split limitranger admission #55487
Merged
k8s-github-robot
merged 2 commits into
kubernetes:master
from
deads2k:admission-16-limit
Nov 13, 2017
|
@@ -64,6 +64,10 @@ type LimitRanger struct { | |
liveTTL time.Duration | ||
} | ||
|
||
var _ admission.MutationInterface = &LimitRanger{} | ||
var _ admission.ValidationInterface = &LimitRanger{} | ||
var _ kubeapiserveradmission.WantsInternalKubeInformerFactory = &LimitRanger{} | ||
|
||
type liveLookupEntry struct { | ||
expiry time.Time | ||
items []*api.LimitRange | ||
|
@@ -87,6 +91,15 @@ func (l *LimitRanger) ValidateInitialization() error { | |
|
||
// Admit admits resources into cluster that do not violate any defined LimitRange in the namespace | ||
func (l *LimitRanger) Admit(a admission.Attributes) (err error) { | ||
return l.runLimitFunc(a, l.actions.MutateLimit) | ||
} | ||
|
||
// Validate admits resources into cluster that do not violate any defined LimitRange in the namespace | ||
func (l *LimitRanger) Validate(a admission.Attributes) (err error) { | ||
return l.runLimitFunc(a, l.actions.ValidateLimit) | ||
} | ||
|
||
func (l *LimitRanger) runLimitFunc(a admission.Attributes, limitFn func(limitRange *api.LimitRange, kind string, obj runtime.Object) error) (err error) { | ||
if !l.actions.SupportsAttributes(a) { | ||
return nil | ||
} | ||
|
@@ -100,9 +113,31 @@ func (l *LimitRanger) Admit(a admission.Attributes) (err error) { | |
} | ||
} | ||
|
||
items, err := l.GetLimitRanges(a) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// ensure it meets each prescribed min/max | ||
for i := range items { | ||
limitRange := items[i] | ||
|
||
if !l.actions.SupportsLimit(limitRange) { | ||
continue | ||
} | ||
|
||
err = limitFn(limitRange, a.GetResource().Resource, a.GetObject()) | ||
if err != nil { | ||
return admission.NewForbidden(a, err) | ||
} | ||
} | ||
return nil | ||
} | ||
|
||
func (l *LimitRanger) GetLimitRanges(a admission.Attributes) ([]*api.LimitRange, error) { | ||
items, err := l.lister.LimitRanges(a.GetNamespace()).List(labels.Everything()) | ||
if err != nil { | ||
return admission.NewForbidden(a, fmt.Errorf("unable to %s %v at this time because there was an error enforcing limit ranges", a.GetOperation(), a.GetResource())) | ||
return nil, admission.NewForbidden(a, fmt.Errorf("unable to %s %v at this time because there was an error enforcing limit ranges", a.GetOperation(), a.GetResource())) | ||
} | ||
|
||
// if there are no items held in our indexer, check our live-lookup LRU, if that misses, do the live lookup to prime it. | ||
|
@@ -116,7 +151,7 @@ func (l *LimitRanger) Admit(a admission.Attributes) (err error) { | |
// throttling - see #22422 for details. | ||
liveList, err := l.client.Core().LimitRanges(a.GetNamespace()).List(metav1.ListOptions{}) | ||
if err != nil { | ||
return admission.NewForbidden(a, err) | ||
return nil, admission.NewForbidden(a, err) | ||
} | ||
newEntry := liveLookupEntry{expiry: time.Now().Add(l.liveTTL)} | ||
for i := range liveList.Items { | ||
|
@@ -133,20 +168,7 @@ func (l *LimitRanger) Admit(a admission.Attributes) (err error) { | |
|
||
} | ||
|
||
// ensure it meets each prescribed min/max | ||
for i := range items { | ||
limitRange := items[i] | ||
|
||
if !l.actions.SupportsLimit(limitRange) { | ||
continue | ||
} | ||
|
||
err = l.actions.Limit(limitRange, a.GetResource().Resource, a.GetObject()) | ||
if err != nil { | ||
return admission.NewForbidden(a, err) | ||
} | ||
} | ||
return nil | ||
return items, nil | ||
} | ||
|
||
// NewLimitRanger returns an object that enforces limits based on the supplied limit function | ||
|
@@ -399,12 +421,23 @@ var _ LimitRangerActions = &DefaultLimitRangerActions{} | |
// Limit enforces resource requirements of incoming resources against enumerated constraints | ||
// on the LimitRange. It may modify the incoming object to apply default resource requirements | ||
// if not specified, and enumerated on the LimitRange | ||
func (d *DefaultLimitRangerActions) Limit(limitRange *api.LimitRange, resourceName string, obj runtime.Object) error { | ||
func (d *DefaultLimitRangerActions) MutateLimit(limitRange *api.LimitRange, resourceName string, obj runtime.Object) error { | ||
switch resourceName { | ||
case "pods": | ||
return PodLimitFunc(limitRange, obj.(*api.Pod)) | ||
return PodMutateLimitFunc(limitRange, obj.(*api.Pod)) | ||
} | ||
return nil | ||
} | ||
|
||
// Limit enforces resource requirements of incoming resources against enumerated constraints | ||
// on the LimitRange. It may modify the incoming object to apply default resource requirements | ||
// if not specified, and enumerated on the LimitRange | ||
func (d *DefaultLimitRangerActions) ValidateLimit(limitRange *api.LimitRange, resourceName string, obj runtime.Object) error { | ||
switch resourceName { | ||
case "pods": | ||
return PodValidateLimitFunc(limitRange, obj.(*api.Pod)) | ||
case "persistentvolumeclaims": | ||
return PersistentVolumeClaimLimitFunc(limitRange, obj.(*api.PersistentVolumeClaim)) | ||
return PersistentVolumeClaimValidateLimitFunc(limitRange, obj.(*api.PersistentVolumeClaim)) | ||
} | ||
return nil | ||
} | ||
|
@@ -424,11 +457,11 @@ func (d *DefaultLimitRangerActions) SupportsLimit(limitRange *api.LimitRange) bo | |
return true | ||
} | ||
|
||
// PersistentVolumeClaimLimitFunc enforces storage limits for PVCs. | ||
// PersistentVolumeClaimValidateLimitFunc enforces storage limits for PVCs. | ||
validates storage limits ....
||
// Users request storage via pvc.Spec.Resources.Requests. Min/Max is enforced by an admin with LimitRange. | ||
// Claims will not be modified with default values because storage is a required part of pvc.Spec. | ||
// All storage enforced values *only* apply to pvc.Spec.Resources.Requests. | ||
func PersistentVolumeClaimLimitFunc(limitRange *api.LimitRange, pvc *api.PersistentVolumeClaim) error { | ||
func PersistentVolumeClaimValidateLimitFunc(limitRange *api.LimitRange, pvc *api.PersistentVolumeClaim) error { | ||
var errs []error | ||
for i := range limitRange.Spec.Limits { | ||
limit := limitRange.Spec.Limits[i] | ||
|
@@ -452,14 +485,19 @@ func PersistentVolumeClaimLimitFunc(limitRange *api.LimitRange, pvc *api.Persist | |
return utilerrors.NewAggregate(errs) | ||
} | ||
|
||
// PodLimitFunc enforces resource requirements enumerated by the pod against | ||
// PodMutateLimitFunc sets resource requirements enumerated by the pod against | ||
// the specified LimitRange. The pod may be modified to apply default resource | ||
// requirements if not specified, and enumerated on the LimitRange | ||
func PodLimitFunc(limitRange *api.LimitRange, pod *api.Pod) error { | ||
var errs []error | ||
|
||
func PodMutateLimitFunc(limitRange *api.LimitRange, pod *api.Pod) error { | ||
defaultResources := defaultContainerResourceRequirements(limitRange) | ||
mergePodResourceRequirements(pod, &defaultResources) | ||
return nil | ||
} | ||
|
||
// PodValidateLimitFunc enforces resource requirements enumerated by the pod against | ||
// the specified LimitRange. | ||
func PodValidateLimitFunc(limitRange *api.LimitRange, pod *api.Pod) error { | ||
var errs []error | ||
|
||
for i := range limitRange.Spec.Limits { | ||
limit := limitRange.Spec.Limits[i] | ||
|
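Review bot: The doc comment carried over onto ValidateLimit (the three lines above `func (d *DefaultLimitRangerActions) ValidateLimit`) still says it "may modify the incoming object to apply default resource requirements", which is precisely the behaviour this commit moves into MutateLimit; a validating hook that mutates would undermine registering LimitRanger as admission.ValidationInterface. Suggest `// ValidateLimit checks the incoming object against the constraints enumerated on the LimitRange without modifying it.` The `Validate` method comment earlier in the file has the same copy-paste problem ("Validate admits resources into cluster ...") and should read `// Validate rejects resources that violate any defined LimitRange in the namespace`. Separately, the `obj.(*api.Pod)` and `obj.(*api.PersistentVolumeClaim)` assertions in the new ValidateLimit are unchecked like the ones they replace, so an object of the wrong concrete type for that resource name would panic inside the admission chain rather than be rejected; a checked assertion returning an error is cheap insurance, though SupportsAttributes (outside this diff) may already guarantee the type.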
|
@@ -23,8 +23,10 @@ import ( | |
) | ||
|
||
type LimitRangerActions interface { | ||
// Limit is a pluggable function to enforce limits on the object. | ||
Limit(limitRange *api.LimitRange, kind string, obj runtime.Object) error | ||
// MutateLimit is a pluggable function to set limits on the object. | ||
MutateLimit(limitRange *api.LimitRange, kind string, obj runtime.Object) error | ||
// ValidateLimits is a pluggable function to enforce limits on the object. | ||
ic, enforce = validate
||
ValidateLimit(limitRange *api.LimitRange, kind string, obj runtime.Object) error | ||
// SupportsAttributes is a pluggable function to allow overridding what resources the limitranger | ||
// supports. | ||
SupportsAttributes(attr admission.Attributes) bool | ||
|
They are really the same with the exception
l.actions.ValidateLimit
vs.l.actions.MutateLimit
? Maybe make that explicit?
Much better now.