Make NodeRestriction admission require identifiable nodes

2025-07-28 05:57:25 +00:00 · 2017-05-27 02:33:53 -04:00 · 2017-05-27 02:33:53 -04:00 · fed30040c9
commit fed30040c9
parent d278a80a67
2 changed files with 7 additions and 14 deletions
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package node
+package noderestriction
 import (
 	"fmt"
@ -37,24 +37,22 @@ const (
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
-		return NewPlugin(nodeidentifier.NewDefaultNodeIdentifier(), false), nil
+		return NewPlugin(nodeidentifier.NewDefaultNodeIdentifier()), nil
 	})
 }
 // NewPlugin creates a new NodeRestriction admission plugin.
 // This plugin identifies requests from nodes
-func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier, strict bool) *nodePlugin {
+func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier) *nodePlugin {
 	return &nodePlugin{
 		Handler:        admission.NewHandler(admission.Create, admission.Update, admission.Delete),
 		nodeIdentifier: nodeIdentifier,
 		strict:         strict,
 	}
 }
 // nodePlugin holds state for and implements the admission plugin.
 type nodePlugin struct {
 	*admission.Handler
 	strict         bool
 	nodeIdentifier nodeidentifier.NodeIdentifier
 	podsGetter     coreinternalversion.PodsGetter
 }
@ -92,12 +90,8 @@ func (c *nodePlugin) Admit(a admission.Attributes) error {
 	}
 	if len(nodeName) == 0 {
-		if c.strict {
+		// disallow requests we cannot match to a particular node
-			// In strict mode, disallow requests from nodes we cannot match to a particular node
+		return admission.NewForbidden(a, fmt.Errorf("could not determine node from user %s", a.GetUserInfo().GetName()))
 			return admission.NewForbidden(a, fmt.Errorf("could not determine node identity from user"))
 		}
 		// Our job is just to restrict identifiable nodes
 		return nil
 	}
 	switch a.GetResource().GroupResource() {
--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package node
+package noderestriction
 import (
 	"strings"
@ -82,7 +82,6 @@ func Test_nodePlugin_Admit(t *testing.T) {
 	tests := []struct {
 		name       string
 		strict     bool
 		podsGetter coreinternalversion.PodsGetter
 		attributes admission.Attributes
 		err        string
@ -473,7 +472,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c := NewPlugin(nodeidentifier.NewDefaultNodeIdentifier(), tt.strict)
+			c := NewPlugin(nodeidentifier.NewDefaultNodeIdentifier())
 			c.podsGetter = tt.podsGetter
 			err := c.Admit(tt.attributes)
 			if (err == nil) != (len(tt.err) == 0) {