Bumping k8s dependencies to 1.13

vendor/k8s.io/kubernetes/plugin/pkg/admission/priority/BUILD

@@ -16,11 +16,11 @@ go_test(
         "//pkg/client/informers/informers_generated/internalversion:go_default_library",
         "//pkg/controller:go_default_library",
         "//pkg/features:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
     ],
 )
 
@@ -37,10 +37,11 @@ go_library(
         "//pkg/features:go_default_library",
         "//pkg/kubeapiserver/admission:go_default_library",
         "//pkg/kubelet/types:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
     ],
 )
 

vendor/k8s.io/kubernetes/plugin/pkg/admission/priority/admission.go

@@ -21,6 +21,7 @@ import (
 	"io"
 
 	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apiserver/pkg/admission"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -96,6 +97,10 @@ var (
 // Admit checks Pods and admits or rejects them. It also resolves the priority of pods based on their PriorityClass.
 // Note that pod validation mechanism prevents update of a pod priority.
 func (p *priorityPlugin) Admit(a admission.Attributes) error {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {
+		return nil
+	}
+
 	operation := a.GetOperation()
 	// Ignore all calls to subresources
 	if len(a.GetSubresource()) != 0 {
@@ -104,7 +109,7 @@ func (p *priorityPlugin) Admit(a admission.Attributes) error {
 
 	switch a.GetResource().GroupResource() {
 	case podResource:
-		if operation == admission.Create {
+		if operation == admission.Create || operation == admission.Update {
 			return p.admitPod(a)
 		}
 		return nil
@@ -134,6 +139,20 @@ func (p *priorityPlugin) Validate(a admission.Attributes) error {
 	}
 }
 
+// priorityClassPermittedInNamespace returns true if we allow the given priority class name in the
+// given namespace. It currently checks that system priorities are created only in the system namespace.
+func priorityClassPermittedInNamespace(priorityClassName string, namespace string) bool {
+	// Only allow system priorities in the system namespace. This is to prevent abuse or incorrect
+	// usage of these priorities. Pods created at these priorities could preempt system critical
+	// components.
+	for _, spc := range scheduling.SystemPriorityClasses() {
+		if spc.Name == priorityClassName && namespace != metav1.NamespaceSystem {
+			return false
+		}
+	}
+	return true
+}
+
 // admitPod makes sure a new pod does not set spec.Priority field. It also makes sure that the PriorityClassName exists if it is provided and resolves the pod priority from the PriorityClassName.
 func (p *priorityPlugin) admitPod(a admission.Attributes) error {
 	operation := a.GetOperation()
@@ -142,11 +161,22 @@ func (p *priorityPlugin) admitPod(a admission.Attributes) error {
 		return errors.NewBadRequest("resource was marked with kind Pod but was unable to be converted")
 	}
 
-	// Make sure that the client has not set `priority` at the time of pod creation.
-	if operation == admission.Create && pod.Spec.Priority != nil {
-		return admission.NewForbidden(a, fmt.Errorf("the integer value of priority must not be provided in pod spec. Priority admission controller populates the value from the given PriorityClass name"))
+	if operation == admission.Update {
+		oldPod, ok := a.GetOldObject().(*api.Pod)
+		if !ok {
+			return errors.NewBadRequest("resource was marked with kind Pod but was unable to be converted")
+		}
+
+		// This admission plugin set pod.Spec.Priority on create.
+		// Ensure the existing priority is preserved on update.
+		// API validation prevents mutations to Priority and PriorityClassName, so any other changes will fail update validation and not be persisted.
+		if pod.Spec.Priority == nil && oldPod.Spec.Priority != nil {
+			pod.Spec.Priority = oldPod.Spec.Priority
+		}
+		return nil
 	}
-	if utilfeature.DefaultFeatureGate.Enabled(features.PodPriority) {
+
+	if operation == admission.Create {
 		var priority int32
 		// TODO: @ravig - This is for backwards compatibility to ensure that critical pods with annotations just work fine.
 		// Remove when no longer needed.
@@ -162,6 +192,11 @@ func (p *priorityPlugin) admitPod(a admission.Attributes) error {
 				return fmt.Errorf("failed to get default priority class: %v", err)
 			}
 		} else {
+			pcName := pod.Spec.PriorityClassName
+			if !priorityClassPermittedInNamespace(pcName, a.GetNamespace()) {
+				return admission.NewForbidden(a, fmt.Errorf("pods with %v priorityClass is not permitted in %v namespace", pcName, a.GetNamespace()))
+			}
+
 			// Try resolving the priority class name.
 			pc, err := p.lister.Get(pod.Spec.PriorityClassName)
 			if err != nil {
@@ -174,6 +209,10 @@ func (p *priorityPlugin) admitPod(a admission.Attributes) error {
 
