Domů Procházet Nápověda
Přihlásit se
tzeneto
/
custom-kube-scheduler
Sledovat 1
Oblíbit 0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 6ab2f91fe3
Větve Značky
custom-kube-...
/
kubernetes-v1.15.4
/
plugin
/
pkg
/
admission
/
gc
/
gc_admission_test.go

gc_admission_test.go 22 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624 
  1. /*
    2. 

  2. Copyright 2016 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package gc
    18. 

  18. 

  19. import (
    20. 

  20. 	"fmt"
    21. 

  21. 	"strings"
    22. 

  22. 	"testing"
    23. 

  23. 

  24. 	appsv1 "k8s.io/api/apps/v1"
    25. 

  25. 	corev1 "k8s.io/api/core/v1"
    26. 

  26. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    27. 

  27. 	"k8s.io/apimachinery/pkg/runtime"
    28. 

  28. 	"k8s.io/apimachinery/pkg/runtime/schema"
    29. 

  29. 	"k8s.io/apiserver/pkg/admission"
    30. 

  30. 	"k8s.io/apiserver/pkg/admission/initializer"
    31. 

  31. 	"k8s.io/apiserver/pkg/authentication/user"
    32. 

  32. 	"k8s.io/apiserver/pkg/authorization/authorizer"
    33. 

  33. 	fakediscovery "k8s.io/client-go/discovery/fake"
    34. 

  34. 	"k8s.io/client-go/restmapper"
    35. 

  35. 	coretesting "k8s.io/client-go/testing"
    36. 

  36. 	api "k8s.io/kubernetes/pkg/apis/core"
    37. 

  37. 	kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
    38. 

  38. )
    39. 

  39. 

  40. type fakeAuthorizer struct{}
    41. 

  41. 

  42. func (fakeAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Decision, string, error) {
    43. 

  43. 	username := a.GetUser().GetName()
    44. 

  44. 

  45. 	if username == "non-deleter" {
    46. 

  46. 		if a.GetVerb() == "delete" {
    47. 

  47. 			return authorizer.DecisionNoOpinion, "", nil
    48. 

  48. 		}
    49. 

  49. 		if a.GetVerb() == "update" && a.GetSubresource() == "finalizers" {
    50. 

  50. 			return authorizer.DecisionNoOpinion, "", nil
    51. 

  51. 		}
    52. 

  52. 		return authorizer.DecisionAllow, "", nil
    53. 

  53. 	}
    54. 

  54. 

  55. 	if username == "non-pod-deleter" {
    56. 

  56. 		if a.GetVerb() == "delete" && a.GetResource() == "pods" {
    57. 

  57. 			return authorizer.DecisionNoOpinion, "", nil
    58. 

  58. 		}
    59. 

  59. 		if a.GetVerb() == "update" && a.GetResource() == "pods" && a.GetSubresource() == "finalizers" {
    60. 

  60. 			return authorizer.DecisionNoOpinion, "", nil
    61. 

  61. 		}
    62. 

  62. 		return authorizer.DecisionAllow, "", nil
    63. 

  63. 	}
    64. 

  64. 

  65. 	if username == "non-rc-deleter" {
    66. 

  66. 		if a.GetVerb() == "delete" && a.GetResource() == "replicationcontrollers" {
    67. 

  67. 			return authorizer.DecisionNoOpinion, "", nil
    68. 

  68. 		}
    69. 

  69. 		if a.GetVerb() == "update" && a.GetResource() == "replicationcontrollers" && a.GetSubresource() == "finalizers" {
    70. 

  70. 			return authorizer.DecisionNoOpinion, "", nil
    71. 

  71. 		}
    72. 

  72. 		return authorizer.DecisionAllow, "", nil
    73. 

  73. 	}
    74. 

  74. 

  75. 	if username == "non-node-deleter" {
    76. 

  76. 		if a.GetVerb() == "delete" && a.GetResource() == "nodes" {
    77. 

  77. 			return authorizer.DecisionNoOpinion, "", nil
    78. 

  78. 		}
    79. 

  79. 		if a.GetVerb() == "update" && a.GetResource() == "nodes" && a.GetSubresource() == "finalizers" {
    80. 

  80. 			return authorizer.DecisionNoOpinion, "", nil
    81. 

  81. 		}
    82. 

