Volume node affinity enforcement

pkg/volume/util/util.go

@@ -237,6 +237,13 @@ func GetClassForVolume(kubeClient clientset.Interface, pv *v1.PersistentVolume)
 // CheckNodeAffinity looks at the PV node affinity, and checks if the node has the same corresponding labels
 // This ensures that we don't mount a volume that doesn't belong to this node
 func CheckNodeAffinity(pv *v1.PersistentVolume, nodeLabels map[string]string) error {
+	if err := checkAlphaNodeAffinity(pv, nodeLabels); err != nil {
+		return err
+	}
+	return checkVolumeNodeAffinity(pv, nodeLabels)
+}
+
+func checkAlphaNodeAffinity(pv *v1.PersistentVolume, nodeLabels map[string]string) error {
 	affinity, err := v1helper.GetStorageNodeAffinityFromAnnotation(pv.Annotations)
 	if err != nil {
 		return fmt.Errorf("Error getting storage node affinity: %v", err)
@@ -261,6 +268,27 @@ func CheckNodeAffinity(pv *v1.PersistentVolume, nodeLabels map[string]string) er
 	return nil
 }
 
+func checkVolumeNodeAffinity(pv *v1.PersistentVolume, nodeLabels map[string]string) error {
+	if pv.Spec.NodeAffinity == nil {
+		return nil
+	}
+
+	if pv.Spec.NodeAffinity.Required != nil {
+		terms := pv.Spec.NodeAffinity.Required.NodeSelectorTerms
+		glog.V(10).Infof("Match for Required node selector terms %+v", terms)
+		for _, term := range terms {
+			selector, err := v1helper.NodeSelectorRequirementsAsSelector(term.MatchExpressions)
+			if err != nil {
+				return fmt.Errorf("Failed to parse MatchExpressions: %v", err)
+			}
+			if !selector.Matches(labels.Set(nodeLabels)) {
+				return fmt.Errorf("NodeSelectorTerm %+v does not match node labels", term.MatchExpressions)
+			}
+		}
+	}
+	return nil
+}
+
 // LoadPodFromFile will read, decode, and return a Pod from a file.
 func LoadPodFromFile(filePath string) (*v1.Pod, error) {
 	if filePath == "" {