Merge pull request kubernetes#87582 from mrueg/ptr

k8s-ci-robot · web-flow · commit 71c352dee310 · 2020-06-29T13:07:59.000-07:00
PodTolerationRestriction: Mention Whitelist Scope in Error
diff --git a/plugin/pkg/admission/podtolerationrestriction/admission.go b/plugin/pkg/admission/podtolerationrestriction/admission.go
@@ -127,6 +127,7 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
 	pod := a.GetObject().(*api.Pod)
 	if len(pod.Spec.Tolerations) > 0 {
 		whitelist, err := p.getNamespaceTolerationsWhitelist(a.GetNamespace())
+		whitelistScope := "namespace"
 		if err != nil {
 			return err
 		}
@@ -135,12 +136,13 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
 		// fall back to cluster's whitelist of tolerations.
 		if whitelist == nil {
 			whitelist = p.pluginConfig.Whitelist
+			whitelistScope = "cluster"
 		}
 
 		if len(whitelist) > 0 {
 			// check if the merged pod tolerations satisfy its namespace whitelist
 			if !tolerations.VerifyAgainstWhitelist(pod.Spec.Tolerations, whitelist) {
-				return fmt.Errorf("pod tolerations (possibly merged with namespace default tolerations) conflict with its namespace whitelist")
+				return fmt.Errorf("pod tolerations (possibly merged with namespace default tolerations) conflict with its %s whitelist", whitelistScope)
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi`
`127`	`127`	`pod := a.GetObject().(*api.Pod)`
`128`	`128`	`if len(pod.Spec.Tolerations) > 0 {`
`129`	`129`	`whitelist, err := p.getNamespaceTolerationsWhitelist(a.GetNamespace())`
	`130`	`+ whitelistScope := "namespace"`
`130`	`131`	`if err != nil {`
`131`	`132`	`return err`
`132`	`133`	`}`
`@@ -135,12 +136,13 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi`
`135`	`136`	`// fall back to cluster's whitelist of tolerations.`
`136`	`137`	`if whitelist == nil {`
`137`	`138`	`whitelist = p.pluginConfig.Whitelist`
	`139`	`+ whitelistScope = "cluster"`
`138`	`140`	`}`
`139`	`141`
`140`	`142`	`if len(whitelist) > 0 {`
`141`	`143`	`// check if the merged pod tolerations satisfy its namespace whitelist`
`142`	`144`	`if !tolerations.VerifyAgainstWhitelist(pod.Spec.Tolerations, whitelist) {`
`143`		`- return fmt.Errorf("pod tolerations (possibly merged with namespace default tolerations) conflict with its namespace whitelist")`
	`145`	`+ return fmt.Errorf("pod tolerations (possibly merged with namespace default tolerations) conflict with its %s whitelist", whitelistScope)`
`144`	`146`	`}`
`145`	`147`	`}`
`146`	`148`	`}`