vendor files

vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/BUILD

@@ -0,0 +1,59 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "admission_failure_handler_stub.go",
+        "doc.go",
+        "fake_handler_runner.go",
+        "handlers.go",
+        "interfaces.go",
+        "predicate.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/kubelet/lifecycle",
+    deps = [
+        "//pkg/kubelet/container:go_default_library",
+        "//pkg/kubelet/types:go_default_library",
+        "//pkg/kubelet/util/format:go_default_library",
+        "//pkg/security/apparmor:go_default_library",
+        "//plugin/pkg/scheduler/algorithm:go_default_library",
+        "//plugin/pkg/scheduler/algorithm/predicates:go_default_library",
+        "//plugin/pkg/scheduler/schedulercache:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["handlers_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/kubelet/lifecycle",
+    library = ":go_default_library",
+    deps = [
+        "//pkg/kubelet/container:go_default_library",
+        "//pkg/kubelet/util/format:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/admission_failure_handler_stub.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lifecycle
+
+import (
+	"k8s.io/api/core/v1"
+	"k8s.io/kubernetes/plugin/pkg/scheduler/algorithm"
+)
+
+// AdmissionFailureHandlerStub is an AdmissionFailureHandler that does not perform any handling of admission failure.
+// It simply passes the failure on.
+type AdmissionFailureHandlerStub struct{}
+
+var _ AdmissionFailureHandler = &AdmissionFailureHandlerStub{}
+
+func NewAdmissionFailureHandlerStub() *AdmissionFailureHandlerStub {
+	return &AdmissionFailureHandlerStub{}
+}
+
+func (n *AdmissionFailureHandlerStub) HandleAdmissionFailure(pod *v1.Pod, failureReasons []algorithm.PredicateFailureReason) (bool, []algorithm.PredicateFailureReason, error) {
+	return false, failureReasons, nil
+}

vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Handlers for pod lifecycle events and interfaces to integrate
+// with kubelet admission, synchronization, and eviction of pods.
+package lifecycle // import "k8s.io/kubernetes/pkg/kubelet/lifecycle"

vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/fake_handler_runner.go

@@ -0,0 +1,62 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lifecycle
+
+import (
+	"fmt"
+	"sync"
+
+	"k8s.io/api/core/v1"
+	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/pkg/kubelet/util/format"
+)
+
+type FakeHandlerRunner struct {
+	sync.Mutex
+	HandlerRuns []string
+	Err         error
+}
+
+func NewFakeHandlerRunner() *FakeHandlerRunner {
+	return &FakeHandlerRunner{HandlerRuns: []string{}}
+}
+
+func (hr *FakeHandlerRunner) Run(containerID kubecontainer.ContainerID, pod *v1.Pod, container *v1.Container, handler *v1.Handler) (string, error) {
+	hr.Lock()
+	defer hr.Unlock()
+
+	if hr.Err != nil {
+		return "", hr.Err
+	}
+
+	switch {
+	case handler.Exec != nil:
+		hr.HandlerRuns = append(hr.HandlerRuns, fmt.Sprintf("exec on pod: %v, container: %v: %v", format.Pod(pod), container.Name, containerID.String()))
+	case handler.HTTPGet != nil:
+		hr.HandlerRuns = append(hr.HandlerRuns, fmt.Sprintf("http-get on pod: %v, container: %v: %v", format.Pod(pod), container.Name, containerID.String()))
+	case handler.TCPSocket != nil:
+		hr.HandlerRuns = append(hr.HandlerRuns, fmt.Sprintf("tcp-socket on pod: %v, container: %v: %v", format.Pod(pod), container.Name, containerID.String()))
+	default:
+		return "", fmt.Errorf("Invalid handler: %v", handler)
+	}
+	return "", nil
+}
+
+func (hr *FakeHandlerRunner) Reset() {
+	hr.HandlerRuns = []string{}
+	hr.Err = nil
+}

vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/handlers.go

@@ -0,0 +1,232 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lifecycle
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"strconv"
+
+	"github.com/golang/glog"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
+	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
+	"k8s.io/kubernetes/pkg/kubelet/util/format"
+	"k8s.io/kubernetes/pkg/security/apparmor"
+)
+
+type HandlerRunner struct {
+	httpGetter       kubetypes.HttpGetter
+	commandRunner    kubecontainer.ContainerCommandRunner
+	containerManager podStatusProvider
+}
+
+type podStatusProvider interface {
+	GetPodStatus(uid types.UID, name, namespace string) (*kubecontainer.PodStatus, error)
+}
+
+func NewHandlerRunner(httpGetter kubetypes.HttpGetter, commandRunner kubecontainer.ContainerCommandRunner, containerManager podStatusProvider) kubecontainer.HandlerRunner {
+	return &HandlerRunner{
+		httpGetter:       httpGetter,
+		commandRunner:    commandRunner,
+		containerManager: containerManager,
+	}
+}
+
+func (hr *HandlerRunner) Run(containerID kubecontainer.ContainerID, pod *v1.Pod, container *v1.Container, handler *v1.Handler) (string, error) {
+	switch {
+	case handler.Exec != nil:
+		var msg string
+		// TODO(tallclair): Pass a proper timeout value.
+		output, err := hr.commandRunner.RunInContainer(containerID, handler.Exec.Command, 0)
+		if err != nil {
+			msg = fmt.Sprintf("Exec lifecycle hook (%v) for Container %q in Pod %q failed - error: %v, message: %q", handler.Exec.Command, container.Name, format.Pod(pod), err, string(output))
+			glog.V(1).Infof(msg)
+		}
+		return msg, err
+	case handler.HTTPGet != nil:
+		msg, err := hr.runHTTPHandler(pod, container, handler)
+		if err != nil {
+			msg = fmt.Sprintf("Http lifecycle hook (%s) for Container %q in Pod %q failed - error: %v, message: %q", handler.HTTPGet.Path, container.Name, format.Pod(pod), err, msg)
+			glog.V(1).Infof(msg)
+		}
+		return msg, err
+	default:
+		err := fmt.Errorf("Invalid handler: %v", handler)
+		msg := fmt.Sprintf("Cannot run handler: %v", err)
+		glog.Errorf(msg)
+		return msg, err
+	}
+}
+
+// resolvePort attempts to turn an IntOrString port reference into a concrete port number.
+// If portReference has an int value, it is treated as a literal, and simply returns that value.
+// If portReference is a string, an attempt is first made to parse it as an integer.  If that fails,
+// an attempt is made to find a port with the same name in the container spec.
+// If a port with the same name is found, it's ContainerPort value is returned.  If no matching
+// port is found, an error is returned.
+func resolvePort(portReference intstr.IntOrString, container *v1.Container) (int, error) {
+	if portReference.Type == intstr.Int {
+		return portReference.IntValue(), nil
+	}
+	portName := portReference.StrVal
+	port, err := strconv.Atoi(portName)
+	if err == nil {
+		return port, nil
+	}
+	for _, portSpec := range container.Ports {
+		if portSpec.Name == portName {
+			return int(portSpec.ContainerPort), nil
+		}
+	}
+	return -1, fmt.Errorf("couldn't find port: %v in %v", portReference, container)
+}
+
+func (hr *HandlerRunner) runHTTPHandler(pod *v1.Pod, container *v1.Container, handler *v1.Handler) (string, error) {
+	host := handler.HTTPGet.Host
+	if len(host) == 0 {
+		status, err := hr.containerManager.GetPodStatus(pod.UID, pod.Name, pod.Namespace)