  82. 		return authorizer.DecisionAllow, "", nil
    83. 

  83. 	}
    84. 

  84. 	return authorizer.DecisionAllow, "", nil
    85. 

  85. }
    86. 

  86. 

  87. // newGCPermissionsEnforcement returns the admission controller configured for testing.
    88. 

  88. func newGCPermissionsEnforcement() (*gcPermissionsEnforcement, error) {
    89. 

  89. 	// the pods/status endpoint is ignored by this plugin since old kubelets
    90. 

  90. 	// corrupt them.  the pod status strategy ensures status updates cannot mutate
    91. 

  91. 	// ownerRef.
    92. 

  92. 	whiteList := []whiteListItem{
    93. 

  93. 		{
    94. 

  94. 			groupResource: schema.GroupResource{Resource: "pods"},
    95. 

  95. 			subresource:   "status",
    96. 

  96. 		},
    97. 

  97. 	}
    98. 

  98. 	gcAdmit := &gcPermissionsEnforcement{
    99. 

  99. 		Handler:   admission.NewHandler(admission.Create, admission.Update),
    100. 

  100. 		whiteList: whiteList,
    101. 

  101. 	}
    102. 

  102. 

  103. 	genericPluginInitializer := initializer.New(nil, nil, fakeAuthorizer{})
    104. 

  104. 	fakeDiscoveryClient := &fakediscovery.FakeDiscovery{Fake: &coretesting.Fake{}}
    105. 

  105. 	fakeDiscoveryClient.Resources = []*metav1.APIResourceList{
    106. 

  106. 		{
    107. 

  107. 			GroupVersion: corev1.SchemeGroupVersion.String(),
    108. 

  108. 			APIResources: []metav1.APIResource{
    109. 

  109. 				{Name: "nodes", Namespaced: false, Kind: "Node"},
    110. 

  110. 				{Name: "pods", Namespaced: true, Kind: "Pod"},
    111. 

  111. 				{Name: "replicationcontrollers", Namespaced: true, Kind: "ReplicationController"},
    112. 

  112. 			},
    113. 

  113. 		},
    114. 

  114. 		{
    115. 

  115. 			GroupVersion: appsv1.SchemeGroupVersion.String(),
    116. 

  116. 			APIResources: []metav1.APIResource{
    117. 

  117. 				{Name: "daemonsets", Namespaced: true, Kind: "DaemonSet"},
    118. 

  118. 			},
    119. 

  119. 		},
    120. 

  120. 	}
    121. 

  121. 

  122. 	restMapperRes, err := restmapper.GetAPIGroupResources(fakeDiscoveryClient)
    123. 

  123. 	if err != nil {
    124. 

  124. 		return nil, fmt.Errorf("unexpected error while constructing resource list from fake discovery client: %v", err)
    125. 

  125. 	}
    126. 

  126. 	restMapper := restmapper.NewDiscoveryRESTMapper(restMapperRes)
    127. 

  127. 	pluginInitializer := kubeadmission.NewPluginInitializer(nil, restMapper, nil)
    128. 

  128. 	initializersChain := admission.PluginInitializers{}
    129. 

  129. 	initializersChain = append(initializersChain, genericPluginInitializer)
    130. 

  130. 	initializersChain = append(initializersChain, pluginInitializer)
    131. 

  131. 

  132. 	initializersChain.Initialize(gcAdmit)
    133. 

  133. 	return gcAdmit, nil
    134. 

  134. }
    135. 

  135. 

  136. func TestGCAdmission(t *testing.T) {
    137. 

  137. 	expectNoError := func(err error) bool {
    138. 

  138. 		return err == nil
    139. 

  139. 	}
    140. 

  140. 	expectCantSetOwnerRefError := func(err error) bool {
    141. 

  141. 		if err == nil {
    142. 

  142. 			return false
    143. 

  143. 		}
    144. 

  144. 		return strings.Contains(err.Error(), "cannot set an ownerRef on a resource you can't delete")
    145. 

  145. 	}
    146. 

  146. 	tests := []struct {
    147. 

  147. 		name        string
    148. 

  148. 		username    string
    149. 

  149. 		resource    schema.GroupVersionResource
    150. 

  150. 		subresource string
    151. 

  151. 		oldObj      runtime.Object
    152. 

