Add glide.yaml and vendor deps

2016-12-03 22:43:32 -08:00 · 2016-12-03 22:43:32 -08:00 · 5b3d5e81bd
commit 5b3d5e81bd
parent db918f12ad
18880 changed files with 5166045 additions and 1 deletions
--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/antiaffinity/BUILD
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/antiaffinity/BUILD
@ -0,0 +1,41 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "admission.go",
+        "doc.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/admission:go_default_library",
+        "//pkg/api:go_default_library",
+        "//pkg/api/errors:go_default_library",
+        "//pkg/apis/meta/v1:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset:go_default_library",
+        "//vendor:github.com/golang/glog",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["admission_test.go"],
+    library = "go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/admission:go_default_library",
+        "//pkg/api:go_default_library",
+        "//pkg/apis/meta/v1:go_default_library",
+        "//pkg/runtime:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/antiaffinity/admission.go
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/antiaffinity/admission.go
@ -0,0 +1,83 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package antiaffinity
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/golang/glog"
+	"k8s.io/kubernetes/pkg/admission"
+	"k8s.io/kubernetes/pkg/api"
+	apierrors "k8s.io/kubernetes/pkg/api/errors"
+	metav1 "k8s.io/kubernetes/pkg/apis/meta/v1"
+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+)
+
+func init() {
+	admission.RegisterPlugin("LimitPodHardAntiAffinityTopology", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
+		return NewInterPodAntiAffinity(client), nil
+	})
+}
+
+// plugin contains the client used by the admission controller
+type plugin struct {
+	*admission.Handler
+	client clientset.Interface
+}
+
+// NewInterPodAntiAffinity creates a new instance of the LimitPodHardAntiAffinityTopology admission controller
+func NewInterPodAntiAffinity(client clientset.Interface) admission.Interface {
+	return &plugin{
+		Handler: admission.NewHandler(admission.Create, admission.Update),
+		client:  client,
+	}
+}
+
+// Admit will deny any pod that defines AntiAffinity topology key other than metav1.LabelHostname i.e. "kubernetes.io/hostname"
+// in  requiredDuringSchedulingRequiredDuringExecution and requiredDuringSchedulingIgnoredDuringExecution.
+func (p *plugin) Admit(attributes admission.Attributes) (err error) {
+	// Ignore all calls to subresources or resources other than pods.
+	if len(attributes.GetSubresource()) != 0 || attributes.GetResource().GroupResource() != api.Resource("pods") {
+		return nil
+	}
+	pod, ok := attributes.GetObject().(*api.Pod)
+	if !ok {
+		return apierrors.NewBadRequest("Resource was marked with kind Pod but was unable to be converted")
+	}
+	affinity, err := api.GetAffinityFromPodAnnotations(pod.Annotations)
+	if err != nil {
+		glog.V(5).Infof("Invalid Affinity detected, but we will leave handling of this to validation phase")
+		return nil
+	}
+	if affinity != nil && affinity.PodAntiAffinity != nil {
+		var podAntiAffinityTerms []api.PodAffinityTerm
+		if len(affinity.PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution) != 0 {
+			podAntiAffinityTerms = affinity.PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution
+		}
+		// TODO: Uncomment this block when implement RequiredDuringSchedulingRequiredDuringExecution.
+		//if len(affinity.PodAntiAffinity.RequiredDuringSchedulingRequiredDuringExecution) != 0 {
+		//        podAntiAffinityTerms = append(podAntiAffinityTerms, affinity.PodAntiAffinity.RequiredDuringSchedulingRequiredDuringExecution...)
+		//}
+		for _, v := range podAntiAffinityTerms {
+			if v.TopologyKey != metav1.LabelHostname {
+				return apierrors.NewForbidden(attributes.GetResource().GroupResource(), pod.Name, fmt.Errorf("affinity.PodAntiAffinity.RequiredDuringScheduling has TopologyKey %v but only key %v is allowed", v.TopologyKey, metav1.LabelHostname))
+			}
+		}
+	}
+	return nil
+}
--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/antiaffinity/admission_test.go
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/antiaffinity/admission_test.go
@ -0,0 +1,299 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package antiaffinity
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/admission"
+	"k8s.io/kubernetes/pkg/api"
+	metav1 "k8s.io/kubernetes/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+// ensures the hard PodAntiAffinity is denied if it defines TopologyKey other than kubernetes.io/hostname.