+		if err != nil {
+			glog.Errorf("Unable to get pod info, event handlers may be invalid.")
+			return "", err
+		}
+		if status.IP == "" {
+			return "", fmt.Errorf("failed to find networking container: %v", status)
+		}
+		host = status.IP
+	}
+	var port int
+	if handler.HTTPGet.Port.Type == intstr.String && len(handler.HTTPGet.Port.StrVal) == 0 {
+		port = 80
+	} else {
+		var err error
+		port, err = resolvePort(handler.HTTPGet.Port, container)
+		if err != nil {
+			return "", err
+		}
+	}
+	url := fmt.Sprintf("http://%s/%s", net.JoinHostPort(host, strconv.Itoa(port)), handler.HTTPGet.Path)
+	resp, err := hr.httpGetter.Get(url)
+	return getHttpRespBody(resp), err
+}
+
+func getHttpRespBody(resp *http.Response) string {
+	if resp == nil {
+		return ""
+	}
+	defer resp.Body.Close()
+	if bytes, err := ioutil.ReadAll(resp.Body); err == nil {
+		return string(bytes)
+	}
+	return ""
+}
+
+func NewAppArmorAdmitHandler(validator apparmor.Validator) PodAdmitHandler {
+	return &appArmorAdmitHandler{
+		Validator: validator,
+	}
+}
+
+type appArmorAdmitHandler struct {
+	apparmor.Validator
+}
+
+func (a *appArmorAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
+	// If the pod is already running or terminated, no need to recheck AppArmor.
+	if attrs.Pod.Status.Phase != v1.PodPending {
+		return PodAdmitResult{Admit: true}
+	}
+
+	err := a.Validate(attrs.Pod)
+	if err == nil {
+		return PodAdmitResult{Admit: true}
+	}
+	return PodAdmitResult{
+		Admit:   false,
+		Reason:  "AppArmor",
+		Message: fmt.Sprintf("Cannot enforce AppArmor: %v", err),
+	}
+}
+
+func NewNoNewPrivsAdmitHandler(runtime kubecontainer.Runtime) PodAdmitHandler {
+	return &noNewPrivsAdmitHandler{
+		Runtime: runtime,
+	}
+}
+
+type noNewPrivsAdmitHandler struct {
+	kubecontainer.Runtime
+}
+
+func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
+	// If the pod is already running or terminated, no need to recheck NoNewPrivs.
+	if attrs.Pod.Status.Phase != v1.PodPending {
+		return PodAdmitResult{Admit: true}
+	}
+
+	// If the containers in a pod do not require no-new-privs, admit it.
+	if !noNewPrivsRequired(attrs.Pod) {
+		return PodAdmitResult{Admit: true}
+	}
+
+	// Always admit runtimes except docker.
+	if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
+		return PodAdmitResult{Admit: true}
+	}
+
+	// Make sure docker api version is valid.
+	rversion, err := a.Runtime.APIVersion()
+	if err != nil {
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  "NoNewPrivs",
+			Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
+		}
+	}
+	v, err := rversion.Compare("1.23.0")
+	if err != nil {
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  "NoNewPrivs",
+			Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
+		}
+	}
+	// If the version is less than 1.23 it will return -1 above.
+	if v == -1 {
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  "NoNewPrivs",
+			Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
+		}
+	}
+
+	return PodAdmitResult{Admit: true}
+}
+
+func noNewPrivsRequired(pod *v1.Pod) bool {
+	// Iterate over pod containers and check if we added no-new-privs.
+	for _, c := range pod.Spec.Containers {
+		if c.SecurityContext != nil && c.SecurityContext.AllowPrivilegeEscalation != nil && !*c.SecurityContext.AllowPrivilegeEscalation {
+			return true
+		}
+	}
+	return false
+}

vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/handlers_test.go

@@ -0,0 +1,261 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lifecycle
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/pkg/kubelet/util/format"
+)
+
+func TestResolvePortInt(t *testing.T) {
+	expected := 80
+	port, err := resolvePort(intstr.FromInt(expected), &v1.Container{})
+	if port != expected {
+		t.Errorf("expected: %d, saw: %d", expected, port)
+	}
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+}
+
+func TestResolvePortString(t *testing.T) {
+	expected := 80
+	name := "foo"
+	container := &v1.Container{
+		Ports: []v1.ContainerPort{
+			{Name: name, ContainerPort: int32(expected)},
+		},
+	}
+	port, err := resolvePort(intstr.FromString(name), container)
+	if port != expected {
+		t.Errorf("expected: %d, saw: %d", expected, port)
+	}
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+}
+
+func TestResolvePortStringUnknown(t *testing.T) {
+	expected := int32(80)
+	name := "foo"
+	container := &v1.Container{
+		Ports: []v1.ContainerPort{
+			{Name: "bar", ContainerPort: expected},
+		},
+	}
+	port, err := resolvePort(intstr.FromString(name), container)
+	if port != -1 {
+		t.Errorf("expected: -1, saw: %d", port)
+	}
+	if err == nil {
+		t.Error("unexpected non-error")
+	}
+}
+
+type fakeContainerCommandRunner struct {
+	Cmd []string
+	ID  kubecontainer.ContainerID
+	Err error
+	Msg string
+}
+
+func (f *fakeContainerCommandRunner) RunInContainer(id kubecontainer.ContainerID, cmd []string, timeout time.Duration) ([]byte, error) {
+	f.Cmd = cmd
+	f.ID = id
+	return []byte(f.Msg), f.Err
+}
+
+func TestRunHandlerExec(t *testing.T) {
+	fakeCommandRunner := fakeContainerCommandRunner{}
+	handlerRunner := NewHandlerRunner(&fakeHTTP{}, &fakeCommandRunner, nil)
+
+	containerID := kubecontainer.ContainerID{Type: "test", ID: "abc1234"}
+	containerName := "containerFoo"
+
+	container := v1.Container{
+		Name: containerName,
+		Lifecycle: &v1.Lifecycle{
+			PostStart: &v1.Handler{
+				Exec: &v1.ExecAction{
+					Command: []string{"ls", "-a"},
+				},
+			},
+		},
+	}
+
+	pod := v1.Pod{}
+	pod.ObjectMeta.Name = "podFoo"
+	pod.ObjectMeta.Namespace = "nsFoo"
+	pod.Spec.Containers = []v1.Container{container}
+	_, err := handlerRunner.Run(containerID, &pod, &container, container.Lifecycle.PostStart)
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if fakeCommandRunner.ID != containerID ||
+		!reflect.DeepEqual(container.Lifecycle.PostStart.Exec.Command, fakeCommandRunner.Cmd) {
+		t.Errorf("unexpected commands: %v", fakeCommandRunner)
+	}
+}
+
+type fakeHTTP struct {
+	url  string
+	err  error
+	resp *http.Response
+}
+
+func (f *fakeHTTP) Get(url string) (*http.Response, error) {
+	f.url = url
+	return f.resp, f.err
+}
+
+func TestRunHandlerHttp(t *testing.T) {
+	fakeHttp := fakeHTTP{}
+	handlerRunner := NewHandlerRunner(&fakeHttp, &fakeContainerCommandRunner{}, nil)
+
+	containerID := kubecontainer.ContainerID{Type: "test", ID: "abc1234"}
+	containerName := "containerFoo"
+
+	container := v1.Container{
+		Name: containerName,
+		Lifecycle: &v1.Lifecycle{
+			PostStart: &v1.Handler{
+				HTTPGet: &v1.HTTPGetAction{
+					Host: "foo",
+					Port: intstr.FromInt(8080),
+					Path: "bar",
+				},
+			},
+		},
+	}
+	pod := v1.Pod{}
+	pod.ObjectMeta.Name = "podFoo"
+	pod.ObjectMeta.Namespace = "nsFoo"
+	pod.Spec.Containers = []v1.Container{container}
+	_, err := handlerRunner.Run(containerID, &pod, &container, container.Lifecycle.PostStart)
