func (l *ListPodsOptions) Run() error {
nodes, err := l.Options.GetNodes()
if err != nil {
return err
}
var printer kubectl.ResourcePrinter
if l.Options.CmdPrinterOutput {
printer = l.Options.CmdPrinter
} else {
printer, err = l.Options.GetPrintersByResource(unversioned.GroupVersionResource{Resource: "pod"})
if err != nil {
return err
}
}
// determine if printer kind is json or yaml and modify output
// to combine all pod lists into a single list
if l.Options.CmdPrinterOutput {
errs := l.handleRESTOutput(nodes, printer)
return kerrors.NewAggregate(errs)
}
errList := []error{}
for _, node := range nodes {
err := l.runListPods(node, printer)
if err != nil {
// Don't bail out if one node fails
errList = append(errList, err)
}
}
return kerrors.NewAggregate(errList)
}
func (g *configRESTOptionsGetter) loadWatchCacheSettings() error {
if g.masterOptions.KubernetesMasterConfig == nil {
return nil
}
server := apiserveroptions.NewAPIServer()
if errs := cmdflags.Resolve(g.masterOptions.KubernetesMasterConfig.APIServerArguments, server.AddFlags); len(errs) > 0 {
return kerrors.NewAggregate(errs)
}
g.cacheEnabled = server.EnableWatchCache
errs := []error{}
for _, c := range server.WatchCacheSizes {
tokens := strings.Split(c, "#")
if len(tokens) != 2 {
errs = append(errs, fmt.Errorf("invalid watch cache size value '%s', expecting <resource>#<size> format (e.g. builds#100)", c))
continue
}
resource := unversioned.ParseGroupResource(tokens[0])
size, err := strconv.Atoi(tokens[1])
if err != nil {
errs = append(errs, fmt.Errorf("invalid watch cache size value '%s': %v", c, err))
continue
}
g.cacheSizes[resource] = size
}
return kerrors.NewAggregate(errs)
}
func (o *ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings(cmd *cobra.Command, f *clientcmd.Factory) error {
changedClusterRoleBindings, fetchErr := o.ChangedClusterRoleBindings()
if fetchErr != nil && !IsClusterRoleBindingLookupError(fetchErr) {
// we got an error that isn't due to a partial match, so we can't continue
return fetchErr
}
if len(changedClusterRoleBindings) == 0 {
return fetchErr
}
if (len(o.Output) != 0) && !o.Confirmed {
list := &kapi.List{}
for _, item := range changedClusterRoleBindings {
list.Items = append(list.Items, item)
}
mapper, _ := f.Object(false)
fn := cmdutil.VersionedPrintObject(f.PrintObject, cmd, mapper, o.Out)
if err := fn(list); err != nil {
return kutilerrors.NewAggregate([]error{fetchErr, err})
}
}
if o.Confirmed {
if err := o.ReplaceChangedRoleBindings(changedClusterRoleBindings); err != nil {
return kutilerrors.NewAggregate([]error{fetchErr, err})
}
}
return fetchErr
}
// Resolve resolves the provided input and returns only exact matches
func (r PerfectMatchWeightedResolver) Resolve(value string) (*ComponentMatch, error) {
var errs []error
candidates := ScoredComponentMatches{}
var group MultiSimpleSearcher
var groupWeight float32 = 0.0
for i, resolver := range r {
// lump all resolvers with the same weight into a single group
if len(group) == 0 || resolver.Weight == groupWeight {
group = append(group, resolver.Searcher)
groupWeight = resolver.Weight
if i != len(r)-1 && r[i+1].Weight == groupWeight {
continue
}
}
matches, err := group.Search(true, value)
if err != nil {
glog.V(5).Infof("Error from resolver: %v\n", err)
errs = append(errs, err...)
