From 556fe48ac3fa8d903a3886b1773954f3f0055a26 Mon Sep 17 00:00:00 2001 From: Dan Mace Date: Fri, 8 Sep 2017 09:01:19 -0400 Subject: [PATCH] UPSTREAM: 52092: Fix resource quota controller panic (Drop in 1.8) The pod evaluator used by the resource quota controller made direct calls to an unsafe pod conversion function which mutates the pod argument. With multiple resource quota controller workers, concurrent processing of the same pod from a shared informer can result in a panic when the conversion code attempts to write to a map field in the pod. Swap out the direct conversion function call to Scheme.ConvertToVersion, which copies the input before conversion. --- .../kubernetes/pkg/quota/evaluator/core/pods.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/vendor/k8s.io/kubernetes/pkg/quota/evaluator/core/pods.go b/vendor/k8s.io/kubernetes/pkg/quota/evaluator/core/pods.go index 85ca0279bea9..c9ea8aff2ee2 100644 --- a/vendor/k8s.io/kubernetes/pkg/quota/evaluator/core/pods.go +++ b/vendor/k8s.io/kubernetes/pkg/quota/evaluator/core/pods.go @@ -194,18 +194,22 @@ func podUsageHelper(requests api.ResourceList, limits api.ResourceList) api.Reso } func toInternalPodOrError(obj runtime.Object) (*api.Pod, error) { - pod := &api.Pod{} switch t := obj.(type) { case *v1.Pod: - if err := v1.Convert_v1_Pod_To_api_Pod(t, pod, nil); err != nil { + converted, err := api.Scheme.ConvertToVersion(obj, api.SchemeGroupVersion) + if err != nil { return nil, err } + if pod, ok := converted.(*api.Pod); ok { + return pod, nil + } else { + return nil, fmt.Errorf("expect *api.Pod, got %v", converted) + } case *api.Pod: - pod = t + return t, nil default: return nil, fmt.Errorf("expect *api.Pod or *v1.Pod, got %v", t) } - return pod, nil } // podMatchesScopeFunc is a function that knows how to evaluate if a pod matches a scope