From bc1fb1f7e8c60781bf5d9dded149c4dbc62ff8a6 Mon Sep 17 00:00:00 2001
From: yue9944882 <291271447@qq.com>
Date: Wed, 8 Aug 2018 20:41:00 +0800
Subject: [PATCH] node authz/ad externalization

---
 pkg/kubeapiserver/admission/BUILD | 1 -
 pkg/kubeapiserver/admission/initializer.go | 2 -
 pkg/kubeapiserver/authorizer/config.go | 2 +-
 plugin/pkg/admission/noderestriction/BUILD | 9 +-
 .../admission/noderestriction/admission.go | 14 +-
 .../noderestriction/admission_test.go | 214 +++++++++---------
 plugin/pkg/auth/authorizer/node/BUILD | 5 +-
 plugin/pkg/auth/authorizer/node/graph.go | 5 +-
 .../auth/authorizer/node/graph_populator.go | 10 +-
 .../authorizer/node/node_authorizer_test.go | 71 +++--
 test/integration/auth/node_test.go | 2 +-
 11 files changed, 174 insertions(+), 161 deletions(-)

diff --git a/pkg/kubeapiserver/admission/BUILD b/pkg/kubeapiserver/admission/BUILD
index 59468cd06c6..46b8805356a 100644
--- a/pkg/kubeapiserver/admission/BUILD
+++ b/pkg/kubeapiserver/admission/BUILD
@@ -25,7 +25,6 @@ go_library(
         "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
-        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
     ],
 )
diff --git a/pkg/kubeapiserver/admission/initializer.go b/pkg/kubeapiserver/admission/initializer.go
index 0a7903227c7..d47338ac2f4 100644
--- a/pkg/kubeapiserver/admission/initializer.go
+++ b/pkg/kubeapiserver/admission/initializer.go
@@ -21,7 +21,6 @@ import (
 	"k8s.io/apiserver/pkg/admission"
 	webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
-	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/quota"
@@ -60,7 +59,6 @@ type WantsQuotaConfiguration interface {
 // PluginInitializer is used for initialization of the Kubernetes specific admission plugins.
 type PluginInitializer struct {
 	internalClient internalclientset.Interface
-	externalClient clientset.Interface
 	informers informers.SharedInformerFactory
 	authorizer authorizer.Authorizer
 	cloudConfig []byte
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index a72ba5ee63c..71c4dcdc008 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -75,7 +75,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
 		node.AddGraphEventHandlers(
 			graph,
 			config.InformerFactory.Core().InternalVersion().Nodes(),
-			config.InformerFactory.Core().InternalVersion().Pods(),
+			config.VersionedInformerFactory.Core().V1().Pods(),
 			config.InformerFactory.Core().InternalVersion().PersistentVolumes(),
 			config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
 		)
diff --git a/plugin/pkg/admission/noderestriction/BUILD b/plugin/pkg/admission/noderestriction/BUILD
index 202c760aaf0..21f09b3a709 100644
--- a/plugin/pkg/admission/noderestriction/BUILD
+++ b/plugin/pkg/admission/noderestriction/BUILD
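Review bot: The node authorizer graph now takes its pod informer from `config.VersionedInformerFactory` while nodes and persistent volumes still come from `config.InformerFactory`, so the pod-derived edges the authorizer relies on (pod→node, pod→secret/configmap/PVC) are populated by a second factory that is started and synced independently of the first. Confirm that the server startup path that builds this config starts and waits for `VersionedInformerFactory` before the authorizer serves; presumably a not-yet-synced pod cache means node requests for objects reachable only through pods are denied until it fills, which is fail-closed but worth a note. A short comment on the argument would help the next reader: `// pods are consumed from the versioned (client-go) factory; nodes and PVs still come from the internal one`. The matching `AddGraphEventHandlers` signature change in graph_populator.go is in the diffstat but not in view, and the enclosing `New` body extends beyond the hunk.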
@@ -16,15 +16,15 @@ go_library(
         "//pkg/apis/core:go_default_library",
         "//pkg/apis/policy:go_default_library",
         "//pkg/auth/nodeidentifier:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
-        "//pkg/client/listers/core/internalversion:go_default_library",
         "//pkg/features:go_default_library",
-        "//pkg/kubeapiserver/admission:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//staging/src/k8s.io/client-go/informers:go_default_library",
+        "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
     ],
 )
@@ -37,13 +37,14 @@ go_test(
         "//pkg/apis/core:go_default_library",
         "//pkg/apis/policy:go_default_library",
         "//pkg/auth/nodeidentifier:go_default_library",
-        "//pkg/client/listers/core/internalversion:go_default_library",
         "//pkg/features:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
         "//staging/src/k8s.io/client-go/tools/cache:go_default_library",
     ],
 )
diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
index 1b9851dd505..4d803d82683 100644
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@@ -24,16 +24,16 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apiserver/pkg/admission"
+	apiserveradmission "k8s.io/apiserver/pkg/admission/initializer"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/informers"
+	corev1lister "k8s.io/client-go/listers/core/v1"
 	podutil "k8s.io/kubernetes/pkg/api/pod"
 	authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
-	internalversion "k8s.io/kubernetes/pkg/client/listers/core/internalversion"
 	"k8s.io/kubernetes/pkg/features"
-	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 )
 const (
@@ -61,18 +61,18 @@ func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier) *nodePlugin {
 type nodePlugin struct {
 	*admission.Handler
 	nodeIdentifier nodeidentifier.NodeIdentifier
-	podsGetter internalversion.PodLister
+	podsGetter corev1lister.PodLister
 	// allows overriding for testing
 	features utilfeature.FeatureGate
 }
 var (
 	_ = admission.Interface(&nodePlugin{})
-	_ = kubeapiserveradmission.WantsInternalKubeInformerFactory(&nodePlugin{})
+	_ = apiserveradmission.WantsExternalKubeInformerFactory(&nodePlugin{})
 )
-func (p *nodePlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) {
-	p.podsGetter = f.Core().InternalVersion().Pods().Lister()
+func (p *nodePlugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
+	p.podsGetter = f.Core().V1().Pods().Lister()
 }
 func (p *nodePlugin) ValidateInitialization() error {
diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
index c608b46c915..6774dfd4bd5 100644
--- a/plugin/pkg/admission/noderestriction/admission_test.go
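Review bot: `podsGetter` is now fed by the external (client-go) informer factory, which is started and synced separately from the internal factory this plugin used before, and the `Admit` path that consults it for existing-pod lookups lies outside the hunk; confirm that path still fails closed (denies the kubelet's request) on a lister error or miss rather than treating a not-yet-synced cache as "no existing pod", since this plugin is the boundary that stops a node from touching pods bound elsewhere. The lister now returns `*corev1.Pod` instead of `*api.Pod`; field reads such as `Spec.NodeName` and `Annotations` compile on both, but any helper in `Admit` that takes an internal pod would have needed the same change, so the small diffstat for this file suggests none does — worth a second look. `SetExternalKubeInformerFactory` is an exported method without a doc comment; add `// SetExternalKubeInformerFactory wires podsGetter to the versioned core/v1 pod lister; the admission chain calls it through WantsExternalKubeInformerFactory.` `ValidateInitialization` starts at the last line of the hunk and its body is not in view.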
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
@@ -20,17 +20,18 @@ import (
 	"strings"
 	"testing"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	corev1lister "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
-	"k8s.io/kubernetes/pkg/client/listers/core/internalversion"
 	"k8s.io/kubernetes/pkg/features"
 )
@@ -48,16 +49,22 @@ func init() {
 	}
 }
-func makeTestPod(namespace, name, node string, mirror bool) *api.Pod {
-	pod := &api.Pod{}
-	pod.Namespace = namespace
-	pod.UID = types.UID("pod-uid")
-	pod.Name = name
-	pod.Spec.NodeName = node
+func makeTestPod(namespace, name, node string, mirror bool) (*api.Pod, *corev1.Pod) {
+	corePod := &api.Pod{}
+	corePod.Namespace = namespace
+	corePod.UID = types.UID("pod-uid")
+	corePod.Name = name
+	corePod.Spec.NodeName = node
+	v1Pod := &corev1.Pod{}
+	v1Pod.Namespace = namespace
+	v1Pod.UID = types.UID("pod-uid")
+	v1Pod.Name = name
+	v1Pod.Spec.NodeName = node
 	if mirror {
-		pod.Annotations = map[string]string{api.MirrorPodAnnotationKey: "true"}
+		corePod.Annotations = map[string]string{api.MirrorPodAnnotationKey: "true"}
+		v1Pod.Annotations = map[string]string{api.MirrorPodAnnotationKey: "true"}
 	}
-	return pod
+	return corePod, v1Pod
 }
 func makeTestPodEviction(name string) *policy.Eviction {
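Review bot: `makeTestPod` now builds the internal pod and its v1 twin by repeating the same five assignments, so the object handed to admission and the object placed in the lister cache can drift silently if a later edit sets a field on only one of them; the `sapod`/`secretpod`/`configmappod`/`pvcpod` call sites in the next hunk already mutate only the core twin and discard the v1 one, which is fine today only because those pods are never added to the index. A comment on the signature would make the contract explicit: `// makeTestPod returns the internal pod passed to Admit and the identical v1 pod that is stored in the lister cache; keep the two in sync.` Deriving the v1 object from a single field list (or the core/v1 conversion helpers) would remove the duplication, but that is optional for a test helper. Note that the v1 pod's mirror annotation is keyed with `api.MirrorPodAnnotationKey` rather than the corev1 constant; that holds only while the two string values agree.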
@@ -105,17 +112,18 @@ func Test_nodePlugin_Admit(t *testing.T) { UID: "quxUID", KubeletConfigKey: "kubelet", }}}} + mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}} mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}} othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}} - mymirrorpod = makeTestPod("ns", "mymirrorpod", "mynode", true) - othermirrorpod = makeTestPod("ns", "othermirrorpod", "othernode", true) - unboundmirrorpod = makeTestPod("ns", "unboundmirrorpod", "", true) - mypod = makeTestPod("ns", "mypod", "mynode", false) - otherpod = makeTestPod("ns", "otherpod", "othernode", false) - unboundpod = makeTestPod("ns", "unboundpod", "", false) - unnamedpod = makeTestPod("ns", "", "mynode", false) + coremymirrorpod, v1mymirrorpod = makeTestPod("ns", "mymirrorpod", "mynode", true) + coreothermirrorpod, v1othermirrorpod = makeTestPod("ns", "othermirrorpod", "othernode", true) + coreunboundmirrorpod, v1unboundmirrorpod = makeTestPod("ns", "unboundmirrorpod", "", true) + coremypod, v1mypod = makeTestPod("ns", "mypod", "mynode", false) + coreotherpod, v1otherpod = makeTestPod("ns", "otherpod", "othernode", false) + coreunboundpod, v1unboundpod = makeTestPod("ns", "unboundpod", "", false) + coreunnamedpod, _ = makeTestPod("ns", "", "mynode", false) mymirrorpodEviction = makeTestPodEviction("mymirrorpod") othermirrorpodEviction = makeTestPodEviction("othermirrorpod") 
@@ -139,34 +147,34 @@ func Test_nodePlugin_Admit(t *testing.T) {
 		tokenrequestKind = api.Kind("TokenRequest").WithVersion("v1")
 		noExistingPodsIndex = cache.NewIndexer(cache.MetaNamespaceKeyFunc, nil)
-		noExistingPods = internalversion.NewPodLister(noExistingPodsIndex)
+		noExistingPods = corev1lister.NewPodLister(noExistingPodsIndex)
 		existingPodsIndex = cache.NewIndexer(cache.MetaNamespaceKeyFunc, nil)
-		existingPods = internalversion.NewPodLister(existingPodsIndex)
+		existingPods = corev1lister.NewPodLister(existingPodsIndex)
 	)
-	existingPodsIndex.Add(mymirrorpod)
-	existingPodsIndex.Add(othermirrorpod)
-	existingPodsIndex.Add(unboundmirrorpod)
-	existingPodsIndex.Add(mypod)
-	existingPodsIndex.Add(otherpod)
-	existingPodsIndex.Add(unboundpod)
+	existingPodsIndex.Add(v1mymirrorpod)
+	existingPodsIndex.Add(v1othermirrorpod)
+	existingPodsIndex.Add(v1unboundmirrorpod)
+	existingPodsIndex.Add(v1mypod)
+	existingPodsIndex.Add(v1otherpod)
+	existingPodsIndex.Add(v1unboundpod)
-	sapod := makeTestPod("ns", "mysapod", "mynode", true)
+	sapod, _ := makeTestPod("ns", "mysapod", "mynode", true)
 	sapod.Spec.ServiceAccountName = "foo"
-	secretpod := makeTestPod("ns", "mysecretpod", "mynode", true)
+	secretpod, _ := makeTestPod("ns", "mysecretpod", "mynode", true)
 	secretpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "foo"}}}}
-	configmappod := makeTestPod("ns", "myconfigmappod", "mynode", true)
+	configmappod, _ := makeTestPod("ns", "myconfigmappod", "mynode", true)
 	configmappod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{ConfigMap: &api.ConfigMapVolumeSource{LocalObjectReference: api.LocalObjectReference{Name: "foo"}}}}}
-	pvcpod := makeTestPod("ns", "mypvcpod", "mynode", true)
+	pvcpod, _ := makeTestPod("ns", "mypvcpod", "mynode", true)
 	pvcpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: "foo"}}}}
 	tests := []struct {
 		name string
-		podsGetter internalversion.PodLister
+		podsGetter corev1lister.PodLister
 		attributes admission.Attributes
 		features utilfeature.FeatureGate
 		err string
@@ -175,61 +183,61 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "allow creating a mirror pod bound to self", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(mymirrorpod, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coremymirrorpod, nil, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "", admission.Create, false, mynode), err: "", }, { name: "forbid update of mirror pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mymirrorpod, mymirrorpod, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coremymirrorpod, coremymirrorpod, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "allow delete of mirror pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "", admission.Delete, false, mynode), err: "", }, { name: "forbid create of mirror pod status bound to self", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(mymirrorpod, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coremymirrorpod, nil, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "status", admission.Create, false, mynode), err: "forbidden: unexpected operation", }, { name: "allow update of mirror pod status bound to self", podsGetter: existingPods, - attributes: 
admission.NewAttributesRecord(mymirrorpod, mymirrorpod, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coremymirrorpod, coremymirrorpod, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "status", admission.Update, false, mynode), err: "", }, { name: "forbid delete of mirror pod status bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "status", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "status", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "allow create of eviction for mirror pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "", }, { name: "forbid update of eviction for mirror pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "eviction", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "eviction", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of eviction for mirror pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, 
mymirrorpod.Namespace, mymirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(mymirrorpodEviction, nil, evictionKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "allow create of unnamed eviction for mirror pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, mymirrorpod.Namespace, mymirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coremymirrorpod.Namespace, coremymirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "", }, 
@@ -237,61 +245,61 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "forbid creating a mirror pod bound to another", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(othermirrorpod, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coreothermirrorpod, nil, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid update of mirror pod bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(othermirrorpod, othermirrorpod, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coreothermirrorpod, coreothermirrorpod, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of mirror pod bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "", admission.Delete, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid create of mirror pod status bound to another", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(othermirrorpod, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coreothermirrorpod, nil, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "status", admission.Create, false, mynode), err: "forbidden: unexpected 
operation", }, { name: "forbid update of mirror pod status bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(othermirrorpod, othermirrorpod, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coreothermirrorpod, coreothermirrorpod, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "status", admission.Update, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid delete of mirror pod status bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "status", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "status", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid create of eviction for mirror pod bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid update of eviction for mirror pod bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "eviction", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "eviction", 
admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of eviction for mirror pod bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(othermirrorpodEviction, nil, evictionKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid create of unnamed eviction for mirror pod to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, othermirrorpod.Namespace, othermirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreothermirrorpod.Namespace, coreothermirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, 
@@ -299,61 +307,61 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "forbid creating a mirror pod unbound", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(unboundmirrorpod, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coreunboundmirrorpod, nil, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid update of mirror pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundmirrorpod, unboundmirrorpod, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coreunboundmirrorpod, coreunboundmirrorpod, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of mirror pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "", admission.Delete, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid create of mirror pod status unbound", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(unboundmirrorpod, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coreunboundmirrorpod, nil, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "status", admission.Create, false, mynode), err: "forbidden: 
unexpected operation", }, { name: "forbid update of mirror pod status unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundmirrorpod, unboundmirrorpod, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coreunboundmirrorpod, coreunboundmirrorpod, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "status", admission.Update, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid delete of mirror pod status unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "status", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "status", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid create of eviction for mirror pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid update of eviction for mirror pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "eviction", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, 
podResource, "eviction", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of eviction for mirror pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(unboundmirrorpodEviction, nil, evictionKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "eviction", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid create of unnamed eviction for mirror pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, unboundmirrorpod.Namespace, unboundmirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreunboundmirrorpod.Namespace, coreunboundmirrorpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, 
@@ -361,55 +369,55 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "forbid creating a normal pod bound to self", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(mypod, nil, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coremypod, nil, podKind, coremypod.Namespace, coremypod.Name, podResource, "", admission.Create, false, mynode), err: "can only create mirror pods", }, { name: "forbid update of normal pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mypod, mypod, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coremypod, coremypod, podKind, coremypod.Namespace, coremypod.Name, podResource, "", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "allow delete of normal pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, mypod.Namespace, mypod.Name, podResource, "", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coremypod.Namespace, coremypod.Name, podResource, "", admission.Delete, false, mynode), err: "", }, { name: "forbid create of normal pod status bound to self", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(mypod, nil, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coremypod, nil, podKind, coremypod.Namespace, coremypod.Name, podResource, "status", admission.Create, false, mynode), err: "forbidden: unexpected operation", }, { name: "allow update of normal pod status bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mypod, mypod, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Update, false, mynode), + 
attributes: admission.NewAttributesRecord(coremypod, coremypod, podKind, coremypod.Namespace, coremypod.Name, podResource, "status", admission.Update, false, mynode), err: "", }, { name: "forbid delete of normal pod status bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, mypod.Namespace, mypod.Name, podResource, "status", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coremypod.Namespace, coremypod.Name, podResource, "status", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid update of eviction for normal pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of eviction for normal pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "allow create of unnamed eviction for normal pod bound to self", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Create, false, 
mynode), err: "", }, 
@@ -417,37 +425,37 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "forbid creating a normal pod bound to another", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(otherpod, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coreotherpod, nil, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "", admission.Create, false, mynode), err: "can only create mirror pods", }, { name: "forbid update of normal pod bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(otherpod, otherpod, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coreotherpod, coreotherpod, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of normal pod bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "", admission.Delete, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid create of normal pod status bound to another", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(otherpod, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coreotherpod, nil, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "status", admission.Create, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid update of normal pod status bound to another", podsGetter: existingPods, - attributes: 
admission.NewAttributesRecord(otherpod, otherpod, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coreotherpod, coreotherpod, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "status", admission.Update, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid delete of normal pod status bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, otherpod.Namespace, otherpod.Name, podResource, "status", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "status", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { @@ -471,7 +479,7 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "forbid create of unnamed eviction for normal pod bound to another", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, otherpod.Namespace, otherpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreotherpod.Namespace, coreotherpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, 
@@ -479,61 +487,61 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "forbid creating a normal pod unbound", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coreunboundpod, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Create, false, mynode), err: "can only create mirror pods", }, { name: "forbid update of normal pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coreunboundpod, coreunboundpod, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of normal pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Delete, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid create of normal pod status unbound", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(coreunboundpod, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Create, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid update of normal pod status unbound", podsGetter: existingPods, - attributes: 
admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(coreunboundpod, coreunboundpod, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Update, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid delete of normal pod status unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid create of eviction for normal pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, unboundpod.Namespace, unboundpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, { name: "forbid update of eviction for normal pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, unboundpod.Namespace, unboundpod.Name, podResource, "eviction", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "eviction", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of eviction for normal pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, 
unboundpod.Namespace, unboundpod.Name, podResource, "eviction", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(unboundpodEviction, nil, evictionKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "eviction", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid create of unnamed eviction for normal unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, unboundpod.Namespace, unboundpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "eviction", admission.Create, false, mynode), err: "spec.nodeName set to itself", }, 
@@ -541,31 +549,31 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "forbid delete of unknown pod", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Delete, false, mynode), err: "not found", }, { name: "forbid create of eviction for unknown pod", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Create, false, mynode), err: "not found", }, { name: "forbid update of eviction for unknown pod", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of eviction for unknown pod", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid create of unnamed eviction for unknown pod", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(unnamedEviction, nil, 
evictionKind, mypod.Namespace, mypod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coremypod.Namespace, coremypod.Name, podResource, "eviction", admission.Create, false, mynode), err: "not found", }, 
@@ -573,26 +581,26 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "allow create of eviction for unnamed pod", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, unnamedpod.Namespace, unnamedpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coreunnamedpod.Namespace, coreunnamedpod.Name, podResource, "eviction", admission.Create, false, mynode), // use the submitted eviction resource name as the pod name err: "", }, { name: "forbid update of eviction for unnamed pod", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, unnamedpod.Namespace, unnamedpod.Name, podResource, "eviction", admission.Update, false, mynode), + attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coreunnamedpod.Namespace, coreunnamedpod.Name, podResource, "eviction", admission.Update, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid delete of eviction for unnamed pod", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, unnamedpod.Namespace, unnamedpod.Name, podResource, "eviction", admission.Delete, false, mynode), + attributes: admission.NewAttributesRecord(mypodEviction, nil, evictionKind, coreunnamedpod.Namespace, coreunnamedpod.Name, podResource, "eviction", admission.Delete, false, mynode), err: "forbidden: unexpected operation", }, { name: "forbid create of unnamed eviction for unnamed pod", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, unnamedpod.Namespace, unnamedpod.Name, podResource, "eviction", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, coreunnamedpod.Namespace, coreunnamedpod.Name, podResource, "eviction", admission.Create, false, mynode), err: 
"could not determine pod from request data", }, @@ -765,21 +773,21 @@ func Test_nodePlugin_Admit(t *testing.T) { name: "forbid create of token bound to pod without uid", podsGetter: existingPods, features: trEnabledFeature, - attributes: admission.NewAttributesRecord(makeTokenRequest(mypod.Name, ""), nil, tokenrequestKind, "ns", "mysa", svcacctResource, "token", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(makeTokenRequest(coremypod.Name, ""), nil, tokenrequestKind, "ns", "mysa", svcacctResource, "token", admission.Create, false, mynode), err: "pod binding without a uid", }, { name: "forbid create of token bound to pod scheduled on another node", podsGetter: existingPods, features: trEnabledFeature, - attributes: admission.NewAttributesRecord(makeTokenRequest(otherpod.Name, otherpod.UID), nil, tokenrequestKind, otherpod.Namespace, "mysa", svcacctResource, "token", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(makeTokenRequest(coreotherpod.Name, coreotherpod.UID), nil, tokenrequestKind, coreotherpod.Namespace, "mysa", svcacctResource, "token", admission.Create, false, mynode), err: "pod scheduled on a different node", }, { name: "allow create of token bound to pod scheduled this node", podsGetter: existingPods, features: trEnabledFeature, - attributes: admission.NewAttributesRecord(makeTokenRequest(mypod.Name, mypod.UID), nil, tokenrequestKind, mypod.Namespace, "mysa", svcacctResource, "token", admission.Create, false, mynode), + attributes: admission.NewAttributesRecord(makeTokenRequest(coremypod.Name, coremypod.UID), nil, tokenrequestKind, coremypod.Namespace, "mysa", svcacctResource, "token", admission.Create, false, mynode), }, // Unrelated objects 
@@ -806,37 +814,37 @@ func Test_nodePlugin_Admit(t *testing.T) { { name: "allow unrelated user creating a normal pod unbound", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Create, false, bob), + attributes: admission.NewAttributesRecord(coreunboundpod, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Create, false, bob), err: "", }, { name: "allow unrelated user update of normal pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Update, false, bob), + attributes: admission.NewAttributesRecord(coreunboundpod, coreunboundpod, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Update, false, bob), err: "", }, { name: "allow unrelated user delete of normal pod unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "", admission.Delete, false, bob), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "", admission.Delete, false, bob), err: "", }, { name: "allow unrelated user create of normal pod status unbound", podsGetter: noExistingPods, - attributes: admission.NewAttributesRecord(unboundpod, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Create, false, bob), + attributes: admission.NewAttributesRecord(coreunboundpod, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Create, false, bob), err: "", }, { name: "allow unrelated user update of normal pod status unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(unboundpod, unboundpod, podKind, unboundpod.Namespace, unboundpod.Name, 
podResource, "status", admission.Update, false, bob), + attributes: admission.NewAttributesRecord(coreunboundpod, coreunboundpod, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Update, false, bob), err: "", }, { name: "allow unrelated user delete of normal pod status unbound", podsGetter: existingPods, - attributes: admission.NewAttributesRecord(nil, nil, podKind, unboundpod.Namespace, unboundpod.Name, podResource, "status", admission.Delete, false, bob), + attributes: admission.NewAttributesRecord(nil, nil, podKind, coreunboundpod.Namespace, coreunboundpod.Name, podResource, "status", admission.Delete, false, bob), err: "", }, } diff --git a/plugin/pkg/auth/authorizer/node/BUILD b/plugin/pkg/auth/authorizer/node/BUILD index c4a394e80d9..2719325fa43 100644 --- a/plugin/pkg/auth/authorizer/node/BUILD +++ b/plugin/pkg/auth/authorizer/node/BUILD @@ -19,6 +19,7 @@ go_test( "//pkg/auth/nodeidentifier:go_default_library", "//pkg/features:go_default_library", "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/api/storage/v1beta1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", 
@@ -40,18 +41,20 @@ go_library(
 importpath = "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node",
 deps = [
 "//pkg/api/persistentvolume:go_default_library",
- "//pkg/api/pod:go_default_library",
+ "//pkg/api/v1/pod:go_default_library",
 "//pkg/apis/core:go_default_library",
 "//pkg/apis/storage:go_default_library",
 "//pkg/auth/nodeidentifier:go_default_library",
 "//pkg/client/informers/informers_generated/internalversion/core/internalversion:go_default_library",
 "//pkg/features:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac:go_default_library",
+ "//staging/src/k8s.io/api/core/v1:go_default_library",
 "//staging/src/k8s.io/api/rbac/v1:go_default_library",
 "//staging/src/k8s.io/api/storage/v1beta1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
+ "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
 "//staging/src/k8s.io/client-go/informers/storage/v1beta1:go_default_library",
 "//staging/src/k8s.io/client-go/tools/cache:go_default_library",
 "//third_party/forked/gonum/graph:go_default_library",
diff --git a/plugin/pkg/auth/authorizer/node/graph.go b/plugin/pkg/auth/authorizer/node/graph.go
index 48e406d538a..240ac6e9ae9 100644
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@@ -19,8 +19,9 @@ package node
 import (
 "sync"
+ corev1 "k8s.io/api/core/v1"
 pvutil "k8s.io/kubernetes/pkg/api/persistentvolume"
- podutil "k8s.io/kubernetes/pkg/api/pod"
+ podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 api "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/third_party/forked/gonum/graph"
 "k8s.io/kubernetes/third_party/forked/gonum/graph/simple"
@@ -305,7 +306,7 @@ func (g *Graph) recomputeDestinationIndex_locked(n graph.Node) {
 // configmap -> pod
 // pvc -> pod
 // svcacct -> pod
-func (g *Graph) AddPod(pod *api.Pod) {
+func (g *Graph) AddPod(pod *corev1.Pod) {
 g.lock.Lock()
 defer g.lock.Unlock()
diff --git a/plugin/pkg/auth/authorizer/node/graph_populator.go b/plugin/pkg/auth/authorizer/node/graph_populator.go
index 3d8f9baa6a7..bd33f18a574 100644
--- a/plugin/pkg/auth/authorizer/node/graph_populator.go
+++ b/plugin/pkg/auth/authorizer/node/graph_populator.go
@@ -20,8 +20,10 @@ import (
 "fmt"
 "github.com/golang/glog"
+ corev1 "k8s.io/api/core/v1"
 storagev1beta1 "k8s.io/api/storage/v1beta1"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
+ corev1informers "k8s.io/client-go/informers/core/v1"
 storageinformers "k8s.io/client-go/informers/storage/v1beta1"
 "k8s.io/client-go/tools/cache"
 api "k8s.io/kubernetes/pkg/apis/core"
@@ -36,7 +38,7 @@ type graphPopulator struct {
 func AddGraphEventHandlers(
 graph *Graph,
 nodes coreinformers.NodeInformer,
- pods coreinformers.PodInformer,
+ pods corev1informers.PodInformer,
 pvs coreinformers.PersistentVolumeInformer,
 attachments storageinformers.VolumeAttachmentInformer,
 ) {
@@ -134,13 +136,13 @@ func (g *graphPopulator) addPod(obj interface{}) {
 }
 func (g *graphPopulator) updatePod(oldObj, obj interface{}) {
- pod := obj.(*api.Pod)
+ pod := obj.(*corev1.Pod)
 if len(pod.Spec.NodeName) == 0 {
 // No node assigned
 glog.V(5).Infof("updatePod %s/%s, no node", pod.Namespace, pod.Name)
 return
 }
- if oldPod, ok := oldObj.(*api.Pod); ok && oldPod != nil {
+ if oldPod, ok := oldObj.(*corev1.Pod); ok && oldPod != nil {
 if (pod.Spec.NodeName == oldPod.Spec.NodeName) && (pod.UID == oldPod.UID) {
 // Node and uid are unchanged, all object references in the pod spec are immutable
 glog.V(5).Infof("updatePod %s/%s, node unchanged", pod.Namespace, pod.Name)
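Review bot: The doc comment above AddPod (the `// configmap -> pod`, `// pvc -> pod`, `// svcacct -> pod` lines in this hunk) does not record that the pod now enters the graph in its external corev1 form while the node and PV inputs of the same graph still use the internal api types (pvutil and api remain imported in the previous hunk). The podutil import swap in that hunk suggests the secret/configmap/PVC reference extraction that feeds the node authorizer is now done by the `pkg/api/v1/pod` helper; if that helper enumerates a different set of references than the internal one did, the set of objects a node is allowed to read changes silently, so the contract is worth pinning in the comment, e.g. `// AddPod takes the external (corev1) pod; its object references are extracted with the pkg/api/v1/pod visitors, which must cover the same reference kinds as the internal podutil did.` AddPod's body continues outside the hunk.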
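Review bot: AddGraphEventHandlers now takes `pods` as a corev1informers.PodInformer while `nodes` and `pvs` stay on the internal coreinformers, so the graph is fed from two informer factories that must both be started and synced. The function's doc comment (outside the hunk) should state this, because a versioned factory that is never started would leave the pod edges out of the graph, and the node authorizer's decisions about pod-referenced secrets and configmaps are presumably derived from exactly those edges; a one-line `// pods comes from the versioned informer factory; callers must start and sync both factories.` would make the dependency visible at the call site.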
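Review bot: `pod := obj.(*corev1.Pod)` at the top of updatePod is an unchecked type assertion, so any object of another type handed to this handler panics inside the informer callback, whereas deletePod in the next hunk uses the checked form and logs `unexpected type %T`. The new side keeps the pre-existing pattern, but since the handler now runs on a different informer than before, making it consistent with deletePod is cheap: `pod, ok := obj.(*corev1.Pod)` followed by `if !ok { glog.Infof("unexpected type %T", obj); return }`. The oldObj assertion further down is already checked. updatePod's body continues outside the hunk.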
@@ -155,7 +157,7 @@ func (g *graphPopulator) deletePod(obj interface{}) {
 if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
 obj = tombstone.Obj
 }
- pod, ok := obj.(*api.Pod)
+ pod, ok := obj.(*corev1.Pod)
 if !ok {
 glog.Infof("unexpected type %T", obj)
 return
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
index 956f8d29708..85a472c1bb2 100644
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
@@ -26,6 +26,7 @@ import (
 "os"
+ corev1 "k8s.io/api/core/v1"
 storagev1beta1 "k8s.io/api/storage/v1beta1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
@@ -255,34 +256,34 @@ func TestAuthorizerSharedResources(t *testing.T) {
 node2 := &user.DefaultInfo{Name: "system:node:node2", Groups: []string{"system:nodes"}}
 node3 := &user.DefaultInfo{Name: "system:node:node3", Groups: []string{"system:nodes"}}
- g.AddPod(&api.Pod{
+ g.AddPod(&corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{Name: "pod1-node1", Namespace: "ns1"},
- Spec: api.PodSpec{
+ Spec: corev1.PodSpec{
 NodeName: "node1",
- Volumes: []api.Volume{
- {VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "node1-only"}}},
- {VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "node1-node2-only"}}},
- {VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "shared-all"}}},
+ Volumes: []corev1.Volume{
+ {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "node1-only"}}},
+ {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "node1-node2-only"}}},
+ {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "shared-all"}}},
 },
 },
 })
- g.AddPod(&api.Pod{
+ g.AddPod(&corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{Name: "pod2-node2", Namespace: "ns1"},
- Spec: api.PodSpec{
+ Spec: corev1.PodSpec{
 NodeName: "node2",
- Volumes: []api.Volume{
- {VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "node1-node2-only"}}},
- {VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "shared-all"}}},
+ Volumes: []corev1.Volume{
+ {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "node1-node2-only"}}},
+ {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "shared-all"}}},
 },
 },
 })
- pod3 := &api.Pod{
+ pod3 := &corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{Name: "pod3-node3", Namespace: "ns1"},
- Spec: api.PodSpec{
+ Spec: corev1.PodSpec{
 NodeName: "node3",
- Volumes: []api.Volume{
- {VolumeSource: api.VolumeSource{Secret: 
&api.SecretVolumeSource{SecretName: "shared-all"}}},
+ Volumes: []corev1.Volume{
+ {VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "shared-all"}}},
 },
 },
 }
@@ -615,13 +616,13 @@ func BenchmarkAuthorization(b *testing.B) {
 for shouldWrite == 1 {
 go func() {
 start := time.Now()
- authz.graph.AddPod(&api.Pod{
+ authz.graph.AddPod(&corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{Name: "testwrite", Namespace: "ns0"},
- Spec: api.PodSpec{
+ Spec: corev1.PodSpec{
 NodeName: "node0",
 ServiceAccountName: "default",
- Volumes: []api.Volume{
- {Name: "token", VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "secret0-shared"}}},
+ Volumes: []corev1.Volume{
+ {Name: "token", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: "secret0-shared"}}},
 },
 },
 })
@@ -683,7 +684,7 @@ func BenchmarkAuthorization(b *testing.B) {
 }
 }
-func populate(graph *Graph, nodes []*api.Node, pods []*api.Pod, pvs []*api.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
+func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*api.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
 p := &graphPopulator{}
 p.graph = graph
 for _, node := range nodes {
@@ -704,40 +705,40 @@ func populate(graph *Graph, nodes []*api.Node, pods []*api.Pod, pvs []*api.Persi // the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects. // for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0. // when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1. -func generate(opts sampleDataOpts) ([]*api.Node, []*api.Pod, []*api.PersistentVolume, []*storagev1beta1.VolumeAttachment) { +func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.PersistentVolume, []*storagev1beta1.VolumeAttachment) { nodes := make([]*api.Node, 0, opts.nodes) - pods := make([]*api.Pod, 0, opts.nodes*opts.podsPerNode) + pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode) pvs := make([]*api.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces)) attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode) for n := 0; n < opts.nodes; n++ { nodeName := fmt.Sprintf("node%d", n) for p := 0; p < opts.podsPerNode; p++ { - pod := &api.Pod{} + pod := &corev1.Pod{} pod.Namespace = fmt.Sprintf("ns%d", p%opts.namespaces) pod.Name = fmt.Sprintf("pod%d-%s", p, nodeName) pod.Spec.NodeName = nodeName pod.Spec.ServiceAccountName = fmt.Sprintf("svcacct%d-%s", p, nodeName) for i := 0; i < opts.uniqueSecretsPerPod; i++ { - pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ - Secret: &api.SecretVolumeSource{SecretName: fmt.Sprintf("secret%d-%s", i, pod.Name)}, + pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{SecretName: fmt.Sprintf("secret%d-%s", i, pod.Name)}, }}) } for i := 0; i < opts.sharedSecretsPerPod; i++ { - pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ - Secret: 
&api.SecretVolumeSource{SecretName: fmt.Sprintf("secret%d-shared", i)}, + pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{SecretName: fmt.Sprintf("secret%d-shared", i)}, }}) } for i := 0; i < opts.uniqueConfigMapsPerPod; i++ { - pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ - ConfigMap: &api.ConfigMapVolumeSource{LocalObjectReference: api.LocalObjectReference{Name: fmt.Sprintf("configmap%d-%s", i, pod.Name)}}, + pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: fmt.Sprintf("configmap%d-%s", i, pod.Name)}}, }}) } for i := 0; i < opts.sharedConfigMapsPerPod; i++ { - pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ - ConfigMap: &api.ConfigMapVolumeSource{LocalObjectReference: api.LocalObjectReference{Name: fmt.Sprintf("configmap%d-shared", i)}}, + pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: fmt.Sprintf("configmap%d-shared", i)}}, }}) } @@ -748,8 +749,8 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*api.Pod, []*api.PersistentVo pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace} pvs = append(pvs, pv) - pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{ - PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: pv.Spec.ClaimRef.Name}, + pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{ + PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ClaimName: pv.Spec.ClaimRef.Name}, }}) } for i := 0; i < opts.sharedPVCsPerPod; i++ { 
@@ -759,8 +760,8 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*api.Pod, []*api.PersistentVo
 pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace}
 pvs = append(pvs, pv)
- pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{VolumeSource: api.VolumeSource{
- PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: pv.Spec.ClaimRef.Name},
+ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
+ PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ClaimName: pv.Spec.ClaimRef.Name},
 }})
 }
diff --git a/test/integration/auth/node_test.go b/test/integration/auth/node_test.go
index eb6526136ab..de109aa368a 100644
--- a/test/integration/auth/node_test.go
+++ b/test/integration/auth/node_test.go
@@ -97,7 +97,7 @@ func TestNodeAuthorizer(t *testing.T) {
 // Set up NodeRestriction admission
 nodeRestrictionAdmission := noderestriction.NewPlugin(nodeidentifier.NewDefaultNodeIdentifier())
- nodeRestrictionAdmission.SetInternalKubeInformerFactory(informerFactory)
+ nodeRestrictionAdmission.SetExternalKubeInformerFactory(versionedInformerFactory)
 if err := nodeRestrictionAdmission.ValidateInitialization(); err != nil {
 t.Fatal(err)
 }