}
sort.Sort(ScoredComponentMatches(matches))
if len(matches) > 0 && matches[0].Score == 0.0 && (len(matches) == 1 || matches[1].Score != 0.0) {
return matches[0], errors.NewAggregate(errs)
}
for _, m := range matches {
if groupWeight != 0.0 {
m.Score = groupWeight * m.Score
}
candidates = append(candidates, m)
}
group = nil
}
switch len(candidates) {
case 0:
return nil, ErrNoMatch{Value: value, Errs: errs}
case 1:
if candidates[0].Score != 0.0 {
if candidates[0].NoTagsFound {
return nil, ErrNoTagsFound{Value: value, Match: candidates[0], Errs: errs}
}
return nil, ErrPartialMatch{Value: value, Match: candidates[0], Errs: errs}
}
return candidates[0], errors.NewAggregate(errs)
default:
sort.Sort(candidates)
if candidates[0].Score < candidates[1].Score {
if candidates[0].Score != 0.0 {
return nil, ErrPartialMatch{Value: value, Match: candidates[0], Errs: errs}
}
return candidates[0], errors.NewAggregate(errs)
}
return nil, ErrMultipleMatches{Value: value, Matches: candidates, Errs: errs}
}
}
func (g *configRESTOptionsGetter) loadSettings() error {
server := apiserveroptions.NewAPIServer()
if g.masterOptions.KubernetesMasterConfig != nil {
if errs := cmdflags.Resolve(g.masterOptions.KubernetesMasterConfig.APIServerArguments, server.AddFlags); len(errs) > 0 {
return kerrors.NewAggregate(errs)
}
}
storageGroupsToEncodingVersion, err := server.StorageGroupsToEncodingVersion()
if err != nil {
return err
}
storageConfig := server.StorageConfig
storageConfig.Prefix = g.masterOptions.EtcdStorageConfig.OpenShiftStoragePrefix
storageConfig.ServerList = g.masterOptions.EtcdClientInfo.URLs
storageConfig.KeyFile = g.masterOptions.EtcdClientInfo.ClientCert.KeyFile
storageConfig.CertFile = g.masterOptions.EtcdClientInfo.ClientCert.CertFile
storageConfig.CAFile = g.masterOptions.EtcdClientInfo.CA
storageFactory, err := genericapiserver.BuildDefaultStorageFactory(
storageConfig, server.DefaultStorageMediaType, kapi.Codecs,
genericapiserver.NewDefaultResourceEncodingConfig(), storageGroupsToEncodingVersion,
nil,
g.defaultResourceConfig, server.RuntimeConfig)
if err != nil {
return err
}
storageFactory.DefaultResourcePrefixes = g.defaultResourcePrefixes
g.storageFactory = storageFactory
g.cacheEnabled = server.EnableWatchCache
errs := []error{}
for _, c := range server.WatchCacheSizes {
tokens := strings.Split(c, "#")
if len(tokens) != 2 {
errs = append(errs, fmt.Errorf("invalid watch cache size value '%s', expecting <resource>#<size> format (e.g. builds#100)", c))
continue
}
resource := unversioned.ParseGroupResource(tokens[0])
size, err := strconv.Atoi(tokens[1])
if err != nil {
errs = append(errs, fmt.Errorf("invalid watch cache size value '%s': %v", c, err))
continue
}
g.cacheSizes[resource] = size
}
return kerrors.NewAggregate(errs)
}
// Run identifies images eligible for pruning, invoking imagePruner for each image, and then it identifies
// image configs and layers eligible for pruning, invoking layerLinkPruner for each registry URL that has
// layers or configs that can be pruned.
func (p *pruner) Prune(
imagePruner ImageDeleter,
streamPruner ImageStreamDeleter,
layerLinkPruner LayerLinkDeleter,
blobPruner BlobDeleter,
manifestPruner ManifestDeleter,
) error {
allNodes := p.g.Nodes()
imageNodes := getImageNodes(allNodes)
if len(imageNodes) == 0 {
return nil
}
registryURL, err := p.determineRegistry(imageNodes)
if err != nil {
return fmt.Errorf("unable to determine registry: %v", err)
}
glog.V(1).Infof("Using registry: %s", registryURL)
if err := p.registryPinger.ping(registryURL); err != nil {
return fmt.Errorf("error communicating with registry: %v", err)
}
prunableImageNodes, prunableImageIDs := calculatePrunableImages(p.g, imageNodes)
errs := []error{}
errs = append(errs, pruneStreams(p.g, prunableImageNodes, streamPruner)...)
