Merge pull request #45958 from k82cn/k8s_45925

Automatic merge from submit-queue (batch tested with PRs 45346, 45903, 45958, 46042, 45975) Ignored mirror pods in PodPreset admission plugin **What this PR does / why we need it**: Ignored mirror pods in PodPreset admission plugin. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #45925 **Release note**: ```release-note Ignored mirror pods in PodPreset admission plugin. ```
2017-05-19 22:29:33 -07:00 · 2017-05-19 22:29:33 -07:00 · 46a38b0e2f
parent 113cf85612 9862cdb4c5
commit 46a38b0e2f
2 changed files with 72 additions and 0 deletions
--- a/plugin/pkg/admission/podpreset/admission.go
+++ b/plugin/pkg/admission/podpreset/admission.go
@ -102,6 +102,11 @@ func (c *podPresetPlugin) Admit(a admission.Attributes) error {
 	if !ok {
 		return errors.NewBadRequest("Resource was marked with kind Pod but was unable to be converted")
 	}
+
+	if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; isMirrorPod {
+		return nil
+	}
+
 	list, err := c.lister.PodPresets(pod.GetNamespace()).List(labels.Everything())
 	if err != nil {
 		return fmt.Errorf("listing pod presets failed: %v", err)
--- a/plugin/pkg/admission/podpreset/admission_test.go
+++ b/plugin/pkg/admission/podpreset/admission_test.go
@ -556,6 +556,73 @@ func TestAdmit(t *testing.T) {
 	}
 }

+func TestAdmitMirrorPod(t *testing.T) {
+	containerName := "container"
+
+	mirrorPod := &api.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "mypod",
+			Namespace: "namespace",
+			Labels: map[string]string{
+				"security": "S2",
+			},
+			Annotations: map[string]string{api.MirrorPodAnnotationKey: "mirror"},
+		},
+		Spec: api.PodSpec{
+			Containers: []api.Container{
+				{
+					Name: containerName,
+				},
+			},
+		},
+	}
+
+	pip := &settings.PodPreset{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      "hello",
+			Namespace: "namespace",
+		},
+		Spec: settings.PodPresetSpec{
+			Selector: v1.LabelSelector{
+				MatchExpressions: []v1.LabelSelectorRequirement{
+					{
+						Key:      "security",
+						Operator: v1.LabelSelectorOpIn,
+						Values:   []string{"S2"},
+					},
+				},
+			},
+			Volumes: []api.Volume{{Name: "vol", VolumeSource: api.VolumeSource{EmptyDir: &api.EmptyDirVolumeSource{}}}},
+			Env:     []api.EnvVar{{Name: "abcd", Value: "value"}, {Name: "ABC", Value: "value"}},
+			EnvFrom: []api.EnvFromSource{
+				{
+					ConfigMapRef: &api.ConfigMapEnvSource{
+						LocalObjectReference: api.LocalObjectReference{Name: "abc"},
+					},
+				},
+				{
+					Prefix: "pre_",
+					ConfigMapRef: &api.ConfigMapEnvSource{
+						LocalObjectReference: api.LocalObjectReference{Name: "abc"},
+					},
+				},
+			},
+		},
+	}
+
+	if err := admitPod(mirrorPod, pip); err != nil {
+		t.Fatal(err)
+	}
+
+	container := mirrorPod.Spec.Containers[0]
+	if len(mirrorPod.Spec.Volumes) != 0 ||
+		len(container.VolumeMounts) != 0 ||
+		len(container.Env) != 0 ||
+		len(container.EnvFrom) != 0 {
+		t.Fatalf("mirror pod is updated by PodPreset admission:\n\tVolumes got %d, expected 0\n\tVolumeMounts go %d, expected 0\n\tEnv got, %d expected 0\n\tEnvFrom got %d, expected 0", len(mirrorPod.Spec.Volumes), len(container.VolumeMounts), len(container.Env), len(container.EnvFrom))
+	}
+}
+
 func admitPod(pod *api.Pod, pip *settings.PodPreset) error {
 	informerFactory := informers.NewSharedInformerFactory(nil, controller.NoResyncPeriodFunc())
 	store := informerFactory.Settings().InternalVersion().PodPresets().Informer().GetStore()