vendor update for CSI 0.3.0

2025-06-14 10:53:34 +00:00 · 2018-07-18 16:47:22 +02:00
parent 6f484f92fc
commit 8ea659f0d5
6810 changed files with 438061 additions and 193861 deletions
--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/BUILD
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/BUILD
@ -16,13 +16,12 @@ go_library(
        "//pkg/apis/core:go_default_library",
        "//pkg/apis/policy:go_default_library",
        "//pkg/auth/nodeidentifier:go_default_library",
-        "//pkg/client/clientset_generated/internalclientset:go_default_library",
-        "//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
+        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
+        "//pkg/client/listers/core/internalversion:go_default_library",
        "//pkg/features:go_default_library",
        "//pkg/kubeapiserver/admission:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
@ -38,14 +37,14 @@ go_test(
        "//pkg/apis/core:go_default_library",
        "//pkg/apis/policy:go_default_library",
        "//pkg/auth/nodeidentifier:go_default_library",
-        "//pkg/client/clientset_generated/internalclientset/fake:go_default_library",
-        "//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
+        "//pkg/client/listers/core/internalversion:go_default_library",
        "//pkg/features:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//vendor/k8s.io/client-go/tools/cache:go_default_library",
    ],
 )

--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/OWNERS
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/OWNERS
@ -2,7 +2,9 @@ approvers:
 - deads2k
 - liggitt
 - tallclair
+- mikedanese
 reviewers:
 - deads2k
 - liggitt
 - tallclair
+- mikedanese
--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/admission.go
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/admission.go
@ -22,7 +22,6 @@ import (

 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apiserver/pkg/admission"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@ -31,8 +30,8 @@ import (
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
-	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
-	coreinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
+	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
+	internalversion "k8s.io/kubernetes/pkg/client/listers/core/internalversion"
 	"k8s.io/kubernetes/pkg/features"
 	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 )
@ -62,18 +61,18 @@ func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier) *nodePlugin {
 type nodePlugin struct {
 	*admission.Handler
 	nodeIdentifier nodeidentifier.NodeIdentifier
-	podsGetter     coreinternalversion.PodsGetter
+	podsGetter     internalversion.PodLister
 	// allows overriding for testing
 	features utilfeature.FeatureGate
 }

 var (
 	_ = admission.Interface(&nodePlugin{})
-	_ = kubeapiserveradmission.WantsInternalKubeClientSet(&nodePlugin{})
+	_ = kubeapiserveradmission.WantsInternalKubeInformerFactory(&nodePlugin{})
 )

-func (p *nodePlugin) SetInternalKubeClientSet(f internalclientset.Interface) {
-	p.podsGetter = f.Core()
+func (p *nodePlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) {
+	p.podsGetter = f.Core().InternalVersion().Pods().Lister()
 }

 func (p *nodePlugin) ValidateInitialization() error {
@ -183,14 +182,10 @@ func (c *nodePlugin) admitPod(nodeName string, a admission.Attributes) error {
 		return nil

