Admission plugin to merge pod and namespace tolerations for restricting pod placement on nodes

cmd/kube-apiserver/app/BUILD

@@ -57,6 +57,7 @@ go_library(
         "//plugin/pkg/admission/persistentvolume/label:go_default_library",
         "//plugin/pkg/admission/podnodeselector:go_default_library",
         "//plugin/pkg/admission/podpreset:go_default_library",
+        "//plugin/pkg/admission/podtolerationrestriction:go_default_library",
         "//plugin/pkg/admission/resourcequota:go_default_library",
         "//plugin/pkg/admission/security/podsecuritypolicy:go_default_library",
         "//plugin/pkg/admission/securitycontext/scdeny:go_default_library",

cmd/kube-apiserver/app/plugins.go

@@ -40,6 +40,7 @@ import (
 	_ "k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/label"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/podpreset"
+	_ "k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/resourcequota"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
 	_ "k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"

hack/.linted_packages

@@ -279,6 +279,8 @@ plugin/pkg/admission/gc
 plugin/pkg/admission/imagepolicy
 plugin/pkg/admission/namespace/autoprovision
 plugin/pkg/admission/namespace/exists
+plugin/pkg/admission/podtolerationrestriction/apis/podtolerationrestriction/install
+plugin/pkg/admission/podtolerationrestriction/apis/podtolerationrestriction/validation
 plugin/pkg/admission/resourcequota/apis/resourcequota/install
 plugin/pkg/admission/resourcequota/apis/resourcequota/validation
 plugin/pkg/admission/securitycontext/scdeny

pkg/api/validation/validation.go

@@ -155,7 +155,7 @@ func ValidateTolerationsInPodAnnotations(annotations map[string]string, fldPath
 	}
 
 	if len(tolerations) > 0 {
-		allErrs = append(allErrs, validateTolerations(tolerations, fldPath.Child(api.TolerationsAnnotationKey))...)
+		allErrs = append(allErrs, ValidateTolerations(tolerations, fldPath.Child(api.TolerationsAnnotationKey))...)
 	}
 
 	return allErrs
@@ -2000,12 +2000,12 @@ func validateOnlyAddedTolerations(newTolerations []api.Toleration, oldToleration
 		}
 	}
 
-	allErrs = append(allErrs, validateTolerations(newTolerations, fldPath)...)
+	allErrs = append(allErrs, ValidateTolerations(newTolerations, fldPath)...)
 	return allErrs
 }
 
-// validateTolerations tests if given tolerations have valid data.
-func validateTolerations(tolerations []api.Toleration, fldPath *field.Path) field.ErrorList {
+// ValidateTolerations tests if given tolerations have valid data.
+func ValidateTolerations(tolerations []api.Toleration, fldPath *field.Path) field.ErrorList {
 	allErrors := field.ErrorList{}
 	for i, toleration := range tolerations {
 		idxPath := fldPath.Index(i)
@@ -2102,7 +2102,7 @@ func ValidatePodSpec(spec *api.PodSpec, fldPath *field.Path) field.ErrorList {
 	}
 
 	if len(spec.Tolerations) > 0 {
-		allErrs = append(allErrs, validateTolerations(spec.Tolerations, fldPath.Child("tolerations"))...)
+		allErrs = append(allErrs, ValidateTolerations(spec.Tolerations, fldPath.Child("tolerations"))...)
 	}
 
 	return allErrs

pkg/util/BUILD

@@ -96,6 +96,7 @@ filegroup(
         "//pkg/util/taints:all-srcs",
         "//pkg/util/term:all-srcs",
         "//pkg/util/threading:all-srcs",
+        "//pkg/util/tolerations:all-srcs",
         "//pkg/util/uuid:all-srcs",
         "//pkg/util/validation:all-srcs",
         "//pkg/util/version:all-srcs",

pkg/util/tolerations/BUILD

@@ -0,0 +1,40 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "tolerations.go",
+    ],
+    tags = ["automanaged"],
+    deps = ["//pkg/api:go_default_library"],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["tolerations_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = ["//pkg/api:go_default_library"],
+)

pkg/util/tolerations/doc.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package tolerations provides utilities to work with pod spec tolerations.
+package tolerations // import "k8s.io/kubernetes/pkg/util/tolerations"

