From eb6c7169276a1978b851deafb25b507caf696ac4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20R=C3=BCger?=
Date: Mon, 27 Jan 2020 22:29:32 +0100
Subject: [PATCH] PodTolerationRestriction: Mention Whitelist Scope in Error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently it's not clear if the issue came from the namespace whitelist of if the namespace whitelist was not applied at all (i.e. via a misspelled annotation). This makes the error more explicit if the pod tolerations caused a conflict with cluster-level or namespace-level whitelist.
Signed-off-by: Manuel RĂ¼ger
---
 plugin/pkg/admission/podtolerationrestriction/admission.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/plugin/pkg/admission/podtolerationrestriction/admission.go b/plugin/pkg/admission/podtolerationrestriction/admission.go
index 25bfdc37551..4fdf1328fb5 100644
--- a/plugin/pkg/admission/podtolerationrestriction/admission.go
+++ b/plugin/pkg/admission/podtolerationrestriction/admission.go
@@ -127,6 +127,7 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
 pod := a.GetObject().(*api.Pod)
 if len(pod.Spec.Tolerations) > 0 {
 whitelist, err := p.getNamespaceTolerationsWhitelist(a.GetNamespace())
+ whitelistScope := "namespace"
 if err != nil {
 return err
 }
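Review bot: The added `whitelistScope := "namespace"` sits between the call to `p.getNamespaceTolerationsWhitelist` and its `if err != nil` check, which splits the error check from the call that produced `err`. Moving the declaration to just after the closing brace of the `if err != nil { return err }` block keeps the call-then-check idiom and avoids assigning a scope on the path that returns early. A short comment such as `// whitelistScope names the whitelist that is enforced, for the rejection message` would also document why the variable exists. Validate's body starts and ends outside this hunk.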
@@ -135,12 +136,13 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
 // fall back to cluster's whitelist of tolerations.
 if whitelist == nil {
 whitelist = p.pluginConfig.Whitelist
+ whitelistScope = "cluster"
 }
 if len(whitelist) > 0 {
 // check if the merged pod tolerations satisfy its namespace whitelist
 if !tolerations.VerifyAgainstWhitelist(pod.Spec.Tolerations, whitelist) {
- return fmt.Errorf("pod tolerations (possibly merged with namespace default tolerations) conflict with its namespace whitelist")
+ return fmt.Errorf("pod tolerations (possibly merged with namespace default tolerations) conflict with its %s whitelist", whitelistScope)
 }
 }
 }
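Review bot: The comment above the `VerifyAgainstWhitelist` call still reads `satisfy its namespace whitelist`, which is stale now that `whitelist` may be the cluster one and the error says so; it should become `// check if the merged pod tolerations satisfy the namespace or cluster whitelist`. The scope is also only reported when a pod is rejected. In the case the commit message describes (a misspelled namespace annotation), a pod that the cluster whitelist happens to allow is still admitted with no indication that the namespace whitelist was never applied. A comment on the `whitelist == nil` fallback stating that it is silent on the admit path would make that limit clear to operators. Validate's body continues outside this hunk.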