github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 15:05:27 +00:00
Code Issues Projects Releases Wiki Activity

Prevent deletion of default namespace

Browse Source
This commit is contained in:
derekwaynecarr 2015-06-19 12:24:54 -04:00
parent f6fb72ec51
commit d0441a9fba
2 changed files with 31 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
plugin/pkg/admission/namespace/lifecycle/admission.go
View File

@ -22,6 +22,7 @@ import (
"github.com/GoogleCloudPlatform/kubernetes/pkg/admission" "github.com/GoogleCloudPlatform/kubernetes/pkg/admission"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api" "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api/latest" "github.com/GoogleCloudPlatform/kubernetes/pkg/api/latest"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api/meta" "github.com/GoogleCloudPlatform/kubernetes/pkg/api/meta"
"github.com/GoogleCloudPlatform/kubernetes/pkg/client" "github.com/GoogleCloudPlatform/kubernetes/pkg/client"
@ -29,6 +30,7 @@ import (
"github.com/GoogleCloudPlatform/kubernetes/pkg/fields" "github.com/GoogleCloudPlatform/kubernetes/pkg/fields"
"github.com/GoogleCloudPlatform/kubernetes/pkg/labels" "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime" "github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
"github.com/GoogleCloudPlatform/kubernetes/pkg/watch" "github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
) )
@ -42,11 +44,21 @@ func init() {
// It enforces life-cycle constraints around a Namespace depending on its Phase // It enforces life-cycle constraints around a Namespace depending on its Phase
type lifecycle struct { type lifecycle struct {
*admission.Handler *admission.Handler
client client.Interface client client.Interface
store cache.Store store cache.Store
immortalNamespaces util.StringSet
} }
func (l *lifecycle) Admit(a admission.Attributes) (err error) { func (l *lifecycle) Admit(a admission.Attributes) (err error) {
// prevent deletion of immortal namespaces
if a.GetOperation() == admission.Delete {
if a.GetKind() == "Namespace" && l.immortalNamespaces.Has(a.GetName()) {
return errors.NewForbidden(a.GetKind(), a.GetName(), fmt.Errorf("namespace can never be deleted"))
}
return nil
}
defaultVersion, kind, err := latest.RESTMapper.VersionAndKindForResource(a.GetResource()) defaultVersion, kind, err := latest.RESTMapper.VersionAndKindForResource(a.GetResource())
if err != nil { if err != nil {
return admission.NewForbidden(a, err) return admission.NewForbidden(a, err)
@ -96,8 +108,9 @@ func NewLifecycle(c client.Interface) admission.Interface {
) )
reflector.Run() reflector.Run()
return &lifecycle{ return &lifecycle{
Handler: admission.NewHandler(admission.Create), Handler: admission.NewHandler(admission.Create, admission.Delete),
client: c, client: c,
store: store, store: store,
immortalNamespaces: util.NewStringSet(api.NamespaceDefault),
} }
} }

13
plugin/pkg/admission/namespace/lifecycle/admission_test.go
View File

@ -75,4 +75,17 @@ func TestAdmission(t *testing.T) {
if err != nil { if err != nil {
t.Errorf("Unexpected error returned from admission handler: %v", err) t.Errorf("Unexpected error returned from admission handler: %v", err)
} }
// verify delete of namespace default can never proceed
err = handler.Admit(admission.NewAttributesRecord(nil, "Namespace", "", api.NamespaceDefault, "namespaces", "", admission.Delete, nil))
if err == nil {
t.Errorf("Expected an error that this namespace can never be deleted")
}
// verify delete of namespace other than default can proceed
err = handler.Admit(admission.NewAttributesRecord(nil, "Namespace", "", "other", "namespaces", "", admission.Delete, nil))
if err != nil {
t.Errorf("Did not expect an error %v", err)
}
} }