Make NodeRestriction admission require identifiable nodes
parent
d278a80a67
commit
fed30040c9
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
|||
limitations under the License.
|
||||
*/
|
||||
|
||||
package node
|
||||
package noderestriction
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
@ -37,24 +37,22 @@ const (
|
|||
// Register registers a plugin
|
||||
func Register(plugins *admission.Plugins) {
|
||||
plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
|
||||
return NewPlugin(nodeidentifier.NewDefaultNodeIdentifier(), false), nil
|
||||
return NewPlugin(nodeidentifier.NewDefaultNodeIdentifier()), nil
|
||||
})
|
||||
}
|
||||
|
||||
// NewPlugin creates a new NodeRestriction admission plugin.
|
||||
// This plugin identifies requests from nodes
|
||||
func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier, strict bool) *nodePlugin {
|
||||
func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier) *nodePlugin {
|
||||
return &nodePlugin{
|
||||
Handler: admission.NewHandler(admission.Create, admission.Update, admission.Delete),
|
||||
nodeIdentifier: nodeIdentifier,
|
||||
strict: strict,
|
||||
}
|
||||
}
|
||||
|
||||
// nodePlugin holds state for and implements the admission plugin.
|
||||
type nodePlugin struct {
|
||||
*admission.Handler
|
||||
strict bool
|
||||
nodeIdentifier nodeidentifier.NodeIdentifier
|
||||
podsGetter coreinternalversion.PodsGetter
|
||||
}
|
||||
|
@ -92,12 +90,8 @@ func (c *nodePlugin) Admit(a admission.Attributes) error {
|
|||
}
|
||||
|
||||
if len(nodeName) == 0 {
|
||||
if c.strict {
|
||||
// In strict mode, disallow requests from nodes we cannot match to a particular node
|
||||
return admission.NewForbidden(a, fmt.Errorf("could not determine node identity from user"))
|
||||
}
|
||||
// Our job is just to restrict identifiable nodes
|
||||
return nil
|
||||
// disallow requests we cannot match to a particular node
|
||||
return admission.NewForbidden(a, fmt.Errorf("could not determine node from user %s", a.GetUserInfo().GetName()))
|
||||
}
|
||||
|
||||
switch a.GetResource().GroupResource() {
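Review bot: The forbidden error on the new return line interpolates the caller's username with `%s`, so an empty name or one containing spaces is ambiguous in the message returned to the client and recorded in the audit log; `%q` renders it unambiguously: `return admission.NewForbidden(a, fmt.Errorf("could not determine node from user %q", a.GetUserInfo().GetName()))`. With the `strict` flag gone, the pass-through for unidentifiable callers is gone too, so the NewPlugin doc comment in the earlier hunk ("This plugin identifies requests from nodes") should also say that requests which cannot be attributed to a node are now rejected. Admit's body begins and continues outside this hunk.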
|
||||
|
|
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
|||
limitations under the License.
|
||||
*/
|
||||
|
||||
package node
|
||||
package noderestriction
|
||||
|
||||
import (
|
||||
"strings"
|
||||
|
@ -82,7 +82,6 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||
|
||||
tests := []struct {
|
||||
name string
|
||||
strict bool
|
||||
podsGetter coreinternalversion.PodsGetter
|
||||
attributes admission.Attributes
|
||||
err string
|
||||
|
@ -473,7 +472,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
c := NewPlugin(nodeidentifier.NewDefaultNodeIdentifier(), tt.strict)
|
||||
c := NewPlugin(nodeidentifier.NewDefaultNodeIdentifier())
|
||||
c.podsGetter = tt.podsGetter
|
||||
err := c.Admit(tt.attributes)
|
||||
if (err == nil) != (len(tt.err) == 0) {
|
||||
|
|