Merge pull request #12066 from liggitt/lifecycle-admission-1.3

Only pay attention to origin types in project lifecycle admission - 1.3.x

Author: liggitt

pkg/cmd/server/origin/master_config.go

@@ -322,8 +322,8 @@ var (
 
 	// KubeAdmissionPlugins gives the in-order default admission chain for kube resources.
 	KubeAdmissionPlugins = []string{
-		"RunOnceDuration",
 		lifecycle.PluginName,
+		"RunOnceDuration",
 		"PodNodeConstraints",
 		"OriginPodNodeEnvironment",
 		overrideapi.PluginName,
@@ -350,14 +350,14 @@ var (
 	// When possible, this list is used.  The set of openshift+kube chains must exactly match this set.  In addition,
 	// the order specified in the openshift and kube chains must match the order here.
 	CombinedAdmissionControlPlugins = []string{
+		lifecycle.PluginName,
 		"ProjectRequestLimit",
 		"OriginNamespaceLifecycle",
 		"PodNodeConstraints",
 		"openshift.io/JenkinsBootstrapper",
 		"BuildByStrategy",
 		imageadmission.PluginName,
 		"RunOnceDuration",
-		lifecycle.PluginName,
 		"PodNodeConstraints",
 		"OriginPodNodeEnvironment",
 		overrideapi.PluginName,

pkg/project/admission/lifecycle/admission.go

@@ -15,6 +15,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/sets"
 
 	"github.com/openshift/origin/pkg/api"
+	"github.com/openshift/origin/pkg/api/latest"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	"github.com/openshift/origin/pkg/project/cache"
 	projectutil "github.com/openshift/origin/pkg/project/util"
@@ -40,12 +41,15 @@ var recommendedCreatableResources = sets.NewString("resourceaccessreviews", "loc
 var _ = oadmission.WantsProjectCache(&lifecycle{})
 var _ = oadmission.Validator(&lifecycle{})
 
-// Admit enforces that a namespace must exist in order to associate content with it.
-// Admit enforces that a namespace that is terminating cannot accept new content being associated with it.
+// Admit enforces that a namespace must have the openshift finalizer associated with it in order to create origin API objects within it
 func (e *lifecycle) Admit(a admission.Attributes) (err error) {
 	if len(a.GetNamespace()) == 0 {
 		return nil
 	}
+	// only pay attention to origin resources
+	if !latest.OriginKind(a.GetKind()) {
+		return nil
+	}
 	// always allow a SAR request through, the SAR will return information about
 	// the ability to take action on the object, no need to verify it here.
 	if isSubjectAccessReview(a) {

pkg/project/admission/lifecycle/admission_test.go

@@ -73,7 +73,7 @@ func TestAdmissionExists(t *testing.T) {
 			Phase: buildapi.BuildPhaseNew,
 		},
 	}
-	err := handler.Admit(admission.NewAttributesRecord(build, nil, kapi.Kind("Build").WithVersion("version"), "namespace", "name", kapi.Resource("builds").WithVersion("version"), "", "CREATE", nil))
+	err := handler.Admit(admission.NewAttributesRecord(build, nil, kapi.Kind("Build").WithVersion("v1"), "namespace", "name", kapi.Resource("builds").WithVersion("v1"), "", "CREATE", nil))
 	if err == nil {
 		t.Errorf("Expected an error because namespace does not exist")
 	}
@@ -106,7 +106,7 @@ func TestSAR(t *testing.T) {
 	}
 
 	for k, v := range tests {
-		err := handler.Admit(admission.NewAttributesRecord(nil, nil, kapi.Kind(v.kind).WithVersion("version"), "foo", "name", kapi.Resource(v.resource).WithVersion("version"), "", "CREATE", nil))
+		err := handler.Admit(admission.NewAttributesRecord(nil, nil, kapi.Kind(v.kind).WithVersion("v1"), "foo", "name", kapi.Resource(v.resource).WithVersion("v1"), "", "CREATE", nil))
 		if err != nil {
 			t.Errorf("Unexpected error for %s returned from admission handler: %v", k, err)
 		}