本文整理汇总了Golang中github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors.IsForbidden函数的典型用法代码示例。如果您正苦于以下问题:Golang IsForbidden函数的具体用法?Golang IsForbidden怎么用?Golang IsForbidden使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了IsForbidden函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Golang代码示例。
示例1: TestAuthorizationRestrictedAccessForProjectAdmins
func TestAuthorizationRestrictedAccessForProjectAdmins(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = haroldClient.DeploymentConfigs("hammer-project").List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.DeploymentConfigs("hammer-project").List(labels.Everything(), fields.Everything())
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// projects are a special case where a get of a project actually sets a namespace. Make sure that
// the namespace is properly special cased and set for authorization rules
_, err = haroldClient.Projects().Get("hammer-project")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.Projects().Get("hammer-project")
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// wait for the project authorization cache to catch the change. It is on a one second period
waitForProject(t, haroldClient, "hammer-project", 1*time.Second, 10)
waitForProject(t, markClient, "mallet-project", 1*time.Second, 10)
}
开发者ID:cjnygard,项目名称:origin,代码行数:51,代码来源:authorization_test.go
示例2: doServiceAccountAPIRequests
func doServiceAccountAPIRequests(t *testing.T, c *client.Client, ns string, authenticated bool, canRead bool, canWrite bool) {
testSecret := &api.Secret{
ObjectMeta: api.ObjectMeta{Name: "testSecret"},
Data: map[string][]byte{"test": []byte("data")},
}
readOps := []testOperation{
func() error { _, err := c.Secrets(ns).List(labels.Everything(), fields.Everything()); return err },
func() error { _, err := c.Pods(ns).List(labels.Everything(), fields.Everything()); return err },
}
writeOps := []testOperation{
func() error { _, err := c.Secrets(ns).Create(testSecret); return err },
func() error { return c.Secrets(ns).Delete(testSecret.Name) },
}
for _, op := range readOps {
err := op()
unauthorizedError := errors.IsUnauthorized(err)
forbiddenError := errors.IsForbidden(err)
switch {
case !authenticated && !unauthorizedError:
t.Fatalf("expected unauthorized error, got %v", err)
case authenticated && unauthorizedError:
t.Fatalf("unexpected unauthorized error: %v", err)
case authenticated && canRead && forbiddenError:
t.Fatalf("unexpected forbidden error: %v", err)
case authenticated && !canRead && !forbiddenError:
t.Fatalf("expected forbidden error, got: %v", err)
}
}
for _, op := range writeOps {
err := op()
unauthorizedError := errors.IsUnauthorized(err)
forbiddenError := errors.IsForbidden(err)
switch {
case !authenticated && !unauthorizedError:
t.Fatalf("expected unauthorized error, got %v", err)
case authenticated && unauthorizedError:
t.Fatalf("unexpected unauthorized error: %v", err)
case authenticated && canWrite && forbiddenError:
t.Fatalf("unexpected forbidden error: %v", err)
case authenticated && !canWrite && !forbiddenError:
t.Fatalf("expected forbidden error, got: %v", err)
}
}
}
开发者ID:lubinc,项目名称:kubernetes,代码行数:49,代码来源:service_account_test.go
示例3: Resolve
// Resolve searches for a template and returns a match with the object representation
func (r TemplateResolver) Resolve(value string) (*ComponentMatch, error) {
checked := util.NewStringSet()
for _, namespace := range r.Namespaces {
if checked.Has(namespace) {
continue
}
checked.Insert(namespace)
glog.V(4).Infof("checking template %s/%s", namespace, value)
repo, err := r.Client.Templates(namespace).Get(value)
if err != nil {