  152. 		newObj      runtime.Object
    153. 

  153. 

  154. 		checkError func(error) bool
    155. 

  155. 	}{
    156. 

  156. 		{
    157. 

  157. 			name:       "super-user, create, no objectref change",
    158. 

  158. 			username:   "super",
    159. 

  159. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    160. 

  160. 			newObj:     &api.Pod{},
    161. 

  161. 			checkError: expectNoError,
    162. 

  162. 		},
    163. 

  163. 		{
    164. 

  164. 			name:       "super-user, create, objectref change",
    165. 

  165. 			username:   "super",
    166. 

  166. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    167. 

  167. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    168. 

  168. 			checkError: expectNoError,
    169. 

  169. 		},
    170. 

  170. 		{
    171. 

  171. 			name:       "non-deleter, create, no objectref change",
    172. 

  172. 			username:   "non-deleter",
    173. 

  173. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    174. 

  174. 			newObj:     &api.Pod{},
    175. 

  175. 			checkError: expectNoError,
    176. 

  176. 		},
    177. 

  177. 		{
    178. 

  178. 			name:       "non-deleter, create, objectref change",
    179. 

  179. 			username:   "non-deleter",
    180. 

  180. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    181. 

  181. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    182. 

  182. 			checkError: expectNoError,
    183. 

  183. 		},
    184. 

  184. 		{
    185. 

  185. 			name:       "non-pod-deleter, create, no objectref change",
    186. 

  186. 			username:   "non-pod-deleter",
    187. 

  187. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    188. 

  188. 			newObj:     &api.Pod{},
    189. 

  189. 			checkError: expectNoError,
    190. 

  190. 		},
    191. 

  191. 		{
    192. 

  192. 			name:       "non-pod-deleter, create, objectref change",
    193. 

  193. 			username:   "non-pod-deleter",
    194. 

  194. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    195. 

  195. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    196. 

  196. 			checkError: expectNoError,
    197. 

  197. 		},
    198. 

  198. 		{
    199. 

  199. 			name:       "non-pod-deleter, create, objectref change, but not a pod",
    200. 

  200. 			username:   "non-pod-deleter",
    201. 

  201. 			resource:   api.SchemeGroupVersion.WithResource("not-pods"),
    202. 

  202. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    203. 

  203. 			checkError: expectNoError,
    204. 

  204. 		},
    205. 

  205. 

  206. 		{
    207. 

  207. 			name:       "super-user, update, no objectref change",
    208. 

  208. 			username:   "super",
    209. 

  209. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    210. 

  210. 			oldObj:     &api.Pod{},
    211. 

  211. 			newObj:     &api.Pod{},
    212. 

  212. 			checkError: expectNoError,
    213. 

  213. 		},
    214. 

  214. 		{
    215. 

  215. 			name:       "super-user, update, no objectref change two",
    216. 

  216. 			username:   "super",
    217. 

  217. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    218. 

  218. 			oldObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    219. 

  219. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    220. 

  220. 			checkError: expectNoError,
    221. 

  221. 		},
    222. 

  222. 		{
    223. 

  223. 			name:       "super-user, update, objectref change",
    224. 

  224. 			username:   "super",
    225. 

  225. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    226. 

  226. 			oldObj:     &api.Pod{},
    227. 

  227. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    228. 

  228. 			checkError: expectNoError,
    229. 

  229. 		},
    230. 

  230. 		{
    231. 

  231. 			name:       "non-deleter, update, no objectref change",
    232. 

  232. 			username:   "non-deleter",
    233. 

  233. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    234. 

  234. 			oldObj:     &api.Pod{},
    235. 

  235. 			newObj:     &api.Pod{},
    236. 

  236. 			checkError: expectNoError,
    237. 

  237. 		},
    238. 

  238. 		{
    239. 

  239. 			name:       "non-deleter, update, no objectref change two",
    240. 

  240. 			username:   "non-deleter",
    241. 

  241. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    242. 

  242. 			oldObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    243. 

  243. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    244. 

  244. 			checkError: expectNoError,
    245. 

  245. 		},
    246. 

  246. 		{
    247. 

  247. 			name:       "non-deleter, update, objectref change",
    248. 

  248. 			username:   "non-deleter",
    249. 

  249. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    250. 

