From f90d4a1787dd5b907c7fccacdaffbecb82322c0d Mon Sep 17 00:00:00 2001
From: acejilam
Date: Wed, 21 Feb 2024 21:58:54 +0800
Subject: [PATCH] koord-manager: forbid use internal statements
Signed-off-by: acejilam
---
 .../pod/validating/cluster_colocation_profile.go | 11 +++++++++++
 .../validating/cluster_colocation_profile_test.go | 13 +++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/pkg/webhook/pod/validating/cluster_colocation_profile.go b/pkg/webhook/pod/validating/cluster_colocation_profile.go
index 53b6d0a09..929fab223 100644
--- a/pkg/webhook/pod/validating/cluster_colocation_profile.go
+++ b/pkg/webhook/pod/validating/cluster_colocation_profile.go
@@ -55,6 +55,7 @@ func (h *PodValidatingHandler) clusterColocationProfileValidatingPod(ctx context
 }
 allErrs = append(allErrs, validateRequiredQoSClass(newPod)...)
+ allErrs = append(allErrs, forbidReservationAnnotations(newPod)...)
 allErrs = append(allErrs, forbidSpecialQoSClassAndPriorityClass(newPod, extension.QoSBE, extension.PriorityNone, extension.PriorityProd)...)
 allErrs = append(allErrs, forbidSpecialQoSClassAndPriorityClass(newPod, extension.QoSLSR, extension.PriorityNone, extension.PriorityMid, extension.PriorityBatch, extension.PriorityFree)...)
 allErrs = append(allErrs, validateResources(newPod)...)
@@ -68,6 +69,16 @@ func (h *PodValidatingHandler) clusterColocationProfileValidatingPod(ctx context
 return allowed, reason, nil
 }
+func forbidReservationAnnotations(pod *corev1.Pod) field.ErrorList {
+ if pod.Annotations == nil {
+ return nil
+ }
+ if _, ok := pod.Annotations[extension.AnnotationReservationAllocated]; ok {
+ return field.ErrorList{field.Required(field.NewPath("annotations", extension.AnnotationReservationAllocated), "cannot specify reservation allocated in annotations")}
+ }
+ return nil
+}
+
 func validateRequiredQoSClass(pod *corev1.Pod) field.ErrorList {
 request := util.GetPodRequest(pod)
 batchCPUQuantity := request[extension.BatchCPU]
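Review bot: The new `forbidReservationAnnotations(newPod)` call in the first hunk of cluster_colocation_profile.go covers only the admission operations that reach this line, and that handling sits above the hunk, so the set of writes it guards cannot be confirmed from here. If only Create reaches it, the annotation could presumably still be added by a later update. If Update reaches it as well, whichever component legitimately writes `extension.AnnotationReservationAllocated` would be rejected unless it is exempted elsewhere. A one-line comment above the call such as `// reservation-allocated is an internal annotation; reject it when it is present on the pod being validated`, plus a test case using `admissionv1.Update`, would pin the intended behaviour.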
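Review bot: `forbidReservationAnnotations` in the second hunk reports a forbidden key with `field.Required`, so the rejection reads "Required value: cannot specify ...", which tells the pod author the opposite of what is wrong. `field.Forbidden` matches the intent, and `.Key(...)` keeps the dotted annotation name from reading as nested fields: `return field.ErrorList{field.Forbidden(field.NewPath("pod", "metadata", "annotations").Key(extension.AnnotationReservationAllocated), "cannot specify reservation allocated in annotations")}`. The `pod` prefix follows the `pod.spec.containers[*]...` path visible in the neighbouring test expectation. The `pod.Annotations == nil` guard can be dropped because a lookup on a nil map is safe in Go. The `wantReason` of the new test case would have to change with the message.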
diff --git a/pkg/webhook/pod/validating/cluster_colocation_profile_test.go b/pkg/webhook/pod/validating/cluster_colocation_profile_test.go
index 843dbdf6f..b526a630a 100644
--- a/pkg/webhook/pod/validating/cluster_colocation_profile_test.go
+++ b/pkg/webhook/pod/validating/cluster_colocation_profile_test.go
@@ -443,6 +443,19 @@ func TestClusterColocationProfileValidatingPod(t *testing.T) {
 wantAllowed: false,
 wantReason: `pod.spec.containers[*].resources.requests: Invalid value: "100m": the requested CPUs of LSR Pod must be integer`,
 },
+ {
+ name: "forbidden resources annotations",
+ operation: admissionv1.Create,
+ newPod: &corev1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Annotations: map[string]string{
+ extension.AnnotationReservationAllocated: "",
+ },
+ },
+ },
+ wantAllowed: false,
+ wantReason: `annotations.scheduling.koordinator.sh/reservation-allocated: Required value: cannot specify reservation allocated in annotations`,
+ },
 }
 for _, tt := range tests {
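Review bot: The added table entry is named "forbidden resources annotations" although it exercises the reservation-allocated annotation; `name: "forbidden reservation-allocated annotation"` would say what is being tested. It pins only the empty-string value, so a non-empty value and a pod carrying only unrelated annotations (expected to stay allowed) are not covered by this hunk. The rest of the table lies outside the hunk, so whether another entry already covers the allowed-annotations path cannot be confirmed from here.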