Bug 1318912 - [online_private_504] PodNodeConstraints is not enabled on online
Summary: [online_private_504] PodNodeConstraints is not enabled on online
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Pod
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Abhishek Gupta
QA Contact: DeShuai Ma
URL:
Whiteboard:
Depends On:
Blocks: OSOPS_V3
Reported: 2016-03-18 06:16 UTC by DeShuai Ma
Modified: 2016-09-02 06:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-23 15:10:26 UTC
Target Upstream Version:
Embargoed:



Description DeShuai Ma 2016-03-18 06:16:11 UTC
Description of problem:
For the online env, users should not be able to target a specific node for pod scheduling; "PodNodeConstraints" should be enabled.
private user story link: https://trello.com/c/cGz8l1zD/504-3-user-should-not-be-able-to-target-a-specific-node-for-pod-scheduling

Version-Release number of selected component (if applicable):
dev-preview-int

How reproducible:
Always

Steps to Reproduce:
1. Create a pod with nodeName or nodeSelector
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-openshift
  labels:
    name: hello-openshift
spec:
  nodeSelector:
    foo: foo
    dma: dma
  containers:
  - name: hello-openshift
    image: openshift/hello-openshift
    imagePullPolicy: Always
    ports:
    - containerPort: 8080
$ oc create -f pod.yaml

Actual results:
1. The pod is created successfully

Expected results:
1. Should fail and notify the user that they are not able to target a specific nodeName

Additional info:
1. Example config:
kubernetesMasterConfig:
  admissionConfig:
    pluginConfig:
      PodNodeConstraints:
        configuration:
          apiVersion: v1
          kind: PodNodeConstraintsConfig
          nodeSelectorLabelBlacklist:
            - kubernetes.io/hostname
            - foo

Comment 2 John W. Lamb 2016-03-18 17:44:31 UTC
(In reply to DeShuai Ma from comment #0)
> Additional info:
> 1.example config:
> kubernetesMasterConfig:
>   admissionConfig:
>     pluginConfig:
>       PodNodeConstraints:
>         configuration:
>           apiVersion: v1
>           kind: PodNodeConstraintsConfig
>           nodeSelectorLabelBlacklist:
>             - kubernetes.io/hostname
>             - foo

Did you set the admissionConfig section for the origin config as well? From https://github.com/openshift/origin/blob/master/pkg/scheduler/admission/podnodeconstraints/doc.go :

admissionConfig:
  pluginConfig:
    PodNodeConstraints:
      configuration:
        apiVersion: v1
        kind: PodNodeConstraintsConfig
        nodeSelectorLabelBlacklist:
          - label1
          - label2
...
kubernetesMasterConfig:
  admissionConfig:
    pluginConfig:
      PodNodeConstraints:
        configuration:
          apiVersion: v1
          kind: PodNodeConstraintsConfig
          nodeSelectorLabelBlacklist:
            - label1
            - label2

I'll try to reproduce this in my VM

Comment 6 Abhishek Gupta 2016-03-29 00:33:15 UTC
This feature has been picked up in the latest INT rebuild and the configuration has been applied as well.

Comment 7 DeShuai Ma 2016-03-29 08:27:52 UTC
Tested on the latest dev-preview-int env. Verifying this bug.
[root@dhcp-128-7 tmp]# oc create -f pod.yaml 
Error from server: error when creating "pod.yaml": pods "hello-openshift" is forbidden: node selection by nodeName is prohibited by policy for your role
[root@dhcp-128-7 tmp]# vim pod.yaml 
[root@dhcp-128-7 tmp]# vim dc.yaml
[root@dhcp-128-7 tmp]# oc create -f dc.yaml 
Error from server: error when creating "dc.yaml": deploymentconfigs "hello-openshift" is forbidden: node selection by nodeName is prohibited by policy for your role

Comment 8 DeShuai Ma 2016-04-06 08:03:42 UTC
In the latest online env, the user can't use nodeName in a pod, but can still use nodeName in a DeploymentConfig. Need to restrict it too. Reopening this bug.

Steps to Reproduce:
1. Create a dc with nodeName
$ cat dc.yaml
apiVersion: v1
kind: DeploymentConfig
metadata:
  labels:
    run: hello-openshift
  name: hello-openshift
spec:
  replicas: 1
  selector:
    run: hello-openshift
  strategy:
    type: Recreate
  template:
    metadata:
      creationTimestamp: null
      labels:
        run: hello-openshift
    spec:
      nodeName: ip-172-18-11-147.ec2.internal
      containers:
      - image: openshift/hello-openshift
        imagePullPolicy: Always
        name: hello-openshift
        ports:
        - containerPort: 8080
          protocol: TCP
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        terminationMessagePath: /dev/termination-log
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
$ oc create -f dc.yaml

Actual results:
[root@dhcp-128-7 dma]# oc create -f dc.yaml 
deploymentconfig "hello-openshift" created

Expected results:
[root@dhcp-128-7 tmp]# oc create -f dc.yaml
Error from server: error when creating "dc.yaml": deploymentconfigs "hello-openshift" is forbidden: node selection by nodeName is prohibited by policy for your role

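The admission decision this thread is chasing, as an added example and not OpenShift's own code: a Python emulation of the PodNodeConstraints check run over the Pod from the description (nodeSelector with a blacklisted key) and the DeploymentConfig from comment 8 (nodeName in the pod template), together with a check that a master config carries the plugin in both admission sections, the point comment 2 raises. The manifests and the master config are constructed inline as already-parsed dicts (what a YAML loader would return); the exemption for roles allowed to place pods on nodes, and the assumption that the top-level admissionConfig governs origin resources such as DeploymentConfig while kubernetesMasterConfig.admissionConfig governs Pods, are assumptions of this example.

```python
# Added example (not OpenShift's own code): emulate the PodNodeConstraints
# admission decision and check a master config for the plugin.
# All inputs are constructed inline as already-parsed dicts.

HOSTNAME_LABEL = "kubernetes.io/hostname"

# Constructed: master config with the plugin only under kubernetesMasterConfig,
# the shape the original report showed.
MASTER_CONFIG_KUBE_ONLY = {
    "kubernetesMasterConfig": {
        "admissionConfig": {"pluginConfig": {"PodNodeConstraints": {"configuration": {
            "apiVersion": "v1",
            "kind": "PodNodeConstraintsConfig",
            "nodeSelectorLabelBlacklist": [HOSTNAME_LABEL, "foo"],
        }}}}
    }
}

# Constructed: the pod from the description (nodeSelector with a blacklisted key).
POD_SELECTOR = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hello-openshift"},
    "spec": {"nodeSelector": {"foo": "foo", "dma": "dma"},
             "containers": [{"name": "hello-openshift", "image": "openshift/hello-openshift"}]},
}

# Constructed: the DeploymentConfig from comment 8 (nodeName in the pod template).
DC_NODENAME = {
    "apiVersion": "v1", "kind": "DeploymentConfig",
    "metadata": {"name": "hello-openshift"},
    "spec": {"replicas": 1, "template": {"spec": {
        "nodeName": "ip-172-18-11-147.ec2.internal",
        "containers": [{"name": "hello-openshift", "image": "openshift/hello-openshift"}]}}},
}

# Constructed: a pod whose selector uses only non-blacklisted labels.
POD_CLEAN = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hello-openshift"},
    "spec": {"nodeSelector": {"region": "east"},
             "containers": [{"name": "hello-openshift", "image": "openshift/hello-openshift"}]},
}


def plugin_blacklist(section):
    """Blacklist configured under one admissionConfig section, or None if the
    plugin is not configured there."""
    try:
        cfg = section["admissionConfig"]["pluginConfig"]["PodNodeConstraints"]["configuration"]
    except (KeyError, TypeError):
        return None
    if cfg.get("kind") != "PodNodeConstraintsConfig":
        return None
    return set(cfg.get("nodeSelectorLabelBlacklist") or [])


def check_master_config(master):
    """Which of the two admission sections carry the plugin. Assumption: the
    top-level section governs origin resources (DeploymentConfig), the
    kubernetesMasterConfig section governs kube resources (Pod)."""
    return {
        "origin": plugin_blacklist(master),
        "kubernetes": plugin_blacklist(master.get("kubernetesMasterConfig") or {}),
    }


def pod_spec_of(manifest):
    """Pod spec to inspect: the spec itself for a Pod, the template spec for a DC."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec") or {}
    if kind == "DeploymentConfig":
        return ((manifest.get("spec") or {}).get("template") or {}).get("spec") or {}
    return None


def admit(manifest, blacklist, may_bind_pods=False):
    """Return (allowed, reason). may_bind_pods models the exemption for roles that
    are allowed to place pods on nodes (an assumption about the real plugin)."""
    spec = pod_spec_of(manifest)
    if spec is None or may_bind_pods:
        return True, "not subject to PodNodeConstraints"
    if spec.get("nodeName"):
        return False, "node selection by nodeName is prohibited by policy for your role"
    hit = sorted(set(spec.get("nodeSelector") or {}) & blacklist)
    if hit:
        return False, "node selection by label(s) %s is prohibited by policy for your role" % ", ".join(hit)
    return True, "admitted"


if __name__ == "__main__":
    sections = check_master_config(MASTER_CONFIG_KUBE_ONLY)
    for name, bl in sections.items():
        print("%-10s %s" % (name, "missing plugin" if bl is None else "blacklist %s" % sorted(bl)))
    blacklist = sections["kubernetes"] or set()
    for m in (POD_SELECTOR, DC_NODENAME, POD_CLEAN):
        print(m["kind"], admit(m, blacklist))
```

Run as-is, the config check reports the origin section as missing the plugin while the kubernetes section carries the blacklist, which is the configuration gap that lets a DeploymentConfig through while a bare Pod is rejected; both manifests that target a node are refused once the blacklist is applied to the right spec, and the pod with an ordinary selector is admitted.
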
Comment 9 Abhishek Gupta 2016-04-06 21:42:36 UTC
This was mis-configured in the last INT rebuild and hence the regression. This has now been fixed.

Comment 10 DeShuai Ma 2016-04-07 02:55:21 UTC
Verify this bug.
[root@dhcp-128-7 dma]# oc create -f dc.yaml 
Error from server: error when creating "dc.yaml": deploymentconfigs "hello-openshift" is forbidden: node selection by nodeName is prohibited by policy for your role