  250. 			oldObj:     &api.Pod{},
    251. 

  251. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    252. 

  252. 			checkError: expectCantSetOwnerRefError,
    253. 

  253. 		},
    254. 

  254. 		{
    255. 

  255. 			name:       "non-deleter, update, objectref change two",
    256. 

  256. 			username:   "non-deleter",
    257. 

  257. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    258. 

  258. 			oldObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    259. 

  259. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}, {Name: "second"}}}},
    260. 

  260. 			checkError: expectCantSetOwnerRefError,
    261. 

  261. 		},
    262. 

  262. 		{
    263. 

  263. 			name:       "non-pod-deleter, update, no objectref change",
    264. 

  264. 			username:   "non-pod-deleter",
    265. 

  265. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    266. 

  266. 			oldObj:     &api.Pod{},
    267. 

  267. 			newObj:     &api.Pod{},
    268. 

  268. 			checkError: expectNoError,
    269. 

  269. 		},
    270. 

  270. 		{
    271. 

  271. 			name:        "non-pod-deleter, update status, objectref change",
    272. 

  272. 			username:    "non-pod-deleter",
    273. 

  273. 			resource:    api.SchemeGroupVersion.WithResource("pods"),
    274. 

  274. 			subresource: "status",
    275. 

  275. 			oldObj:      &api.Pod{},
    276. 

  276. 			newObj:      &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    277. 

  277. 			checkError:  expectNoError,
    278. 

  278. 		},
    279. 

  279. 		{
    280. 

  280. 			name:       "non-pod-deleter, update, objectref change",
    281. 

  281. 			username:   "non-pod-deleter",
    282. 

  282. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    283. 

  283. 			oldObj:     &api.Pod{},
    284. 

  284. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    285. 

  285. 			checkError: expectCantSetOwnerRefError,
    286. 

  286. 		},
    287. 

  287. 		{
    288. 

  288. 			name:       "non-pod-deleter, update, objectref change, but not a pod",
    289. 

  289. 			username:   "non-pod-deleter",
    290. 

  290. 			resource:   api.SchemeGroupVersion.WithResource("not-pods"),
    291. 

  291. 			oldObj:     &api.Pod{},
    292. 

  292. 			newObj:     &api.Pod{ObjectMeta: metav1.ObjectMeta{OwnerReferences: []metav1.OwnerReference{{Name: "first"}}}},
    293. 

  293. 			checkError: expectNoError,
    294. 

  294. 		},
    295. 

  295. 	}
    296. 

  296. 

  297. 	for _, tc := range tests {
    298. 

  298. 		t.Run(tc.name, func(t *testing.T) {
    299. 

  299. 			gcAdmit, err := newGCPermissionsEnforcement()
    300. 

  300. 			if err != nil {
    301. 

  301. 				t.Error(err)
    302. 

  302. 			}
    303. 

  303. 

  304. 			operation := admission.Create
    305. 

  305. 			var options runtime.Object = &metav1.CreateOptions{}
    306. 

  306. 			if tc.oldObj != nil {
    307. 

  307. 				operation = admission.Update
    308. 

  308. 				options = &metav1.UpdateOptions{}
    309. 

  309. 			}
    310. 

  310. 			user := &user.DefaultInfo{Name: tc.username}
    311. 

  311. 			attributes := admission.NewAttributesRecord(tc.newObj, tc.oldObj, schema.GroupVersionKind{}, metav1.NamespaceDefault, "foo", tc.resource, tc.subresource, operation, options, false, user)
    312. 

  312. 

  313. 			err = gcAdmit.Validate(attributes, nil)
    314. 

  314. 			if !tc.checkError(err) {
    315. 

  315. 				t.Errorf("unexpected err: %v", err)
    316. 

  316. 			}
    317. 

  317. 		})
    318. 

  318. 	}
    319. 

  319. }
    320. 

  320. 

  321. func TestBlockOwnerDeletionAdmission(t *testing.T) {
    322. 

  322. 	podWithOwnerRefs := func(refs ...metav1.OwnerReference) *api.Pod {
    323. 

  323. 		var refSlice []metav1.OwnerReference
    324. 

  324. 		refSlice = append(refSlice, refs...)
    325. 

  325. 

  326. 		return &api.Pod{
    327. 

