scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-04 04:08:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Relax namespace restriction for critical pods

Browse Source
This commit is contained in:
ravisantoshgudimetla
2019-11-04 17:26:16 -05:00
parent fb87f72b88
commit fe4cac73c8
5 changed files with 28 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/registry/scheduling/rest/BUILD
View File

@@ -16,6 +16,7 @@ go_library(
"//pkg/apis/scheduling/v1alpha1:go_default_library", "//pkg/apis/scheduling/v1alpha1:go_default_library",
"//pkg/apis/scheduling/v1beta1:go_default_library", "//pkg/apis/scheduling/v1beta1:go_default_library",
"//pkg/registry/scheduling/priorityclass/storage:go_default_library", "//pkg/registry/scheduling/priorityclass/storage:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
@@ -24,6 +25,7 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/registry/rest:go_default_library", "//staging/src/k8s.io/apiserver/pkg/registry/rest:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/storage:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server/storage:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
], ],

18
plugin/pkg/admission/priority/admission.go
View File

@@ -28,10 +28,10 @@ import (
"k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/labels"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
genericadmissioninitializers "k8s.io/apiserver/pkg/admission/initializer" genericadmissioninitializers "k8s.io/apiserver/pkg/admission/initializer"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/informers" "k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes"
schedulingv1listers "k8s.io/client-go/listers/scheduling/v1" schedulingv1listers "k8s.io/client-go/listers/scheduling/v1"
"k8s.io/component-base/featuregate"
"k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/apis/core"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/scheduling" "k8s.io/kubernetes/pkg/apis/scheduling"
@@ -56,10 +56,13 @@ type Plugin struct {
*admission.Handler *admission.Handler
client kubernetes.Interface client kubernetes.Interface
lister schedulingv1listers.PriorityClassLister lister schedulingv1listers.PriorityClassLister
resourceQuotaFeatureGateEnabled bool
nonPreemptingPriority bool
} }
var _ admission.MutationInterface = &Plugin{} var _ admission.MutationInterface = &Plugin{}
var _ admission.ValidationInterface = &Plugin{} var _ admission.ValidationInterface = &Plugin{}
var _ genericadmissioninitializers.WantsFeatures = &Plugin{}
var _ = genericadmissioninitializers.WantsExternalKubeInformerFactory(&Plugin{}) var _ = genericadmissioninitializers.WantsExternalKubeInformerFactory(&Plugin{})
var _ = genericadmissioninitializers.WantsExternalKubeClientSet(&Plugin{}) var _ = genericadmissioninitializers.WantsExternalKubeClientSet(&Plugin{})
@@ -81,6 +84,12 @@ func (p *Plugin) ValidateInitialization() error {
return nil return nil
} }
// InspectFeatureGates allows setting bools without taking a dep on a global variable
func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
p.nonPreemptingPriority = featureGates.Enabled(features.NonPreemptingPriority)
p.resourceQuotaFeatureGateEnabled = featureGates.Enabled(features.ResourceQuotaScopeSelectors)
}
// SetExternalKubeClientSet implements the WantsInternalKubeClientSet interface. // SetExternalKubeClientSet implements the WantsInternalKubeClientSet interface.
func (p *Plugin) SetExternalKubeClientSet(client kubernetes.Interface) { func (p *Plugin) SetExternalKubeClientSet(client kubernetes.Interface) {
p.client = client p.client = client
@@ -106,7 +115,6 @@ func (p *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
if len(a.GetSubresource()) != 0 { if len(a.GetSubresource()) != 0 {
return nil return nil
} }
switch a.GetResource().GroupResource() { switch a.GetResource().GroupResource() {
case podResource: case podResource:
if operation == admission.Create || operation == admission.Update { if operation == admission.Create || operation == admission.Update {
@@ -189,9 +197,13 @@ func (p *Plugin) admitPod(a admission.Attributes) error {
pod.Spec.PriorityClassName = pcName pod.Spec.PriorityClassName = pcName
} else { } else {
pcName := pod.Spec.PriorityClassName pcName := pod.Spec.PriorityClassName
// If ResourceQuotaScopeSelectors is enabled, we should let pods with critical priorityClass to be created
// any namespace where administrator wants it to be created.
if !p.resourceQuotaFeatureGateEnabled {
if !priorityClassPermittedInNamespace(pcName, a.GetNamespace()) { if !priorityClassPermittedInNamespace(pcName, a.GetNamespace()) {
return admission.NewForbidden(a, fmt.Errorf("pods with %v priorityClass is not permitted in %v namespace", pcName, a.GetNamespace())) return admission.NewForbidden(a, fmt.Errorf("pods with %v priorityClass is not permitted in %v namespace", pcName, a.GetNamespace()))
} }
}
// Try resolving the priority class name. // Try resolving the priority class name.
pc, err := p.lister.Get(pod.Spec.PriorityClassName) pc, err := p.lister.Get(pod.Spec.PriorityClassName)
@@ -212,7 +224,7 @@ func (p *Plugin) admitPod(a admission.Attributes) error {
} }
pod.Spec.Priority = &priority pod.Spec.Priority = &priority
if utilfeature.DefaultFeatureGate.Enabled(features.NonPreemptingPriority) { if p.nonPreemptingPriority {
var corePolicy core.PreemptionPolicy var corePolicy core.PreemptionPolicy
if preemptionPolicy != nil { if preemptionPolicy != nil {
corePolicy = core.PreemptionPolicy(*preemptionPolicy) corePolicy = core.PreemptionPolicy(*preemptionPolicy)