if errors.IsNotFound(err) || errors.IsForbidden(err) {
continue
}
return nil, err
}
return &ComponentMatch{
Value: value,
Argument: fmt.Sprintf("--template=%q", value),
Name: value,
Description: fmt.Sprintf("Template %s in project %s", repo.Name, repo.Namespace),
Score: 0,
Template: repo,
}, nil
}
return nil, ErrNoMatch{value: value}
}
开发者ID:naheedmk,项目名称:origin,代码行数:31,代码来源:templatelookup.go
示例4: Resolve
// Resolve will attempt to find an imagestream with a name that matches the passed in value
func (r ImageStreamResolver) Resolve(value string) (*ComponentMatch, error) {
ref, err := imageapi.ParseDockerImageReference(value)
if err != nil || len(ref.Registry) != 0 {
return nil, fmt.Errorf("image repositories must be of the form [<namespace>/]<name>[:<tag>|@<digest>]")
}
namespaces := r.Namespaces
if len(ref.Namespace) != 0 {
namespaces = []string{ref.Namespace}
}
searchTag := ref.Tag
if len(searchTag) == 0 {
searchTag = imageapi.DefaultImageTag
}
for _, namespace := range namespaces {
glog.V(4).Infof("checking ImageStream %s/%s with ref %q", namespace, ref.Name, searchTag)
repo, err := r.Client.ImageStreams(namespace).Get(ref.Name)
if err != nil {
if errors.IsNotFound(err) || errors.IsForbidden(err) {
continue
}
return nil, err
}
ref.Namespace = namespace
latest := imageapi.LatestTaggedImage(repo, searchTag)
if latest == nil {
// continue searching in the next namespace
glog.V(2).Infof("no image recorded for %s/%s:%s", repo.Namespace, repo.Name, searchTag)
continue
}
imageStreamImage, err := r.ImageStreamImages.ImageStreamImages(namespace).Get(ref.Name, latest.Image)
if err != nil {
if errors.IsNotFound(err) {
// continue searching in the next namespace
glog.V(2).Infof("tag %q is set, but image %q has been removed", searchTag, latest.Image)
continue
}
return nil, err
}
imageData := imageStreamImage.Image
ref.Registry = ""
return &ComponentMatch{
Value: ref.String(),
Argument: fmt.Sprintf("--image=%q", ref.String()),
Name: ref.Name,
Description: fmt.Sprintf("Image repository %s (tag %q) in project %s, tracks %q", repo.Name, searchTag, repo.Namespace, repo.Status.DockerImageRepository),
Builder: IsBuilderImage(&imageData.DockerImageMetadata),
Score: 0,
ImageStream: repo,
Image: &imageData.DockerImageMetadata,
ImageTag: searchTag,
}, nil
}
return nil, ErrNoMatch{value: value}
}
开发者ID:pombredanne,项目名称:atomic-enterprise,代码行数:57,代码来源:imagelookup.go
示例5: MakeGraph
func (d *ProjectStatusDescriber) MakeGraph(namespace string) (osgraph.Graph, util.StringSet, error) {
g := osgraph.New()
loaders := []GraphLoader{
&serviceLoader{namespace: namespace, lister: d.K},
&serviceAccountLoader{namespace: namespace, lister: d.K},
&secretLoader{namespace: namespace, lister: d.K},
&rcLoader{namespace: namespace, lister: d.K},
&podLoader{namespace: namespace, lister: d.K},
&bcLoader{namespace: namespace, lister: d.C},
&buildLoader{namespace: namespace, lister: d.C},
&isLoader{namespace: namespace, lister: d.C},
&dcLoader{namespace: namespace, lister: d.C},
}
loadingFuncs := []func() error{}
for _, loader := range loaders {
loadingFuncs = append(loadingFuncs, loader.Load)
}
forbiddenResources := util.StringSet{}
if errs := parallel.Run(loadingFuncs...); len(errs) > 0 {
actualErrors := []error{}
for _, err := range errs {
if kapierrors.IsForbidden(err) {
forbiddenErr := err.(*kapierrors.StatusError)
if (forbiddenErr.Status().Details != nil) && (len(forbiddenErr.Status().Details.Kind) > 0) {
forbiddenResources.Insert(forbiddenErr.Status().Details.Kind)
}
continue
}
actualErrors = append(actualErrors, err)
}
if len(actualErrors) > 0 {
return g, forbiddenResources, utilerrors.NewAggregate(actualErrors)
}
}
for _, loader := range loaders {
