Description of problem:
For online env, user should not be able to target a specific node for pod scheduling. Should enable "PodNodeConstraints".
Private user story link: https://trello.com/c/cGz8l1zD/504-3-user-should-not-be-able-to-target-a-specific-node-for-pod-scheduling

Version-Release number of selected component (if applicable):
dev-preview-int

How reproducible:
Always

Steps to Reproduce:
1. Create a pod with nodeName or nodeSelector
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-openshift
  labels:
    name: hello-openshift
spec:
  nodeSelector:
    foo: foo
    dma: dma
  containers:
  - name: hello-openshift
    image: openshift/hello-openshift
    imagePullPolicy: Always
    ports:
    - containerPort: 8080
$ oc create -f pod.yaml

Actual results:
1. Pod is created successfully

Expected results:
2. Should fail and notify the user that they should not be able to target a specific nodeName

Additional info:
1. Example config:
kubernetesMasterConfig:
  admissionConfig:
    pluginConfig:
      PodNodeConstraints:
        configuration:
          apiVersion: v1
          kind: PodNodeConstraintsConfig
          nodeSelectorLabelBlacklist:
          - kubernetes.io/hostname
          - foo
(In reply to DeShuai Ma from comment #0)
> Additional info:
> 1. Example config:
> kubernetesMasterConfig:
>   admissionConfig:
>     pluginConfig:
>       PodNodeConstraints:
>         configuration:
>           apiVersion: v1
>           kind: PodNodeConstraintsConfig
>           nodeSelectorLabelBlacklist:
>           - kubernetes.io/hostname
>           - foo

Did you set the admissionConfig section for the origin config as well?

From https://github.com/openshift/origin/blob/master/pkg/scheduler/admission/podnodeconstraints/doc.go :

admissionConfig:
  pluginConfig:
    PodNodeConstraints:
      configuration:
        apiVersion: v1
        kind: PodNodeConstraintsConfig
        nodeSelectorLabelBlacklist:
        - label1
        - label2
...
kubernetesMasterConfig:
  admissionConfig:
    pluginConfig:
      PodNodeConstraints:
        configuration:
          apiVersion: v1
          kind: PodNodeConstraintsConfig
          nodeSelectorLabelBlacklist:
          - label1
          - label2

I'll try to reproduce this in my VM.
This feature has been picked up in the latest INT rebuild and the configuration has been applied as well.
Tested on the latest dev-preview-int env. Verifying this bug.

[root@dhcp-128-7 tmp]# oc create -f pod.yaml
Error from server: error when creating "pod.yaml": pods "hello-openshift" is forbidden: node selection by nodeName is prohibited by policy for your role
[root@dhcp-128-7 tmp]# vim pod.yaml
[root@dhcp-128-7 tmp]# vim dc.yaml
[root@dhcp-128-7 tmp]# oc create -f dc.yaml
Error from server: error when creating "dc.yaml": deploymentconfigs "hello-openshift" is forbidden: node selection by nodeName is prohibited by policy for your role
In the latest online env, users can't use nodeName in a pod, but they can still use nodeName in a DeploymentConfig. Need to restrict it too. Reopening this bug.

Steps to Reproduce:
1. Create a dc with nodeName
$ cat dc.yaml
apiVersion: v1
kind: DeploymentConfig
metadata:
  labels:
    run: hello-openshift
  name: hello-openshift
spec:
  replicas: 1
  selector:
    run: hello-openshift
  strategy:
    type: Recreate
  template:
    metadata:
      creationTimestamp: null
      labels:
        run: hello-openshift
    spec:
      nodeName: ip-172-18-11-147.ec2.internal
      containers:
      - image: openshift/hello-openshift
        imagePullPolicy: Always
        name: hello-openshift
        ports:
        - containerPort: 8080
          protocol: tcp
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        terminationMessagePath: /dev/termination-log
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
$ oc create -f dc.yaml

Actual results:
1. [root@dhcp-128-7 dma]# oc create -f dc.yaml
deploymentconfig "hello-openshift" created

Expected results:
[root@dhcp-128-7 tmp]# oc create -f dc.yaml
Error from server: error when creating "dc.yaml": deploymentconfigs "hello-openshift" is forbidden: node selection by nodeName is prohibited by policy for your role
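As an added example (not OpenShift's admission-plugin code), here is a pre-flight check that mirrors what PodNodeConstraints enforces for both a bare Pod (comment #0) and the pod template inside a DeploymentConfig (the case reopened above), so a manifest can be linted before `oc create`. It assumes manifests are already parsed into dicts (constructed inline, no YAML library needed) and ignores the role exemption the real plugin applies.

```python
# Blacklist taken from the example config in this bug report.
NODE_SELECTOR_LABEL_BLACKLIST = ("kubernetes.io/hostname", "foo")


def pod_spec_of(manifest):
    """Return the pod spec of a Pod, or the template spec of a DeploymentConfig."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    # DeploymentConfig (and similar controllers) embed a pod template.
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_node_constraints(manifest, blacklist=NODE_SELECTOR_LABEL_BLACKLIST):
    """Return policy violations for the manifest; an empty list means it passes."""
    spec = pod_spec_of(manifest)
    kind = manifest.get("kind", "<unknown>")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    violations = []
    # Direct node targeting bypasses the scheduler entirely.
    if spec.get("nodeName"):
        violations.append(f'{kind} "{name}": node selection by nodeName is prohibited by policy')
    # Only blacklisted labels are rejected; other selectors stay allowed.
    for label in sorted(spec.get("nodeSelector", {})):
        if label in blacklist:
            violations.append(f'{kind} "{name}": nodeSelector label {label!r} is prohibited by policy')
    return violations


# Constructed sample manifests modelled on the ones in this bug.
POD_WITH_SELECTOR = {
    "kind": "Pod",
    "metadata": {"name": "hello-openshift"},
    "spec": {"nodeSelector": {"foo": "foo", "dma": "dma"}, "containers": []},
}
DC_WITH_NODENAME = {
    "kind": "DeploymentConfig",
    "metadata": {"name": "hello-openshift"},
    "spec": {"template": {"spec": {"nodeName": "node-placeholder", "containers": []}}},
}
COMPLIANT_POD = {
    "kind": "Pod",
    "metadata": {"name": "hello-openshift"},
    "spec": {"nodeSelector": {"dma": "dma"}, "containers": []},
}

if __name__ == "__main__":
    for m in (POD_WITH_SELECTOR, DC_WITH_NODENAME, COMPLIANT_POD):
        print(check_node_constraints(m) or ["ok"])
```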
This was misconfigured in the last INT rebuild, hence the regression. This has now been fixed.
Verified this bug.

[root@dhcp-128-7 dma]# oc create -f dc.yaml
Error from server: error when creating "dc.yaml": deploymentconfigs "hello-openshift" is forbidden: node selection by nodeName is prohibited by policy for your role