github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 05:03:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #66698 from WanLinghao/token_projected_improve

Browse Source 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

refuse serviceaccount projection volume request when pod has no servceaccount bounded

**What this PR does / why we need it**:
Currently, if user starts a cluster with ServiceAccount admission plugin disabled, then creates a Pod 
like this:
```
kind: Pod 
apiVersion: v1
metadata:
  labels:
    run: nginx
  name: busybox2
spec:
      containers:
      - image: gcr.io/google-containers/nginx
        name: nginx
        volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: token
      - image: ubuntu
        name: ttt 
        volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: token
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "while true; do sleep 30; done;" ]
      volumes:
      - name: token
        projected:
          sources:
          - serviceAccountToken:
              path: tokenPath
              expirationSeconds: 6000
              audience: gakki-audiences
```
The pod creation will fail with error info like:
Events:
```
  Type     Reason       Age               From                Message
  ----     ------       ----              ----                -------
  Normal   Scheduled    23s               default-scheduler   Successfully assigned office/busybox2 to 127.0.0.1
  Warning  FailedMount  8s (x6 over 23s)  kubelet, 127.0.0.1  MountVolume.SetUp failed for volume "token" : failed to fetch token: resource name may not be empty
```
We should refuse the projection request earlier. This patch fix this.


**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2018-08-08 07:46:17 -07:00 committed by GitHub
commit e38efdcce6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/apis/core/validation/validation.go
View File

@ -2913,6 +2913,20 @@ func ValidatePod(pod *core.Pod) field.ErrorList {
// this was done to preserve backwards compatibility // this was done to preserve backwards compatibility
specPath := field.NewPath("spec") specPath := field.NewPath("spec")
if pod.Spec.ServiceAccountName == "" {
for vi, volume := range pod.Spec.Volumes {
path := specPath.Child("volumes").Index(vi).Child("projected")
if volume.Projected != nil {
for si, source := range volume.Projected.Sources {
saPath := path.Child("sources").Index(si).Child("serviceAccountToken")
if source.ServiceAccountToken != nil {
allErrs = append(allErrs, field.Forbidden(saPath, "must not be specified when serviceAccountName is not set"))
}
}
}
}
}
allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.Containers, specPath.Child("containers"))...) allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.Containers, specPath.Child("containers"))...)
allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.InitContainers, specPath.Child("initContainers"))...) allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.InitContainers, specPath.Child("initContainers"))...)

29
pkg/apis/core/validation/validation_test.go
View File

@ -7670,6 +7670,35 @@ func TestValidatePod(t *testing.T) {
}, },
}, },
}, },
"serviceaccount token projected volume with no serviceaccount name specified": {
expectedError: "must not be specified when serviceAccountName is not set",
spec: core.Pod{
ObjectMeta: metav1.ObjectMeta{Name: "123", Namespace: "ns"},
Spec: core.PodSpec{
Containers: []core.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
RestartPolicy: core.RestartPolicyAlways,
DNSPolicy: core.DNSClusterFirst,
Volumes: []core.Volume{
{
Name: "projected-volume",
VolumeSource: core.VolumeSource{
Projected: &core.ProjectedVolumeSource{
Sources: []core.VolumeProjection{
{
ServiceAccountToken: &core.ServiceAccountTokenProjection{
Audience: "foo-audience",
ExpirationSeconds: 6000,
Path: "foo-path",
},
},
},
},
},
},
},
},
},
},
} }
for k, v := range errorCases { for k, v := range errorCases {
if errs := ValidatePod(&v.spec); len(errs) == 0 { if errs := ValidatePod(&v.spec); len(errs) == 0 {