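// Admit enforces namespace lifecycle rules on an incoming request.
//
// Delete requests are always admitted, except that deleting a Namespace whose
// name is in l.immortalNamespaces is forbidden. Any other operation is
// rejected when it targets a namespace-scoped resource whose namespace is
// present in l.store with phase NamespaceTerminating. Errors from the REST
// mapper or the store are turned into Forbidden, so lookup failures fail
// closed.
func (l *lifecycle) Admit(a admission.Attributes) (err error) {
	// prevent deletion of immortal namespaces
	if a.GetOperation() == admission.Delete {
		if a.GetKind() == "Namespace" && l.immortalNamespaces.Has(a.GetName()) {
			return errors.NewForbidden(a.GetKind(), a.GetName(), fmt.Errorf("namespace can never be deleted"))
		}
		// Every other delete is admitted, including deletes inside a
		// terminating namespace.
		return nil
	}

	defaultVersion, kind, err := latest.RESTMapper.VersionAndKindForResource(a.GetResource())
	if err != nil {
		return admission.NewForbidden(a, err)
	}
	mapping, err := latest.RESTMapper.RESTMapping(kind, defaultVersion)
	if err != nil {
		return admission.NewForbidden(a, err)
	}
	// Resources that are not namespace-scoped are outside this check.
	if mapping.Scope.Name() != meta.RESTScopeNameNamespace {
		return nil
	}

	namespaceObj, exists, err := l.store.Get(&api.Namespace{
		ObjectMeta: api.ObjectMeta{
			Name:      a.GetNamespace(),
			Namespace: "",
		},
	})
	if err != nil {
		return admission.NewForbidden(a, err)
	}
	// NOTE(review): a namespace that is absent from l.store is admitted. If
	// the store is a cache that can lag behind the API server, a request for a
	// namespace that is terminating but not yet visible here passes this
	// check; confirm another control covers that case.
	if !exists {
		return nil
	}

	// Checked assertion: an unexpected object in the store must deny the
	// request instead of panicking in the admission path.
	namespace, ok := namespaceObj.(*api.Namespace)
	if !ok {
		return admission.NewForbidden(a, fmt.Errorf("unexpected object type %T in namespace store", namespaceObj))
	}
	if namespace.Status.Phase != api.NamespaceTerminating {
		return nil
	}

	return admission.NewForbidden(a, fmt.Errorf("Unable to create new content in namespace %s because it is being terminated.", a.GetNamespace()))
}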
// Admit fills in default memory and CPU values on pod containers that leave
// them at zero. Requests whose operation is "DELETE" or whose kind is not
// "pods" are admitted untouched. The pod carried by the request is mutated in
// place and the result is always nil.
func (resourceDefaults) Admit(a admission.Attributes) (err error) {
	// Nothing to default on deletes or on anything that is not a pod.
	if a.GetOperation() == "DELETE" || a.GetKind() != "pods" {
		return nil
	}

	// NOTE(review): the assertion is unchecked, so an object that is not
	// *api.Pod panics here. Confirm callers only pass pods for kind "pods".
	pod := a.GetObject().(*api.Pod)

	containers := pod.Spec.Containers
	for i := range containers {
		c := &containers[i]
		// A zero quantity is treated as "not set" and replaced by the default.
		if c.Memory.Value() == 0 {
			c.Memory = resource.MustParse(defaultMemory)
		}
		if c.CPU.Value() == 0 {
			c.CPU = resource.MustParse(defaultCPU)
		}
	}
	return nil
}
// Admit rejects every request. It returns a Forbidden error built from the
// request's kind, an empty name and a fixed reason, whatever the operation.
func (alwaysDeny) Admit(a admission.Attributes) (err error) {
	kind := a.GetKind()
	reason := errors.New("Admission control is denying all modifications")
	return apierrors.NewForbidden(kind, "", reason)
}