mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-11-04 04:08:16 +00:00
Validate involvedObject.Namespace matches event.Namespace
This commit is contained in:
Jordan Liggitt
@@ -17,7 +17,13 @@ limitations under the License.
|
|||||||
package validation
|
package validation
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
"k8s.io/kubernetes/pkg/api"
|
"k8s.io/kubernetes/pkg/api"
|
||||||
|
"k8s.io/kubernetes/pkg/api/meta"
|
||||||
|
"k8s.io/kubernetes/pkg/api/unversioned"
|
||||||
|
apiutil "k8s.io/kubernetes/pkg/api/util"
|
||||||
|
"k8s.io/kubernetes/pkg/apimachinery/registered"
|
||||||
"k8s.io/kubernetes/pkg/util/validation"
|
"k8s.io/kubernetes/pkg/util/validation"
|
||||||
"k8s.io/kubernetes/pkg/util/validation/field"
|
"k8s.io/kubernetes/pkg/util/validation/field"
|
||||||
)
|
)
|
||||||
@@ -25,21 +31,50 @@ import (
|
|||||||
// ValidateEvent makes sure that the event makes sense.
|
// ValidateEvent makes sure that the event makes sense.
|
||||||
func ValidateEvent(event *api.Event) field.ErrorList {
|
func ValidateEvent(event *api.Event) field.ErrorList {
|
||||||
allErrs := field.ErrorList{}
|
allErrs := field.ErrorList{}
|
||||||
// There is no namespace required for node or persistent volume.
|
|
||||||
// However, older client code accidentally sets event.Namespace
|
// Make sure event.Namespace and the involvedObject.Namespace agree
|
||||||
// to api.NamespaceDefault, so we accept that too, but "" is preferred.
|
if len(event.InvolvedObject.Namespace) == 0 {
|
||||||
if (event.InvolvedObject.Kind == "Node" || event.InvolvedObject.Kind == "PersistentVolume") &&
|
// event.Namespace must also be empty (or "default", for compatibility with old clients)
|
||||||
event.Namespace != api.NamespaceDefault &&
|
if event.Namespace != api.NamespaceNone && event.Namespace != api.NamespaceDefault {
|
||||||
event.Namespace != "" {
|
allErrs = append(allErrs, field.Invalid(field.NewPath("involvedObject", "namespace"), event.InvolvedObject.Namespace, "does not match event.namespace"))
|
||||||
allErrs = append(allErrs, field.Invalid(field.NewPath("involvedObject", "namespace"), event.InvolvedObject.Namespace, "not allowed for node"))
|
}
|
||||||
|
} else {
|
||||||
|
// event namespace must match
|
||||||
|
if event.Namespace != event.InvolvedObject.Namespace {
|
||||||
|
allErrs = append(allErrs, field.Invalid(field.NewPath("involvedObject", "namespace"), event.InvolvedObject.Namespace, "does not match event.namespace"))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if event.InvolvedObject.Kind != "Node" &&
|
|
||||||
event.InvolvedObject.Kind != "PersistentVolume" &&
|
// For kinds we recognize, make sure involvedObject.Namespace is set for namespaced kinds
|
||||||
event.Namespace != event.InvolvedObject.Namespace {
|
if namespaced, err := isNamespacedKind(event.InvolvedObject.Kind, event.InvolvedObject.APIVersion); err == nil {
|
||||||
allErrs = append(allErrs, field.Invalid(field.NewPath("involvedObject", "namespace"), event.InvolvedObject.Namespace, "does not match involvedObject"))
|
if namespaced && len(event.InvolvedObject.Namespace) == 0 {
|
||||||
|
allErrs = append(allErrs, field.Required(field.NewPath("involvedObject", "namespace"), fmt.Sprintf("required for kind %s", event.InvolvedObject.Kind)))
|
||||||
|
}
|
||||||
|
if !namespaced && len(event.InvolvedObject.Namespace) > 0 {
|
||||||
|
allErrs = append(allErrs, field.Invalid(field.NewPath("involvedObject", "namespace"), event.InvolvedObject.Namespace, fmt.Sprintf("not allowed for kind %s", event.InvolvedObject.Kind)))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, msg := range validation.IsDNS1123Subdomain(event.Namespace) {
|
for _, msg := range validation.IsDNS1123Subdomain(event.Namespace) {
|
||||||
allErrs = append(allErrs, field.Invalid(field.NewPath("namespace"), event.Namespace, msg))
|
allErrs = append(allErrs, field.Invalid(field.NewPath("namespace"), event.Namespace, msg))
|
||||||
}
|
}
|
||||||
return allErrs
|