6
plugin/pkg/admission/priority/admission_test.go
View File

@@ -626,7 +626,7 @@ func TestPodAdmission(t *testing.T) {
[]*scheduling.PriorityClass{systemClusterCritical}, []*scheduling.PriorityClass{systemClusterCritical},
*pods[7], *pods[7],
scheduling.SystemCriticalPriority, scheduling.SystemCriticalPriority,
true, false,
nil, nil,
}, },
{ {
@@ -681,8 +681,9 @@ func TestPodAdmission(t *testing.T) {
for _, test := range tests { for _, test := range tests {
klog.V(4).Infof("starting test %q", test.name) klog.V(4).Infof("starting test %q", test.name)
ctrl := NewPlugin() ctrl := NewPlugin()
ctrl.resourceQuotaFeatureGateEnabled = true
ctrl.nonPreemptingPriority = true
// Add existing priority classes. // Add existing priority classes.
if err := addPriorityClasses(ctrl, test.existingClasses); err != nil { if err := addPriorityClasses(ctrl, test.existingClasses); err != nil {
t.Errorf("Test %q: unable to add object to informer: %v", test.name, err) t.Errorf("Test %q: unable to add object to informer: %v", test.name, err)
@@ -704,6 +705,7 @@ func TestPodAdmission(t *testing.T) {
) )
err := admissiontesting.WithReinvocationTesting(t, ctrl).Admit(context.TODO(), attrs, nil) err := admissiontesting.WithReinvocationTesting(t, ctrl).Admit(context.TODO(), attrs, nil)
klog.Infof("Got %v", err) klog.Infof("Got %v", err)
if !test.expectError { if !test.expectError {
if err != nil { if err != nil {
t.Errorf("Test %q: unexpected error received: %v", test.name, err) t.Errorf("Test %q: unexpected error received: %v", test.name, err)

1
plugin/pkg/admission/resourcequota/BUILD
View File

@@ -22,7 +22,6 @@ go_library(
"//pkg/quota/v1/generic:go_default_library", "//pkg/quota/v1/generic:go_default_library",
"//plugin/pkg/admission/resourcequota/apis/resourcequota:go_default_library", "//plugin/pkg/admission/resourcequota/apis/resourcequota:go_default_library",
"//plugin/pkg/admission/resourcequota/apis/resourcequota/install:go_default_library", "//plugin/pkg/admission/resourcequota/apis/resourcequota/install:go_default_library",
"//plugin/pkg/admission/resourcequota/apis/resourcequota/v1beta1:go_default_library",
"//plugin/pkg/admission/resourcequota/apis/resourcequota/validation:go_default_library", "//plugin/pkg/admission/resourcequota/apis/resourcequota/validation:go_default_library",
"//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",

3
test/integration/quota/BUILD
View File

@@ -17,6 +17,7 @@ go_test(
"//pkg/controller:go_default_library", "//pkg/controller:go_default_library",
"//pkg/controller/replication:go_default_library", "//pkg/controller/replication:go_default_library",
"//pkg/controller/resourcequota:go_default_library", "//pkg/controller/resourcequota:go_default_library",
"//pkg/features:go_default_library",
"//pkg/quota/v1/generic:go_default_library", "//pkg/quota/v1/generic:go_default_library",
"//pkg/quota/v1/install:go_default_library", "//pkg/quota/v1/install:go_default_library",
"//plugin/pkg/admission/resourcequota:go_default_library", "//plugin/pkg/admission/resourcequota:go_default_library",
@@ -29,11 +30,13 @@ go_test(
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/client-go/informers:go_default_library", "//staging/src/k8s.io/client-go/informers:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//staging/src/k8s.io/client-go/rest:go_default_library", "//staging/src/k8s.io/client-go/rest:go_default_library",
"//staging/src/k8s.io/client-go/tools/record:go_default_library", "//staging/src/k8s.io/client-go/tools/record:go_default_library",
"//staging/src/k8s.io/client-go/tools/watch:go_default_library", "//staging/src/k8s.io/client-go/tools/watch:go_default_library",
"//staging/src/k8s.io/component-base/featuregate/testing:go_default_library",
"//test/integration/framework:go_default_library", "//test/integration/framework:go_default_library",
], ],
) )