Merge pull request #7003 from derekwaynecarr/enforce_unbounded

Reject unbounded cpu and memory pods if quota is restricting it

plugin/pkg/admission/resourcequota/admission.go

@@ -171,6 +171,9 @@ func IncrementUsage(a admission.Attributes, status *api.ResourceQuotaStatus, cli
 
 		hardMem, hardMemFound := status.Hard[api.ResourceMemory]
 		if hardMemFound {
+			if set[api.ResourceMemory] && resourcequota.IsPodMemoryUnbounded(pod) {
+				return false, fmt.Errorf("Limited to %s memory, but pod has no specified memory limit", hardMem.String())
+			}
 			used, usedFound := status.Used[api.ResourceMemory]
 			if !usedFound {
 				return false, fmt.Errorf("Quota usage stats are not yet known, unable to admit resource until an accurate count is completed.")
@@ -184,6 +187,9 @@ func IncrementUsage(a admission.Attributes, status *api.ResourceQuotaStatus, cli
 		}
 		hardCPU, hardCPUFound := status.Hard[api.ResourceCPU]
 		if hardCPUFound {
+			if set[api.ResourceCPU] && resourcequota.IsPodCPUUnbounded(pod) {
+				return false, fmt.Errorf("Limited to %s CPU, but pod has no specified cpu limit", hardCPU.String())
+			}
 			used, usedFound := status.Used[api.ResourceCPU]
 			if !usedFound {
 				return false, fmt.Errorf("Quota usage stats are not yet known, unable to admit resource until an accurate count is completed.")

plugin/pkg/admission/resourcequota/admission_test.go

@@ -195,6 +195,72 @@ func TestIncrementUsageCPU(t *testing.T) {
 	}
 }
 
+func TestUnboundedCPU(t *testing.T) {
+	namespace := "default"
+	client := testclient.NewSimpleFake(&api.PodList{
+		Items: []api.Pod{
+			{
+				ObjectMeta: api.ObjectMeta{Name: "123", Namespace: namespace},
+				Spec: api.PodSpec{
+					Volumes:    []api.Volume{{Name: "vol"}},
+					Containers: []api.Container{{Name: "ctr", Image: "image", Resources: getResourceRequirements("100m", "1Gi")}},
+				},
+			},
+		},
+	})
+	status := &api.ResourceQuotaStatus{
+		Hard: api.ResourceList{},
+		Used: api.ResourceList{},
+	}
+	r := api.ResourceCPU
+	status.Hard[r] = resource.MustParse("200m")
+	status.Used[r] = resource.MustParse("100m")
+
+	newPod := &api.Pod{
+		ObjectMeta: api.ObjectMeta{Name: "123", Namespace: namespace},
+		Spec: api.PodSpec{
+			Volumes:    []api.Volume{{Name: "vol"}},
+			Containers: []api.Container{{Name: "ctr", Image: "image", Resources: getResourceRequirements("0m", "1Gi")}},
+		}}
+	_, err := IncrementUsage(admission.NewAttributesRecord(newPod, "Pod", namespace, "pods", "CREATE"), status, client)
+	if err == nil {
+		t.Errorf("Expected CPU unbounded usage error")
+	}
+}
+
+func TestUnboundedMemory(t *testing.T) {
+	namespace := "default"
+	client := testclient.NewSimpleFake(&api.PodList{
+		Items: []api.Pod{
+			{
+				ObjectMeta: api.ObjectMeta{Name: "123", Namespace: namespace},
+				Spec: api.PodSpec{
+					Volumes:    []api.Volume{{Name: "vol"}},
+					Containers: []api.Container{{Name: "ctr", Image: "image", Resources: getResourceRequirements("100m", "1Gi")}},
+				},
+			},
+		},
+	})
+	status := &api.ResourceQuotaStatus{
+		Hard: api.ResourceList{},
+		Used: api.ResourceList{},
+	}
+	r := api.ResourceMemory
+	status.Hard[r] = resource.MustParse("10Gi")
+	status.Used[r] = resource.MustParse("1Gi")
+
+	newPod := &api.Pod{
+		ObjectMeta: api.ObjectMeta{Name: "123", Namespace: namespace},
+		Spec: api.PodSpec{
+			Volumes:    []api.Volume{{Name: "vol"}},
+			Containers: []api.Container{{Name: "ctr", Image: "image", Resources: getResourceRequirements("250m", "0")}},
+		}}
+	_, err := IncrementUsage(admission.NewAttributesRecord(newPod, "Pod", namespace, "pods", "CREATE"), status, client)
+	if err == nil {
+		t.Errorf("Expected memory unbounded usage error")
+	}
+}
+
 func TestExceedUsageCPU(t *testing.T) {
 	namespace := "default"
 	client := testclient.NewSimpleFake(&api.PodList{