Merge pull request #18687 from pravisankar/fix-isolate-projects

Automatic merge from submit-queue. Bug 1547284 - Do not allow 'default' project to be isolated using 'oc adm pod-network'
openshift · Feb 24, 2018 · 0ad3c11 · 0ad3c11
2 parents f5afaba + 9780ac3
commit 0ad3c11
Show file tree

Hide file tree

Showing 8 changed files with 22 additions and 14 deletions.
diff --git a/pkg/network/common/dns.go b/pkg/network/common/dns.go
@@ -110,7 +110,7 @@ func (d *DNS) updateOne(dns string) (error, bool) {
 	// <domain-name>.		<<ttl from authoritative ns>	IN	A	<IP addr>
 	out, err := d.execer.Command(dig, "+nocmd", "+noall", "+answer", "+ttlid", "a", dns).CombinedOutput()
 	if err != nil || len(out) == 0 {
-		return fmt.Errorf("Failed to fetch IP addr and TTL value for domain: %q, err: %v", dns, err), false
+		return fmt.Errorf("failed to fetch IP addr and TTL value for domain: %q, err: %v", dns, err), false
 	}
 	outStr := strings.Trim(string(out[:]), "\n")
 

diff --git a/pkg/network/master/subnets.go b/pkg/network/master/subnets.go
@@ -33,7 +33,7 @@ func (master *OsdnMaster) SubnetStartMaster(clusterNetworks []common.ClusterNetw
 			glog.Infof("Found existing HostSubnet %s", common.HostSubnetToString(&sub))
 			_, subnetIP, err := net.ParseCIDR(sub.Subnet)
 			if err != nil {
-				return fmt.Errorf("Failed to parse network address: %q", sub.Subnet)
+				return fmt.Errorf("failed to parse network address: %q", sub.Subnet)
 			}
 
 			for _, cn := range clusterNetworks {

diff --git a/pkg/network/master/vnids.go b/pkg/network/master/vnids.go
@@ -140,7 +140,7 @@ func (vmap *masterVNIDMap) releaseNetID(nsName string) error {
 	// If not, then release the netid
 	if count := vmap.getVNIDCount(netid); count == 0 {
 		if err := vmap.netIDManager.Release(netid); err != nil {
-			return fmt.Errorf("Error while releasing netid %d for namespace %q, %v", netid, nsName, err)
+			return fmt.Errorf("error while releasing netid %d for namespace %q, %v", netid, nsName, err)
 		}
 		glog.Infof("Released netid %d for namespace %q", netid, nsName)
 	} else {
@@ -170,6 +170,9 @@ func (vmap *masterVNIDMap) updateNetID(nsName string, action network.PodNetworkA
 			return 0, fmt.Errorf("netid not found for namespace %q", joinNsName)
 		}
 	case network.IsolatePodNetwork:
+		if nsName == kapi.NamespaceDefault {
+			return 0, fmt.Errorf("network isolation for namespace %q is not allowed", nsName)
+		}
 		// Check if the given namespace is already isolated
 		if count := vmap.getVNIDCount(oldnetid); count == 1 {
 			return oldnetid, nil

diff --git a/pkg/network/node/runtime.go b/pkg/network/node/runtime.go
@@ -35,7 +35,7 @@ func (node *OsdnNode) getRuntimeService() (kubeletapi.RuntimeService, error) {
 			return true, nil
 		})
 	if err != nil {
-		return nil, fmt.Errorf("Failed to fetch runtime service: %v", err)
+		return nil, fmt.Errorf("failed to fetch runtime service: %v", err)
 	}
 	return node.runtimeService, nil
 }
@@ -48,10 +48,10 @@ func (node *OsdnNode) getPodSandboxID(filter *kruntimeapi.PodSandboxFilter) (str
 
 	podSandboxList, err := runtimeService.ListPodSandbox(filter)
 	if err != nil {
-		return "", fmt.Errorf("Failed to list pod sandboxes: %v", err)
+		return "", fmt.Errorf("failed to list pod sandboxes: %v", err)
 	}
 	if len(podSandboxList) == 0 {
-		return "", fmt.Errorf("Pod sandbox not found for filter: %v", filter)
+		return "", fmt.Errorf("pod sandbox not found for filter: %v", filter)
 	}
 	return podSandboxList[0].Id, nil
 }
diff --git a/pkg/oc/admin/network/isolate_projects.go b/pkg/oc/admin/network/isolate_projects.go
@@ -7,6 +7,7 @@ import (
 	"github.com/spf13/cobra"
 