return allErrs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check whether the kind in groupVersion is scoped at the root of the api hierarchy
|
||||||
|
func isNamespacedKind(kind, groupVersion string) (bool, error) {
|
||||||
|
group := apiutil.GetGroup(groupVersion)
|
||||||
|
g, err := registered.Group(group)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
restMapping, err := g.RESTMapper.RESTMapping(unversioned.GroupKind{Group: group, Kind: kind}, apiutil.GetVersion(groupVersion))
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
scopeName := restMapping.Scope.Name()
|
||||||
|
if scopeName == meta.RESTScopeNameNamespace {
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|||||||
@@ -35,17 +35,177 @@ func TestValidateEvent(t *testing.T) {
|
|||||||
},
|
},
|
||||||
InvolvedObject: api.ObjectReference{
|
InvolvedObject: api.ObjectReference{
|
||||||
Namespace: "bar",
|
Namespace: "bar",
|
||||||
|
Kind: "Pod",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
false,
|
false,
|
||||||
}, {
|
}, {
|
||||||
&api.Event{
|
&api.Event{
|
||||||
ObjectMeta: api.ObjectMeta{
|
ObjectMeta: api.ObjectMeta{
|
||||||
Name: "test1",
|
Name: "test2",
|
||||||
Namespace: "aoeu-_-aoeu",
|
Namespace: "aoeu-_-aoeu",
|
||||||
},
|
},
|
||||||
InvolvedObject: api.ObjectReference{
|
InvolvedObject: api.ObjectReference{
|
||||||
Namespace: "aoeu-_-aoeu",
|
Namespace: "aoeu-_-aoeu",
|
||||||
|
Kind: "Pod",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test3",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "v1",
|
||||||
|
Kind: "Node",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
true,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test4",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "v1",
|
||||||
|
Kind: "Namespace",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
true,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test5",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "extensions/v1beta1",
|
||||||
|
Kind: "NoKind",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
true,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test6",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "extensions/v1beta1",
|
||||||
|
Kind: "Job",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test7",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "extensions/v1beta1",
|
||||||
|
Kind: "Job",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
true,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test8",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "other/v1beta1",
|
||||||
|
Kind: "Job",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test9",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "other/v1beta1",
|
||||||
|
Kind: "Job",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
true,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test10",
|
||||||
|
Namespace: api.NamespaceDefault,
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "extensions",
|
||||||
|
Kind: "Job",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
}, {
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test11",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
// must register in v1beta1 to be true
|
||||||
|
APIVersion: "extensions/v1beta1",
|
||||||
|
Kind: "Job",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test12",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "other/v1beta1",
|
||||||
|
Kind: "FooBar",
|
||||||
|
Namespace: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test13",
|
||||||
|
Namespace: "",
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "other/v1beta1",
|
||||||
|
Kind: "FooBar",
|
||||||
|
Namespace: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
&api.Event{
|
||||||
|
ObjectMeta: api.ObjectMeta{
|
||||||
|
Name: "test14",
|
||||||
|
Namespace: "foo",
|
||||||
|
},
|
||||||
|
InvolvedObject: api.ObjectReference{
|
||||||
|
APIVersion: "other/v1beta1",
|
||||||
|
Kind: "FooBar",
|
||||||
|
Namespace: "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
false,
|
false,
|
||||||
|
|||||||
Reference in New Issue
Block a user