// if namespace is specified prune only ImageStreams and nothing more
if len(p.algorithm.namespace) > 0 {
return kerrors.NewAggregate(errs)
}
graphWithoutPrunableImages := subgraphWithoutPrunableImages(p.g, prunableImageIDs)
prunableComponents := calculatePrunableImageComponents(graphWithoutPrunableImages)
errs = append(errs, pruneImageComponents(p.g, p.registryClient, registryURL, prunableComponents, layerLinkPruner)...)
errs = append(errs, pruneBlobs(p.g, p.registryClient, registryURL, prunableComponents, blobPruner)...)
errs = append(errs, pruneManifests(p.g, p.registryClient, registryURL, prunableImageNodes, manifestPruner)...)
if len(errs) > 0 {
// If we had any errors removing image references from image streams or deleting
// layers, blobs, or manifest data from the registry, stop here and don't
// delete any images. This way, you can rerun prune and retry things that failed.
return kerrors.NewAggregate(errs)
}
errs = append(errs, pruneImages(p.g, prunableImageNodes, imagePruner)...)
return kerrors.NewAggregate(errs)
}
// ServerPreferredNamespacedGroupVersionResources uses the specified client to discover the set of preferred groupVersionResources that are namespaced
func ServerPreferredNamespacedGroupVersionResources(discoveryClient discovery.DiscoveryInterface) ([]unversioned.GroupVersionResource, error) {
results := []unversioned.GroupVersionResource{}
serverGroupList, err := discoveryClient.ServerGroups()
if err != nil {
return results, err
}
allErrs := []error{}
for _, apiGroup := range serverGroupList.Groups {
preferredVersion := apiGroup.PreferredVersion
apiResourceList, err := discoveryClient.ServerResourcesForGroupVersion(preferredVersion.GroupVersion)
if err != nil {
allErrs = append(allErrs, err)
continue
}
groupVersion := unversioned.GroupVersion{Group: apiGroup.Name, Version: preferredVersion.Version}
for _, apiResource := range apiResourceList.APIResources {
if !apiResource.Namespaced {
continue
}
if strings.Contains(apiResource.Name, "/") {
continue
}
results = append(results, groupVersion.WithResource(apiResource.Name))
}
}
return results, utilerrors.NewAggregate(allErrs)
}
// resolve the references to ensure they are all valid, and identify any images that don't match user input.
func (c *AppConfig) resolve(components app.ComponentReferences) error {
errs := []error{}
for _, ref := range components {
if err := ref.Resolve(); err != nil {
errs = append(errs, err)
continue
}
switch input := ref.Input(); {
case !input.ExpectToBuild && input.ResolvedMatch.Builder:
if c.Strategy != "docker" {
glog.Infof("Image %q is a builder, so a repository will be expected unless you also specify --strategy=docker", input)
input.ExpectToBuild = true
}
case input.ExpectToBuild && input.ResolvedMatch.IsTemplate():
// TODO: harder - break the template pieces and check if source code can be attached (look for a build config, build image, etc)
errs = append(errs, fmt.Errorf("template with source code explicitly attached is not supported - you must either specify the template and source code separately or attach an image to the source code using the '[image]~[code]' form"))
continue
case input.ExpectToBuild && !input.ResolvedMatch.Builder && !input.Uses.IsDockerBuild():
if len(c.Strategy) == 0 {
errs = append(errs, fmt.Errorf("none of the images that match %q can build source code - check whether this is the image you want to use, then use --strategy=source to build using source or --strategy=docker to treat this as a Docker base image and set up a layered Docker build", ref))
continue
}
}
}
return errors.NewAggregate(errs)
}
// tagImages tags images from the deployment
func (e *HookExecutor) tagImages(hook *deployapi.LifecycleHook, deployment *kapi.ReplicationController, suffix, label string) error {
var errs []error
for _, action := range hook.TagImages {
value, ok := findContainerImage(deployment, action.ContainerName)
if !ok {
errs = append(errs, fmt.Errorf("unable to find image for container %q, container could not be found", action.ContainerName))
continue
}
namespace := action.To.Namespace
if len(namespace) == 0 {
namespace = deployment.Namespace
}
if _, err := e.tags.ImageStreamTags(namespace).Update(&imageapi.ImageStreamTag{
ObjectMeta: kapi.ObjectMeta{
Name: action.To.Name,
Namespace: namespace,
},
Tag: &imageapi.TagReference{
From: &kapi.ObjectReference{
Kind: "DockerImage",
Name: value,
},
},
}); err != nil {
errs = append(errs, err)
continue
}
fmt.Fprintf(e.out, "--> %s: Tagged %q into %s/%s\n", label, value, action.To.Namespace, action.To.Name)
}
return utilerrors.NewAggregate(errs)
}
// addDockerfile adds a Dockerfile passed in the command line to the reference
// builder.
