Merge pull request #66698 from WanLinghao/token_projected_improve
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. refuse serviceaccount projection volume request when pod has no serviceaccount bound **What this PR does / why we need it**: Currently, if a user starts a cluster with the ServiceAccount admission plugin disabled, then creates a Pod like this: ``` kind: Pod apiVersion: v1 metadata: labels: run: nginx name: busybox2 spec: containers: - image: gcr.io/google-containers/nginx name: nginx volumeMounts: - mountPath: /var/run/secrets/tokens name: token - image: ubuntu name: ttt volumeMounts: - mountPath: /var/run/secrets/tokens name: token command: [ "/bin/bash", "-c", "--" ] args: [ "while true; do sleep 30; done;" ] volumes: - name: token projected: sources: - serviceAccountToken: path: tokenPath expirationSeconds: 6000 audience: gakki-audiences ``` The pod creation will fail with an error like: Events: ``` Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 23s default-scheduler Successfully assigned office/busybox2 to 127.0.0.1 Warning FailedMount 8s (x6 over 23s) kubelet, 127.0.0.1 MountVolume.SetUp failed for volume "token" : failed to fetch token: resource name may not be empty ``` We should refuse the projection request earlier. This patch fixes this. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
commit
e38efdcce6
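--- a/<path not on page: file defining ValidatePod>
+++ b/<path not on page: file defining ValidatePod>
@@ -2913,6 +2913,20 @@ func ValidatePod(pod *core.Pod) field.ErrorList {
 	// this was done to preserve backwards compatibility
 	specPath := field.NewPath("spec")
 
+	if pod.Spec.ServiceAccountName == "" {
+		for vi, volume := range pod.Spec.Volumes {
+			path := specPath.Child("volumes").Index(vi).Child("projected")
+			if volume.Projected != nil {
+				for si, source := range volume.Projected.Sources {
+					saPath := path.Child("sources").Index(si).Child("serviceAccountToken")
+					if source.ServiceAccountToken != nil {
+						allErrs = append(allErrs, field.Forbidden(saPath, "must not be specified when serviceAccountName is not set"))
+					}
+				}
+			}
+		}
+	}
+
 	allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.Containers, specPath.Child("containers"))...)
 	allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.InitContainers, specPath.Child("initContainers"))...)
 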
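Review bot: The new `if pod.Spec.ServiceAccountName == ""` block nests six levels deep and carries no comment saying why the source is forbidden, so a reader of ValidatePod has to recover the rationale from the PR description. I would add `// A projected serviceAccountToken source needs a service account to request the token for; reject it at validation time rather than letting the mount fail later.` above the check, and flatten the two loops with `continue` guards so the append is not buried (below). The rewrite produces the same field paths and the same Forbidden error, so behaviour is unchanged. ValidatePod's body starts and ends outside this hunk.
```go
	// A projected serviceAccountToken source needs a service account to request
	// the token for; reject it at validation time rather than letting the mount fail later.
	if pod.Spec.ServiceAccountName == "" {
		for vi, volume := range pod.Spec.Volumes {
			if volume.Projected == nil {
				continue
			}
			path := specPath.Child("volumes").Index(vi).Child("projected")
			for si, source := range volume.Projected.Sources {
				if source.ServiceAccountToken == nil {
					continue
				}
				saPath := path.Child("sources").Index(si).Child("serviceAccountToken")
				allErrs = append(allErrs, field.Forbidden(saPath, "must not be specified when serviceAccountName is not set"))
			}
		}
	}
	// … unchanged: validateContainersOnlyForPod calls …
```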
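--- a/<path not on page: file defining TestValidatePod>
+++ b/<path not on page: file defining TestValidatePod>
@@ -7670,6 +7670,35 @@ func TestValidatePod(t *testing.T) {
 				},
 			},
 		},
+		"serviceaccount token projected volume with no serviceaccount name specified": {
+			expectedError: "must not be specified when serviceAccountName is not set",
+			spec: core.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "123", Namespace: "ns"},
+				Spec: core.PodSpec{
+					Containers: []core.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
+					RestartPolicy: core.RestartPolicyAlways,
+					DNSPolicy: core.DNSClusterFirst,
+					Volumes: []core.Volume{
+						{
+							Name: "projected-volume",
+							VolumeSource: core.VolumeSource{
+								Projected: &core.ProjectedVolumeSource{
+									Sources: []core.VolumeProjection{
+										{
+											ServiceAccountToken: &core.ServiceAccountTokenProjection{
+												Audience: "foo-audience",
+												ExpirationSeconds: 6000,
+												Path: "foo-path",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for k, v := range errorCases {
 		if errs := ValidatePod(&v.spec); len(errs) == 0 {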
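Review bot: The added error case exercises only the rejection path; nothing in this hunk asserts that the same projected serviceAccountToken source is accepted once `ServiceAccountName` is set, so a regression that forbids the source unconditionally would still pass. Unless a success case elsewhere in TestValidatePod already covers it, I would add a matching entry to the success cases that copies this PodSpec and sets `ServiceAccountName` to a non-empty value (e.g. `ServiceAccountName: "sa"`, constructed). TestValidatePod's body starts and ends outside this hunk, so I cannot see how `expectedError` is matched against the returned errors.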