github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

PodTolerationRestriction: Mention Whitelist Scope in Error

Browse Source 
Currently it's not clear if the issue came from the namespace whitelist
of if the namespace whitelist was not applied at all (i.e. via a misspelled
annotation). This makes the error more explicit if the pod tolerations
caused a conflict with cluster-level or namespace-level whitelist.

Signed-off-by: Manuel Rüger <manuel@rueg.eu>
This commit is contained in:
Manuel Rüger 2020-01-27 22:29:32 +01:00
parent 919871e86a
commit eb6c716927
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
plugin/pkg/admission/podtolerationrestriction/admission.go
View File

@ -127,6 +127,7 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
pod := a.GetObject().(*api.Pod) pod := a.GetObject().(*api.Pod)
if len(pod.Spec.Tolerations) > 0 { if len(pod.Spec.Tolerations) > 0 {
whitelist, err := p.getNamespaceTolerationsWhitelist(a.GetNamespace()) whitelist, err := p.getNamespaceTolerationsWhitelist(a.GetNamespace())
whitelistScope := "namespace"
if err != nil { if err != nil {
return err return err
} }
@ -135,12 +136,13 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
// fall back to cluster's whitelist of tolerations. // fall back to cluster's whitelist of tolerations.
if whitelist == nil { if whitelist == nil {
whitelist = p.pluginConfig.Whitelist whitelist = p.pluginConfig.Whitelist
whitelistScope = "cluster"
} }
if len(whitelist) > 0 { if len(whitelist) > 0 {
// check if the merged pod tolerations satisfy its namespace whitelist // check if the merged pod tolerations satisfy its namespace whitelist
if !tolerations.VerifyAgainstWhitelist(pod.Spec.Tolerations, whitelist) { if !tolerations.VerifyAgainstWhitelist(pod.Spec.Tolerations, whitelist) {
return fmt.Errorf("pod tolerations (possibly merged with namespace default tolerations) conflict with its namespace whitelist") return fmt.Errorf("pod tolerations (possibly merged with namespace default tolerations) conflict with its %s whitelist", whitelistScope)
} }
} }
} }