loader.AddToGraph(g)
}
kubeedges.AddAllExposedPodTemplateSpecEdges(g)
kubeedges.AddAllExposedPodEdges(g)
kubeedges.AddAllManagedByRCPodEdges(g)
kubeedges.AddAllRequestedServiceAccountEdges(g)
kubeedges.AddAllMountableSecretEdges(g)
kubeedges.AddAllMountedSecretEdges(g)
buildedges.AddAllInputOutputEdges(g)
buildedges.AddAllBuildEdges(g)
deployedges.AddAllTriggerEdges(g)
deployedges.AddAllDeploymentEdges(g)
imageedges.AddAllImageStreamRefEdges(g)
return g, forbiddenResources, nil
}
开发者ID:dustintownsend,项目名称:origin,代码行数:56,代码来源:projectstatus.go
示例6: verifyOpenShiftUser
func verifyOpenShiftUser(client *client.Client) error {
if _, err := client.Users().Get("~"); err != nil {
log.Errorf("Get user failed with error: %s", err)
if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
return ErrOpenShiftAccessDenied
}
return err
}
return nil
}
开发者ID:pombredanne,项目名称:atomic-enterprise,代码行数:11,代码来源:auth.go
示例7: TestBootstrapPolicyOverwritePolicyCommand
func TestBootstrapPolicyOverwritePolicyCommand(t *testing.T) {
masterConfig, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
client, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := client.ClusterPolicies().Delete(authorizationapi.PolicyName); err != nil {
t.Errorf("unexpected error: %v", err)
}
// after the policy is deleted, we must wait for it to be cleared from the policy cache
err = wait.Poll(10*time.Millisecond, 10*time.Second, func() (bool, error) {
_, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything())
if err == nil {
return false, nil
}
if !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
return true, nil
})
if err != nil {
t.Errorf("timeout: %v", err)
}
etcdClient, err := etcd.GetAndTestEtcdClient(masterConfig.EtcdClientInfo)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
etcdHelper, err := origin.NewEtcdStorage(etcdClient, masterConfig.EtcdStorageConfig.OpenShiftStorageVersion, masterConfig.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := admin.OverwriteBootstrapPolicy(etcdHelper, masterConfig.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
}
开发者ID:dustintownsend,项目名称:origin,代码行数:48,代码来源:bootstrap_policy_test.go
示例8: TestErrors
func TestErrors(t *testing.T) {
o := testclient.NewObjects(kapi.Scheme, kapi.Scheme)
o.Add(&kapi.List{
Items: []runtime.Object{
&(errors.NewNotFound("DeploymentConfigList", "").(*errors.StatusError).ErrStatus),
&(errors.NewForbidden("DeploymentConfigList", "", nil).(*errors.StatusError).ErrStatus),
},
})
oc, _ := NewFixtureClients(o)
_, err := oc.DeploymentConfigs("test").List(labels.Everything(), fields.Everything())
if !errors.IsNotFound(err) {
t.Fatalf("unexpected error: %v", err)
}
t.Logf("error: %#v", err.(*errors.StatusError).Status())
_, err = oc.DeploymentConfigs("test").List(labels.Everything(), fields.Everything())
if !errors.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
}
开发者ID:cjnygard,项目名称:origin,代码行数:19,代码来源:testclient_test.go
示例9: verifyPruneAccess
func verifyPruneAccess(client *client.Client) error {
sar := authorizationapi.SubjectAccessReview{
Verb: "delete",
Resource: "images",
}
response, err := client.ClusterSubjectAccessReviews().Create(&sar)
if err != nil {
log.Errorf("OpenShift client error: %s", err)
if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
return ErrOpenShiftAccessDenied
}
return err
}
if !response.Allowed {
log.Errorf("OpenShift access denied: %s", response.Reason)
return ErrOpenShiftAccessDenied
}
return nil
}
开发者ID:pombredanne,项目名称:atomic-enterprise,代码行数:19,代码来源:auth.go
示例10: verifyImageStreamAccess
func verifyImageStreamAccess(namespace, imageRepo, verb string, client *client.Client) error {
sar := authorizationapi.SubjectAccessReview{