+func TestInterPodAffinityAdmission(t *testing.T) {
+	handler := NewInterPodAntiAffinity(nil)
+	pod := api.Pod{
+		Spec: api.PodSpec{},
+	}
+	tests := []struct {
+		affinity      map[string]string
+		errorExpected bool
+	}{
+		// empty affinity its success.
+		{
+			affinity:      map[string]string{},
+			errorExpected: false,
+		},
+		// what ever topologyKey in preferredDuringSchedulingIgnoredDuringExecution, the admission should success.
+		{
+			affinity: map[string]string{
+				api.AffinityAnnotationKey: `
+					{"podAntiAffinity": {
+						"preferredDuringSchedulingIgnoredDuringExecution": [{
+							"weight": 5,
+							"podAffinityTerm": {
+								"labelSelector": {
+									"matchExpressions": [{
+										"key": "security",
+										"operator": "In",
+										"values":["S2"]
+										}]
+									},
+								"namespaces": [],
+								"topologyKey": "az"
+							}
+						}]
+					}}`,
+			},
+			errorExpected: false,
+		},
+		// valid topologyKey in requiredDuringSchedulingIgnoredDuringExecution,
+		// plus any topologyKey in preferredDuringSchedulingIgnoredDuringExecution, then admission success.
+		{
+			affinity: map[string]string{
+				api.AffinityAnnotationKey: `
+					{"podAntiAffinity": {
+						"preferredDuringSchedulingIgnoredDuringExecution": [{
+							"weight": 5,
+							"podAffinityTerm": {
+								"labelSelector": {
+									"matchExpressions": [{
+										"key": "security",
+										"operator": "In",
+										"values":["S2"]
+									}]
+								},
+								"namespaces": [],
+								"topologyKey": "az"
+							}
+						}],
+						"requiredDuringSchedulingIgnoredDuringExecution": [{
+							"labelSelector": {
+								"matchExpressions": [{
+									"key": "security",
+									"operator": "In",
+									"values":["S2"]
+								}]
+							},
+							"namespaces": [],
+							"topologyKey": "` + metav1.LabelHostname + `"
+						}]
+					}}`,
+			},
+			errorExpected: false,
+		},
+		// valid topologyKey in requiredDuringSchedulingIgnoredDuringExecution then admission success.
+		{
+			affinity: map[string]string{
+				api.AffinityAnnotationKey: `
+					{"podAntiAffinity": {
+						"requiredDuringSchedulingIgnoredDuringExecution": [{
+							"labelSelector": {
+								"matchExpressions": [{
+									"key": "security",
+									"operator": "In",
+									"values":["S2"]
+								}]
+							},
+							"namespaces":[],
+							"topologyKey": "` + metav1.LabelHostname + `"
+						}]
+					}}`,
+			},
+			errorExpected: false,
+		},
+		// invalid topologyKey in requiredDuringSchedulingIgnoredDuringExecution then admission fails.
+		{
+			affinity: map[string]string{
+				api.AffinityAnnotationKey: `
+					{"podAntiAffinity": {
+						"requiredDuringSchedulingIgnoredDuringExecution": [{
+							"labelSelector": {
+								"matchExpressions": [{
+									"key": "security",
+									"operator": "In",
+									"values":["S2"]
+								}]
+							},
+							"namespaces":[],
+							"topologyKey": " zone "
+						}]
+					}}`,
+			},
+			errorExpected: true,
+		},
+		// invalid topologyKey in requiredDuringSchedulingRequiredDuringExecution then admission fails.
+		// TODO: Uncomment this block when implement RequiredDuringSchedulingRequiredDuringExecution.
+		// {
+		//         affinity: map[string]string{
+		//			api.AffinityAnnotationKey: `
+		//				{"podAntiAffinity": {
+		//					"requiredDuringSchedulingRequiredDuringExecution": [{
+		//						"labelSelector": {
+		//							"matchExpressions": [{
+		//								"key": "security",
+		//								"operator": "In",
+		//								"values":["S2"]
+		//							}]
+		//						},
+		//						"namespaces":[],
+		//						"topologyKey": " zone "
+		//					}]
+		//				}}`,
+		//			},
+		//			errorExpected: true,
+		//  }
+		// list of requiredDuringSchedulingIgnoredDuringExecution middle element topologyKey is not valid.
