Skip to content

make gc admission set attribute namespace correctly for owners #70389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
k8s-ci-robot merged 1 commit into from
Oct 31, 2018
Merged

make gc admission set attribute namespace correctly for owners #70389

k8s-ci-robot merged 1 commit into from
Oct 31, 2018
+79 −12

Conversation

@caesarxuchao
Copy link
Contributor

@caesarxuchao caesarxuchao commented Oct 29, 2018
edited by liggitt
Loading

Fixing #70295 (comment)

In garbage collection, the owner object can be cluster-scoped. The gc admission plugin now deals with this case.

/assign @yue9944882
/sig api-machinery
/kind bug

The OwnerReferencesPermissionEnforcement admission plugin now checks authorization for the correct scope (namespaced or cluster-scoped) of the owner resource type. Previously, it always checked permissions at the same scope as the child resource.

@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. kind/bug Categorizes issue or PR as related to a bug. labels Oct 29, 2018
@caesarxuchao caesarxuchao mentioned this pull request Oct 29, 2018
Merged
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 30, 2018
@liggitt
Copy link
Member

liggitt commented Oct 30, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 30, 2018
@yue9944882
Copy link
Member

yue9944882 commented Oct 30, 2018

/lgtm

@caesarxuchao
Copy link
Contributor Author

caesarxuchao commented Oct 30, 2018

@deads2k can you approve? Thanks.

lavalamp
lavalamp reviewed Oct 31, 2018
View reviewed changes
plugin/pkg/admission/gc/gc_admission_test.go

if username == "non-node-deleter" {
if a.GetVerb() == "delete" && a.GetResource() == "nodes" {
return authorizer.DecisionNoOpinion, "", nil
Copy link
Contributor

@lavalamp lavalamp Oct 31, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume there's not other authorizers running and therefore this is the same as a reject? Would it make the test more obvious if we changed these to explicit rejections?

Copy link
Contributor Author

@caesarxuchao caesarxuchao Oct 31, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. Here I'm just trying to be consistent with the existing code.

@lavalamp
Copy link
Contributor

lavalamp commented Oct 31, 2018

/approve

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 31, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: caesarxuchao, lavalamp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 31, 2018
@k8s-ci-robot k8s-ci-robot merged commit bf5c862 into kubernetes:master Oct 31, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

1 more reviewer

@lavalamp lavalamp lavalamp left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@liggitt liggitt

@yue9944882 yue9944882

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@caesarxuchao @liggitt @yue9944882 @lavalamp @k8s-ci-robot