 			priority = pc.Value
 		}
+		// if the pod contained a priority that differs from the one computed from the priority class, error
+		if pod.Spec.Priority != nil && *pod.Spec.Priority != priority {
+			return admission.NewForbidden(a, fmt.Errorf("the integer value of priority (%d) must not be provided in pod spec; priority admission controller computed %d from the given PriorityClass name", *pod.Spec.Priority, priority))
+		}
 		pod.Spec.Priority = &priority
 	}
 	return nil

vendor/k8s.io/kubernetes/plugin/pkg/admission/priority/admission_test.go

@@ -146,6 +146,7 @@ func TestPriorityClassAdmission(t *testing.T) {
 			scheduling.Resource("priorityclasses").WithVersion("version"),
 			"",
 			admission.Create,
+			false,
 			test.userInfo,
 		)
 		err := ctrl.Validate(attrs)
@@ -186,7 +187,7 @@ func TestDefaultPriority(t *testing.T) {
 			name:                  "add a default class",
 			classesBefore:         []*scheduling.PriorityClass{nondefaultClass1},
 			classesAfter:          []*scheduling.PriorityClass{nondefaultClass1, defaultClass1},
-			attributes:            admission.NewAttributesRecord(defaultClass1, nil, pcKind, "", defaultClass1.Name, pcResource, "", admission.Create, nil),
+			attributes:            admission.NewAttributesRecord(defaultClass1, nil, pcKind, "", defaultClass1.Name, pcResource, "", admission.Create, false, nil),
 			expectedDefaultBefore: scheduling.DefaultPriorityWhenNoDefaultClassExists,
 			expectedDefaultAfter:  defaultClass1.Value,
 		},
@@ -194,7 +195,7 @@ func TestDefaultPriority(t *testing.T) {
 			name:                  "multiple default classes resolves to the minimum value among them",
 			classesBefore:         []*scheduling.PriorityClass{defaultClass1, defaultClass2},
 			classesAfter:          []*scheduling.PriorityClass{defaultClass2},
-			attributes:            admission.NewAttributesRecord(nil, nil, pcKind, "", defaultClass1.Name, pcResource, "", admission.Delete, nil),
+			attributes:            admission.NewAttributesRecord(nil, nil, pcKind, "", defaultClass1.Name, pcResource, "", admission.Delete, false, nil),
 			expectedDefaultBefore: defaultClass1.Value,
 			expectedDefaultAfter:  defaultClass2.Value,
 		},
@@ -202,7 +203,7 @@ func TestDefaultPriority(t *testing.T) {
 			name:                  "delete default priority class",
 			classesBefore:         []*scheduling.PriorityClass{defaultClass1},
 			classesAfter:          []*scheduling.PriorityClass{},
-			attributes:            admission.NewAttributesRecord(nil, nil, pcKind, "", defaultClass1.Name, pcResource, "", admission.Delete, nil),
+			attributes:            admission.NewAttributesRecord(nil, nil, pcKind, "", defaultClass1.Name, pcResource, "", admission.Delete, false, nil),
 			expectedDefaultBefore: defaultClass1.Value,
 			expectedDefaultAfter:  scheduling.DefaultPriorityWhenNoDefaultClassExists,
 		},
@@ -210,7 +211,7 @@ func TestDefaultPriority(t *testing.T) {
 			name:                  "update default class and remove its global default",
 			classesBefore:         []*scheduling.PriorityClass{defaultClass1},
 			classesAfter:          []*scheduling.PriorityClass{&updatedDefaultClass1},
-			attributes:            admission.NewAttributesRecord(&updatedDefaultClass1, defaultClass1, pcKind, "", defaultClass1.Name, pcResource, "", admission.Update, nil),
+			attributes:            admission.NewAttributesRecord(&updatedDefaultClass1, defaultClass1, pcKind, "", defaultClass1.Name, pcResource, "", admission.Update, false, nil),
 			expectedDefaultBefore: defaultClass1.Value,
 			expectedDefaultAfter:  scheduling.DefaultPriorityWhenNoDefaultClassExists,
 		},
@@ -244,6 +245,7 @@ func TestDefaultPriority(t *testing.T) {
 	}
 }
 
