Improve node restriction message
		| @@ -92,7 +92,7 @@ func (c *nodePlugin) Admit(a admission.Attributes) error { | ||||
|  | ||||
| 	if len(nodeName) == 0 { | ||||
| 		// disallow requests we cannot match to a particular node | ||||
| 		return admission.NewForbidden(a, fmt.Errorf("could not determine node from user %s", a.GetUserInfo().GetName())) | ||||
| 		return admission.NewForbidden(a, fmt.Errorf("could not determine node from user %q", a.GetUserInfo().GetName())) | ||||
| 	} | ||||
|  | ||||
| 	switch a.GetResource().GroupResource() { | ||||
| @@ -103,7 +103,7 @@ func (c *nodePlugin) Admit(a admission.Attributes) error { | ||||
| 		case "status": | ||||
| 			return c.admitPodStatus(nodeName, a) | ||||
| 		default: | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("unexpected pod subresource %s", a.GetSubresource())) | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("unexpected pod subresource %q", a.GetSubresource())) | ||||
| 		} | ||||
|  | ||||
| 	case nodeResource: | ||||
| @@ -125,31 +125,31 @@ func (c *nodePlugin) admitPod(nodeName string, a admission.Attributes) error { | ||||
|  | ||||
| 		// only allow nodes to create mirror pods | ||||
| 		if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; !isMirrorPod { | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("pod does not have %q annotation, node %s can only create mirror pods", api.MirrorPodAnnotationKey, nodeName)) | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("pod does not have %q annotation, node %q can only create mirror pods", api.MirrorPodAnnotationKey, nodeName)) | ||||
| 		} | ||||
|  | ||||
| 		// only allow nodes to create a pod bound to itself | ||||
| 		if pod.Spec.NodeName != nodeName { | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %s can only create pods with spec.nodeName set to itself", nodeName)) | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %q can only create pods with spec.nodeName set to itself", nodeName)) | ||||
| 		} | ||||
|  | ||||
| 		// don't allow a node to create a pod that references any other API objects | ||||
| 		if pod.Spec.ServiceAccountName != "" { | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %s can not create pods that reference a service account", nodeName)) | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference a service account", nodeName)) | ||||
| 		} | ||||
| 		hasSecrets := false | ||||
| 		podutil.VisitPodSecretNames(pod, func(name string) (shouldContinue bool) { hasSecrets = true; return false }) | ||||
| 		if hasSecrets { | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %s can not create pods that reference secrets", nodeName)) | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference secrets", nodeName)) | ||||
| 		} | ||||
| 		hasConfigMaps := false | ||||
| 		podutil.VisitPodConfigmapNames(pod, func(name string) (shouldContinue bool) { hasConfigMaps = true; return false }) | ||||
| 		if hasConfigMaps { | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %s can not create pods that reference configmaps", nodeName)) | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference configmaps", nodeName)) | ||||
| 		} | ||||
| 		for _, v := range pod.Spec.Volumes { | ||||
| 			if v.PersistentVolumeClaim != nil { | ||||
| 				return admission.NewForbidden(a, fmt.Errorf("node %s can not create pods that reference persistentvolumeclaims", nodeName)) | ||||
| 				return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference persistentvolumeclaims", nodeName)) | ||||
| 			} | ||||
| 		} | ||||
|  | ||||
| @@ -167,12 +167,12 @@ func (c *nodePlugin) admitPod(nodeName string, a admission.Attributes) error { | ||||
| 		} | ||||
| 		// only allow a node to delete a pod bound to itself | ||||
| 		if existingPod.Spec.NodeName != nodeName { | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %s can only delete pods with spec.nodeName set to itself", nodeName)) | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %q can only delete pods with spec.nodeName set to itself", nodeName)) | ||||
| 		} | ||||
| 		return nil | ||||
|  | ||||
| 	default: | ||||
| 		return admission.NewForbidden(a, fmt.Errorf("unexpected operation %s", a.GetOperation())) | ||||
| 		return admission.NewForbidden(a, fmt.Errorf("unexpected operation %q", a.GetOperation())) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| @@ -186,12 +186,12 @@ func (c *nodePlugin) admitPodStatus(nodeName string, a admission.Attributes) err | ||||
| 		} | ||||
| 		// only allow a node to update status of a pod bound to itself | ||||
| 		if pod.Spec.NodeName != nodeName { | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %s can only update pod status for pods with spec.nodeName set to itself", nodeName)) | ||||
| 			return admission.NewForbidden(a, fmt.Errorf("node %q can only update pod status for pods with spec.nodeName set to itself", nodeName)) | ||||
| 		} | ||||
| 		return nil | ||||
|  | ||||
| 	default: | ||||
| 		return admission.NewForbidden(a, fmt.Errorf("unexpected operation %s", a.GetOperation())) | ||||
| 		return admission.NewForbidden(a, fmt.Errorf("unexpected operation %q", a.GetOperation())) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| @@ -208,7 +208,7 @@ func (c *nodePlugin) admitNode(nodeName string, a admission.Attributes) error { | ||||
| 	} | ||||
|  | ||||
| 	if requestedName != nodeName { | ||||
| 		return admission.NewForbidden(a, fmt.Errorf("node %s cannot modify node %s", nodeName, requestedName)) | ||||
| 		return admission.NewForbidden(a, fmt.Errorf("node %q cannot modify node %q", nodeName, requestedName)) | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|   | ||||
| @@ -113,7 +113,7 @@ func (r *NodeAuthorizer) authorizeGet(nodeName string, startingType vertexType, | ||||
| 		return false, "no path found to object", nil | ||||
| 	} | ||||
| 	if !ok { | ||||
| 		glog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) | ||||
| 		glog.V(2).Infof("NODE DENY: %q %#v", nodeName, attrs) | ||||
| 		return false, "no path found to object", nil | ||||
| 	} | ||||
| 	return ok, "", nil | ||||
| @@ -126,12 +126,12 @@ func (r *NodeAuthorizer) hasPathFrom(nodeName string, startingType vertexType, s | ||||
|  | ||||
| 	nodeVertex, exists := r.graph.getVertex_rlocked(nodeVertexType, "", nodeName) | ||||
| 	if !exists { | ||||
| 		return false, fmt.Errorf("unknown node %s cannot get %s %s/%s", nodeName, vertexTypes[startingType], startingNamespace, startingName) | ||||
| 		return false, fmt.Errorf("unknown node %q cannot get %s %s/%s", nodeName, vertexTypes[startingType], startingNamespace, startingName) | ||||
| 	} | ||||
|  | ||||
| 	startingVertex, exists := r.graph.getVertex_rlocked(startingType, startingNamespace, startingName) | ||||
| 	if !exists { | ||||
| 		return false, fmt.Errorf("node %s cannot get unknown %s %s/%s", nodeName, vertexTypes[startingType], startingNamespace, startingName) | ||||
| 		return false, fmt.Errorf("node %q cannot get unknown %s %s/%s", nodeName, vertexTypes[startingType], startingNamespace, startingName) | ||||
| 	} | ||||
|  | ||||
| 	found := false | ||||
| @@ -158,7 +158,7 @@ func (r *NodeAuthorizer) hasPathFrom(nodeName string, startingType vertexType, s | ||||
| 		return found | ||||
| 	}) | ||||
| 	if !found { | ||||
| 		return false, fmt.Errorf("node %s cannot get %s %s/%s, no path was found", nodeName, vertexTypes[startingType], startingNamespace, startingName) | ||||
| 		return false, fmt.Errorf("node %q cannot get %s %s/%s, no path was found", nodeName, vertexTypes[startingType], startingNamespace, startingName) | ||||
| 	} | ||||
| 	return true, nil | ||||
| } | ||||
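Review bot: The quoting is applied only to nodeName in the three hasPathFrom messages, while startingNamespace and startingName in the same strings stay `%s`, so a cluster-scoped object still renders as `secret /name` and an empty or whitespace name is just as invisible as the unquoted node name was. Those two values come from the request being authorized, so the reason for switching nodeName to `%q` applies to them as well; I would change each of the three messages to the form `fmt.Errorf("unknown node %q cannot get %s %q/%q", nodeName, vertexTypes[startingType], startingNamespace, startingName)`, keeping `%s` for the internal vertexTypes label. The same applies to the "cannot get unknown" and "no path was found" messages. hasPathFrom begins and ends outside these hunks.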
|   | ||||