github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refuse serviceaccount projection volume request when pod has no serviceaccount bounded

Browse Source
This commit is contained in:
WanLinghao
2018-07-27 10:52:36 +08:00
parent 6764a79586
commit 5a27ee9282
2 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/apis/core/validation/validation.go
View File

@@ -2913,6 +2913,20 @@ func ValidatePod(pod *core.Pod) field.ErrorList {
// this was done to preserve backwards compatibility
specPath := field.NewPath("spec")
if pod.Spec.ServiceAccountName == "" {
for vi, volume := range pod.Spec.Volumes {
path := specPath.Child("volumes").Index(vi).Child("projected")
if volume.Projected != nil {
for si, source := range volume.Projected.Sources {
saPath := path.Child("sources").Index(si).Child("serviceAccountToken")
if source.ServiceAccountToken != nil {
allErrs = append(allErrs, field.Forbidden(saPath, "must not be specified when serviceAccountName is not set"))
}
}
}
}
}
allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.Containers, specPath.Child("containers"))...)
allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.InitContainers, specPath.Child("initContainers"))...)