+		{
+			affinity: map[string]string{
+				api.AffinityAnnotationKey: `
+					{"podAntiAffinity": {
+						"requiredDuringSchedulingIgnoredDuringExecution": [{
+							"labelSelector": {
+								"matchExpressions": [{
+									"key": "security",
+									"operator": "In",
+									"values":["S2"]
+								}]
+							},
+							"namespaces":[],
+							"topologyKey": "` + metav1.LabelHostname + `"
+						},
+						{
+							"labelSelector": {
+								"matchExpressions": [{
+									"key": "security",
+									"operator": "In",
+									"values":["S2"]
+								}]
+							},
+							"namespaces":[],
+							"topologyKey": " zone "
+						},
+						{
+							"labelSelector": {
+								"matchExpressions": [{
+									"key": "security",
+									"operator": "In",
+									"values":["S2"]
+								}]
+							},
+							"namespaces": [],
+							"topologyKey": "` + metav1.LabelHostname + `"
+						}]
+					}}`,
+			},
+			errorExpected: true,
+		},
+		{
+			affinity: map[string]string{
+				api.AffinityAnnotationKey: `
+					{"podAntiAffinity": {
+						"thisIsAInvalidAffinity": [{}
+					}}`,
+			},
+			// however, we should not get error here
+			errorExpected: false,
+		},
+	}
+	for _, test := range tests {
+		pod.ObjectMeta.Annotations = test.affinity
+		err := handler.Admit(admission.NewAttributesRecord(&pod, nil, api.Kind("Pod").WithVersion("version"), "foo", "name", api.Resource("pods").WithVersion("version"), "", "ignored", nil))
+
+		if test.errorExpected && err == nil {
+			t.Errorf("Expected error for Anti Affinity %+v but did not get an error", test.affinity)
+		}
+
+		if !test.errorExpected && err != nil {
+			t.Errorf("Unexpected error %v for AntiAffinity %+v", err, test.affinity)
+		}
+	}
+}
+func TestHandles(t *testing.T) {
+	handler := NewInterPodAntiAffinity(nil)
+	tests := map[admission.Operation]bool{
+		admission.Update:  true,
+		admission.Create:  true,
+		admission.Delete:  false,
+		admission.Connect: false,
+	}
+	for op, expected := range tests {
+		result := handler.Handles(op)
+		if result != expected {
+			t.Errorf("Unexpected result for operation %s: %v\n", op, result)
+		}
+	}
+}
+
+// TestOtherResources ensures that this admission controller is a no-op for other resources,
+// subresources, and non-pods.
+func TestOtherResources(t *testing.T) {
+	namespace := "testnamespace"
+	name := "testname"
+	pod := &api.Pod{
+		ObjectMeta: api.ObjectMeta{Name: name, Namespace: namespace},
+	}
+	tests := []struct {
+		name        string
+		kind        string
+		resource    string
+		subresource string
+		object      runtime.Object
+		expectError bool
+	}{
+		{
+			name:     "non-pod resource",
+			kind:     "Foo",
+			resource: "foos",
+			object:   pod,
+		},
+		{
+			name:        "pod subresource",
+			kind:        "Pod",
+			resource:    "pods",
+			subresource: "eviction",
+			object:      pod,
+		},
+		{
+			name:        "non-pod object",
+			kind:        "Pod",
+			resource:    "pods",
+			object:      &api.Service{},
+			expectError: true,
+		},
+	}
+
+	for _, tc := range tests {
+		handler := &plugin{}
+
+		err := handler.Admit(admission.NewAttributesRecord(tc.object, nil, api.Kind(tc.kind).WithVersion("version"), namespace, name, api.Resource(tc.resource).WithVersion("version"), tc.subresource, admission.Create, nil))
+
+		if tc.expectError {
+			if err == nil {
+				t.Errorf("%s: unexpected nil error", tc.name)
+			}
+			continue
+		}
+
+		if err != nil {
+			t.Errorf("%s: unexpected error: %v", tc.name, err)
+			continue
+		}
+	}
+}
--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/antiaffinity/doc.go
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/antiaffinity/doc.go
@ -0,0 +1,28 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// LimitPodHardAntiAffinityTopology admission controller rejects any pod
+// that specifies "hard" (RequiredDuringScheduling) anti-affinity
+// with a TopologyKey other than metav1.LabelHostname.
+// Because anti-affinity is symmetric, without this admission controller,
+// a user could maliciously or accidentally specify that their pod (once it has scheduled)
+// should block other pods from scheduling into the same zone or some other large topology,
+// essentially DoSing the cluster.
+// In the future we will address this problem more fully by using quota and priority,
+// but for now this admission controller provides a simple protection,
+// on the assumption that the only legitimate use of hard pod anti-affinity
+// is to exclude other pods from the same node.
+package antiaffinity // import "k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"