Use EphemeralContainers for storage validation

When updating ephemeral containers, convert Pod to EphemeralContainers
in storage validation. This resolves a bug where admission webhook
validation fails for ephemeral container updates because the webhook
client cannot perform the conversion.

Also enable the EphemeralContainers feature gate for the admission
control integration test, which would have caught this bug.
Lee Verberne 2020-09-10 17:24:52 +02:00
parent c3b888f647
commit bf0a33d1de
2 changed files with 16 additions and 1 deletions


@ -346,13 +346,26 @@ func (r *EphemeralContainersREST) Update(ctx context.Context, name string, objIn
return newPod, nil
})
obj, _, err = r.store.Update(ctx, name, updatedPodInfo, createValidation, updateValidation, false, options)
// Validation should be passed the API kind (EphemeralContainers) rather than the storage kind.
obj, _, err = r.store.Update(ctx, name, updatedPodInfo, toEphemeralContainersCreateValidation(createValidation), toEphemeralContainersUpdateValidation(updateValidation), false, options)
if err != nil {
return nil, false, err
}
return ephemeralContainersInPod(obj.(*api.Pod)), false, err
}
func toEphemeralContainersCreateValidation(f rest.ValidateObjectFunc) rest.ValidateObjectFunc {
return func(ctx context.Context, obj runtime.Object) error {
return f(ctx, ephemeralContainersInPod(obj.(*api.Pod)))
}
}
func toEphemeralContainersUpdateValidation(f rest.ValidateObjectUpdateFunc) rest.ValidateObjectUpdateFunc {
return func(ctx context.Context, obj, old runtime.Object) error {
return f(ctx, ephemeralContainersInPod(obj.(*api.Pod)), ephemeralContainersInPod(old.(*api.Pod)))
}
}
// Extract the list of Ephemeral Containers from a Pod
func ephemeralContainersInPod(pod *api.Pod) *api.EphemeralContainers {
ephemeralContainers := pod.Spec.EphemeralContainers
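Review bot: Both new wrappers, toEphemeralContainersCreateValidation and toEphemeralContainersUpdateValidation, call `f` unconditionally, so a nil `createValidation` or `updateValidation` becomes a non-nil closure that panics when the store invokes it. If the generic store treats a nil validation func as "skip" (it appears to, but that code is outside this hunk), that behaviour is lost here; each wrapper should begin with `if f == nil { return nil }`. The `obj.(*api.Pod)` and `old.(*api.Pod)` assertions are also unchecked, and since these closures sit on the admission-validation path, a comma-ok assertion that returns an error would fail the request cleanly instead of panicking on an unexpected type. A short doc comment on each wrapper stating that it converts the storage kind (Pod) to the API kind (EphemeralContainers) before calling the webhook validation would help; Update starts above the hunk and ephemeralContainersInPod continues below it.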


@ -480,6 +480,8 @@ func testWebhookAdmission(t *testing.T, watchCache bool) {
"--disable-admission-plugins=ServiceAccount,StorageObjectInUseProtection",
// force enable all resources so we can check storage.
"--runtime-config=api/all=true",
// enable feature-gates that protect resources to check their storage, too.
"--feature-gates=EphemeralContainers=true",
}, etcdConfig)
defer server.TearDownFn()