Merge pull request kubernetes#81072 from draveness/feature/runtime-class-scheduling-admission-plugin

k8s-ci-robot · web-flow · commit ce8cccb96659 · 2019-08-23T22:26:37.000-07:00
[RuntimeClassScheduling] Update runtime class admission plugin - Part2
diff --git a/plugin/pkg/admission/runtimeclass/BUILD b/plugin/pkg/admission/runtimeclass/BUILD
@@ -10,6 +10,7 @@ go_library(
         "//pkg/apis/node:go_default_library",
         "//pkg/apis/node/v1beta1:go_default_library",
         "//pkg/features:go_default_library",
+        "//pkg/util/tolerations:go_default_library",
         "//staging/src/k8s.io/api/node/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
diff --git a/plugin/pkg/admission/runtimeclass/admission.go b/plugin/pkg/admission/runtimeclass/admission.go
@@ -38,6 +38,7 @@ import (
 	node "k8s.io/kubernetes/pkg/apis/node"
 	nodev1beta1 "k8s.io/kubernetes/pkg/apis/node/v1beta1"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/util/tolerations"
 )
 
 // PluginName indicates name of admission plugin.
@@ -81,6 +82,9 @@ func (r *RuntimeClass) ValidateInitialization() error {
 
 // Admit makes an admission decision based on the request attributes
 func (r *RuntimeClass) Admit(ctx context.Context, attributes admission.Attributes, o admission.ObjectInterfaces) error {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) {
+		return nil
+	}
 
 	// Ignore all calls to subresources or resources other than pods.
 	if shouldIgnore(attributes) {
@@ -92,18 +96,20 @@ func (r *RuntimeClass) Admit(ctx context.Context, attributes admission.Attribute
 		return err
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.PodOverhead) {
-		err = setOverhead(attributes, pod, runtimeClass)
-		if err != nil {
+		if err := setOverhead(attributes, pod, runtimeClass); err != nil {
 			return err
 		}
 	}
 
+	if err := setScheduling(attributes, pod, runtimeClass); err != nil {
+		return err
+	}
+
 	return nil
 }
 
 // Validate makes sure that pod adhere's to RuntimeClass's definition
 func (r *RuntimeClass) Validate(ctx context.Context, attributes admission.Attributes, o admission.ObjectInterfaces) error {
-
 	// Ignore all calls to subresources or resources other than pods.
 	if shouldIgnore(attributes) {
 		return nil
@@ -114,7 +120,7 @@ func (r *RuntimeClass) Validate(ctx context.Context, attributes admission.Attrib
 		return err
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.PodOverhead) {
-		if err = validateOverhead(attributes, pod, runtimeClass); err != nil {
+		if err := validateOverhead(attributes, pod, runtimeClass); err != nil {
 			return err
 		}
 	}
@@ -131,34 +137,33 @@ func NewRuntimeClass() *RuntimeClass {
 
 // prepareObjects returns pod and runtimeClass types from the given admission attributes
 func (r *RuntimeClass) prepareObjects(attributes admission.Attributes) (pod *api.Pod, runtimeClass *v1beta1.RuntimeClass, err error) {
-
 	pod, ok := attributes.GetObject().(*api.Pod)
 	if !ok {
 		return nil, nil, apierrors.NewBadRequest("Resource was marked with kind Pod but was unable to be converted")
 	}
 
+	if pod.Spec.RuntimeClassName == nil {
+		return pod, nil, nil
+	}
+
 	// get RuntimeClass object
-	if pod.Spec.RuntimeClassName != nil {
-		runtimeClass, err = r.runtimeClassLister.Get(*pod.Spec.RuntimeClassName)
-		if err != nil {
-			return pod, nil, err
-		}
+	runtimeClass, err = r.runtimeClassLister.Get(*pod.Spec.RuntimeClassName)
+	if apierrors.IsNotFound(err) {
+		return pod, nil, admission.NewForbidden(attributes, fmt.Errorf("pod rejected: RuntimeClass %q not found", *pod.Spec.RuntimeClassName))
 	}
 
