Disallow PriorityClass names with 'system-' prefix for user defined priority classes

pull/6/head
Bobby (Babak) Salamat 2018-02-05 16:57:32 -08:00
parent f821a54d39
commit 1016d2d16a
2 changed files with 22 additions and 0 deletions


@ -19,6 +19,7 @@ package admission
import (
"fmt"
"io"
"strings"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
@ -41,6 +42,9 @@ const (
HighestUserDefinablePriority = 1000000000
// SystemCriticalPriority is the beginning of the range of priority values for critical system components.
SystemCriticalPriority = 2 * HighestUserDefinablePriority
// SystemPriorityClassPrefix is the prefix reserved for system priority class names. Other priority
// classes are not allowed to start with this prefix.
SystemPriorityClassPrefix = "system-"
)
// SystemPriorityClasses defines special priority classes which are used by system critical pods that should not be preempted by workload pods.
@ -203,6 +207,9 @@ func (p *PriorityPlugin) validatePriorityClass(a admission.Attributes) error {
if pc.Value > HighestUserDefinablePriority {
return admission.NewForbidden(a, fmt.Errorf("maximum allowed value of a user defined priority is %v", HighestUserDefinablePriority))
}
if strings.HasPrefix(pc.Name, SystemPriorityClassPrefix) {
return admission.NewForbidden(a, fmt.Errorf("priority class names with '%v' prefix are reserved for system use only: %v", SystemPriorityClassPrefix, pc.Name))
}
if _, ok := SystemPriorityClasses[pc.Name]; ok {
return admission.NewForbidden(a, fmt.Errorf("the name of the priority class is a reserved name for system use only: %v", pc.Name))
}
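Review bot: The new `strings.HasPrefix(pc.Name, SystemPriorityClassPrefix)` check in validatePriorityClass only covers requests that reach this admission plugin, while the comment on `SystemPriorityClassPrefix` reads as if the prefix were reserved unconditionally. A PriorityClass stored under a 'system-' name before this check existed, or while the plugin is disabled, would presumably keep that name, so I would state the scope in the constant's comment, e.g. `// Enforced at admission time only; objects that already exist are not re-validated.` The prefix check also runs before the `SystemPriorityClasses` lookup, so if the reserved names all begin with 'system-' (the map's contents are not in this hunk) that lookup and its distinct error message are no longer reached for them. The function body starts and ends outside the hunk, so any earlier gating on operation type or requester is not visible here.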


@ -127,6 +127,21 @@ func TestPriorityClassAdmission(t *testing.T) {
systemClass,
true,
},
{
"forbidden system name prefix",
[]*scheduling.PriorityClass{},
&scheduling.PriorityClass{
TypeMeta: metav1.TypeMeta{
Kind: "PriorityClass",
},
ObjectMeta: metav1.ObjectMeta{
Name: "system-something",
},
Value: 5,
Description: "Name with 'system-' prefix is reserved for system use",
},
true,
},
}
for _, test := range tests {
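Review bot: The added table entry "forbidden system name prefix" exercises only the rejecting path, so nothing pins that the rule is a prefix match rather than a substring match. A companion case whose name merely contains the string (a constructed example such as `Name: "my-system-class"`) with the expected-error flag `false` would catch a later change from `HasPrefix` to a broader match that starts rejecting legitimate user names. The test function and its loop body continue outside the hunk, so an existing case of that kind may already be present in the unseen part of the table.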