func (c *AppConfig) addDockerfile() error {
if len(c.Strategy) != 0 && c.Strategy != "docker" {
return fmt.Errorf("when directly referencing a Dockerfile, the strategy must must be 'docker'")
}
_, repos, errs := c.refBuilder.Result()
if err := errors.NewAggregate(errs); err != nil {
return err
}
switch len(repos) {
case 0:
// Create a new SourceRepository with the Dockerfile.
repo, err := app.NewSourceRepositoryForDockerfile(c.Dockerfile)
if err != nil {
return fmt.Errorf("provided Dockerfile is not valid: %v", err)
}
c.refBuilder.AddExistingSourceRepository(repo)
case 1:
// Add the Dockerfile to the existing SourceRepository, so that
// eventually we generate a single BuildConfig with multiple
// sources.
if err := repos[0].AddDockerfile(c.Dockerfile); err != nil {
return fmt.Errorf("provided Dockerfile is not valid: %v", err)
}
default:
// Invalid.
return fmt.Errorf("--dockerfile cannot be used with multiple source repositories")
}
return nil
}
func (b *Builder) visitorResult() *Result {
if len(b.errs) > 0 {
return &Result{err: utilerrors.NewAggregate(b.errs)}
}
if b.selectAll {
b.selector = labels.Everything()
}
// visit items specified by paths
if len(b.paths) != 0 {
return b.visitByPaths()
}
// visit selectors
if b.selector != nil {
return b.visitBySelector()
}
// visit items specified by resource and name
if len(b.resourceTuples) != 0 {
return b.visitByResource()
}
// visit items specified by name
if len(b.names) != 0 {
return b.visitByName()
}
if len(b.resources) != 0 {
return &Result{err: fmt.Errorf("resource(s) were provided, but no name, label selector, or --all flag specified")}
}
return &Result{err: missingResourceError}
}
func (oc *OvsController) validateServiceNetwork(networkCIDR string, hostIPNets []*net.IPNet) error {
serviceIP, serviceIPNet, err := net.ParseCIDR(networkCIDR)
if err != nil {
return fmt.Errorf("Failed to parse network address: %s", networkCIDR)
}
errList := []error{}
for _, ipNet := range hostIPNets {
if ipNet.Contains(serviceIP) {
errList = append(errList, fmt.Errorf("Error: Service IP: %s conflicts with host network: %s", ipNet.String(), networkCIDR))
}
if serviceIPNet.Contains(ipNet.IP) {
errList = append(errList, fmt.Errorf("Error: Host network with IP: %s conflicts with service network: %s", ipNet.IP.String(), networkCIDR))
}
}
services, _, err := oc.Registry.GetServices()
if err != nil {
return err
}
for _, svc := range services {
if !serviceIPNet.Contains(net.ParseIP(svc.IP)) {
errList = append(errList, fmt.Errorf("Error: Existing service with IP: %s is not part of service network: %s", svc.IP, networkCIDR))
}
}
return kerrors.NewAggregate(errList)
}
// ToAggregate converts the ErrorList into an errors.Aggregate.
func (list ErrorList) ToAggregate() utilerrors.Aggregate {
errs := make([]error, len(list))
for i := range list {
errs[i] = list[i]
}
return utilerrors.NewAggregate(errs)
}
func statusCausesToAggrError(scs []api.StatusCause) utilerrors.Aggregate {
errs := make([]error, len(scs))
for i, sc := range scs {
errs[i] = fmt.Errorf("%s: %s", sc.Field, sc.Message)
}
return utilerrors.NewAggregate(errs)
}
// collectData collects requested downwardAPI in data map.
// Map's key is the requested name of file to dump
// Map's value is the (sorted) content of the field to be dumped in the file.