+
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if fakeHttp.url != "http://foo:8080/bar" {
+		t.Errorf("unexpected url: %s", fakeHttp.url)
+	}
+}
+
+func TestRunHandlerNil(t *testing.T) {
+	handlerRunner := NewHandlerRunner(&fakeHTTP{}, &fakeContainerCommandRunner{}, nil)
+	containerID := kubecontainer.ContainerID{Type: "test", ID: "abc1234"}
+	podName := "podFoo"
+	podNamespace := "nsFoo"
+	containerName := "containerFoo"
+
+	container := v1.Container{
+		Name: containerName,
+		Lifecycle: &v1.Lifecycle{
+			PostStart: &v1.Handler{},
+		},
+	}
+	pod := v1.Pod{}
+	pod.ObjectMeta.Name = podName
+	pod.ObjectMeta.Namespace = podNamespace
+	pod.Spec.Containers = []v1.Container{container}
+	_, err := handlerRunner.Run(containerID, &pod, &container, container.Lifecycle.PostStart)
+	if err == nil {
+		t.Errorf("expect error, but got nil")
+	}
+}
+
+func TestRunHandlerExecFailure(t *testing.T) {
+	expectedErr := fmt.Errorf("invalid command")
+	fakeCommandRunner := fakeContainerCommandRunner{Err: expectedErr, Msg: expectedErr.Error()}
+	handlerRunner := NewHandlerRunner(&fakeHTTP{}, &fakeCommandRunner, nil)
+
+	containerID := kubecontainer.ContainerID{Type: "test", ID: "abc1234"}
+	containerName := "containerFoo"
+	command := []string{"ls", "--a"}
+
+	container := v1.Container{
+		Name: containerName,
+		Lifecycle: &v1.Lifecycle{
+			PostStart: &v1.Handler{
+				Exec: &v1.ExecAction{
+					Command: command,
+				},
+			},
+		},
+	}
+
+	pod := v1.Pod{}
+	pod.ObjectMeta.Name = "podFoo"
+	pod.ObjectMeta.Namespace = "nsFoo"
+	pod.Spec.Containers = []v1.Container{container}
+	expectedErrMsg := fmt.Sprintf("Exec lifecycle hook (%s) for Container %q in Pod %q failed - error: %v, message: %q", command, containerName, format.Pod(&pod), expectedErr, expectedErr.Error())
+	msg, err := handlerRunner.Run(containerID, &pod, &container, container.Lifecycle.PostStart)
+	if err == nil {
+		t.Errorf("expected error: %v", expectedErr)
+	}
+	if msg != expectedErrMsg {
+		t.Errorf("unexpected error message: %q; expected %q", msg, expectedErrMsg)
+	}
+}
+
+func TestRunHandlerHttpFailure(t *testing.T) {
+	expectedErr := fmt.Errorf("fake http error")
+	expectedResp := http.Response{
+		Body: ioutil.NopCloser(strings.NewReader(expectedErr.Error())),
+	}
+	fakeHttp := fakeHTTP{err: expectedErr, resp: &expectedResp}
+	handlerRunner := NewHandlerRunner(&fakeHttp, &fakeContainerCommandRunner{}, nil)
+	containerName := "containerFoo"
+	containerID := kubecontainer.ContainerID{Type: "test", ID: "abc1234"}
+	container := v1.Container{
+		Name: containerName,
+		Lifecycle: &v1.Lifecycle{
+			PostStart: &v1.Handler{
+				HTTPGet: &v1.HTTPGetAction{
+					Host: "foo",
+					Port: intstr.FromInt(8080),
+					Path: "bar",
+				},
+			},
+		},
+	}
+	pod := v1.Pod{}
+	pod.ObjectMeta.Name = "podFoo"
+	pod.ObjectMeta.Namespace = "nsFoo"
+	pod.Spec.Containers = []v1.Container{container}
+	expectedErrMsg := fmt.Sprintf("Http lifecycle hook (%s) for Container %q in Pod %q failed - error: %v, message: %q", "bar", containerName, format.Pod(&pod), expectedErr, expectedErr.Error())
+	msg, err := handlerRunner.Run(containerID, &pod, &container, container.Lifecycle.PostStart)
+	if err == nil {
+		t.Errorf("expected error: %v", expectedErr)
+	}
+	if msg != expectedErrMsg {
+		t.Errorf("unexpected error message: %q; expected %q", msg, expectedErrMsg)
+	}
+	if fakeHttp.url != "http://foo:8080/bar" {
+		t.Errorf("unexpected url: %s", fakeHttp.url)
+	}
+}

vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/interfaces.go

@@ -0,0 +1,122 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lifecycle
+
+import "k8s.io/api/core/v1"
+
+// PodAdmitAttributes is the context for a pod admission decision.
+// The member fields of this struct should never be mutated.
+type PodAdmitAttributes struct {
+	// the pod to evaluate for admission
+	Pod *v1.Pod
+	// all pods bound to the kubelet excluding the pod being evaluated
+	OtherPods []*v1.Pod
+}
+
+// PodAdmitResult provides the result of a pod admission decision.
+type PodAdmitResult struct {
+	// if true, the pod should be admitted.
+	Admit bool
+	// a brief single-word reason why the pod could not be admitted.
+	Reason string
+	// a brief message explaining why the pod could not be admitted.
+	Message string
+}
+
+// PodAdmitHandler is notified during pod admission.
+type PodAdmitHandler interface {
+	// Admit evaluates if a pod can be admitted.
+	Admit(attrs *PodAdmitAttributes) PodAdmitResult
+}
+
+// PodAdmitTarget maintains a list of handlers to invoke.
+type PodAdmitTarget interface {
+	// AddPodAdmitHandler adds the specified handler.
+	AddPodAdmitHandler(a PodAdmitHandler)
+}
+
+// PodSyncLoopHandler is invoked during each sync loop iteration.
+type PodSyncLoopHandler interface {
+	// ShouldSync returns true if the pod needs to be synced.
+	// This operation must return immediately as its called for each pod.
+	// The provided pod should never be modified.
+	ShouldSync(pod *v1.Pod) bool
+}
+
+// PodSyncLoopTarget maintains a list of handlers to pod sync loop.
+type PodSyncLoopTarget interface {
+	// AddPodSyncLoopHandler adds the specified handler.
+	AddPodSyncLoopHandler(a PodSyncLoopHandler)
+}
+
+// ShouldEvictResponse provides the result of a should evict request.
+type ShouldEvictResponse struct {
+	// if true, the pod should be evicted.
+	Evict bool
+	// a brief CamelCase reason why the pod should be evicted.
+	Reason string
+	// a brief message why the pod should be evicted.
+	Message string
+}
+
+// PodSyncHandler is invoked during each sync pod operation.
+type PodSyncHandler interface {
+	// ShouldEvict is invoked during each sync pod operation to determine
+	// if the pod should be evicted from the kubelet.  If so, the pod status
+	// is updated to mark its phase as failed with the provided reason and message,
+	// and the pod is immediately killed.
+	// This operation must return immediately as its called for each sync pod.
+	// The provided pod should never be modified.
+	ShouldEvict(pod *v1.Pod) ShouldEvictResponse
+}
+
+// PodSyncTarget maintains a list of handlers to pod sync.
+type PodSyncTarget interface {
+	// AddPodSyncHandler adds the specified handler
+	AddPodSyncHandler(a PodSyncHandler)
+}
+
+// PodLifecycleTarget groups a set of lifecycle interfaces for convenience.
+type PodLifecycleTarget interface {
+	PodAdmitTarget
+	PodSyncLoopTarget
+	PodSyncTarget
+}
+
+// PodAdmitHandlers maintains a list of handlers to pod admission.
+type PodAdmitHandlers []PodAdmitHandler
+
+// AddPodAdmitHandler adds the specified observer.
+func (handlers *PodAdmitHandlers) AddPodAdmitHandler(a PodAdmitHandler) {
+	*handlers = append(*handlers, a)
+}
+
+// PodSyncLoopHandlers maintains a list of handlers to pod sync loop.
+type PodSyncLoopHandlers []PodSyncLoopHandler
+
+// AddPodSyncLoopHandler adds the specified observer.
+func (handlers *PodSyncLoopHandlers) AddPodSyncLoopHandler(a PodSyncLoopHandler) {
+	*handlers = append(*handlers, a)
+}
+
+// PodSyncHandlers maintains a list of handlers to pod sync.
+type PodSyncHandlers []PodSyncHandler
+
+// AddPodSyncHandler adds the specified handler.
+func (handlers *PodSyncHandlers) AddPodSyncHandler(a PodSyncHandler) {
+	*handlers = append(*handlers, a)
+}

