diff options
author | Scott Dodson <sdodson@redhat.com> | 2017-03-06 13:21:25 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-06 13:21:25 -0500 |
commit | 839f19377361bbf562f59e833baf2c0799921402 (patch) | |
tree | 8cdf5136ef8c6ac3fc00a8cf3016bab4c35611a7 /roles/lib_openshift/library | |
parent | 816df41015439e266f38ad25fb2def223e412b3e (diff) | |
parent | 66cc0be1dc9ba371ff8d5b537ea6a6798fe11cae (diff) | |
download | openshift-839f19377361bbf562f59e833baf2c0799921402.tar.gz openshift-839f19377361bbf562f59e833baf2c0799921402.tar.bz2 openshift-839f19377361bbf562f59e833baf2c0799921402.tar.xz openshift-839f19377361bbf562f59e833baf2c0799921402.zip |
Merge pull request #3535 from enj/enj/f/reserve_ns_module
Add pre-upgrade check for reserved namespaces
Diffstat (limited to 'roles/lib_openshift/library')
-rw-r--r-- | roles/lib_openshift/library/oc_objectvalidator.py (renamed from roles/lib_openshift/library/oc_sdnvalidator.py) | 71 |
1 files changed, 45 insertions, 26 deletions
diff --git a/roles/lib_openshift/library/oc_sdnvalidator.py b/roles/lib_openshift/library/oc_objectvalidator.py index bc7487b95..f6802a9b3 100644 --- a/roles/lib_openshift/library/oc_sdnvalidator.py +++ b/roles/lib_openshift/library/oc_objectvalidator.py @@ -50,14 +50,14 @@ from ansible.module_utils.basic import AnsibleModule # -*- -*- -*- End included fragment: lib/import.py -*- -*- -*- -# -*- -*- -*- Begin included fragment: doc/sdnvalidator -*- -*- -*- +# -*- -*- -*- Begin included fragment: doc/objectvalidator -*- -*- -*- DOCUMENTATION = ''' --- -module: oc_sdnvalidator -short_description: Validate SDN objects +module: oc_objectvalidator +short_description: Validate OpenShift objects description: - - Validate SDN objects + - Validate OpenShift objects options: kubeconfig: description: @@ -71,13 +71,13 @@ extends_documentation_fragment: [] ''' EXAMPLES = ''' -oc_version: -- name: get oc sdnvalidator - sdnvalidator: - register: oc_sdnvalidator +oc_objectvalidator: +- name: run oc_objectvalidator + oc_objectvalidator: + register: oc_objectvalidator ''' -# -*- -*- -*- End included fragment: doc/sdnvalidator -*- -*- -*- +# -*- -*- -*- End included fragment: doc/objectvalidator -*- -*- -*- # -*- -*- -*- Begin included fragment: ../../lib_utils/src/class/yedit.py -*- -*- -*- # pylint: disable=undefined-variable,missing-docstring @@ -1307,25 +1307,25 @@ class OpenShiftCLIConfig(object): # -*- -*- -*- End included fragment: lib/base.py -*- -*- -*- -# -*- -*- -*- Begin included fragment: class/oc_sdnvalidator.py -*- -*- -*- +# -*- -*- -*- Begin included fragment: class/oc_objectvalidator.py -*- -*- -*- # pylint: disable=too-many-instance-attributes -class OCSDNValidator(OpenShiftCLI): +class OCObjectValidator(OpenShiftCLI): ''' Class to wrap the oc command line tools ''' def __init__(self, kubeconfig): - ''' Constructor for OCSDNValidator ''' - # namespace has no meaning for SDN validation, hardcode to 'default' - super(OCSDNValidator, self).__init__('default', kubeconfig) + ''' Constructor for OCObjectValidator ''' + # namespace has no meaning for object validation, hardcode to 'default' + super(OCObjectValidator, self).__init__('default', kubeconfig) - def get(self, kind, invalid_filter): - ''' return SDN information ''' + def get_invalid(self, kind, invalid_filter): + ''' return invalid object information ''' rval = self._get(kind) if rval['returncode'] != 0: return False, rval, [] - return True, rval, filter(invalid_filter, rval['results'][0]['items']) + return True, rval, list(filter(invalid_filter, rval['results'][0]['items'])) # wrap filter with list for py3 # pylint: disable=too-many-return-statements @staticmethod @@ -1335,10 +1335,24 @@ class OCSDNValidator(OpenShiftCLI): params comes from the ansible portion of this module ''' - sdnvalidator = OCSDNValidator(params['kubeconfig']) + objectvalidator = OCObjectValidator(params['kubeconfig']) all_invalid = {} failed = False + def _is_invalid_namespace(namespace): + # check if it uses a reserved name + name = namespace['metadata']['name'] + if not any((name == 'kube', + name == 'openshift', + name.startswith('kube-'), + name.startswith('openshift-'),)): + return False + + # determine if the namespace was created by a user + if 'annotations' not in namespace['metadata']: + return False + return 'openshift.io/requester' in namespace['metadata']['annotations'] + checks = ( ( 'hostsubnet', @@ -1350,10 +1364,15 @@ class OCSDNValidator(OpenShiftCLI): lambda x: x['metadata']['name'] != x['netname'], u'netnamespaces where metadata.name != netname', ), + ( + 'namespace', + _is_invalid_namespace, + u'namespaces that use reserved names and were not created by infrastructure components', + ), ) for resource, invalid_filter, invalid_msg in checks: - success, rval, invalid = sdnvalidator.get(resource, invalid_filter) + success, rval, invalid = objectvalidator.get_invalid(resource, invalid_filter) if not success: return {'failed': True, 'msg': 'Failed to GET {}.'.format(resource), 'state': 'list', 'results': rval} if invalid: @@ -1361,17 +1380,17 @@ class OCSDNValidator(OpenShiftCLI): all_invalid[invalid_msg] = invalid if failed: - return {'failed': True, 'msg': 'All SDN objects are not valid.', 'state': 'list', 'results': all_invalid} + return {'failed': True, 'msg': 'All objects are not valid.', 'state': 'list', 'results': all_invalid} - return {'msg': 'All SDN objects are valid.'} + return {'msg': 'All objects are valid.'} -# -*- -*- -*- End included fragment: class/oc_sdnvalidator.py -*- -*- -*- +# -*- -*- -*- End included fragment: class/oc_objectvalidator.py -*- -*- -*- -# -*- -*- -*- Begin included fragment: ansible/oc_sdnvalidator.py -*- -*- -*- +# -*- -*- -*- Begin included fragment: ansible/oc_objectvalidator.py -*- -*- -*- def main(): ''' - ansible oc module for validating OpenShift SDN objects + ansible oc module for validating OpenShift objects ''' module = AnsibleModule( @@ -1382,7 +1401,7 @@ def main(): ) - rval = OCSDNValidator.run_ansible(module.params) + rval = OCObjectValidator.run_ansible(module.params) if 'failed' in rval: module.fail_json(**rval) @@ -1391,4 +1410,4 @@ def main(): if __name__ == '__main__': main() -# -*- -*- -*- End included fragment: ansible/oc_sdnvalidator.py -*- -*- -*- +# -*- -*- -*- End included fragment: ansible/oc_objectvalidator.py -*- -*- -*- |