func (d *downwardAPIVolume) collectData() (map[string][]byte, error) {
errlist := []error{}
data := make(map[string][]byte)
for _, fileInfo := range d.items {
if fileInfo.FieldRef != nil {
if values, err := fieldpath.ExtractFieldPathAsString(d.pod, fileInfo.FieldRef.FieldPath); err != nil {
glog.Errorf("Unable to extract field %s: %s", fileInfo.FieldRef.FieldPath, err.Error())
errlist = append(errlist, err)
} else {
data[path.Clean(fileInfo.Path)] = []byte(sortLines(values))
}
} else if fileInfo.ResourceFieldRef != nil {
containerName := fileInfo.ResourceFieldRef.ContainerName
nodeAllocatable, err := d.plugin.host.GetNodeAllocatable()
if err != nil {
errlist = append(errlist, err)
} else if values, err := fieldpath.ExtractResourceValueByContainerNameAndNodeAllocatable(fileInfo.ResourceFieldRef, d.pod, containerName, nodeAllocatable); err != nil {
glog.Errorf("Unable to extract field %s: %s", fileInfo.ResourceFieldRef.Resource, err.Error())
errlist = append(errlist, err)
} else {
data[path.Clean(fileInfo.Path)] = []byte(sortLines(values))
}
}
}
return data, utilerrors.NewAggregate(errlist)
}
// reorganizeTaints returns the updated set of taints, taking into account old taints that were not updated,
// old taints that were updated, old taints that were deleted, and new taints.
func reorganizeTaints(accessor meta.Object, overwrite bool, taintsToAdd []api.Taint, taintsToRemove []api.Taint) ([]api.Taint, error) {
newTaints := append([]api.Taint{}, taintsToAdd...)
var oldTaints []api.Taint
var err error
annotations := accessor.GetAnnotations()
if annotations != nil {
if oldTaints, err = api.GetTaintsFromNodeAnnotations(annotations); err != nil {
return nil, err
}
}
// add taints that already existing but not updated to newTaints
for _, oldTaint := range oldTaints {
existsInNew := false
for _, taint := range newTaints {
if taint.MatchTaint(oldTaint) {
existsInNew = true
break
}
}
if !existsInNew {
newTaints = append(newTaints, oldTaint)
}
}
allErrs := []error{}
for _, taintToRemove := range taintsToRemove {
newTaints, err = deleteTaint(newTaints, taintToRemove)
if err != nil {
allErrs = append(allErrs, err)
}
}
return newTaints, utilerrors.NewAggregate(allErrs)
}
func (node *OsdnNode) updatePodNetwork(namespace string, netID uint32) error {
// Update OF rules for the existing/old pods in the namespace
pods, err := node.GetLocalPods(namespace)
if err != nil {
return err
}
for _, pod := range pods {
err = node.UpdatePod(pod.Namespace, pod.Name, kubetypes.DockerID(getPodContainerID(&pod)))
if err != nil {
return err
}
}
// Update OF rules for the old services in the namespace
services, err := node.registry.GetServicesForNamespace(namespace)
if err != nil {
return err
}
errList := []error{}
for _, svc := range services {
if err = node.DeleteServiceRules(&svc); err != nil {
log.Error(err)
}
if err = node.AddServiceRules(&svc, netID); err != nil {
errList = append(errList, err)
}
}
return kerrors.NewAggregate(errList)
}
// setupKernelTunables validates kernel tunable flags are set as expected
// depending upon the specified option, it will either warn, error, or modify the kernel tunable flags
func setupKernelTunables(option KernelTunableBehavior) error {
desiredState := map[string]int{
utilsysctl.VmOvercommitMemory: utilsysctl.VmOvercommitMemoryAlways,
utilsysctl.VmPanicOnOOM: utilsysctl.VmPanicOnOOMInvokeOOMKiller,
utilsysctl.KernelPanic: utilsysctl.KernelPanicRebootTimeout,
utilsysctl.KernelPanicOnOops: utilsysctl.KernelPanicOnOopsAlways,
}
errList := []error{}
for flag, expectedValue := range desiredState {
val, err := utilsysctl.GetSysctl(flag)
if err != nil {
errList = append(errList, err)
continue
}
if val == expectedValue {
continue
}
switch option {
case KernelTunableError:
errList = append(errList, fmt.Errorf("Invalid kernel flag: %v, expected value: %v, actual value: %v", flag, expectedValue, val))
case KernelTunableWarn:
glog.V(2).Infof("Invalid kernel flag: %v, expected value: %v, actual value: %v", flag, expectedValue, val)
case KernelTunableModify:
