예제 #1
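// Admit refuses deletion of the namespaces listed in l.immortalNamespaces and
// refuses requests for namespace-scoped resources whose namespace is in the
// Terminating phase. All other deletes, all non-namespaced resources, and
// requests whose namespace is not found in l.store are admitted.
//
// It returns nil to admit the request and a Forbidden error to reject it.
func (l *lifecycle) Admit(a admission.Attributes) (err error) {

	// prevent deletion of immortal namespaces; every other delete is admitted
	// so that content can still be removed from a terminating namespace
	if a.GetOperation() == admission.Delete {
		if a.GetKind() == "Namespace" && l.immortalNamespaces.Has(a.GetName()) {
			return errors.NewForbidden(a.GetKind(), a.GetName(), fmt.Errorf("namespace can never be deleted"))
		}
		return nil
	}

	// Resolve the resource to its REST mapping to learn its scope. A resource
	// that cannot be mapped is rejected rather than waved through.
	defaultVersion, kind, err := latest.RESTMapper.VersionAndKindForResource(a.GetResource())
	if err != nil {
		return admission.NewForbidden(a, err)
	}
	mapping, err := latest.RESTMapper.RESTMapping(kind, defaultVersion)
	if err != nil {
		return admission.NewForbidden(a, err)
	}
	// Only namespace-scoped resources are subject to the lifecycle check.
	if mapping.Scope.Name() != meta.RESTScopeNameNamespace {
		return nil
	}

	namespaceObj, exists, err := l.store.Get(&api.Namespace{
		ObjectMeta: api.ObjectMeta{
			Name:      a.GetNamespace(),
			Namespace: "",
		},
	})
	if err != nil {
		return admission.NewForbidden(a, err)
	}
	// NOTE(review): a namespace that l.store does not know about is admitted
	// here (fail-open). Presumably namespace existence is enforced by another
	// admission plugin, and l.store may lag behind the API server, so a
	// namespace that only just entered Terminating could still accept new
	// content for a short window; confirm both against the plugin chain.
	if !exists {
		return nil
	}

	// A checked assertion keeps an unexpected store entry from panicking inside
	// the request path; the request is rejected instead, matching the other
	// error paths above.
	namespace, ok := namespaceObj.(*api.Namespace)
	if !ok || namespace == nil {
		return admission.NewForbidden(a, fmt.Errorf("unexpected object of type %T in namespace store", namespaceObj))
	}
	if namespace.Status.Phase != api.NamespaceTerminating {
		return nil
	}

	return admission.NewForbidden(a, fmt.Errorf("Unable to create new content in namespace %s because it is being terminated.", a.GetNamespace()))
}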
예제 #2
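// Admit fills in default memory and CPU values on the containers of a pod
// that is being created or updated. Deletes and non-pod kinds are ignored.
//
// The pod returned by a.GetObject() is modified in place. Admit never rejects
// a request; it always returns nil.
func (resourceDefaults) Admit(a admission.Attributes) (err error) {
	// ignore deletes, only process create and update
	if a.GetOperation() == "DELETE" {
		return nil
	}

	// we only care about pods
	if a.GetKind() != "pods" {
		return nil
	}

	// A checked assertion keeps a request whose object is missing or is not a
	// *api.Pod from panicking in the admission path. There is nothing to
	// default on such an object, so it is left untouched.
	pod, ok := a.GetObject().(*api.Pod)
	if !ok || pod == nil {
		return nil
	}

	// Index into the slice so the defaults are written to the pod itself and
	// not to a per-iteration copy of the container.
	for index := range pod.Spec.Containers {
		container := &pod.Spec.Containers[index]
		// A value of 0 is treated as "unset"; an explicit request for 0 cannot
		// be told apart from a missing value and is overwritten as well.
		// NOTE(review): resource.MustParse panics on a malformed quantity;
		// defaultMemory and defaultCPU are defined outside this block, so
		// confirm they are valid constants.
		if container.Memory.Value() == 0 {
			container.Memory = resource.MustParse(defaultMemory)
		}
		if container.CPU.Value() == 0 {
			container.CPU = resource.MustParse(defaultCPU)
		}
	}
	return nil
}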
예제 #3
// Admit rejects every request it is given: it always returns a Forbidden
// error built from the request's kind, with an empty resource name.
func (alwaysDeny) Admit(a admission.Attributes) (err error) {
	reason := errors.New("Admission control is denying all modifications")
	err = apierrors.NewForbidden(a.GetKind(), "", reason)
	return err
}