UPSTREAM: <carry>: STOR-1270: Admission plugin to deny deletion of storages.operator.openshift.io
Showing
3 changed files
with
128 additions
and
0 deletions.
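--- a/...rver/admission/customresourcevalidation/operator/deny_delete_cluster_operator_resource.go
+++ b/...rver/admission/customresourcevalidation/operator/deny_delete_cluster_operator_resource.go
@@ -0,0 +1,52 @@
+package operator
+
+import (
+"context"
+"fmt"
+"io"
+
+"k8s.io/apiserver/pkg/admission"
+)
+
+const PluginName = "operator.openshift.io/DenyDeleteClusterOperators"
+
+// Register registers an admission plugin factory whose plugin prevents the deletion of cluster operator resources.
+func Register(plugins *admission.Plugins) {
+plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+return newAdmissionPlugin(), nil
+})
+}
+
+var _ admission.ValidationInterface = &admissionPlugin{}
+
+type admissionPlugin struct {
+*admission.Handler
+}
+
+func newAdmissionPlugin() *admissionPlugin {
+return &admissionPlugin{Handler: admission.NewHandler(admission.Delete)}
+}
+
+// Validate returns an error if there is an attempt to delete a cluster operator resource.
+func (p *admissionPlugin) Validate(ctx context.Context, attributes admission.Attributes, _ admission.ObjectInterfaces) error {
+if len(attributes.GetSubresource()) > 0 {
+return nil
+}
+if attributes.GetResource().Group != "operator.openshift.io" {
+return nil
+}
+switch attributes.GetResource().Resource {
+// Deletion is denied for storages.operator.openshift.io objects named cluster,
+// because MCO and KCM-O depend on this resource being present in order to
+// correctly set environment variables on kubelet and kube-controller-manager.
+case "storages":
+if attributes.GetName() != "cluster" {
+return nil
+}
+// Deletion is allowed for all other operator.openshift.io objects unless
+// explicitly listed above.
+default:
+return nil
+}
+return admission.NewForbidden(attributes, fmt.Errorf("deleting required %s.%s resource, named %s, is not allowed", attributes.GetResource().Resource, attributes.GetResource().Group, attributes.GetName()))
+}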
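Review bot: Validate never inspects attributes.GetOperation(); the restriction to deletes lives only in newAdmissionPlugin, where the embedded Handler is built with admission.NewHandler(admission.Delete) so that Handles() screens operations before the chain reaches Validate. Called directly, as the accompanying test does, Validate would also forbid a create or update of storages/cluster. Either make that dependency explicit in the doc comment, `// Validate relies on Handles() admitting only Delete; it does not check the operation itself.`, or add the guard `if attributes.GetOperation() != admission.Delete { return nil }` ahead of the subresource check so the plugin stays narrow even if the Handler is later widened. The single-case switch on the resource name, together with the "unless explicitly listed above" comment, suggests a deny list that is expected to grow; a short comment saying so would explain why it is not a plain if.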
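--- a/...admission/customresourcevalidation/operator/deny_delete_cluster_operator_resource_test.go
+++ b/...admission/customresourcevalidation/operator/deny_delete_cluster_operator_resource_test.go
@@ -0,0 +1,73 @@
+package operator
+
+import (
+"context"
+"testing"
+
+"k8s.io/apimachinery/pkg/runtime/schema"
+"k8s.io/apiserver/pkg/admission"
+)
+
+func TestAdmissionPlugin_Validate(t *testing.T) {
+testCases := []struct {
+tcName string
+group string
+resource string
+name string
+denyDelete bool
+}{
+{
+tcName: "NotBlackListedResourceNamedCluster",
+group: "operator.openshift.io",
+resource: "notBlacklisted",
+name: "cluster",
+denyDelete: false,
+},
+{
+tcName: "NotBlackListedResourceNamedNotCluster",
+group: "operator.openshift.io",
+resource: "notBlacklisted",
+name: "notCluster",
+denyDelete: false,
+},
+{
+tcName: "StorageResourceNamedCluster",
+group: "operator.openshift.io",
+resource: "storages",
+name: "cluster",
+denyDelete: true,
+},
+{
+tcName: "StorageResourceNamedNotCluster",
+group: "operator.openshift.io",
+resource: "storages",
+name: "notCluster",
+denyDelete: false,
+},
+{
+tcName: "ClusterVersionNotVersion",
+group: "config.openshift.io",
+resource: "clusterversions",
+name: "instance",
+denyDelete: false,
+},
+{
+tcName: "OtherGroup",
+group: "not.operator.openshift.io",
+resource: "notBlacklisted",
+name: "cluster",
+denyDelete: false,
+},
+}
+for _, tc := range testCases {
+t.Run(tc.tcName, func(t *testing.T) {
+err := newAdmissionPlugin().Validate(context.TODO(), admission.NewAttributesRecord(
+nil, nil, schema.GroupVersionKind{}, "",
+tc.name, schema.GroupVersionResource{Group: tc.group, Resource: tc.resource},
+"", admission.Delete, nil, false, nil), nil)
+if tc.denyDelete != (err != nil) {
+t.Error(tc.denyDelete, err)
+}
+})
+}
+}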
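Review bot: The table never exercises the subresource early return in Validate: every NewAttributesRecord call passes `""` for the subresource, so a regression that started denying deletes of storages/cluster/status would go unnoticed. A `subresource` field on the table struct, passed through in place of the literal `""`, plus one case for storages named cluster with subresource "status" and denyDelete false closes that gap without touching the existing cases. The same call also hard-codes admission.Delete; a non-Delete case only makes sense alongside an explicit operation guard in Validate, since on the new code alone Validate would forbid a Create of storages/cluster as well, so I would leave that for a follow-up.

```go
	testCases := []struct {
		tcName      string
		group       string
		resource    string
		name        string
		subresource string
		denyDelete  bool
	}{
		// … unchanged: the six existing cases …
		{
			tcName:      "StorageResourceNamedClusterStatusSubresource",
			group:       "operator.openshift.io",
			resource:    "storages",
			name:        "cluster",
			subresource: "status",
			denyDelete:  false,
		},
	}
	for _, tc := range testCases {
		t.Run(tc.tcName, func(t *testing.T) {
			err := newAdmissionPlugin().Validate(context.TODO(), admission.NewAttributesRecord(
				nil, nil, schema.GroupVersionKind{}, "",
				tc.name, schema.GroupVersionResource{Group: tc.group, Resource: tc.resource},
				tc.subresource, admission.Delete, nil, false, nil), nil)
			// … unchanged: denyDelete check …
```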