kubernetes · k8s-github-robot · Mar 30, 2018 · Feb 20, 2018 · liggitt · Mar 22, 2018
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
@@ -4098,6 +4098,9 @@ func ValidateNodeUpdate(node, oldNode *core.Node) field.ErrorList {
 
 	// Allow updates to Node.Spec.ConfigSource if DynamicKubeletConfig feature gate is enabled
 	if utilfeature.DefaultFeatureGate.Enabled(features.DynamicKubeletConfig) {
+		if node.Spec.ConfigSource != nil {
+			allErrs = append(allErrs, validateNodeConfigSource(node.Spec.ConfigSource, field.NewPath("spec", "configSource"))...)
+		}
 		oldNode.Spec.ConfigSource = node.Spec.ConfigSource
 	}
 
@@ -4111,6 +4114,25 @@ func ValidateNodeUpdate(node, oldNode *core.Node) field.ErrorList {
 	return allErrs
 }
 
+func validateNodeConfigSource(source *core.NodeConfigSource, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	count := int(0)
+	if ref := source.ConfigMapRef; ref != nil {
+		count++
+		// name, namespace, and UID must all be non-empty for ConfigMapRef
+		if ref.Name == "" || ref.Namespace == "" || string(ref.UID) == "" {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("configMapRef"), ref, "name, namespace, and UID must all be non-empty"))
+		}
+	}
+	// add more subfields here in the future as they are added to NodeConfigSource
+
+	// exactly one reference subfield must be non-nil
+	if count != 1 {
+		allErrs = append(allErrs, field.Invalid(fldPath, source, "exactly one reference subfield must be non-nil"))
+	}
+	return allErrs
+}
+
 // Validate compute resource typename.
 // Refer to docs/design/resources.md for more details.
 func validateResourceName(value string, fldPath *field.Path) field.ErrorList {

diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
@@ -68,12 +68,13 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
 	)
 
 	for _, authorizationMode := range config.AuthorizationModes {
-		// Keep cases in sync with constant list above.
+		// Keep cases in sync with constant list in k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go.
 		switch authorizationMode {
 		case modes.ModeNode:
 			graph := node.NewGraph()
 			node.AddGraphEventHandlers(
 				graph,
+				config.InformerFactory.Core().InternalVersion().Nodes(),
 				config.InformerFactory.Core().InternalVersion().Pods(),
 				config.InformerFactory.Core().InternalVersion().PersistentVolumes(),
 				config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),

diff --git a/plugin/pkg/auth/authorizer/node/BUILD b/plugin/pkg/auth/authorizer/node/BUILD
@@ -8,15 +8,20 @@ load(
 
 go_test(
     name = "go_default_test",
-    srcs = ["node_authorizer_test.go"],
+    srcs = [
+        "graph_test.go",
+        "node_authorizer_test.go",
+    ],
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/core:go_default_library",
         "//pkg/auth/nodeidentifier:go_default_library",
         "//pkg/features:go_default_library",
         "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
         "//vendor/k8s.io/api/storage/v1beta1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",

diff --git a/plugin/pkg/auth/authorizer/node/graph.go b/plugin/pkg/auth/authorizer/node/graph.go
@@ -198,6 +198,50 @@ func (g *Graph) deleteVertex_locked(vertexType vertexType, namespace, name strin
 	}
 }
 
