Check live pod on cache miss before forbidding node deletion

2017-06-05 11:19:20 -04:00 · 2017-06-05 11:19:20 -04:00 · 2106a2bbe5
parent 07f85565a2
commit 2106a2bbe5
2 changed files with 7 additions and 1 deletions
--- a/plugin/pkg/admission/noderestriction/BUILD
+++ b/plugin/pkg/admission/noderestriction/BUILD
@ -19,6 +19,7 @@ go_library(
        "//pkg/client/clientset_generated/internalclientset:go_default_library",
        "//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
        "//pkg/kubeapiserver/admission:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
    ],
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"io"

+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/kubernetes/pkg/api"
@ -155,8 +156,12 @@ func (c *nodePlugin) admitPod(nodeName string, a admission.Attributes) error {
 		return nil

 	case admission.Delete:
-		// get the existing pod
+		// get the existing pod from the server cache
 		existingPod, err := c.podsGetter.Pods(a.GetNamespace()).Get(a.GetName(), v1.GetOptions{ResourceVersion: "0"})
+		if errors.IsNotFound(err) {
+			// wasn't found in the server cache, do a live lookup before forbidding
+			existingPod, err = c.podsGetter.Pods(a.GetNamespace()).Get(a.GetName(), v1.GetOptions{})
+		}
 		if err != nil {
 			return admission.NewForbidden(a, err)
 		}