Verb: verb,
Resource: "imagestreams/layers",
ResourceName: imageRepo,
}
response, err := client.SubjectAccessReviews(namespace).Create(&sar)
if err != nil {
log.Errorf("OpenShift client error: %s", err)
if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
return ErrOpenShiftAccessDenied
}
return err
}
if !response.Allowed {
log.Errorf("OpenShift access denied: %s", response.Reason)
return ErrOpenShiftAccessDenied
}
return nil
}
开发者ID:pombredanne,项目名称:atomic-enterprise,代码行数:20,代码来源:auth.go
示例11: TestErrors
func TestErrors(t *testing.T) {
o := NewObjects(api.Scheme, api.Scheme)
o.Add(&api.List{
Items: []runtime.Object{
// This first call to List will return this error
&(errors.NewNotFound("ServiceList", "").(*errors.StatusError).ErrStatus),
// The second call to List will return this error
&(errors.NewForbidden("ServiceList", "", nil).(*errors.StatusError).ErrStatus),
},
})
client := &Fake{ReactFn: ObjectReaction(o, latest.RESTMapper)}
_, err := client.Services("test").List(labels.Everything())
if !errors.IsNotFound(err) {
t.Fatalf("unexpected error: %v", err)
}
t.Logf("error: %#v", err.(*errors.StatusError).Status())
_, err = client.Services("test").List(labels.Everything())
if !errors.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
}
开发者ID:mbforbes,项目名称:kubernetes,代码行数:21,代码来源:testclient_test.go
示例12: Search
// Search searches for a template and returns matches with the object representation
func (r TemplateSearcher) Search(terms ...string) (ComponentMatches, error) {
matches := ComponentMatches{}
for _, term := range terms {
checkedNamespaces := util.NewStringSet()
for _, namespace := range r.Namespaces {
if checkedNamespaces.Has(namespace) {
continue
}
checkedNamespaces.Insert(namespace)
glog.V(4).Infof("checking template %s/%s", namespace, term)
templates, err := r.Client.Templates(namespace).List(labels.Everything(), fields.Everything())
if err != nil {
if errors.IsNotFound(err) || errors.IsForbidden(err) {
continue
}
return nil, err
}
for i := range templates.Items {
template := &templates.Items[i]
if score, scored := templateScorer(*template, term); scored {
matches = append(matches, &ComponentMatch{
Value: term,
Argument: fmt.Sprintf("--template=%q", template.Name),
Name: template.Name,
Description: fmt.Sprintf("Template %q in project %q", template.Name, template.Namespace),
Score: score,
Template: template,
})
}
}
}
}
return matches, nil
}
开发者ID:klpauba,项目名称:origin,代码行数:41,代码来源:templatelookup.go
示例13: NewForbidden
// NewForbidden is a utility function to return a well-formatted admission control error response
func NewForbidden(a Attributes, internalError error) error {
// do not double wrap an error of same type
if apierrors.IsForbidden(internalError) {
return internalError
}
name := "Unknown"
kind := a.GetKind()
obj := a.GetObject()
if obj != nil {
objectMeta, err := api.ObjectMetaFor(obj)
if err != nil {
return apierrors.NewForbidden(kind, name, internalError)
}
// this is necessary because name object name generation has not occurred yet
if len(objectMeta.Name) > 0 {
name = objectMeta.Name
} else if len(objectMeta.GenerateName) > 0 {
name = objectMeta.GenerateName
}
}
return apierrors.NewForbidden(kind, name, internalError)
}
开发者ID:chenzhen411,项目名称:kubernetes,代码行数:25,代码来源:errors.go
示例14: Search
// Search will attempt to find imagestreams with names that matches the passed in value
func (r ImageStreamSearcher) Search(terms ...string) (ComponentMatches, error) {
componentMatches := ComponentMatches{}
for _, term := range terms {
ref, err := imageapi.ParseDockerImageReference(term)
if err != nil || len(ref.Registry) != 0 {
