Merge pull request #17856 from php-coder/improve_scc_admission_plugin

Automatic merge from submit-queue (batch tested with PRs 17856, 16934, 17979, 17993, 18001).

SCC admission plugin: extract name to a constant

I hope that it won't create unnecessary package coupling.

PTAL @pweil- @liggitt
CC @simo5

Author: openshift-merge-robot

pkg/cmd/server/origin/admission/chain_builder.go

@@ -24,6 +24,7 @@ import (
 	imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
 	ingressadmission "github.com/openshift/origin/pkg/ingress/admission"
 	overrideapi "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api"
+	sccadmission "github.com/openshift/origin/pkg/security/admission"
 	serviceadmit "github.com/openshift/origin/pkg/service/admission"
 )
 
@@ -61,7 +62,7 @@ var (
 		"LimitRanger",
 		"ServiceAccount",
 		noderestriction.PluginName,
-		"SecurityContextConstraint",
+		sccadmission.PluginName,
 		storageclassdefaultadmission.PluginName,
 		"AlwaysPullImages",
 		"LimitPodHardAntiAffinityTopology",
@@ -107,7 +108,7 @@ var (
 		"LimitRanger",
 		"ServiceAccount",
 		noderestriction.PluginName,
-		"SecurityContextConstraint",
+		sccadmission.PluginName,
 		storageclassdefaultadmission.PluginName,
 		"AlwaysPullImages",
 		"LimitPodHardAntiAffinityTopology",

pkg/cmd/server/origin/admission/config_test.go

@@ -11,6 +11,7 @@ import (
 
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	overrideapi "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api"
+	sccadmission "github.com/openshift/origin/pkg/security/admission"
 	serviceadmit "github.com/openshift/origin/pkg/service/admission"
 )
 
@@ -66,7 +67,7 @@ var legacyOpenshiftAdmissionPlugins = sets.NewString(
 	"OriginPodNodeEnvironment",
 	overrideapi.PluginName,
 	serviceadmit.ExternalIPPluginName,
-	"SecurityContextConstraint",
+	sccadmission.PluginName,
 	"SCCExecRestrictions",
 	"ResourceQuota",
 )

pkg/cmd/server/origin/admission/register.go

@@ -85,7 +85,7 @@ var (
 		"LimitRanger",
 		"ServiceAccount",
 		noderestriction.PluginName,
-		"SecurityContextConstraint",
+		securityadmission.PluginName,
 		"SCCExecRestrictions",
 		"PersistentVolumeLabel",
 		"DefaultStorageClass",

pkg/security/admission/admission.go

@@ -24,8 +24,10 @@ import (
 	"k8s.io/kubernetes/pkg/serviceaccount"
 )
 
+const PluginName = "SecurityContextConstraint"
+
 func Register(plugins *admission.Plugins) {
-	plugins.Register("SecurityContextConstraint",
+	plugins.Register(PluginName,
 		func(config io.Reader) (admission.Interface, error) {
 			return NewConstraint(), nil
 		})
@@ -137,8 +139,7 @@ func (c *constraint) Admit(a admission.Attributes) error {
 	return admission.NewForbidden(a, fmt.Errorf("unable to validate against any security context constraint: %v", validationErrs))
 }
 
-// SetInformers implements WantsInformers interface for constraint.
-
+// SetSecurityInformers implements WantsSecurityInformer interface for constraint.
 func (c *constraint) SetSecurityInformers(informers securityinformer.SharedInformerFactory) {
 	c.sccLister = informers.Security().InternalVersion().SecurityContextConstraints().Lister()
 }
@@ -147,10 +148,13 @@ func (c *constraint) SetInternalKubeClientSet(client kclientset.Interface) {
 	c.client = client
 }
 
-// Validate defines actions to vallidate security admission
+// ValidateInitialization implements InitializationValidator interface for constraint.
 func (c *constraint) ValidateInitialization() error {
 	if c.sccLister == nil {
-		return fmt.Errorf("sccLister not initialized")
+		return fmt.Errorf("%s requires an sccLister", PluginName)
+	}
+	if c.client == nil {
+		return fmt.Errorf("%s requires a client", PluginName)
 	}
 	return nil
 }