+var zeroPriority = int32(0)
 var intPriority = int32(1000)
 
 func TestPodAdmission(t *testing.T) {
@@ -314,7 +316,7 @@ func TestPodAdmission(t *testing.T) {
 		{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "pod-w-system-priority",
-				Namespace: "namespace",
+				Namespace: metav1.NamespaceSystem,
 			},
 			Spec: api.PodSpec{
 				Containers: []api.Container{
@@ -329,7 +331,7 @@ func TestPodAdmission(t *testing.T) {
 		{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:        "mirror-pod-w-system-priority",
-				Namespace:   "namespace",
+				Namespace:   metav1.NamespaceSystem,
 				Annotations: map[string]string{api.MirrorPodAnnotationKey: ""},
 			},
 			Spec: api.PodSpec{
@@ -374,6 +376,67 @@ func TestPodAdmission(t *testing.T) {
 				},
 			},
 		},
+		// pod[8]: Pod with a system priority class name in non-system namespace
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "pod-w-system-priority-in-nonsystem-namespace",
+				Namespace: "non-system-namespace",
+			},
+			Spec: api.PodSpec{
+				Containers: []api.Container{
+					{
+						Name: containerName,
+					},
+				},
+				PriorityClassName: scheduling.SystemClusterCritical,
+			},
+		},
+		// pod[9]: Pod with a priority value that matches the resolved priority
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "pod-w-zero-priority-in-nonsystem-namespace",
+				Namespace: "non-system-namespace",
+			},
+			Spec: api.PodSpec{
+				Containers: []api.Container{
+					{
+						Name: containerName,
+					},
+				},
+				Priority: &zeroPriority,
+			},
+		},
+		// pod[10]: Pod with a priority value that matches the resolved default priority
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "pod-w-priority-matching-default-priority",
+				Namespace: "non-system-namespace",
+			},
+			Spec: api.PodSpec{
+				Containers: []api.Container{
+					{
+						Name: containerName,
+					},
+				},
+				Priority: &defaultClass2.Value,
+			},
+		},
+		// pod[11]: Pod with a priority value that matches the resolved priority
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "pod-w-priority-matching-resolved-default-priority",
+				Namespace: metav1.NamespaceSystem,
+			},
+			Spec: api.PodSpec{
+				Containers: []api.Container{
+					{
+						Name: containerName,
+					},
+				},
+				PriorityClassName: systemClusterCritical.Name,
+				Priority:          &systemClusterCritical.Value,
+			},
+		},
 	}
 	// Enable PodPriority feature gate.
 	utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=true", features.PodPriority))
@@ -459,6 +522,34 @@ func TestPodAdmission(t *testing.T) {
 			scheduling.SystemCriticalPriority,
 			false,
 		},
+		{
+			"pod with system critical priority in non-system namespace",
+			[]*scheduling.PriorityClass{systemClusterCritical},
+			*pods[8],
+			scheduling.SystemCriticalPriority,
+			true,
+		},
+		{
+			"pod with priority that matches computed priority",
+			[]*scheduling.PriorityClass{nondefaultClass1},
+			*pods[9],
+			0,
+			false,
+		},
+		{
+			"pod with priority that matches default priority",
+			[]*scheduling.PriorityClass{defaultClass2},
+			*pods[10],
+			defaultClass2.Value,
+			false,
+		},
+		{
+			"pod with priority that matches resolved priority",
+			[]*scheduling.PriorityClass{systemClusterCritical},
+			*pods[11],
+			systemClusterCritical.Value,
+			false,
+		},
 	}
 
 	for _, test := range tests {
@@ -478,6 +569,7 @@ func TestPodAdmission(t *testing.T) {
 			api.Resource("pods").WithVersion("version"),
 			"",
 			admission.Create,
+			false,
 			nil,
 		)
 		err := ctrl.Admit(attrs)
@@ -485,8 +577,7 @@ func TestPodAdmission(t *testing.T) {
 		if !test.expectError {
 			if err != nil {
 				t.Errorf("Test %q: unexpected error received: %v", test.name, err)
-			}
-			if *test.pod.Spec.Priority != test.expectedPriority {
+			} else if *test.pod.Spec.Priority != test.expectedPriority {
 				t.Errorf("Test %q: expected priority is %d, but got %d.", test.name, test.expectedPriority, *test.pod.Spec.Priority)
 			}
 		}