Merge pull request #70389 from caesarxuchao/gc-admission-cluster-scoped-owner

make gc admission set attribute namespace correctly for owners
2025-07-31 23:37:01 +00:00 · 2018-10-31 14:48:07 -07:00 · 2018-10-31 14:48:07 -07:00 · bf5c862889
commit bf5c862889
parent 50dffba0f3 db3c84a97c
2 changed files with 79 additions and 12 deletions
--- a/plugin/pkg/admission/gc/gc_admission.go
+++ b/plugin/pkg/admission/gc/gc_admission.go
@ -186,11 +186,9 @@ func (a *gcPermissionsEnforcement) ownerRefToDeleteAttributeRecords(ref metav1.O
 		return ret, err
 	}
 	for _, mapping := range mappings {
-		ret = append(ret, authorizer.AttributesRecord{
-			User: attributes.GetUserInfo(),
-			Verb: "update",
-			// ownerReference can only refer to an object in the same namespace, so attributes.GetNamespace() equals to the owner's namespace
-			Namespace:       attributes.GetNamespace(),
+		ar := authorizer.AttributesRecord{
+			User:            attributes.GetUserInfo(),
+			Verb:            "update",
 			APIGroup:        mapping.Resource.Group,
 			APIVersion:      mapping.Resource.Version,
 			Resource:        mapping.Resource.Resource,
@ -198,7 +196,12 @@ func (a *gcPermissionsEnforcement) ownerRefToDeleteAttributeRecords(ref metav1.O
 			Name:            ref.Name,
 			ResourceRequest: true,
 			Path:            "",
-		})
+		}
+		if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
+			// if the owner is namespaced, it must be in the same namespace as the dependent is.
+			ar.Namespace = attributes.GetNamespace()
+		}
+		ret = append(ret, ar)
 	}
 	return ret, nil
 }
--- a/plugin/pkg/admission/gc/gc_admission_test.go
+++ b/plugin/pkg/admission/gc/gc_admission_test.go
@ -72,6 +72,15 @@ func (fakeAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Decision, s
 		return authorizer.DecisionAllow, "", nil
 	}

+	if username == "non-node-deleter" {
+		if a.GetVerb() == "delete" && a.GetResource() == "nodes" {
+			return authorizer.DecisionNoOpinion, "", nil
+		}
+		if a.GetVerb() == "update" && a.GetResource() == "nodes" && a.GetSubresource() == "finalizers" {
+			return authorizer.DecisionNoOpinion, "", nil
+		}
+		return authorizer.DecisionAllow, "", nil
+	}
 	return authorizer.DecisionAllow, "", nil
 }

@ -351,6 +360,23 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 		Name:               "ds1",
 		BlockOwnerDeletion: getFalseVar(),
 	}
+	blockNode := metav1.OwnerReference{
+		APIVersion:         "v1",
+		Kind:               "Node",
+		Name:               "node1",
+		BlockOwnerDeletion: getTrueVar(),
+	}
+	notBlockNode := metav1.OwnerReference{
+		APIVersion:         "v1",
+		Kind:               "Node",
+		Name:               "node",
+		BlockOwnerDeletion: getFalseVar(),
+	}
+	nilBlockNode := metav1.OwnerReference{
+		APIVersion: "v1",
+		Kind:       "Node",
+		Name:       "node",
+	}