 	case admission.Delete:
-		// get the existing pod from the server cache
-		existingPod, err := c.podsGetter.Pods(a.GetNamespace()).Get(a.GetName(), v1.GetOptions{ResourceVersion: "0"})
+		// get the existing pod
+		existingPod, err := c.podsGetter.Pods(a.GetNamespace()).Get(a.GetName())
 		if errors.IsNotFound(err) {
-			// wasn't found in the server cache, do a live lookup before forbidding
-			existingPod, err = c.podsGetter.Pods(a.GetNamespace()).Get(a.GetName(), v1.GetOptions{})
-			if errors.IsNotFound(err) {
-				return err
-			}
+			return err
 		}
 		if err != nil {
 			return admission.NewForbidden(a, err)
@ -241,14 +236,10 @@ func (c *nodePlugin) admitPodEviction(nodeName string, a admission.Attributes) e
 			}
 			podName = eviction.Name
 		}
-		// get the existing pod from the server cache
-		existingPod, err := c.podsGetter.Pods(a.GetNamespace()).Get(podName, v1.GetOptions{ResourceVersion: "0"})
+		// get the existing pod
+		existingPod, err := c.podsGetter.Pods(a.GetNamespace()).Get(podName)
 		if errors.IsNotFound(err) {
-			// wasn't found in the server cache, do a live lookup before forbidding
-			existingPod, err = c.podsGetter.Pods(a.GetNamespace()).Get(podName, v1.GetOptions{})
-			if errors.IsNotFound(err) {
-				return err
-			}
+			return err
 		}
 		if err != nil {
 			return admission.NewForbidden(a, err)
@ -347,6 +338,12 @@ func (c *nodePlugin) admitNode(nodeName string, a admission.Attributes) error {
 		if node.Spec.ConfigSource != nil && !apiequality.Semantic.DeepEqual(node.Spec.ConfigSource, oldNode.Spec.ConfigSource) {
 			return admission.NewForbidden(a, fmt.Errorf("cannot update configSource to a new non-nil configSource"))
 		}
+
+		// Don't allow a node to update its own taints. This would allow a node to remove or modify its
+		// taints in a way that would let it steer disallowed workloads to itself.
+		if !apiequality.Semantic.DeepEqual(node.Spec.Taints, oldNode.Spec.Taints) {
+			return admission.NewForbidden(a, fmt.Errorf("cannot modify taints"))
+		}
 	}

 	return nil
@ -376,7 +373,7 @@ func (c *nodePlugin) admitServiceAccount(nodeName string, a admission.Attributes
 	if ref.UID == "" {
 		return admission.NewForbidden(a, fmt.Errorf("node requested token with a pod binding without a uid"))
 	}
-	pod, err := c.podsGetter.Pods(a.GetNamespace()).Get(ref.Name, v1.GetOptions{})
+	pod, err := c.podsGetter.Pods(a.GetNamespace()).Get(ref.Name)
 	if errors.IsNotFound(err) {
 		return err
 	}
--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/noderestriction/admission_test.go
@ -25,12 +25,12 @@ import (
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/tools/cache"
 	authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
-	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
-	coreinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
+	"k8s.io/kubernetes/pkg/client/listers/core/internalversion"
 	"k8s.io/kubernetes/pkg/features"
 )

@ -63,6 +63,7 @@ func makeTestPod(namespace, name, node string, mirror bool) *api.Pod {
 func makeTestPodEviction(name string) *policy.Eviction {
 	eviction := &policy.Eviction{}
 	eviction.Name = name
+	eviction.Namespace = "ns"
 	return eviction
 }

@ -91,10 +92,22 @@ func Test_nodePlugin_Admit(t *testing.T) {
 		mynodeObjMeta    = metav1.ObjectMeta{Name: "mynode"}
 		mynodeObj        = &api.Node{ObjectMeta: mynodeObjMeta}
 		mynodeObjConfigA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{
-			ConfigMapRef: &api.ObjectReference{Name: "foo", Namespace: "bar", UID: "fooUID"}}}}
+			ConfigMap: &api.ConfigMapNodeConfigSource{
+				Name:             "foo",
+				Namespace:        "bar",
+				UID:              "fooUID",
+				KubeletConfigKey: "kubelet",
+			}}}}
 		mynodeObjConfigB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{
-			ConfigMapRef: &api.ObjectReference{Name: "qux", Namespace: "bar", UID: "quxUID"}}}}
-		othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
+			ConfigMap: &api.ConfigMapNodeConfigSource{
+				Name:             "qux",
+				Namespace:        "bar",
+				UID:              "quxUID",
+				KubeletConfigKey: "kubelet",
+			}}}}
+		mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
+		mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
+		othernodeObj    = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}

 		mymirrorpod      = makeTestPod("ns", "mymirrorpod", "mynode", true)
 		othermirrorpod   = makeTestPod("ns", "othermirrorpod", "othernode", true)
@ -125,10 +138,20 @@ func Test_nodePlugin_Admit(t *testing.T) {
 		svcacctResource  = api.Resource("serviceaccounts").WithVersion("v1")
 		tokenrequestKind = api.Kind("TokenRequest").WithVersion("v1")

