Create helpers for iterating containers in a pod

2025-09-26 12:46:06 +00:00 · 2019-06-14 15:20:16 +00:00
parent 4683054ff6
commit ee821e2a04
15 changed files with 467 additions and 271 deletions
--- a/plugin/pkg/admission/alwayspullimages/admission.go
+++ b/plugin/pkg/admission/alwayspullimages/admission.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/admission"
 	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/apis/core/pods"
 )

 // PluginName indicates name of admission plugin.
@@ -63,13 +64,9 @@ func (a *AlwaysPullImages) Admit(attributes admission.Attributes, o admission.Ob
 		return apierrors.NewBadRequest("Resource was marked with kind Pod but was unable to be converted")
 	}

-	for i := range pod.Spec.InitContainers {
-		pod.Spec.InitContainers[i].ImagePullPolicy = api.PullAlways
-	}
-
-	for i := range pod.Spec.Containers {
-		pod.Spec.Containers[i].ImagePullPolicy = api.PullAlways
-	}
+	pods.VisitContainersWithPath(&pod.Spec, func(c *api.Container, _ *field.Path) {
+		c.ImagePullPolicy = api.PullAlways
+	})

 	return nil
 }
@@ -85,23 +82,17 @@ func (*AlwaysPullImages) Validate(attributes admission.Attributes, o admission.O
 		return apierrors.NewBadRequest("Resource was marked with kind Pod but was unable to be converted")
 	}

-	for i := range pod.Spec.InitContainers {
-		if pod.Spec.InitContainers[i].ImagePullPolicy != api.PullAlways {
-			return admission.NewForbidden(attributes,
-				field.NotSupported(field.NewPath("spec", "initContainers").Index(i).Child("imagePullPolicy"),
-					pod.Spec.InitContainers[i].ImagePullPolicy, []string{string(api.PullAlways)},
-				),
-			)
-		}
-	}
-	for i := range pod.Spec.Containers {
-		if pod.Spec.Containers[i].ImagePullPolicy != api.PullAlways {
-			return admission.NewForbidden(attributes,
-				field.NotSupported(field.NewPath("spec", "containers").Index(i).Child("imagePullPolicy"),
-					pod.Spec.Containers[i].ImagePullPolicy, []string{string(api.PullAlways)},
-				),
-			)
+	var allErrs []error
+	pods.VisitContainersWithPath(&pod.Spec, func(c *api.Container, p *field.Path) {
+		if c.ImagePullPolicy != api.PullAlways {
+			allErrs = append(allErrs, admission.NewForbidden(attributes,
+				field.NotSupported(p.Child("imagePullPolicy"), c.ImagePullPolicy, []string{string(api.PullAlways)}),
+			))
 		}
+	})
+	if len(allErrs) > 0 {
+		// TODO: consider using utilerrors.NewAggregate(allErrs)
+		return allErrs[0]
 	}

 	return nil
--- a/plugin/pkg/admission/exec/admission.go
+++ b/plugin/pkg/admission/exec/admission.go
@@ -26,6 +26,7 @@ import (
 	genericadmissioninitializer "k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/klog"
+	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 )

 const (
@@ -146,21 +147,16 @@ func (d *DenyExec) Validate(a admission.Attributes, o admission.ObjectInterfaces

 // isPrivileged will return true a pod has any privileged containers
 func isPrivileged(pod *corev1.Pod) bool {
-	for _, c := range pod.Spec.InitContainers {
+	var privileged bool
+	podutil.VisitContainers(&pod.Spec, func(c *corev1.Container) bool {
 		if c.SecurityContext == nil || c.SecurityContext.Privileged == nil {
-			continue
-		}
-		if *c.SecurityContext.Privileged {
 			return true
 		}
-	}
-	for _, c := range pod.Spec.Containers {
-		if c.SecurityContext == nil || c.SecurityContext.Privileged == nil {
-			continue
-		}
 		if *c.SecurityContext.Privileged {
-			return true
+			privileged = true
+			return false
 		}
-	}
-	return false
+		return true
+	})
+	return privileged
 }
--- a/plugin/pkg/admission/podpreset/admission.go
+++ b/plugin/pkg/admission/podpreset/admission.go
@@ -29,12 +29,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/admission"
 	genericadmissioninitializer "k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	settingsv1alpha1listers "k8s.io/client-go/listers/settings/v1alpha1"
 	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/apis/core/pods"
 	apiscorev1 "k8s.io/kubernetes/pkg/apis/core/v1"
 )

@@ -183,16 +185,11 @@ func safeToApplyPodPresetsOnPod(pod *api.Pod, podPresets []*settingsv1alpha1.Pod
 	if _, err := mergeVolumes(pod.Spec.Volumes, podPresets); err != nil {
 		errs = append(errs, err)
 	}
-	for _, ctr := range pod.Spec.Containers {
-		if err := safeToApplyPodPresetsOnContainer(&ctr, podPresets); err != nil {
+	pods.VisitContainersWithPath(&pod.Spec, func(c *api.Container, _ *field.Path) {
+		if err := safeToApplyPodPresetsOnContainer(c, podPresets); err != nil {
 			errs = append(errs, err)
 		}
-	}
-	for _, iCtr := range pod.Spec.InitContainers {
-		if err := safeToApplyPodPresetsOnContainer(&iCtr, podPresets); err != nil {
-			errs = append(errs, err)
-		}
-	}
+	})

 	return utilerrors.NewAggregate(errs)
 }