Never let cluster-scoped resources skip webhooks

Kubernetes-commit: 0d717272ccbec12189946325594a8a5f29d6bd68
Chao Xu 2018-01-11 18:05:54 -08:00 committed by Kubernetes Publisher
parent d48bded43d
commit fcee784ffb
2 changed files with 5 additions and 5 deletions


@ -90,10 +90,10 @@ func (m *Matcher) MatchNamespaceSelector(h *v1beta1.Webhook, attr admission.Attr
namespaceName := attr.GetNamespace() namespaceName := attr.GetNamespace()
if len(namespaceName) == 0 && attr.GetResource().Resource != "namespaces" { if len(namespaceName) == 0 && attr.GetResource().Resource != "namespaces" {
// If the request is about a cluster scoped resource, and it is not a // If the request is about a cluster scoped resource, and it is not a
// namespace, it is exempted from all webhooks for now. // namespace, it is never exempted.
// TODO: figure out a way selective exempt cluster scoped resources. // TODO: figure out a way selective exempt cluster scoped resources.
// Also update the comment in types.go // Also update the comment in types.go
return false, nil return true, nil
} }
namespaceLabels, err := m.GetNamespaceLabels(attr) namespaceLabels, err := m.GetNamespaceLabels(attr)
// this means the namespace is not found, for backwards compatibility, // this means the namespace is not found, for backwards compatibility,
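Review bot: The TODO kept under the rewritten comment still says `Also update the comment in types.go`, and this commit changes only two files, which appear to be the matcher and its test, so the API documentation for NamespaceSelector may still tell webhook authors that cluster-scoped objects are exempt. That documentation should change with the behaviour: anyone who relies on a namespace selector to keep a webhook away from some requests will now receive every cluster-scoped request other than namespaces, and a webhook that is unreachable and configured to fail closed would presumably reject them. The in-code comment would also read more clearly as `// A cluster-scoped resource other than a namespace has no namespace to select on, so the selector never excludes it.` MatchNamespaceSelector starts and ends outside this hunk.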


@ -113,7 +113,7 @@ func TestGetNamespaceLabels(t *testing.T) {
} }
} }
func TestExemptClusterScopedResource(t *testing.T) { func TestNotExemptClusterScopedResource(t *testing.T) {
hook := &registrationv1beta1.Webhook{ hook := &registrationv1beta1.Webhook{
NamespaceSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{},
} }
@ -123,7 +123,7 @@ func TestExemptClusterScopedResource(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
if matches { if !matches {
t.Errorf("cluster scoped resources (but not a namespace) should be exempted from all webhooks") t.Errorf("cluster scoped resources (but not a namespace) should not be exempted from webhooks")
} }
} }
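Review bot: The renamed test still builds the hook with an empty `NamespaceSelector: &metav1.LabelSelector{}`, which selects everything, so it cannot tell "the selector is bypassed for cluster-scoped resources" from "the selector was evaluated and happened to match". Since the new contract is that a selector can never exclude a cluster-scoped request, add a case whose selector no namespace satisfies, for example `NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"example": "no-such-label"}},` (constructed value), and assert that `matches` is still true. The attribute setup between the two hunks is not visible here, so this assumes the request targets a non-namespace cluster-scoped resource with an empty namespace.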