-		noExistingPods = fake.NewSimpleClientset().Core()
-		existingPods   = fake.NewSimpleClientset(mymirrorpod, othermirrorpod, unboundmirrorpod, mypod, otherpod, unboundpod).Core()
+		noExistingPodsIndex = cache.NewIndexer(cache.MetaNamespaceKeyFunc, nil)
+		noExistingPods      = internalversion.NewPodLister(noExistingPodsIndex)
+
+		existingPodsIndex = cache.NewIndexer(cache.MetaNamespaceKeyFunc, nil)
+		existingPods      = internalversion.NewPodLister(existingPodsIndex)
 	)

+	existingPodsIndex.Add(mymirrorpod)
+	existingPodsIndex.Add(othermirrorpod)
+	existingPodsIndex.Add(unboundmirrorpod)
+	existingPodsIndex.Add(mypod)
+	existingPodsIndex.Add(otherpod)
+	existingPodsIndex.Add(unboundpod)
+
 	sapod := makeTestPod("ns", "mysapod", "mynode", true)
 	sapod.Spec.ServiceAccountName = "foo"

@ -143,7 +166,7 @@ func Test_nodePlugin_Admit(t *testing.T) {

 	tests := []struct {
 		name       string
-		podsGetter coreinternalversion.PodsGetter
+		podsGetter internalversion.PodLister
 		attributes admission.Attributes
 		features   utilfeature.FeatureGate
 		err        string
@ -446,7 +469,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
 			err:        "forbidden: unexpected operation",
 		},
 		{
-			name:       "forbid create of eviction for normal pod bound to another",
+			name:       "forbid create of unnamed eviction for normal pod bound to another",
 			podsGetter: existingPods,
 			attributes: admission.NewAttributesRecord(unnamedEviction, nil, evictionKind, otherpod.Namespace, otherpod.Name, podResource, "eviction", admission.Create, mynode),
 			err:        "spec.nodeName set to itself",
@ -612,6 +635,12 @@ func Test_nodePlugin_Admit(t *testing.T) {
 			attributes: admission.NewAttributesRecord(mynodeObj, nil, nodeKind, mynodeObj.Namespace, "", nodeResource, "", admission.Create, mynode),
 			err:        "",
 		},
+		{
+			name:       "allow create of my node with taints",
+			podsGetter: noExistingPods,
+			attributes: admission.NewAttributesRecord(mynodeObjTaintA, nil, nodeKind, mynodeObj.Namespace, "", nodeResource, "", admission.Create, mynode),
+			err:        "",
+		},
 		{
 			name:       "allow update of my node",
 			podsGetter: existingPods,
@ -660,6 +689,30 @@ func Test_nodePlugin_Admit(t *testing.T) {
 			attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjConfigA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, mynode),
 			err:        "",
 		},
+		{
+			name:       "allow update of my node: no change to taints",
+			podsGetter: existingPods,
+			attributes: admission.NewAttributesRecord(mynodeObjTaintA, mynodeObjTaintA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, mynode),
+			err:        "",
+		},
+		{
+			name:       "forbid update of my node: add taints",
+			podsGetter: existingPods,
+			attributes: admission.NewAttributesRecord(mynodeObjTaintA, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, mynode),
+			err:        "cannot modify taints",
+		},
+		{
+			name:       "forbid update of my node: remove taints",
+			podsGetter: existingPods,
+			attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjTaintA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, mynode),
+			err:        "cannot modify taints",
+		},
+		{
+			name:       "forbid update of my node: change taints",
+			podsGetter: existingPods,
+			attributes: admission.NewAttributesRecord(mynodeObjTaintA, mynodeObjTaintB, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, mynode),
+			err:        "cannot modify taints",
+		},

 		// Other node object
 		{