Skip to content

Commit bbee78e

Browse files
benluddybenluddy
committed
wip: require static pod node statuses to begin with revision unset
1 parent acb9630 commit bbee78e

File tree

2 files changed

+120
-0
lines changed

2 files changed

+120
-0
lines changed

openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go

+2
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ package customresourcevalidationregistration
33
import (
44
"k8s.io/apiserver/pkg/admission"
55
"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/apirequestcount"
6+
"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/staticpodoperator"
67

78
"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/apiserver"
89
"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/authentication"
@@ -66,6 +67,7 @@ func RegisterCustomResourceValidation(plugins *admission.Plugins) {
6667
operator.Register(plugins)
6768
scheduler.Register(plugins)
6869
kubecontrollermanager.Register(plugins)
70+
staticpodoperator.Register(plugins)
6971

7072
// This plugin validates the quota.openshift.io/v1 ClusterResourceQuota resources.
7173
// NOTE: This is only allowed because it is required to get a running control plane operator.

openshift-kube-apiserver/admission/customresourcevalidation/staticpodoperator/validate_static_pod_operator.go

+118
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,118 @@
1+
package staticpodoperator
2+
3+
import (
4+
"context"
5+
"fmt"
6+
"io"
7+
"reflect"
8+
9+
operatorv1 "github.com/openshift/api/operator/v1"
10+
11+
"k8s.io/apimachinery/pkg/runtime"
12+
"k8s.io/apimachinery/pkg/runtime/schema"
13+
"k8s.io/apimachinery/pkg/util/validation/field"
14+
"k8s.io/apiserver/pkg/admission"
15+
16+
"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation"
17+
)
18+
19+
const PluginName = "operator.openshift.io/ValidateStaticPodOperator"
20+
21+
func Register(plugins *admission.Plugins) {
22+
plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
23+
return customresourcevalidation.NewValidator(
24+
map[schema.GroupResource]bool{
25+
operatorv1.Resource("etcds"): true,
26+
operatorv1.Resource("kubeapiservers"): true,
27+
operatorv1.Resource("kubecontrollermanagers"): true,
28+
operatorv1.Resource("kubeschedulers"): true,
29+
},
30+
map[schema.GroupVersionKind]customresourcevalidation.ObjectValidator{
31+
operatorv1.GroupVersion.WithKind("Etcd"): staticPodOperatorValidator[*operatorv1.Etcd]{
32+
getStatus: func(o *operatorv1.Etcd) operatorv1.StaticPodOperatorStatus {
33+
return o.Status.StaticPodOperatorStatus
34+
},
35+
},
36+
operatorv1.GroupVersion.WithKind("KubeAPIServer"): staticPodOperatorValidator[*operatorv1.KubeAPIServer]{
37+
getStatus: func(o *operatorv1.KubeAPIServer) operatorv1.StaticPodOperatorStatus {
38+
return o.Status.StaticPodOperatorStatus
39+
},
40+
},
41+
operatorv1.GroupVersion.WithKind("KubeControllerManager"): staticPodOperatorValidator[*operatorv1.KubeControllerManager]{
42+
getStatus: func(o *operatorv1.KubeControllerManager) operatorv1.StaticPodOperatorStatus {
43+
return o.Status.StaticPodOperatorStatus
44+
},
45+
},
46+
operatorv1.GroupVersion.WithKind("KubeScheduler"): staticPodOperatorValidator[*operatorv1.KubeScheduler]{
47+
getStatus: func(o *operatorv1.KubeScheduler) operatorv1.StaticPodOperatorStatus {
48+
return o.Status.StaticPodOperatorStatus
49+
},
50+
},
51+
})
52+
})
53+
}
54+
55+
func toKubeControllerManager(uncastObj runtime.Object) (*operatorv1.KubeControllerManager, field.ErrorList) {
56+
if uncastObj == nil {
57+
return nil, nil
58+
}
59+
60+
allErrs := field.ErrorList{}
61+
62+
obj, ok := uncastObj.(*operatorv1.KubeControllerManager)
63+
if !ok {
64+
return nil, append(allErrs,
65+
field.NotSupported(field.NewPath("kind"), fmt.Sprintf("%T", uncastObj), []string{"KubeControllerManager"}),
66+
field.NotSupported(field.NewPath("apiVersion"), fmt.Sprintf("%T", uncastObj), []string{"operator.openshift.io/v1"}))
67+
}
68+
69+
return obj, nil
70+
}
71+
72+
type staticPodOperatorValidator[T runtime.Object] struct {
73+
getStatus func(o T) operatorv1.StaticPodOperatorStatus
74+
}
75+
76+
func (staticPodOperatorValidator[T]) ValidateCreate(_ context.Context, uncastObj runtime.Object) field.ErrorList {
77+
return nil
78+
}
79+
80+
func (staticPodOperatorValidator[T]) ValidateUpdate(_ context.Context, uncastObj runtime.Object, uncastOldObj runtime.Object) field.ErrorList {
81+
return nil
82+
}
83+
84+
func (v staticPodOperatorValidator[T]) ValidateStatusUpdate(_ context.Context, uncastObj runtime.Object, uncastOldObj runtime.Object) field.ErrorList {
85+
obj, ok := uncastObj.(T)
86+
if !ok {
87+
panic(fmt.Sprintf("cannot validate object of unexpected type %T (expected %T)", uncastObj, reflect.TypeFor[T]()))
88+
}
89+
oldObj, ok := uncastOldObj.(T)
90+
if !ok {
91+
panic(fmt.Sprintf("cannot validate object of unexpected type %T (expected %T)", uncastOldObj, reflect.TypeFor[T]()))
92+
}
93+
94+
status := v.getStatus(obj)
95+
oldStatus := v.getStatus(oldObj)
96+
97+
var errors field.ErrorList
98+
for _, node := range status.NodeStatuses {
99+
preexisting := false
100+
for _, oldNode := range oldStatus.NodeStatuses {
101+
if node.NodeName == oldNode.NodeName {
102+
preexisting = true
103+
}
104+
}
105+
if preexisting {
106+
continue
107+
}
108+
109+
if node.CurrentRevision > 0 {
110+
errors = append(errors, field.Invalid(field.NewPath("status", "nodeStatuses"), node, "new node statuses can not have nonzero currentRevision"))
111+
}
112+
if node.TargetRevision > 0 {
113+
errors = append(errors, field.Invalid(field.NewPath("status", "nodeStatuses"), node, "new node statuses can not have nonzero targetRevision"))
114+
}
115+
}
116+
117+
return errors
118+
}

0 commit comments

Comments
 (0)