diff --git a/pkg/scheduler/webhook.go b/pkg/scheduler/webhook.go
index 563f372a3..f11dd6f26 100644
--- a/pkg/scheduler/webhook.go
+++ b/pkg/scheduler/webhook.go
@@ -62,12 +62,13 @@ func (h *webhook) Handle(_ context.Context, req admission.Request) admission.Res
 }
 klog.Infof(template, req.Namespace, req.Name, req.UID)
 hasResource := false
+ privileged := false
 for idx, ctr := range pod.Spec.Containers {
 c := &pod.Spec.Containers[idx]
 if ctr.SecurityContext != nil {
 if ctr.SecurityContext.Privileged != nil && *ctr.SecurityContext.Privileged {
 klog.Warningf(template+" - Denying admission as container %s is privileged", req.Namespace, req.Name, req.UID, c.Name)
- continue
+ privileged = true
 }
 }
 for _, val := range device.GetDevices() {
@@ -79,11 +80,13 @@ func (h *webhook) Handle(_ context.Context, req admission.Request) admission.Res
 hasResource = hasResource || found
 }
 }
-
- if !hasResource {
+ switch {
+ case !hasResource:
 klog.Infof(template+" - Allowing admission for pod: no resource found", req.Namespace, req.Name, req.UID)
- //return admission.Allowed("no resource found")
- } else if len(config.SchedulerName) > 0 {
+ case privileged:
+ klog.Infof(template+" - Denying admission for pod: privileged container found", req.Namespace, req.Name, req.UID)
+ return admission.Denied("privileged container found")
+ case len(config.SchedulerName) > 0:
 pod.Spec.SchedulerName = config.SchedulerName
 if pod.Spec.NodeName != "" {
 klog.Infof(template+" - Pod already has node assigned", req.Namespace, req.Name, req.UID)
diff --git a/pkg/scheduler/webhook_test.go b/pkg/scheduler/webhook_test.go
index b53ecf17b..a0714874b 100644
--- a/pkg/scheduler/webhook_test.go
+++ b/pkg/scheduler/webhook_test.go
@@ -26,6 +26,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/serializer"
+ "k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 "github.com/Project-HAMi/HAMi/pkg/device"
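Review bot: The Warningf at the privileged check still says "Denying admission as container %s is privileged", but with `continue` replaced by `privileged = true` the decision is now deferred to the switch further down, and a pod whose containers request no HAMi resource is allowed even though this line was logged; rewording it to `klog.Warningf(template+" - container %s is privileged", req.Namespace, req.Name, req.UID, c.Name)` keeps the audit log truthful. The scan also covers only pod.Spec.Containers; if init or ephemeral containers can carry the same resource limits, a privileged one there would never set the flag — worth confirming against what the later GetDevices loop inspects. Handle starts and ends outside this hunk.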
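Review bot: The order of the new switch cases is load-bearing but undocumented: because `case !hasResource:` precedes `case privileged:`, a privileged pod that requests no HAMi resource is logged as allowed and continues past the switch, and only privileged pods that do request a resource are denied. A one-line comment above `switch {`, e.g. `// Case order matters: pods without a HAMi resource are out of scope and pass even when privileged; the deny applies only to pods this webhook schedules.`, would stop a future reorder from silently widening or narrowing the deny. The log line and the Denied call also repeat the same reason string; a `const privilegedDenyReason = "privileged container found"` used by both would keep them in sync. The rest of Handle lies outside the hunk.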
@@ -160,3 +161,71 @@ func TestPodHasNodeName(t *testing.T) {
 }
 }
+
+func TestPodHasPrivilegedContainer(t *testing.T) {
+ config.SchedulerName = "hami-scheduler"
+ device.InitDevicesWithConfig(&device.Config{
+ NvidiaConfig: nvidia.NvidiaConfig{
+ ResourceCountName: "hami.io/gpu",
+ ResourceMemoryName: "hami.io/gpumem",
+ ResourceMemoryPercentageName: "hami.io/gpumem-percentage",
+ ResourceCoreName: "hami.io/gpucores",
+ },
+ })
+ // create a Pod object
+ pod := &corev1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-pod",
+ Namespace: "default",
+ },
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {
+ Name: "container1",
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ },
+ Resources: corev1.ResourceRequirements{
+ Limits: corev1.ResourceList{
+ "hami.io/gpu": resource.MustParse("1"),
+ },
+ },
+ },
+ },
+ },
+ }
+
+ // encode the Pod object
+ scheme := runtime.NewScheme()
+ corev1.AddToScheme(scheme)
+ codec := serializer.NewCodecFactory(scheme).LegacyCodec(corev1.SchemeGroupVersion)
+ podBytes, err := runtime.Encode(codec, pod)
+ if err != nil {
+ t.Fatalf("Error encoding pod: %v", err)
+ }
+
+ // create an AdmissionRequest object
+ req := admission.Request{
+ AdmissionRequest: admissionv1.AdmissionRequest{
+ UID: "test-uid",
+ Namespace: "default",
+ Name: "test-pod",
+ Object: runtime.RawExtension{
+ Raw: podBytes,
+ },
+ },
+ }
+
+ // create a WebHook object
+ wh, err := NewWebHook()
+ if err != nil {
+ t.Fatalf("Error creating WebHook: %v", err)
+ }
+
+ // call the Handle method
+ resp := wh.Handle(context.Background(), req)
+ if resp.Allowed {
+ t.Errorf("Expected denied response, but got: %v", resp)
+ }
+
+}
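Review bot: The final assertion `if resp.Allowed` accepts any non-allowed response, so the test would also pass if Handle rejected the request for an unrelated reason such as a decode failure; checking the reason as well, e.g. `if resp.Allowed || resp.Result == nil || resp.Result.Message != "privileged container found" {`, pins the denial to the privileged-container path (this assumes admission.Denied copies its reason into Result.Message, as it does in the controller-runtime versions I know). `corev1.AddToScheme(scheme)` returns an error that is silently dropped; `if err := corev1.AddToScheme(scheme); err != nil { t.Fatal(err) }` is the usual form. The test also overwrites the package-level `config.SchedulerName` and the device configuration without restoring them, so it can change the outcome of tests that run after it; a `t.Cleanup` restoring the previous values would isolate it.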