  327. 			ObjectMeta: metav1.ObjectMeta{
    328. 

  328. 				OwnerReferences: refSlice,
    329. 

  329. 			},
    330. 

  330. 		}
    331. 

  331. 	}
    332. 

  332. 

  333. 	getTrueVar := func() *bool {
    334. 

  334. 		ret := true
    335. 

  335. 		return &ret
    336. 

  336. 	}
    337. 

  337. 

  338. 	getFalseVar := func() *bool {
    339. 

  339. 		ret := false
    340. 

  340. 		return &ret
    341. 

  341. 	}
    342. 

  342. 	blockRC1 := metav1.OwnerReference{
    343. 

  343. 		APIVersion:         "v1",
    344. 

  344. 		Kind:               "ReplicationController",
    345. 

  345. 		Name:               "rc1",
    346. 

  346. 		BlockOwnerDeletion: getTrueVar(),
    347. 

  347. 	}
    348. 

  348. 	blockRC2 := metav1.OwnerReference{
    349. 

  349. 		APIVersion:         "v1",
    350. 

  350. 		Kind:               "ReplicationController",
    351. 

  351. 		Name:               "rc2",
    352. 

  352. 		BlockOwnerDeletion: getTrueVar(),
    353. 

  353. 	}
    354. 

  354. 	notBlockRC1 := metav1.OwnerReference{
    355. 

  355. 		APIVersion:         "v1",
    356. 

  356. 		Kind:               "ReplicationController",
    357. 

  357. 		Name:               "rc1",
    358. 

  358. 		BlockOwnerDeletion: getFalseVar(),
    359. 

  359. 	}
    360. 

  360. 	notBlockRC2 := metav1.OwnerReference{
    361. 

  361. 		APIVersion:         "v1",
    362. 

  362. 		Kind:               "ReplicationController",
    363. 

  363. 		Name:               "rc2",
    364. 

  364. 		BlockOwnerDeletion: getFalseVar(),
    365. 

  365. 	}
    366. 

  366. 	nilBlockRC1 := metav1.OwnerReference{
    367. 

  367. 		APIVersion: "v1",
    368. 

  368. 		Kind:       "ReplicationController",
    369. 

  369. 		Name:       "rc1",
    370. 

  370. 	}
    371. 

  371. 	nilBlockRC2 := metav1.OwnerReference{
    372. 

  372. 		APIVersion: "v1",
    373. 

  373. 		Kind:       "ReplicationController",
    374. 

  374. 		Name:       "rc2",
    375. 

  375. 	}
    376. 

  376. 	blockDS1 := metav1.OwnerReference{
    377. 

  377. 		APIVersion:         "apps/v1",
    378. 

  378. 		Kind:               "DaemonSet",
    379. 

  379. 		Name:               "ds1",
    380. 

  380. 		BlockOwnerDeletion: getTrueVar(),
    381. 

  381. 	}
    382. 

  382. 	notBlockDS1 := metav1.OwnerReference{
    383. 

  383. 		APIVersion:         "apps/v1",
    384. 

  384. 		Kind:               "DaemonSet",
    385. 

  385. 		Name:               "ds1",
    386. 

  386. 		BlockOwnerDeletion: getFalseVar(),
    387. 

  387. 	}
    388. 

  388. 	blockNode := metav1.OwnerReference{
    389. 

  389. 		APIVersion:         "v1",
    390. 

  390. 		Kind:               "Node",
    391. 

  391. 		Name:               "node1",
    392. 

  392. 		BlockOwnerDeletion: getTrueVar(),
    393. 

  393. 	}
    394. 

  394. 	notBlockNode := metav1.OwnerReference{
    395. 

  395. 		APIVersion:         "v1",
    396. 

  396. 		Kind:               "Node",
    397. 

  397. 		Name:               "node",
    398. 

  398. 		BlockOwnerDeletion: getFalseVar(),
    399. 

  399. 	}
    400. 

  400. 	nilBlockNode := metav1.OwnerReference{
    401. 

  401. 		APIVersion: "v1",
    402. 

  402. 		Kind:       "Node",
    403. 

  403. 		Name:       "node",
    404. 

  404. 	}
    405. 

  405. 

  406. 	expectNoError := func(err error) bool {
    407. 

  407. 		return err == nil
    408. 

