kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

return an error in case nil selectors are passed to matcher functions 

Signed-off-by: aerosouund <aerosound161@gmail.com>

Kubernetes-commit: f1d0c5dbc398ceeb9d62d7cb2ab11a3aed3fc14a
This commit is contained in:
aerosouund 2025-08-29 16:12:31 +03:00 committed by Kubernetes Publisher
parent 0edea778d6
commit a793a9ad31
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
pkg/admission/plugin/policy/generic/policy_matcher.go
View File

@ -45,6 +45,8 @@ type PolicyMatcher interface {
GetNamespace(name string) (*corev1.Namespace, error)
}
var errNilSelector = "a nil %s selector was passed, please ensure selectors are initialized properly"
type matcher struct {
Matcher *matching.Matcher
}
@ -66,6 +68,13 @@ func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectIn
if constraints == nil {
return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf("policy contained no match constraints, a required field")
}
if constraints.NamespaceSelector == nil {
return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf(errNilSelector, "namespace")
}
if constraints.ObjectSelector == nil {
return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf(errNilSelector, "object")
}
criteria := matchCriteria{constraints: constraints}
return c.Matcher.Matches(a, o, &criteria)
}
@ -76,6 +85,12 @@ func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInter
if matchResources == nil {
return true, nil
}
if matchResources.NamespaceSelector == nil {
return false, fmt.Errorf(errNilSelector, "namespace")
}
if matchResources.ObjectSelector == nil {
return false, fmt.Errorf(errNilSelector, "object")
}
criteria := matchCriteria{constraints: matchResources}
isMatch, _, _, err := c.Matcher.Matches(a, o, &criteria)