glog.V(2).Infof("Updating kernel flag: %v, expected value: %v, actual value: %v", flag, expectedValue, val)
err = utilsysctl.SetSysctl(flag, expectedValue)
if err != nil {
errList = append(errList, err)
}
}
}
return utilerrors.NewAggregate(errList)
}
func (oc *OvsController) validateClusterNetwork(networkCIDR string, subnetsInUse []string, hostIPNets []*net.IPNet) error {
clusterIP, clusterIPNet, err := net.ParseCIDR(networkCIDR)
if err != nil {
return fmt.Errorf("Failed to parse network address: %s", networkCIDR)
}
errList := []error{}
for _, ipNet := range hostIPNets {
if ipNet.Contains(clusterIP) {
errList = append(errList, fmt.Errorf("Error: Cluster IP: %s conflicts with host network: %s", clusterIP.String(), ipNet.String()))
}
if clusterIPNet.Contains(ipNet.IP) {
errList = append(errList, fmt.Errorf("Error: Host network with IP: %s conflicts with cluster network: %s", ipNet.IP.String(), networkCIDR))
}
}
for _, netStr := range subnetsInUse {
subnetIP, _, err := net.ParseCIDR(netStr)
if err != nil {
errList = append(errList, fmt.Errorf("Failed to parse network address: %s", netStr))
continue
}
if !clusterIPNet.Contains(subnetIP) {
errList = append(errList, fmt.Errorf("Error: Existing node subnet: %s is not part of cluster network: %s", netStr, networkCIDR))
}
}
return kerrors.NewAggregate(errList)
}
func ensureProcessInContainer(pid int, oomScoreAdj int, manager *fs.Manager) error {
if runningInHost, err := isProcessRunningInHost(pid); err != nil {
// Err on the side of caution. Avoid moving the docker daemon unless we are able to identify its context.
return err
} else if !runningInHost {
// Process is running inside a container. Don't touch that.
return nil
}
var errs []error
cont, err := getContainer(pid)
if err != nil {
errs = append(errs, fmt.Errorf("failed to find container of PID %d: %v", pid, err))
}
if cont != manager.Cgroups.Name {
err = manager.Apply(pid)
if err != nil {
errs = append(errs, fmt.Errorf("failed to move PID %d (in %q) to %q", pid, cont, manager.Cgroups.Name))
}
}
// Also apply oom-score-adj to processes
oomAdjuster := oom.NewOOMAdjuster()
if err := oomAdjuster.ApplyOOMScoreAdj(pid, oomScoreAdj); err != nil {
errs = append(errs, fmt.Errorf("failed to apply oom score %d to PID %d", oomScoreAdj, pid))
}
return utilerrors.NewAggregate(errs)
}
// InitPlugins initializes each plugin. All plugins must have unique names.
// This must be called exactly once before any New* methods are called on any
// plugins.
func (pm *VolumePluginMgr) InitPlugins(plugins []VolumePlugin, host VolumeHost) error {
pm.mutex.Lock()
defer pm.mutex.Unlock()
if pm.plugins == nil {
pm.plugins = map[string]VolumePlugin{}
}
allErrs := []error{}
for _, plugin := range plugins {
name := plugin.Name()
if errs := validation.IsQualifiedName(name); len(errs) != 0 {
allErrs = append(allErrs, fmt.Errorf("volume plugin has invalid name: %q: %s", name, strings.Join(errs, ";")))
continue
}
if _, found := pm.plugins[name]; found {
allErrs = append(allErrs, fmt.Errorf("volume plugin %q was registered more than once", name))
continue
}
err := plugin.Init(host)
if err != nil {
glog.Errorf("Failed to load volume plugin %s, error: %s", plugin, err.Error())
allErrs = append(allErrs, err)
continue
}
pm.plugins[name] = plugin
glog.V(1).Infof("Loaded volume plugin %q", name)
}
return utilerrors.NewAggregate(allErrs)
}
// ScopesToRules takes the scopes and return the rules back. We ALWAYS add the discovery rules and it is possible to get some rules and and
// an error since errors aren't fatal to evaluation
func ScopesToRules(scopes []string, namespace string, clusterPolicyGetter rulevalidation.ClusterPolicyGetter) ([]authorizationapi.PolicyRule, error) {
rules := append([]authorizationapi.PolicyRule{}, authorizationapi.DiscoveryRule)
errors := []error{}
for _, scope := range scopes {
found := false
for _, evaluator := range ScopeEvaluators {
if evaluator.Handles(scope) {
found = true
currRules, err := evaluator.ResolveRules(scope, namespace, clusterPolicyGetter)
if err != nil {
errors = append(errors, err)
continue
}
rules = append(rules, currRules...)