  408. 	}
    409. 

  409. 	expectCantSetBlockOwnerDeletionError := func(err error) bool {
    410. 

  410. 		if err == nil {
    411. 

  411. 			return false
    412. 

  412. 		}
    413. 

  413. 		return strings.Contains(err.Error(), "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on")
    414. 

  414. 	}
    415. 

  415. 	tests := []struct {
    416. 

  416. 		name        string
    417. 

  417. 		username    string
    418. 

  418. 		resource    schema.GroupVersionResource
    419. 

  419. 		subresource string
    420. 

  420. 		oldObj      runtime.Object
    421. 

  421. 		newObj      runtime.Object
    422. 

  422. 

  423. 		checkError func(error) bool
    424. 

  424. 	}{
    425. 

  425. 		// cases for create
    426. 

  426. 		{
    427. 

  427. 			name:       "super-user, create, no ownerReferences",
    428. 

  428. 			username:   "super",
    429. 

  429. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    430. 

  430. 			newObj:     podWithOwnerRefs(),
    431. 

  431. 			checkError: expectNoError,
    432. 

  432. 		},
    433. 

  433. 		{
    434. 

  434. 			name:       "super-user, create, all ownerReferences have blockOwnerDeletion=false",
    435. 

  435. 			username:   "super",
    436. 

  436. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    437. 

  437. 			newObj:     podWithOwnerRefs(notBlockRC1, notBlockRC2),
    438. 

  438. 			checkError: expectNoError,
    439. 

  439. 		},
    440. 

  440. 		{
    441. 

  441. 			name:       "super-user, create, some ownerReferences have blockOwnerDeletion=true",
    442. 

  442. 			username:   "super",
    443. 

  443. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    444. 

  444. 			newObj:     podWithOwnerRefs(blockRC1, blockRC2, blockNode),
    445. 

  445. 			checkError: expectNoError,
    446. 

  446. 		},
    447. 

  447. 		{
    448. 

  448. 			name:       "non-rc-deleter, create, no ownerReferences",
    449. 

  449. 			username:   "non-rc-deleter",
    450. 

  450. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    451. 

  451. 			newObj:     podWithOwnerRefs(),
    452. 

  452. 			checkError: expectNoError,
    453. 

  453. 		},
    454. 

  454. 		{
    455. 

  455. 			name:       "non-rc-deleter, create, all ownerReferences have blockOwnerDeletion=false or nil",
    456. 

  456. 			username:   "non-rc-deleter",
    457. 

  457. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    458. 

  458. 			newObj:     podWithOwnerRefs(notBlockRC1, nilBlockRC2),
    459. 

  459. 			checkError: expectNoError,
    460. 

  460. 		},
    461. 

  461. 		{
    462. 

  462. 			name:       "non-node-deleter, create, all ownerReferences have blockOwnerDeletion=false",
    463. 

  463. 			username:   "non-node-deleter",
    464. 

  464. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    465. 

  465. 			newObj:     podWithOwnerRefs(notBlockNode),
    466. 

  466. 			checkError: expectNoError,
    467. 

  467. 		},
    468. 

  468. 		{
    469. 

  469. 			name:       "non-rc-deleter, create, some ownerReferences have blockOwnerDeletion=true",
    470. 

  470. 			username:   "non-rc-deleter",
    471. 

  471. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    472. 

  472. 			newObj:     podWithOwnerRefs(blockRC1, notBlockRC2),
    473. 

  473. 			checkError: expectCantSetBlockOwnerDeletionError,
    474. 

  474. 		},
    475. 

  475. 		{
    476. 

  476. 			name:       "non-rc-deleter, create, some ownerReferences have blockOwnerDeletion=true, but are pointing to daemonset",
    477. 

  477. 			username:   "non-rc-deleter",
    478. 

  478. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    479. 

  479. 			newObj:     podWithOwnerRefs(blockDS1),
    480. 

  480. 			checkError: expectNoError,
    481. 

  481. 		},
    482. 

  482. 		{
    483. 

  483. 			name:       "non-node-deleter, create, some ownerReferences have blockOwnerDeletion=true",
    484. 

  484. 			username:   "non-node-deleter",
    485. 

  485. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    486. 

  486. 			newObj:     podWithOwnerRefs(blockNode),
    487. 

