return err directly when nodename is not consistent in cert

This commit is contained in:
xufei 00416946 2020-07-23 23:02:37 +08:00
parent d5f76a9c6f
commit f787db2508
2 changed files with 6 additions and 4 deletions

View File

@ -390,6 +390,11 @@ func (p *Plugin) admitPVCStatus(nodeName string, a admission.Attributes) error {
func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
requestedName := a.GetName()
if requestedName != nodeName {
return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify node %q", nodeName, requestedName))
}
if a.GetOperation() == admission.Create {
node, ok := a.GetObject().(*api.Node)
if !ok {
@ -409,9 +414,6 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to set the following labels: %s", nodeName, strings.Join(forbiddenLabels.List(), ", ")))
}
}
if requestedName != nodeName {
return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify node %q", nodeName, requestedName))
}
if a.GetOperation() == admission.Update {
node, ok := a.GetObject().(*api.Node)

View File

@ -920,7 +920,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
{
name: "forbid create of my node with forbidden labels",
podsGetter: noExistingPods,
attributes: admission.NewAttributesRecord(setForbiddenCreateLabels(mynodeObj, ""), nil, nodeKind, mynodeObj.Namespace, "", nodeResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
attributes: admission.NewAttributesRecord(setForbiddenCreateLabels(mynodeObj, ""), nil, nodeKind, mynodeObj.Namespace, "mynode", nodeResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
err: `is not allowed to set the following labels: foo.node-restriction.kubernetes.io/foo, node-restriction.kubernetes.io/foo, other.k8s.io/foo, other.kubernetes.io/foo`,
},
{