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
+	kapi "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 
@@ -72,8 +73,12 @@ func (i *IsolateOptions) Run() error {
 
 	errList := []error{}
 	for _, project := range projects {
+		if project.Name == kapi.NamespaceDefault {
+			errList = append(errList, fmt.Errorf("network isolation for project %q is forbidden", project.Name))
+			continue
+		}
 		if err = i.Options.UpdatePodNetwork(project.Name, network.IsolatePodNetwork, ""); err != nil {
-			errList = append(errList, fmt.Errorf("Network isolation for project %q failed, error: %v", project.Name, err))
+			errList = append(errList, fmt.Errorf("network isolation for project %q failed, error: %v", project.Name, err))
 		}
 	}
 	return kerrors.NewAggregate(errList)

diff --git a/pkg/oc/admin/network/join_projects.go b/pkg/oc/admin/network/join_projects.go
@@ -92,7 +92,7 @@ func (j *JoinOptions) Run() error {
 	for _, project := range projects {
 		if project.Name != j.joinProjectName {
 			if err = j.Options.UpdatePodNetwork(project.Name, network.JoinPodNetwork, j.joinProjectName); err != nil {
-				errList = append(errList, fmt.Errorf("Project %q failed to join %q, error: %v", project.Name, j.joinProjectName, err))
+				errList = append(errList, fmt.Errorf("project %q failed to join %q, error: %v", project.Name, j.joinProjectName, err))
 			}
 		}
 	}

diff --git a/pkg/oc/admin/network/make_projects_global.go b/pkg/oc/admin/network/make_projects_global.go
@@ -74,7 +74,7 @@ func (m *MakeGlobalOptions) Run() error {
 	errList := []error{}
 	for _, project := range projects {
 		if err = m.Options.UpdatePodNetwork(project.Name, network.GlobalPodNetwork, ""); err != nil {
-			errList = append(errList, fmt.Errorf("Removing network isolation for project %q failed, error: %v", project.Name, err))
+			errList = append(errList, fmt.Errorf("removing network isolation for project %q failed, error: %v", project.Name, err))
 		}
 	}
 	return kerrors.NewAggregate(errList)

diff --git a/pkg/oc/admin/network/project_options.go b/pkg/oc/admin/network/project_options.go
@@ -90,12 +90,12 @@ func (p *ProjectOptions) Validate() error {
 	clusterNetwork, err := p.Oclient.Network().ClusterNetworks().Get(networkapi.ClusterNetworkDefault, metav1.GetOptions{})
 	if err != nil {
 		if kapierrors.IsNotFound(err) {
-			errList = append(errList, errors.New("Managing pod network is only supported for openshift multitenant network plugin"))
+			errList = append(errList, errors.New("managing pod network is only supported for openshift multitenant network plugin"))
 		} else {
-			errList = append(errList, errors.New("Failed to fetch current network plugin info"))
+			errList = append(errList, errors.New("failed to fetch current network plugin info"))
 		}
 	} else if !network.IsOpenShiftMultitenantNetworkPlugin(clusterNetwork.PluginName) {
-		errList = append(errList, fmt.Errorf("Using plugin: %q, managing pod network is only supported for openshift multitenant network plugin", clusterNetwork.PluginName))
+		errList = append(errList, fmt.Errorf("using plugin: %q, managing pod network is only supported for openshift multitenant network plugin", clusterNetwork.PluginName))
 	}
 
 	return kerrors.NewAggregate(errList)
@@ -140,7 +140,7 @@ func (p *ProjectOptions) GetProjects() ([]*projectapi.Project, error) {
 	}
 
 	if len(projectList) == 0 {
-		return projectList, fmt.Errorf("No projects found")
+		return projectList, fmt.Errorf("no projects found")
 	} else {
 		givenProjectNames := sets.NewString(p.ProjectNames...)
 		foundProjectNames := sets.String{}
@@ -149,7 +149,7 @@ func (p *ProjectOptions) GetProjects() ([]*projectapi.Project, error) {
 		}
 		skippedProjectNames := givenProjectNames.Difference(foundProjectNames)
 		if skippedProjectNames.Len() > 0 {
-			return projectList, fmt.Errorf("Projects %v not found", strings.Join(skippedProjectNames.List(), ", "))
+			return projectList, fmt.Errorf("projects %v not found", strings.Join(skippedProjectNames.List(), ", "))
 		}
 	}
 	return projectList, nil