  487. 			checkError: expectCantSetBlockOwnerDeletionError,
    488. 

  488. 		},
    489. 

  489. 		// cases are for update
    490. 

  490. 		{
    491. 

  491. 			name:       "super-user, update, no ownerReferences change blockOwnerDeletion",
    492. 

  492. 			username:   "super",
    493. 

  493. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    494. 

  494. 			oldObj:     podWithOwnerRefs(nilBlockRC1, nilBlockNode),
    495. 

  495. 			newObj:     podWithOwnerRefs(notBlockRC1, notBlockNode),
    496. 

  496. 			checkError: expectNoError,
    497. 

  497. 		},
    498. 

  498. 		{
    499. 

  499. 			name:       "super-user, update, some ownerReferences change to blockOwnerDeletion=true",
    500. 

  500. 			username:   "super",
    501. 

  501. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    502. 

  502. 			oldObj:     podWithOwnerRefs(notBlockRC1, notBlockNode),
    503. 

  503. 			newObj:     podWithOwnerRefs(blockRC1, blockNode),
    504. 

  504. 			checkError: expectNoError,
    505. 

  505. 		},
    506. 

  506. 		{
    507. 

  507. 			name:       "super-user, update, add new ownerReferences with blockOwnerDeletion=true",
    508. 

  508. 			username:   "super",
    509. 

  509. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    510. 

  510. 			oldObj:     podWithOwnerRefs(),
    511. 

  511. 			newObj:     podWithOwnerRefs(blockRC1, blockNode),
    512. 

  512. 			checkError: expectNoError,
    513. 

  513. 		},
    514. 

  514. 		{
    515. 

  515. 			name:       "non-rc-deleter, update, no ownerReferences change blockOwnerDeletion",
    516. 

  516. 			username:   "non-rc-deleter",
    517. 

  517. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    518. 

  518. 			oldObj:     podWithOwnerRefs(nilBlockRC1),
    519. 

  519. 			newObj:     podWithOwnerRefs(notBlockRC1),
    520. 

  520. 			checkError: expectNoError,
    521. 

  521. 		},
    522. 

  522. 		{
    523. 

  523. 			name:       "non-rc-deleter, update, some ownerReferences change from blockOwnerDeletion=false to true",
    524. 

  524. 			username:   "non-rc-deleter",
    525. 

  525. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    526. 

  526. 			oldObj:     podWithOwnerRefs(notBlockRC1),
    527. 

  527. 			newObj:     podWithOwnerRefs(blockRC1),
    528. 

  528. 			checkError: expectCantSetBlockOwnerDeletionError,
    529. 

  529. 		},
    530. 

  530. 		{
    531. 

  531. 			name:       "non-rc-deleter, update, some ownerReferences change from blockOwnerDeletion=nil to true",
    532. 

  532. 			username:   "non-rc-deleter",
    533. 

  533. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    534. 

  534. 			oldObj:     podWithOwnerRefs(nilBlockRC1),
    535. 

  535. 			newObj:     podWithOwnerRefs(blockRC1),
    536. 

  536. 			checkError: expectCantSetBlockOwnerDeletionError,
    537. 

  537. 		},
    538. 

  538. 		{
    539. 

  539. 			name:       "non-node-deleter, update, some ownerReferences change from blockOwnerDeletion=nil to true",
    540. 

  540. 			username:   "non-node-deleter",
    541. 

  541. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    542. 

  542. 			oldObj:     podWithOwnerRefs(nilBlockNode),
    543. 

  543. 			newObj:     podWithOwnerRefs(blockNode),
    544. 

  544. 			checkError: expectCantSetBlockOwnerDeletionError,
    545. 

  545. 		},
    546. 

  546. 		{
    547. 

  547. 			name:       "non-rc-deleter, update, some ownerReferences change from blockOwnerDeletion=true to false",
    548. 

  548. 			username:   "non-rc-deleter",
    549. 

  549. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    550. 

  550. 			oldObj:     podWithOwnerRefs(blockRC1),
    551. 

  551. 			newObj:     podWithOwnerRefs(notBlockRC1),
    552. 

  552. 			checkError: expectNoError,
    553. 

  553. 		},
    554. 

  554. 		{
    555. 

  555. 			name:       "non-node-deleter, update, some ownerReferences change from blockOwnerDeletion=true to false",
    556. 