-	// return the pod and runtimeClass. If no RuntimeClass is specified in PodSpec, runtimeClass will be nil
-	return pod, runtimeClass, nil
+	// return the pod and runtimeClass.
+	return pod, runtimeClass, err
 }
 
 func setOverhead(a admission.Attributes, pod *api.Pod, runtimeClass *v1beta1.RuntimeClass) (err error) {
-
 	if runtimeClass == nil || runtimeClass.Overhead == nil {
 		return nil
 	}
 
 	// convert to internal type and assign to pod's Overhead
 	nodeOverhead := &node.Overhead{}
-	err = nodev1beta1.Convert_v1beta1_Overhead_To_node_Overhead(runtimeClass.Overhead, nodeOverhead, nil)
-	if err != nil {
+	if err = nodev1beta1.Convert_v1beta1_Overhead_To_node_Overhead(runtimeClass.Overhead, nodeOverhead, nil); err != nil {
 		return err
 	}
 
@@ -172,13 +177,43 @@ func setOverhead(a admission.Attributes, pod *api.Pod, runtimeClass *v1beta1.Run
 	return nil
 }
 
-func validateOverhead(a admission.Attributes, pod *api.Pod, runtimeClass *v1beta1.RuntimeClass) (err error) {
+func setScheduling(a admission.Attributes, pod *api.Pod, runtimeClass *v1beta1.RuntimeClass) (err error) {
+	if runtimeClass == nil || runtimeClass.Scheduling == nil {
+		return nil
+	}
+
+	// convert to internal type and assign to pod's Scheduling
+	nodeScheduling := &node.Scheduling{}
+	if err = nodev1beta1.Convert_v1beta1_Scheduling_To_node_Scheduling(runtimeClass.Scheduling, nodeScheduling, nil); err != nil {
+		return err
+	}
+
+	runtimeNodeSelector := nodeScheduling.NodeSelector
+	newNodeSelector := pod.Spec.NodeSelector
+	if newNodeSelector == nil {
+		newNodeSelector = runtimeNodeSelector
+	} else {
+		for key, runtimeClassValue := range runtimeNodeSelector {
+			if podValue, ok := newNodeSelector[key]; ok && podValue != runtimeClassValue {
+				return admission.NewForbidden(a, fmt.Errorf("conflict: runtimeClass.scheduling.nodeSelector[%s] = %s; pod.spec.nodeSelector[%s] = %s", key, runtimeClassValue, key, podValue))
+			}
+			newNodeSelector[key] = runtimeClassValue
+		}
+	}
+
+	newTolerations := tolerations.MergeTolerations(pod.Spec.Tolerations, nodeScheduling.Tolerations)
 
+	pod.Spec.NodeSelector = newNodeSelector
+	pod.Spec.Tolerations = newTolerations
+
+	return nil
+}
+
+func validateOverhead(a admission.Attributes, pod *api.Pod, runtimeClass *v1beta1.RuntimeClass) (err error) {
 	if runtimeClass != nil && runtimeClass.Overhead != nil {
 		// If the Overhead set doesn't match what is provided in the RuntimeClass definition, reject the pod
 		nodeOverhead := &node.Overhead{}
-		err := nodev1beta1.Convert_v1beta1_Overhead_To_node_Overhead(runtimeClass.Overhead, nodeOverhead, nil)
-		if err != nil {
+		if err := nodev1beta1.Convert_v1beta1_Overhead_To_node_Overhead(runtimeClass.Overhead, nodeOverhead, nil); err != nil {
 			return err
 		}
 		if !apiequality.Semantic.DeepEqual(nodeOverhead.PodFixed, pod.Spec.Overhead) {
diff --git a/plugin/pkg/admission/runtimeclass/admission_test.go b/plugin/pkg/admission/runtimeclass/admission_test.go
