (s *serviceAccount) limitSecretReferences(serviceAccount *api.ServiceAccoun
|
||||
for _, env := range container.Env {
|
||||
if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil {
|
||||
if !mountableSecrets.Has(env.ValueFrom.SecretKeyRef.Name) {
|
||||
return fmt.Errorf("Init container %s with envVar %s referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, env.Name, env.ValueFrom.SecretKeyRef.Name, serviceAccount.Name)
|
||||
return fmt.Errorf("init container %s with envVar %s referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, env.Name, env.ValueFrom.SecretKeyRef.Name, serviceAccount.Name)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -342,7 +342,7 @@ func (s *serviceAccount) limitSecretReferences(serviceAccount *api.ServiceAccoun
|
||||
for _, env := range container.Env {
|
||||
if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil {
|
||||
if !mountableSecrets.Has(env.ValueFrom.SecretKeyRef.Name) {
|
||||
return fmt.Errorf("Container %s with envVar %s referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, env.Name, env.ValueFrom.SecretKeyRef.Name, serviceAccount.Name)
|
||||
return fmt.Errorf("container %s with envVar %s referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, env.Name, env.ValueFrom.SecretKeyRef.Name, serviceAccount.Name)
|
||||
}
|
||||
}
|
||||
}
|
||||
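Review bot: The messages in `limitSecretReferences` interpolate pod-supplied values (`secretName`, `container.Name`, `env.Name`) with `%s`, and the secret name is wrapped in hand-written `\"%s\"`. Whether these fields have been validated before this admission plugin runs is not visible here, so a name containing quotes or newlines could produce a misleading message in the response or in logs. `%q` quotes and escapes in one step: `"volume with secret.secretName=%q is not allowed because service account %s does not reference that secret"`, and likewise in the two envVar messages. The function starts and ends outside these hunks.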
|