  556. 			username:   "non-node-deleter",
    557. 

  557. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    558. 

  558. 			oldObj:     podWithOwnerRefs(blockNode),
    559. 

  559. 			newObj:     podWithOwnerRefs(notBlockNode),
    560. 

  560. 			checkError: expectNoError,
    561. 

  561. 		},
    562. 

  562. 		{
    563. 

  563. 			name:       "non-rc-deleter, update, some ownerReferences change blockOwnerDeletion, but all such references are to daemonset",
    564. 

  564. 			username:   "non-rc-deleter",
    565. 

  565. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    566. 

  566. 			oldObj:     podWithOwnerRefs(notBlockDS1),
    567. 

  567. 			newObj:     podWithOwnerRefs(blockDS1),
    568. 

  568. 			checkError: expectNoError,
    569. 

  569. 		},
    570. 

  570. 		{
    571. 

  571. 			name:       "non-rc-deleter, update, add new ownerReferences with blockOwnerDeletion=nil or false",
    572. 

  572. 			username:   "non-rc-deleter",
    573. 

  573. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    574. 

  574. 			oldObj:     podWithOwnerRefs(),
    575. 

  575. 			newObj:     podWithOwnerRefs(notBlockRC1, nilBlockRC2),
    576. 

  576. 			checkError: expectNoError,
    577. 

  577. 		},
    578. 

  578. 		{
    579. 

  579. 			name:       "non-rc-deleter, update, add new ownerReferences with blockOwnerDeletion=true",
    580. 

  580. 			username:   "non-rc-deleter",
    581. 

  581. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    582. 

  582. 			oldObj:     podWithOwnerRefs(),
    583. 

  583. 			newObj:     podWithOwnerRefs(blockRC1),
    584. 

  584. 			checkError: expectCantSetBlockOwnerDeletionError,
    585. 

  585. 		},
    586. 

  586. 		{
    587. 

  587. 			name:       "non-rc-deleter, update, add new ownerReferences with blockOwnerDeletion=true, but the references are to daemonset",
    588. 

  588. 			username:   "non-rc-deleter",
    589. 

  589. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    590. 

  590. 			oldObj:     podWithOwnerRefs(),
    591. 

  591. 			newObj:     podWithOwnerRefs(blockDS1),
    592. 

  592. 			checkError: expectNoError,
    593. 

  593. 		},
    594. 

  594. 		{
    595. 

  595. 			name:       "non-node-deleter, update, add ownerReferences with blockOwnerDeletion=true",
    596. 

  596. 			username:   "non-node-deleter",
    597. 

  597. 			resource:   api.SchemeGroupVersion.WithResource("pods"),
    598. 

  598. 			oldObj:     podWithOwnerRefs(),
    599. 

  599. 			newObj:     podWithOwnerRefs(blockNode),
    600. 

  600. 			checkError: expectCantSetBlockOwnerDeletionError,
    601. 

  601. 		},
    602. 

  602. 	}
    603. 

  603. 	gcAdmit, err := newGCPermissionsEnforcement()
    604. 

  604. 	if err != nil {
    605. 

  605. 		t.Error(err)
    606. 

  606. 	}
    607. 

  607. 

  608. 	for _, tc := range tests {
    609. 

  609. 		operation := admission.Create
    610. 

  610. 		var options runtime.Object = &metav1.CreateOptions{}
    611. 

  611. 		if tc.oldObj != nil {
    612. 

  612. 			operation = admission.Update
    613. 

  613. 			options = &metav1.UpdateOptions{}
    614. 

  614. 		}
    615. 

  615. 		user := &user.DefaultInfo{Name: tc.username}
    616. 

  616. 		attributes := admission.NewAttributesRecord(tc.newObj, tc.oldObj, schema.GroupVersionKind{}, metav1.NamespaceDefault, "foo", tc.resource, tc.subresource, operation, options, false, user)
    617. 

  617. 

  618. 		err := gcAdmit.Validate(attributes, nil)
    619. 

  619. 		if !tc.checkError(err) {
    620. 

  620. 			t.Errorf("%v: unexpected err: %v", tc.name, err)
    621. 

  621. 		}
    622. 

  622. 	}
    623. 

  623. }
    624. 

  624.