PSP admission plugin: extract name to a constant and a couple minor i…

…mprovements.
openshift · Dec 18, 2017 · 7109512 · 7109512
1 parent 1c24d18
commit 7109512
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 9 deletions.
diff --git a/pkg/cmd/server/origin/admission/chain_builder.go b/pkg/cmd/server/origin/admission/chain_builder.go
@@ -24,6 +24,7 @@ import (
 	imagepolicy "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
 	ingressadmission "github.com/openshift/origin/pkg/ingress/admission"
 	overrideapi "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api"
+	sccadmission "github.com/openshift/origin/pkg/security/admission"
 	serviceadmit "github.com/openshift/origin/pkg/service/admission"
 )
 
@@ -61,7 +62,7 @@ var (
 		"LimitRanger",
 		"ServiceAccount",
 		noderestriction.PluginName,
-		"SecurityContextConstraint",
+		sccadmission.PluginName,
 		storageclassdefaultadmission.PluginName,
 		"AlwaysPullImages",
 		"LimitPodHardAntiAffinityTopology",
@@ -107,7 +108,7 @@ var (
 		"LimitRanger",
 		"ServiceAccount",
 		noderestriction.PluginName,
-		"SecurityContextConstraint",
+		sccadmission.PluginName,
 		storageclassdefaultadmission.PluginName,
 		"AlwaysPullImages",
 		"LimitPodHardAntiAffinityTopology",

diff --git a/pkg/cmd/server/origin/admission/config_test.go b/pkg/cmd/server/origin/admission/config_test.go
@@ -11,6 +11,7 @@ import (
 
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	overrideapi "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api"
+	sccadmission "github.com/openshift/origin/pkg/security/admission"
 	serviceadmit "github.com/openshift/origin/pkg/service/admission"
 )
 
@@ -66,7 +67,7 @@ var legacyOpenshiftAdmissionPlugins = sets.NewString(
 	"OriginPodNodeEnvironment",
 	overrideapi.PluginName,
 	serviceadmit.ExternalIPPluginName,
-	"SecurityContextConstraint",
+	sccadmission.PluginName,
 	"SCCExecRestrictions",
 	"ResourceQuota",
 )

diff --git a/pkg/cmd/server/origin/admission/register.go b/pkg/cmd/server/origin/admission/register.go
@@ -85,7 +85,7 @@ var (
 		"LimitRanger",
 		"ServiceAccount",
 		noderestriction.PluginName,
-		"SecurityContextConstraint",
+		securityadmission.PluginName,
 		"SCCExecRestrictions",
 		"PersistentVolumeLabel",
 		"DefaultStorageClass",

diff --git a/pkg/security/admission/admission.go b/pkg/security/admission/admission.go
@@ -24,8 +24,10 @@ import (
 	"k8s.io/kubernetes/pkg/serviceaccount"
 )
 
+const PluginName = "SecurityContextConstraint"
+
 func Register(plugins *admission.Plugins) {
-	plugins.Register("SecurityContextConstraint",
+	plugins.Register(PluginName,
 		func(config io.Reader) (admission.Interface, error) {
 			return NewConstraint(), nil
 		})
@@ -137,8 +139,7 @@ func (c *constraint) Admit(a admission.Attributes) error {
 	return admission.NewForbidden(a, fmt.Errorf("unable to validate against any security context constraint: %v", validationErrs))
 }
 
-// SetInformers implements WantsInformers interface for constraint.
-
+// SetSecurityInformers implements WantsSecurityInformer interface for constraint.
 func (c *constraint) SetSecurityInformers(informers securityinformer.SharedInformerFactory) {
 	c.sccLister = informers.Security().InternalVersion().SecurityContextConstraints().Lister()
 }
@@ -147,10 +148,13 @@ func (c *constraint) SetInternalKubeClientSet(client kclientset.Interface) {
 	c.client = client
 }
 
-// Validate defines actions to vallidate security admission
+// ValidateInitialization implements InitializationValidator interface for constraint.
 func (c *constraint) ValidateInitialization() error {
 	if c.sccLister == nil {
-		return fmt.Errorf("sccLister not initialized")
+		return fmt.Errorf("%s requires an sccLister", PluginName)
+	}
+	if c.client == nil {
+		return fmt.Errorf("%s requires a client", PluginName)
 	}
 	return nil
 }