Merge pull request #88794 from MikeSpreitzer/full-nru-match

Generalized NonResourcePolicyRule.NonResourceURLs impl
2025-07-25 20:53:33 +00:00 · 2020-03-05 20:04:47 -08:00 · 2020-03-05 20:04:47 -08:00 · fa78f6b1a0
commit fa78f6b1a0
parent 50dd75f9c5 2e97d3c873
2 changed files with 24 additions and 5 deletions
--- a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/gen_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/gen_test.go
@ -588,10 +588,14 @@ func genNRRIs(rng *rand.Rand, m int, verbs, urls []string) []*request.RequestInf
 	coords := chooseInts(rng, nv*nu, m)
 	ans := make([]*request.RequestInfo, 0, m)
 	for _, coord := range coords {
-		ans = append(ans, &request.RequestInfo{
+		ri := &request.RequestInfo{
 			IsResourceRequest: false,
 			Verb:              verbs[coord%nv],
-			Path:              urls[coord/nv]})
+			Path:              urls[coord/nv]}
 		if rng.Intn(2) == 1 {
 			ri.Path = ri.Path + "/more"
 		}
 		ans = append(ans, ri)
 	}
 	return ans
 }
@ -614,14 +618,14 @@ func chooseInts(rng *rand.Rand, n, m int) []int {
 func genNonResourceRule(rng *rand.Rand, pfx string, matchAllNonResources, someMatchesAllNonResources bool) (fcv1a1.NonResourcePolicyRule, []*request.RequestInfo, []*request.RequestInfo) {
 	nrr := fcv1a1.NonResourcePolicyRule{
 		Verbs:           []string{pfx + "-v1", pfx + "-v2", pfx + "-v3"},
-		NonResourceURLs: []string{"/" + pfx + "/p1", "/" + pfx + "/p2", "/" + pfx + "/p3"},
+		NonResourceURLs: []string{"/" + pfx + "/g/p1", "/" + pfx + "/g/p2", "/" + pfx + "/g/p3"},
 	}
 	matchingRIs := genNRRIs(rng, 3, nrr.Verbs, nrr.NonResourceURLs)
 	var skippingRIs []*request.RequestInfo
 	if !someMatchesAllNonResources {
 		skippingRIs = genNRRIs(rng, 3,
 			[]string{pfx + "-v4", pfx + "-v5", pfx + "-v6"},
-			[]string{"/" + pfx + "/p4", "/" + pfx + "/p5", "/" + pfx + "/p6"})
+			[]string{"/" + pfx + "/b/p1", "/" + pfx + "/b/p2", "/" + pfx + "/b/p3"})
 	}
 	// choose a proper subset of fields to consider wildcarding; only matters if not matching all
 	starMask := rng.Intn(3)
@ -630,6 +634,9 @@ func genNonResourceRule(rng *rand.Rand, pfx string, matchAllNonResources, someMa
 	}
 	if matchAllNonResources || starMask&2 == 2 && rng.Float32() < 0.1 {
 		nrr.NonResourceURLs = []string{"*"}
 	} else {
 		nrr.NonResourceURLs[rng.Intn(3)] = "/" + pfx + "/g/*"
 		nrr.NonResourceURLs[rng.Intn(3)] = "/" + pfx + "/g"
 	}
 	return nrr, matchingRIs, skippingRIs
 }
--- a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/rule.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/rule.go
@ -153,7 +153,19 @@ func matchPolicyRuleVerb(policyRuleVerbs []string, requestVerb string) bool {
 }
 func matchPolicyRuleNonResourceURL(policyRuleRequestURLs []string, requestPath string) bool {
-	return containsString(requestPath, policyRuleRequestURLs, fctypesv1a1.NonResourceAll)
+	for _, rulePath := range policyRuleRequestURLs {
 		if rulePath == fctypesv1a1.NonResourceAll || rulePath == requestPath {
 			return true
 		}
 		rulePrefix := strings.TrimSuffix(rulePath, "*")
 		if !strings.HasSuffix(rulePrefix, "/") {
 			rulePrefix = rulePrefix + "/"
 		}
 		if strings.HasPrefix(requestPath, rulePrefix) {
 			return true
 		}
 	}
 	return false
 }
 func matchPolicyRuleAPIGroup(policyRuleAPIGroups []string, requestAPIGroup string) bool {