+// must be called under write lock
+// deletes edges from a given vertex type to a specific vertex
+// will delete each orphaned "from" vertex, but will never delete the "to" vertex
+func (g *Graph) deleteEdges_locked(fromType, toType vertexType, toNamespace, toName string) {
+	// get the "to" side
+	toVert, exists := g.getVertex_rlocked(toType, toNamespace, toName)
+	if !exists {
+		return
+	}
+
+	// get potential "from" verts that match fromType
+	namespaces, exists := g.vertices[fromType]
+	if !exists {
+		return
+	}
+
+	// delete all edges between vertices of fromType and toVert
+	removeVerts := []*namedVertex{}
+	for _, vertexMapping := range namespaces {
+		for _, fromVert := range vertexMapping {
+			if g.graph.HasEdgeBetween(fromVert, toVert) {
+				// remove the edge (no-op if edge doesn't exist)
+				g.graph.RemoveEdge(newDestinationEdge(fromVert, toVert, nil))
+				// remember to clean up the fromVert if we orphaned it
+				if g.graph.Degree(fromVert) == 0 {
+					removeVerts = append(removeVerts, fromVert)
+				}
+			}
+		}
+	}
+
+	// clean up orphaned verts
+	for _, v := range removeVerts {
+		g.graph.RemoveNode(v)
+		delete(g.vertices[v.vertexType][v.namespace], v.name)
+		if len(g.vertices[v.vertexType][v.namespace]) == 0 {
+			delete(g.vertices[v.vertexType], v.namespace)
+		}
+		if len(g.vertices[v.vertexType]) == 0 {
+			delete(g.vertices, v.vertexType)
+		}
+	}
+}
+
 // AddPod should only be called once spec.NodeName is populated.
 // It sets up edges for the following relationships (which are immutable for a pod once bound to a node):
 //
@@ -301,3 +345,25 @@ func (g *Graph) DeleteVolumeAttachment(name string) {
 	defer g.lock.Unlock()
 	g.deleteVertex_locked(vaVertexType, "", name)
 }
+
+// SetNodeConfigMap sets up edges for the Node.Spec.ConfigSource.ConfigMapRef relationship:
+//
+// configmap -> node
+func (g *Graph) SetNodeConfigMap(nodeName, configMapName, configMapNamespace string) {
+	g.lock.Lock()
+	defer g.lock.Unlock()
+
+	// TODO(mtaufen): ensure len(nodeName) > 0 in all cases (would sure be nice to have a dependently-typed language here...)
+
+	// clear edges configmaps -> node where the destination is the current node *only*
+	// at present, a node can only have one *direct* configmap reference at a time
+	g.deleteEdges_locked(configMapVertexType, nodeVertexType, "", nodeName)
+
+	// establish new edges if we have a real ConfigMap to reference
+	if len(configMapName) > 0 && len(configMapNamespace) > 0 {
+		configmapVertex := g.getOrCreateVertex_locked(configMapVertexType, configMapNamespace, configMapName)
+		nodeVertex := g.getOrCreateVertex_locked(nodeVertexType, "", nodeName)
+		g.graph.SetEdge(newDestinationEdge(configmapVertex, nodeVertex, nodeVertex))
+	}
+
+}
diff --git a/plugin/pkg/auth/authorizer/node/graph_populator.go b/plugin/pkg/auth/authorizer/node/graph_populator.go
@@ -17,6 +17,7 @@ limitations under the License.
 package node
 
 import (
+	"fmt"
 	"github.com/golang/glog"
 
 	storagev1beta1 "k8s.io/api/storage/v1beta1"
@@ -34,6 +35,7 @@ type graphPopulator struct {
 
 func AddGraphEventHandlers(
 	graph *Graph,
+	nodes coreinformers.NodeInformer,
 	pods coreinformers.PodInformer,
 	pvs coreinformers.PersistentVolumeInformer,
 	attachments storageinformers.VolumeAttachmentInformer,
@@ -42,6 +44,14 @@ func AddGraphEventHandlers(
 		graph: graph,
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.DynamicKubeletConfig) {
+		nodes.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+			AddFunc:    g.addNode,
+			UpdateFunc: g.updateNode,
+			DeleteFunc: g.deleteNode,
+		})
+	}
+
 	pods.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc:    g.addPod,
 		UpdateFunc: g.updatePod,
@@ -63,6 +73,57 @@ func AddGraphEventHandlers(
 	}
 }
 
+func (g *graphPopulator) addNode(obj interface{}) {
+	g.updateNode(nil, obj)
+}
+
+func (g *graphPopulator) updateNode(oldObj, obj interface{}) {
+	node := obj.(*api.Node)
+	var oldNode *api.Node
+	if oldObj != nil {
+		oldNode = oldObj.(*api.Node)
+	}
+
+	// we only set up rules for ConfigMapRef today, because that is the only reference type
+
+	var name, namespace string
+	if source := node.Spec.ConfigSource; source != nil && source.ConfigMapRef != nil {
+		name = source.ConfigMapRef.Name
+		namespace = source.ConfigMapRef.Namespace
+	}
+
+	var oldName, oldNamespace string
+	if oldNode != nil {
+		if oldSource := oldNode.Spec.ConfigSource; oldSource != nil && oldSource.ConfigMapRef != nil {
+			oldName = oldSource.ConfigMapRef.Name
+			oldNamespace = oldSource.ConfigMapRef.Namespace
+		}
+	}
+
+	// if Node.Spec.ConfigSource wasn't updated, nothing for us to do
+	if name == oldName && namespace == oldNamespace {
+		return
+	}
+
+	path := "nil"
+	if node.Spec.ConfigSource != nil {
+		path = fmt.Sprintf("%s/%s", namespace, name)
+	}
+	glog.V(4).Infof("updateNode configSource reference to %s for node %s", path, node.Name)
+	g.graph.SetNodeConfigMap(node.Name, name, namespace)
+}
+
+func (g *graphPopulator) deleteNode(obj interface{}) {
+	node := obj.(*api.Node)
+
+	// TODO(mtaufen): ensure len(nodeName) > 0 in all cases (would sure be nice to have a dependently-typed language here...)
+
+	// NOTE: We don't remove the node, because if the node is re-created not all pod -> node
+	// links are re-established (we don't get relevant events because the no mutations need
+	// to happen in the API; the state is already there).
+	g.graph.SetNodeConfigMap(node.Name, "", "")
+}
+
 func (g *graphPopulator) addPod(obj interface{}) {
 	g.updatePod(nil, obj)
 }