vendor/k8s.io/kubernetes/pkg/kubelet/lifecycle/predicate.go

@@ -0,0 +1,143 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lifecycle
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+	"k8s.io/api/core/v1"
+	"k8s.io/kubernetes/pkg/kubelet/util/format"
+	"k8s.io/kubernetes/plugin/pkg/scheduler/algorithm"
+	"k8s.io/kubernetes/plugin/pkg/scheduler/algorithm/predicates"
+	"k8s.io/kubernetes/plugin/pkg/scheduler/schedulercache"
+)
+
+type getNodeAnyWayFuncType func() (*v1.Node, error)
+
+type pluginResourceUpdateFuncType func(*schedulercache.NodeInfo, *PodAdmitAttributes) error
+
+// AdmissionFailureHandler is an interface which defines how to deal with a failure to admit a pod.
+// This allows for the graceful handling of pod admission failure.
+type AdmissionFailureHandler interface {
+	HandleAdmissionFailure(pod *v1.Pod, failureReasons []algorithm.PredicateFailureReason) (bool, []algorithm.PredicateFailureReason, error)
+}
+
+type predicateAdmitHandler struct {
+	getNodeAnyWayFunc        getNodeAnyWayFuncType
+	pluginResourceUpdateFunc pluginResourceUpdateFuncType
+	admissionFailureHandler  AdmissionFailureHandler
+}
+
+var _ PodAdmitHandler = &predicateAdmitHandler{}
+
+func NewPredicateAdmitHandler(getNodeAnyWayFunc getNodeAnyWayFuncType, admissionFailureHandler AdmissionFailureHandler, pluginResourceUpdateFunc pluginResourceUpdateFuncType) *predicateAdmitHandler {
+	return &predicateAdmitHandler{
+		getNodeAnyWayFunc,
+		pluginResourceUpdateFunc,
+		admissionFailureHandler,
+	}
+}
+
+func (w *predicateAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
+	node, err := w.getNodeAnyWayFunc()
+	if err != nil {
+		glog.Errorf("Cannot get Node info: %v", err)
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  "InvalidNodeInfo",
+			Message: "Kubelet cannot get node info.",
+		}
+	}
+	pod := attrs.Pod
+	pods := attrs.OtherPods
+	nodeInfo := schedulercache.NewNodeInfo(pods...)
+	nodeInfo.SetNode(node)
+	// ensure the node has enough plugin resources for that required in pods
+	if err = w.pluginResourceUpdateFunc(nodeInfo, attrs); err != nil {
+		message := fmt.Sprintf("Update plugin resources failed due to %v, which is unexpected.", err)
+		glog.Warningf("Failed to admit pod %v - %s", format.Pod(pod), message)
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  "UnexpectedAdmissionError",
+			Message: message,
+		}
+	}
+	fit, reasons, err := predicates.GeneralPredicates(pod, nil, nodeInfo)
+	if err != nil {
+		message := fmt.Sprintf("GeneralPredicates failed due to %v, which is unexpected.", err)
+		glog.Warningf("Failed to admit pod %v - %s", format.Pod(pod), message)
+		return PodAdmitResult{
+			Admit:   fit,
+			Reason:  "UnexpectedAdmissionError",
+			Message: message,
+		}
+	}
+	if !fit {
+		fit, reasons, err = w.admissionFailureHandler.HandleAdmissionFailure(pod, reasons)
+		if err != nil {
+			message := fmt.Sprintf("Unexpected error while attempting to recover from admission failure: %v", err)
+			glog.Warningf("Failed to admit pod %v - %s", format.Pod(pod), message)
+			return PodAdmitResult{
+				Admit:   fit,
+				Reason:  "UnexpectedAdmissionError",
+				Message: message,
+			}
+		}
+	}
+	if !fit {
+		var reason string
+		var message string
+		if len(reasons) == 0 {
+			message = fmt.Sprint("GeneralPredicates failed due to unknown reason, which is unexpected.")
+			glog.Warningf("Failed to admit pod %v - %s", format.Pod(pod), message)
+			return PodAdmitResult{
+				Admit:   fit,
+				Reason:  "UnknownReason",
+				Message: message,
+			}
+		}
+		// If there are failed predicates, we only return the first one as a reason.
+		r := reasons[0]
+		switch re := r.(type) {
+		case *predicates.PredicateFailureError:
+			reason = re.PredicateName
+			message = re.Error()
+			glog.V(2).Infof("Predicate failed on Pod: %v, for reason: %v", format.Pod(pod), message)
+		case *predicates.InsufficientResourceError:
+			reason = fmt.Sprintf("OutOf%s", re.ResourceName)
+			message = re.Error()
+			glog.V(2).Infof("Predicate failed on Pod: %v, for reason: %v", format.Pod(pod), message)
+		case *predicates.FailureReason:
+			reason = re.GetReason()
+			message = fmt.Sprintf("Failure: %s", re.GetReason())
+			glog.V(2).Infof("Predicate failed on Pod: %v, for reason: %v", format.Pod(pod), message)
+		default:
+			reason = "UnexpectedPredicateFailureType"
+			message = fmt.Sprintf("GeneralPredicates failed due to %v, which is unexpected.", r)
+			glog.Warningf("Failed to admit pod %v - %s", format.Pod(pod), message)
+		}
+		return PodAdmitResult{
+			Admit:   fit,
+			Reason:  reason,
+			Message: message,
+		}
+	}
+	return PodAdmitResult{
+		Admit: true,
+	}
+}