}
}
if !found {
errors = append(errors, fmt.Errorf("no scope evaluator found for %q", scope))
}
}
return rules, kutilerrors.NewAggregate(errors)
}
// validate converts all of the arguments on the config into references to objects, or returns an error
func (c *AppConfig) validate() (app.ComponentReferences, app.SourceRepositories, cmdutil.Environment, cmdutil.Environment, error) {
b := c.refBuilder
c.addReferenceBuilderComponents(b)
b.AddGroups(c.Groups)
refs, repos, errs := b.Result()
if len(c.Strategy) != 0 && len(repos) == 0 {
errs = append(errs, fmt.Errorf("when --strategy is specified you must provide at least one source code location"))
}
if c.BinaryBuild && (len(repos) > 0 || refs.HasSource()) {
errs = append(errs, fmt.Errorf("specifying binary builds and source repositories at the same time is not allowed"))
}
env, duplicateEnv, envErrs := cmdutil.ParseEnvironmentArguments(c.Environment)
for _, s := range duplicateEnv {
glog.V(1).Infof("The environment variable %q was overwritten", s)
}
errs = append(errs, envErrs...)
parms, duplicateParms, parmsErrs := cmdutil.ParseEnvironmentArguments(c.TemplateParameters)
for _, s := range duplicateParms {
glog.V(1).Infof("The template parameter %q was overwritten", s)
}
errs = append(errs, parmsErrs...)
return refs, repos, env, parms, errors.NewAggregate(errs)
}
func validateScopeRestrictions(client *oauthapi.OAuthClient, scope string) error {
errs := []error{}
if len(client.ScopeRestrictions) == 0 {
return nil
}
for _, restriction := range client.ScopeRestrictions {
if len(restriction.ExactValues) > 0 {
if err := ValidateLiteralScopeRestrictions(scope, restriction.ExactValues); err != nil {
errs = append(errs, err)
continue
}
return nil
}
if restriction.ClusterRole != nil {
if !clusterRoleEvaluatorInstance.Handles(scope) {
continue
}
if err := ValidateClusterRoleScopeRestrictions(scope, *restriction.ClusterRole); err != nil {
errs = append(errs, err)
continue
}
return nil
}
}
// if we got here, then nothing matched. If we already have errors, do nothing, otherwise add one to make it report failed.
if len(errs) == 0 {
errs = append(errs, fmt.Errorf("%v did not match any scope restriction", scope))
}
return kutilerrors.NewAggregate(errs)
}
// validate converts all of the arguments on the config into references to objects, or returns an error
func (c *AppConfig) validate() (app.ComponentReferences, app.SourceRepositories, cmdutil.Environment, cmdutil.Environment, error) {
b := c.refBuilder
c.addReferenceBuilderComponents(b)
b.AddGroups(c.Groups)
refs, repos, errs := b.Result()
if len(repos) > 0 {
repos[0].SetContextDir(c.ContextDir)
if len(repos) > 1 {
glog.Warningf("You have specified more than one source repository and a context directory. "+
"The context directory will be applied to the first repository: %q", repos[0])
}
}
if len(c.Strategy) != 0 && len(repos) == 0 {
errs = append(errs, fmt.Errorf("when --strategy is specified you must provide at least one source code location"))
}
env, duplicateEnv, envErrs := cmdutil.ParseEnvironmentArguments(c.Environment)
for _, s := range duplicateEnv {
glog.V(1).Infof("The environment variable %q was overwritten", s)
}
errs = append(errs, envErrs...)
parms, duplicateParms, parmsErrs := cmdutil.ParseEnvironmentArguments(c.TemplateParameters)
for _, s := range duplicateParms {
glog.V(1).Infof("The template parameter %q was overwritten", s)
}
errs = append(errs, parmsErrs...)
return refs, repos, env, parms, errors.NewAggregate(errs)
}
// openshiftGroupNamesOnlyBlacklist returns back a list that contains only the names of the groups.