 	expectNoError := func(err error) bool {
 		return err == nil
@ -390,7 +416,7 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 			name:       "super-user, create, some ownerReferences have blockOwnerDeletion=true",
 			username:   "super",
 			resource:   api.SchemeGroupVersion.WithResource("pods"),
-			newObj:     podWithOwnerRefs(blockRC1, blockRC2),
+			newObj:     podWithOwnerRefs(blockRC1, blockRC2, blockNode),
 			checkError: expectNoError,
 		},
 		{
@ -407,6 +433,13 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 			newObj:     podWithOwnerRefs(notBlockRC1, nilBlockRC2),
 			checkError: expectNoError,
 		},
+		{
+			name:       "non-node-deleter, create, all ownerReferences have blockOwnerDeletion=false",
+			username:   "non-node-deleter",
+			resource:   api.SchemeGroupVersion.WithResource("pods"),
+			newObj:     podWithOwnerRefs(notBlockNode),
+			checkError: expectNoError,
+		},
 		{
 			name:       "non-rc-deleter, create, some ownerReferences have blockOwnerDeletion=true",
 			username:   "non-rc-deleter",
@ -421,21 +454,28 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 			newObj:     podWithOwnerRefs(blockDS1),
 			checkError: expectNoError,
 		},
+		{
+			name:       "non-node-deleter, create, some ownerReferences have blockOwnerDeletion=true",
+			username:   "non-node-deleter",
+			resource:   api.SchemeGroupVersion.WithResource("pods"),
+			newObj:     podWithOwnerRefs(blockNode),
+			checkError: expectCantSetBlockOwnerDeletionError,
+		},
 		// cases are for update
 		{
 			name:       "super-user, update, no ownerReferences change blockOwnerDeletion",
 			username:   "super",
 			resource:   api.SchemeGroupVersion.WithResource("pods"),
-			oldObj:     podWithOwnerRefs(nilBlockRC1),
-			newObj:     podWithOwnerRefs(notBlockRC1),
+			oldObj:     podWithOwnerRefs(nilBlockRC1, nilBlockNode),
+			newObj:     podWithOwnerRefs(notBlockRC1, notBlockNode),
 			checkError: expectNoError,
 		},
 		{
 			name:       "super-user, update, some ownerReferences change to blockOwnerDeletion=true",
 			username:   "super",
 			resource:   api.SchemeGroupVersion.WithResource("pods"),
-			oldObj:     podWithOwnerRefs(notBlockRC1),
-			newObj:     podWithOwnerRefs(blockRC1),
+			oldObj:     podWithOwnerRefs(notBlockRC1, notBlockNode),
+			newObj:     podWithOwnerRefs(blockRC1, blockNode),
 			checkError: expectNoError,
 		},
 		{
@ -443,7 +483,7 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 			username:   "super",
 			resource:   api.SchemeGroupVersion.WithResource("pods"),
 			oldObj:     podWithOwnerRefs(),
-			newObj:     podWithOwnerRefs(blockRC1),
+			newObj:     podWithOwnerRefs(blockRC1, blockNode),
 			checkError: expectNoError,
 		},
 		{
@ -470,6 +510,14 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 			newObj:     podWithOwnerRefs(blockRC1),
 			checkError: expectCantSetBlockOwnerDeletionError,
 		},
+		{
+			name:       "non-node-deleter, update, some ownerReferences change from blockOwnerDeletion=nil to true",
+			username:   "non-node-deleter",
+			resource:   api.SchemeGroupVersion.WithResource("pods"),
+			oldObj:     podWithOwnerRefs(nilBlockNode),
+			newObj:     podWithOwnerRefs(blockNode),
+			checkError: expectCantSetBlockOwnerDeletionError,
+		},
 		{
 			name:       "non-rc-deleter, update, some ownerReferences change from blockOwnerDeletion=true to false",
 			username:   "non-rc-deleter",
@ -478,6 +526,14 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 			newObj:     podWithOwnerRefs(notBlockRC1),
 			checkError: expectNoError,
 		},
+		{
+			name:       "non-node-deleter, update, some ownerReferences change from blockOwnerDeletion=true to false",
+			username:   "non-node-deleter",
+			resource:   api.SchemeGroupVersion.WithResource("pods"),
+			oldObj:     podWithOwnerRefs(blockNode),
+			newObj:     podWithOwnerRefs(notBlockNode),
+			checkError: expectNoError,
+		},
 		{
 			name:       "non-rc-deleter, update, some ownerReferences change blockOwnerDeletion, but all such references are to daemonset",
 			username:   "non-rc-deleter",
@ -510,6 +566,14 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 			newObj:     podWithOwnerRefs(blockDS1),
 			checkError: expectNoError,
 		},
+		{
+			name:       "non-node-deleter, update, add ownerReferences with blockOwnerDeletion=true",
+			username:   "non-node-deleter",
+			resource:   api.SchemeGroupVersion.WithResource("pods"),
+			oldObj:     podWithOwnerRefs(),
+			newObj:     podWithOwnerRefs(blockNode),
+			checkError: expectCantSetBlockOwnerDeletionError,
+		},
 	}
 	gcAdmit, err := newGCPermissionsEnforcement()
 	if err != nil {