Modify podpreset lister to use correct namespace

Previously a pod with an empty namespace field submitted to a given namespace was incorrectly matching preset labels in a different namespace.
2017-07-18 10:46:45 -04:00 · 2017-07-18 10:46:45 -04:00 · 74463e5e66
parent 4103f40fc2
commit 74463e5e66
2 changed files with 69 additions and 1 deletions
--- a/plugin/pkg/admission/podpreset/admission.go
+++ b/plugin/pkg/admission/podpreset/admission.go
@ -103,7 +103,7 @@ func (c *podPresetPlugin) Admit(a admission.Attributes) error {
 		return nil
 	}

-	list, err := c.lister.PodPresets(pod.GetNamespace()).List(labels.Everything())
+	list, err := c.lister.PodPresets(a.GetNamespace()).List(labels.Everything())

 	// Ignore if exclusion annotation is present
 	if podAnnotations := pod.GetAnnotations(); podAnnotations != nil {
--- a/plugin/pkg/admission/podpreset/admission_test.go
+++ b/plugin/pkg/admission/podpreset/admission_test.go
@ -695,6 +695,74 @@ func TestExclusionNoAdmit(t *testing.T) {
 	}
 }

+func TestAdmitEmptyPodNamespace(t *testing.T) {
+	containerName := "container"
+
+	pod := &api.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "mypod",
+			Labels: map[string]string{
+				"security": "S2",
+			},
+		},
+		Spec: api.PodSpec{
+			Containers: []api.Container{
+				{
+					Name: containerName,
+					Env:  []api.EnvVar{{Name: "abc", Value: "value2"}, {Name: "ABCD", Value: "value3"}},
+				},
+			},
+		},
+	}
+
+	pip := &settings.PodPreset{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      "hello",
+			Namespace: "different", // (pod will be submitted to namespace 'namespace')
+		},
+		Spec: settings.PodPresetSpec{
+			Selector: v1.LabelSelector{
+				MatchExpressions: []v1.LabelSelectorRequirement{
+					{
+						Key:      "security",
+						Operator: v1.LabelSelectorOpIn,
+						Values:   []string{"S2"},
+					},
+				},
+			},
+			Volumes: []api.Volume{{Name: "vol", VolumeSource: api.VolumeSource{EmptyDir: &api.EmptyDirVolumeSource{}}}},
+			Env:     []api.EnvVar{{Name: "abcd", Value: "value"}, {Name: "ABC", Value: "value"}},
+			EnvFrom: []api.EnvFromSource{
+				{
+					ConfigMapRef: &api.ConfigMapEnvSource{
+						LocalObjectReference: api.LocalObjectReference{Name: "abc"},
+					},
+				},
+				{
+					Prefix: "pre_",
+					ConfigMapRef: &api.ConfigMapEnvSource{
+						LocalObjectReference: api.LocalObjectReference{Name: "abc"},
+					},
+				},
+			},
+		},
+	}
+	originalPod, err := api.Scheme.Copy(pod)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = admitPod(pod, pip)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// verify PodSpec has not been mutated
+	if !reflect.DeepEqual(pod, originalPod) {
+		t.Fatalf("Expected pod spec of '%v' to be unchanged", pod.Name)
+	}
+}
+
 func admitPod(pod *api.Pod, pip *settings.PodPreset) error {
 	informerFactory := informers.NewSharedInformerFactory(nil, controller.NoResyncPeriodFunc())
 	store := informerFactory.Settings().InternalVersion().PodPresets().Informer().GetStore()