// Since Group.Name cannot contain '/', the split is safe. Any resource ref that is not a group
// is skipped.
func openshiftGroupNamesOnlyList(list []string) ([]string, error) {
ret := []string{}
errs := []error{}
for _, curr := range list {
tokens := strings.SplitN(curr, "/", 2)
if len(tokens) == 1 {
ret = append(ret, tokens[0])
continue
}
if tokens[0] != "group" && tokens[0] != "groups" {
errs = append(errs, fmt.Errorf("%q is not a valid OpenShift group", curr))
continue
}
ret = append(ret, tokens[1])
}
if len(errs) > 0 {
return nil, kerrs.NewAggregate(errs)
}
return ret, nil
}
// buildTemplates converts a set of resolved, valid references into references to template objects.
func (c *AppConfig) buildTemplates(components app.ComponentReferences, environment app.Environment) ([]runtime.Object, error) {
objects := []runtime.Object{}
for _, ref := range components {
tpl := ref.Input().ResolvedMatch.Template
glog.V(4).Infof("processing template %s/%s", c.originNamespace, tpl.Name)
for _, env := range environment.List() {
// only set environment values that match what's expected by the template.
if v := template.GetParameterByName(tpl, env.Name); v != nil {
v.Value = env.Value
v.Generate = ""
template.AddParameter(tpl, *v)
} else {
return nil, fmt.Errorf("unexpected parameter name %q", env.Name)
}
}
result, err := c.osclient.TemplateConfigs(c.originNamespace).Create(tpl)
if err != nil {
return nil, fmt.Errorf("error processing template %s/%s: %v", c.originNamespace, tpl.Name, err)
}
errs := runtime.DecodeList(result.Objects, kapi.Scheme)
if len(errs) > 0 {
err = errors.NewAggregate(errs)
return nil, fmt.Errorf("error processing template %s/%s: %v", c.originNamespace, tpl.Name, errs)
}
objects = append(objects, result.Objects...)
}
return objects, nil
}
// AuthenticateRequest authenticates the request using presented client certificates
func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
if req.TLS == nil {
return nil, false, nil
}
var errlist []error
for _, cert := range req.TLS.PeerCertificates {
chains, err := cert.Verify(a.opts)
if err != nil {
errlist = append(errlist, err)
continue
}
for _, chain := range chains {
user, ok, err := a.user.User(chain)
if err != nil {
errlist = append(errlist, err)
continue
}
if ok {
return user, ok, err
}
}
}
return nil, false, utilerrors.NewAggregate(errlist)
}
func instantiateTemplate(client client.Interface, mapper configcmd.Mapper, templateNamespace, templateName, targetNamespace string, params map[string]string) error {
template, err := client.Templates(templateNamespace).Get(templateName)
if err != nil {
return errors.NewError("cannot retrieve template %q from namespace %q", templateName, templateNamespace).WithCause(err)
}
// process the template
result, err := genappcmd.TransformTemplate(template, client, targetNamespace, params)
if err != nil {
return errors.NewError("cannot process template %s/%s", templateNamespace, templateName).WithCause(err)
}
// Create objects
bulk := &configcmd.Bulk{
Mapper: mapper,
Op: configcmd.Create,
}
itemsToCreate := &kapi.List{
Items: result.Objects,
}
if errs := bulk.Run(itemsToCreate, targetNamespace); len(errs) > 0 {
err = kerrors.NewAggregate(errs)
return errors.NewError("cannot create objects from template %s/%s", templateNamespace, templateName).WithCause(err)
}
return nil
}
// cleanupDeployment is responsible for cleaning up a deployment ie. retains all but the latest N old replica sets
// where N=d.Spec.RevisionHistoryLimit. Old replica sets are older versions of the podtemplate of a deployment kept
// around by default 1) for historical reasons and 2) for the ability to rollback a deployment.
func (dc *DeploymentController) cleanupDeployment(oldRSs []*extensions.ReplicaSet, deployment *extensions.Deployment) error {
if deployment.Spec.RevisionHistoryLimit == nil {
return nil
}
diff := int32(len(oldRSs)) - *deployment.Spec.RevisionHistoryLimit
if diff <= 0 {
return nil
}
sort.Sort(controller.ReplicaSetsByCreationTimestamp(oldRSs))
var errList []error
// TODO: This should be parallelized.
for i := int32(0); i < diff; i++ {
rs := oldRSs[i]
// Avoid delete replica set with non-zero replica counts
if rs.Status.Replicas != 0 || *(rs.Spec.Replicas) != 0 || rs.Generation > rs.Status.ObservedGeneration {
continue
}
if err := dc.client.Extensions().ReplicaSets(rs.Namespace).Delete(rs.Name, nil); err != nil && !errors.IsNotFound(err) {
glog.V(2).Infof("Failed deleting old replica set %v for deployment %v: %v", rs.Name, deployment.Name, err)
errList = append(errList, err)
}
}
return utilerrors.NewAggregate(errList)
}
