}) } type internalConfig struct { limitCPUToMemoryRatio *inf.Dec cpuRequestToLimitRatio *inf.Dec memoryRequestToLimitRatio *inf.Dec } type clusterResourceOverridePlugin struct { *admission.Handler config *internalConfig ProjectCache *cache.ProjectCache LimitRanger admission.Interface } var _ = oadmission.WantsProjectCache(&clusterResourceOverridePlugin{}) var _ = oadmission.Validator(&clusterResourceOverridePlugin{}) // newClusterResourceOverride returns an admission controller for containers that // configurably overrides container resource request/limits func newClusterResourceOverride(client clientset.Interface, config io.Reader) (admission.Interface, error) { parsed, err := ReadConfig(config) if err != nil { glog.V(5).Infof("%s admission controller loaded with error: (%T) %[2]v", api.PluginName, err) return nil, err } if errs := validation.Validate(parsed); len(errs) > 0 { return nil, errs.ToAggregate() } glog.V(5).Infof("%s admission controller loaded with config: %v", api.PluginName, parsed) var internal *internalConfig
func init() { admission.RegisterPlugin("OriginNamespaceLifecycle", func(client client.Interface, config io.Reader) (admission.Interface, error) { return NewLifecycle(client, recommendedCreatableResources) }) } type lifecycle struct { client client.Interface cache *cache.ProjectCache // creatableResources is a set of resources that can be created even if the namespace is terminating creatableResources sets.String } var recommendedCreatableResources = sets.NewString("resourceaccessreviews", "localresourceaccessreviews") var _ = oadmission.WantsProjectCache(&lifecycle{}) var _ = oadmission.Validator(&lifecycle{}) // Admit enforces that a namespace must exist in order to associate content with it. // Admit enforces that a namespace that is terminating cannot accept new content being associated with it. func (e *lifecycle) Admit(a admission.Attributes) (err error) { if len(a.GetNamespace()) == 0 { return nil } // always allow a SAR request through, the SAR will return information about // the ability to take action on the object, no need to verify it here. if isSubjectAccessReview(a) { return nil } mapping, err := latest.RESTMapper.RESTMapping(a.GetKind()) if err != nil {
) func init() { admission.RegisterPlugin("OriginPodNodeEnvironment", func(client clientset.Interface, config io.Reader) (admission.Interface, error) { return NewPodNodeEnvironment(client) }) } // podNodeEnvironment is an implementation of admission.Interface. type podNodeEnvironment struct { *admission.Handler client clientset.Interface cache *cache.ProjectCache } var _ = oadmission.WantsProjectCache(&podNodeEnvironment{}) var _ = oadmission.Validator(&podNodeEnvironment{}) // Admit enforces that pod and its project node label selectors matches at least a node in the cluster. func (p *podNodeEnvironment) Admit(a admission.Attributes) (err error) { resource := a.GetResource() if resource != kapi.Resource("pods") { return nil } if a.GetSubresource() != "" { // only run the checks below on pods proper and not subresources return nil } obj := a.GetObject() pod, ok := obj.(*kapi.Pod)
errs := ValidateProjectRequestLimitConfig(config) if len(errs) > 0 { return nil, errs.ToAggregate() } return config, nil } type projectRequestLimit struct { *admission.Handler client client.Interface config *ProjectRequestLimitConfig cache *projectcache.ProjectCache } // ensure that the required Openshift admission interfaces are implemented var _ = oadmission.WantsProjectCache(&projectRequestLimit{}) var _ = oadmission.WantsOpenshiftClient(&projectRequestLimit{}) var _ = oadmission.Validator(&projectRequestLimit{}) // Admit ensures that only a configured number of projects can be requested by a particular user. func (o *projectRequestLimit) Admit(a admission.Attributes) (err error) { if a.GetResource() != projectapi.Resource("projectrequests") { return nil } if _, isProjectRequest := a.GetObject().(*projectapi.ProjectRequest); !isProjectRequest { return nil } userName := a.GetUserInfo().GetName() projectCount, err := o.projectCountByRequester(userName) if err != nil { return err
} func NewRunOnceDuration(config *api.RunOnceDurationConfig) admission.Interface { return &runOnceDuration{ Handler: admission.NewHandler(admission.Create, admission.Update), config: config, } } type runOnceDuration struct { *admission.Handler config *api.RunOnceDurationConfig cache *projectcache.ProjectCache } var _ = oadmission.WantsProjectCache(&runOnceDuration{}) var _ = oadmission.Validator(&runOnceDuration{}) func (a *runOnceDuration) Admit(attributes admission.Attributes) error { switch { case a.config == nil, !a.config.Enabled, attributes.GetResource() != kapi.Resource("pods"), len(attributes.GetSubresource()) > 0: return nil } pod, ok := attributes.GetObject().(*kapi.Pod) if !ok { return admission.NewForbidden(attributes, fmt.Errorf("unexpected object: %#v", attributes.GetObject())) }