Merge pull request #95179 from stevenshuang/master

Replace AreLabelsInWhiteList with IsSubset
2025-11-04 04:08:16 +00:00 · 2020-10-05 09:30:33 -07:00
parent 0ef37070dc f0ea54070b
commit c9051308be
2 changed files with 18 additions and 20 deletions
--- a/plugin/pkg/admission/podnodeselector/admission.go
+++ b/plugin/pkg/admission/podnodeselector/admission.go
@@ -148,7 +148,7 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
 	if err != nil {
 		return err
 	}
-	if !labels.AreLabelsInWhiteList(pod.Spec.NodeSelector, whitelist) {
+	if !isSubset(pod.Spec.NodeSelector, whitelist) {
 		return errors.NewForbidden(resource, pod.Name, fmt.Errorf("pod node label selector labels conflict with its namespace whitelist"))
 	}
@@ -259,3 +259,20 @@ func (p *Plugin) getNodeSelectorMap(namespace *corev1.Namespace) (labels.Set, er
 	}
 	return selector, nil
 }
 func isSubset(subSet, superSet labels.Set) bool {
 	if len(superSet) == 0 {
 		return true
 	}
 	for k, v := range subSet {
 		value, ok := superSet[k]
 		if !ok {
 			return false
 		}
 		if value != v {
 			return false
 		}
 	}
 	return true
 }
--- a/staging/src/k8s.io/apimachinery/pkg/labels/labels.go
+++ b/staging/src/k8s.io/apimachinery/pkg/labels/labels.go
@@ -141,25 +141,6 @@ func Equals(labels1, labels2 Set) bool {
 	return true
 }
 // AreLabelsInWhiteList verifies if the provided label list
 // is in the provided whitelist and returns true, otherwise false.
 func AreLabelsInWhiteList(labels, whitelist Set) bool {
 	if len(whitelist) == 0 {
 		return true
 	}
 	for k, v := range labels {
 		value, ok := whitelist[k]
 		if !ok {
 			return false
 		}
 		if value != v {
 			return false
 		}
 	}
 	return true
 }
 // ConvertSelectorToLabelsMap converts selector string to labels map
 // and validates keys and values
 func ConvertSelectorToLabelsMap(selector string) (Set, error) {