pkg/util/tolerations/tolerations.go

@@ -0,0 +1,125 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tolerations
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+)
+
+type key struct {
+	tolerationKey string
+	effect        api.TaintEffect
+}
+
+// VerifyAgainstWhitelist checks if the provided tolerations
+// satisfy the provided whitelist and returns true, otherwise returns false
+func VerifyAgainstWhitelist(tolerations []api.Toleration, whitelist []api.Toleration) bool {
+	if len(whitelist) == 0 {
+		return true
+	}
+
+	t := ConvertTolerationToAMap(tolerations)
+	w := ConvertTolerationToAMap(whitelist)
+
+	for k1, v1 := range t {
+		if v2, ok := w[k1]; !ok || !AreEqual(v1, v2) {
+			return false
+		}
+	}
+	return true
+}
+
+// IsConflict returns true if the key of two tolerations match
+// but one or more other fields differ, otherwise returns false
+func IsConflict(first []api.Toleration, second []api.Toleration) bool {
+	firstMap := ConvertTolerationToAMap(first)
+	secondMap := ConvertTolerationToAMap(second)
+
+	for k1, v1 := range firstMap {
+		if v2, ok := secondMap[k1]; ok && !AreEqual(v1, v2) {
+			return true
+		}
+	}
+	return false
+}
+
+// MergeTolerations merges two sets of tolerations into one
+// it does not check for conflicts
+func MergeTolerations(first []api.Toleration, second []api.Toleration) []api.Toleration {
+	var mergedTolerations []api.Toleration
+	mergedTolerations = append(mergedTolerations, second...)
+
+	firstMap := ConvertTolerationToAMap(first)
+	secondMap := ConvertTolerationToAMap(second)
+
+	for k1, v1 := range firstMap {
+		if _, ok := secondMap[k1]; !ok {
+			mergedTolerations = append(mergedTolerations, v1)
+		}
+	}
+	return mergedTolerations
+}
+
+// EqualTolerations returns true if two sets of tolerations are equal, otherwise false
+// it assumes no duplicates in individual set of tolerations
+func EqualTolerations(first []api.Toleration, second []api.Toleration) bool {
+	if len(first) != len(second) {
+		return false
+	}
+
+	firstMap := ConvertTolerationToAMap(first)
+	secondMap := ConvertTolerationToAMap(second)
+
+	for k1, v1 := range firstMap {
+		if v2, ok := secondMap[k1]; !ok || !AreEqual(v1, v2) {
+			return false
+		}
+	}
+	return true
+}
+
+// ConvertTolerationToAMap converts toleration list into a map[string]api.Toleration
+func ConvertTolerationToAMap(in []api.Toleration) map[key]api.Toleration {
+	out := map[key]api.Toleration{}
+	for i := range in {
+		out[key{in[i].Key, in[i].Effect}] = in[i]
+	}
+	return out
+}
+
+// AreEqual checks if two provided tolerations are equal or not.
+func AreEqual(first, second api.Toleration) bool {
+	if first.Key == second.Key &&
+		first.Operator == second.Operator &&
+		first.Value == second.Value &&
+		first.Effect == second.Effect &&
+		AreTolerationSecondsEqual(first.TolerationSeconds, second.TolerationSeconds) {
+		return true
+	}
+	return false
+}
+
+// AreTolerationSecondsEqual checks if two provided TolerationSeconds are equal or not.
+func AreTolerationSecondsEqual(ts1, ts2 *int64) bool {
+	if ts1 == ts2 {
+		return true
+	}
+	if ts1 != nil && ts2 != nil && *ts1 == *ts2 {
+		return true
+	}
+	return false
+}

pkg/util/tolerations/tolerations_test.go

@@ -0,0 +1,82 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tolerations
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+)
+
+func TestVerifyAgainstWhitelist(t *testing.T) {
+	tests := []struct {
+		input      []api.Toleration
+		whitelist  []api.Toleration
+		testName   string
+		testStatus bool
+	}{
+		{
+			input:      []api.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "NoSchedule"}},
+			whitelist:  []api.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "NoSchedule"}},
+			testName:   "equal input and whitelist",
+			testStatus: true,
+		},
+		{
+			input:      []api.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "NoSchedule"}},
+			whitelist:  []api.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "NoExecute"}},
+			testName:   "input does not exist in whitelist",
+			testStatus: false,
+		},
+	}
+
+	for _, c := range tests {
+		status := VerifyAgainstWhitelist(c.input, c.whitelist)
+		if status != c.testStatus {
+			t.Errorf("Test: %s, expected %v", c.testName, status)
+		}
+	}
+
+}
+
+func TestIsConflict(t *testing.T) {
+	tests := []struct {
+		input1     []api.Toleration
+		input2     []api.Toleration
+		testName   string
+		testStatus bool
+	}{
+		{
+			input1:     []api.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "NoSchedule"}},
+			input2:     []api.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "NoSchedule"}},
+			testName:   "equal inputs",
+			testStatus: true,
+		},
+		{
+			input1:     []api.Toleration{{Key: "foo", Operator: "Equal", Value: "foo", Effect: "NoExecute"}},
+			input2:     []api.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "NoExecute"}},
+			testName:   "mismatch values in inputs",
+			testStatus: false,
+		},
+	}
+
+	for _, c := range tests {
+		status := IsConflict(c.input1, c.input2)
+		if status == c.testStatus {
+			t.Errorf("Test: %s, expected %v", c.testName, status)
+		}
+	}
+}

plugin/BUILD

@@ -30,6 +30,7 @@ filegroup(
         "//plugin/pkg/admission/persistentvolume/label:all-srcs",
         "//plugin/pkg/admission/podnodeselector:all-srcs",
         "//plugin/pkg/admission/podpreset:all-srcs",
+        "//plugin/pkg/admission/podtolerationrestriction:all-srcs",
         "//plugin/pkg/admission/resourcequota:all-srcs",
         "//plugin/pkg/admission/security:all-srcs",
         "//plugin/pkg/admission/securitycontext/scdeny:all-srcs",