return nil, fmt.Errorf("image streams must be of the form [<namespace>/]<name>[:<tag>|@<digest>]")
}
namespaces := r.Namespaces
if len(ref.Namespace) != 0 {
namespaces = []string{ref.Namespace}
}
searchTag := ref.Tag
if len(searchTag) == 0 {
searchTag = imageapi.DefaultImageTag
}
for _, namespace := range namespaces {
glog.V(4).Infof("checking ImageStreams %s/%s with ref %q", namespace, ref.Name, searchTag)
streams, err := r.Client.ImageStreams(namespace).List(labels.Everything(), fields.Everything())
if err != nil {
if errors.IsNotFound(err) || errors.IsForbidden(err) {
continue
}
return nil, err
}
ref.Namespace = namespace
for i := 0; i < len(streams.Items); i++ {
stream := streams.Items[i]
score, scored := imageStreamScorer(stream, ref.Name)
if scored {
imageref, _ := imageapi.ParseDockerImageReference(term)
imageref.Name = stream.Name
latest := imageapi.LatestTaggedImage(&stream, searchTag)
if latest == nil {
glog.V(2).Infof("no image recorded for %s/%s:%s", stream.Namespace, stream.Name, searchTag)
componentMatches = append(componentMatches, &ComponentMatch{
Value: imageref.String(),
Argument: fmt.Sprintf("--image-stream=%q", imageref.String()),
Name: imageref.Name,
Description: fmt.Sprintf("Image stream %s in project %s, tracks %q", stream.Name, stream.Namespace, stream.Status.DockerImageRepository),
Score: 0.5 + score,
ImageStream: &stream,
ImageTag: searchTag,
})
continue
}
imageStreamImage, err := r.ImageStreamImages.ImageStreamImages(namespace).Get(stream.Name, latest.Image)
if err != nil {
if errors.IsNotFound(err) {
// continue searching
glog.V(2).Infof("tag %q is set, but image %q has been removed", searchTag, latest.Image)
continue
}
return nil, err
}
imageData := imageStreamImage.Image
imageref.Registry = ""
componentMatches = append(componentMatches, &ComponentMatch{
Value: imageref.String(),
Argument: fmt.Sprintf("--image-stream=%q", imageref.String()),
Name: imageref.Name,
Description: fmt.Sprintf("Image stream %q (tag %q) in project %q, tracks %q", stream.Name, searchTag, stream.Namespace, stream.Status.DockerImageRepository),
Builder: IsBuilderImage(&imageData.DockerImageMetadata),
Score: score,
ImageStream: &stream,
Image: &imageData.DockerImageMetadata,
ImageTag: searchTag,
})
}
}
}
}
return componentMatches, nil
}
开发者ID:nstrug,项目名称:origin,代码行数:77,代码来源:imagestreamlookup.go
示例15: TestBuildAdmission
func TestBuildAdmission(t *testing.T) {
tests := []struct {
name string
kind string
resource string
object runtime.Object
reviewResponse *authorizationapi.SubjectAccessReviewResponse
expectedResource string
expectAccept bool
}{
{
name: "allowed source build",
object: testBuild(buildapi.SourceBuildStrategyType),
kind: "Build",
resource: buildsResource,
reviewResponse: reviewResponse(true, ""),
expectedResource: authorizationapi.SourceBuildResource,
expectAccept: true,
},
{
name: "denied docker build",
object: testBuild(buildapi.DockerBuildStrategyType),
kind: "Build",
resource: buildsResource,
reviewResponse: reviewResponse(false, "cannot create build of type docker build"),
expectAccept: false,
expectedResource: authorizationapi.DockerBuildResource,
},
{
name: "allowed custom build",
object: testBuild(buildapi.CustomBuildStrategyType),
kind: "Build",
resource: buildsResource,
reviewResponse: reviewResponse(true, ""),
expectedResource: authorizationapi.CustomBuildResource,
expectAccept: true,
},
{
name: "allowed build config",
object: testBuildConfig(buildapi.DockerBuildStrategyType),
kind: "BuildConfig",
resource: buildConfigsResource,
reviewResponse: reviewResponse(true, ""),
expectAccept: true,
expectedResource: authorizationapi.DockerBuildResource,
},
{
name: "forbidden build config",
object: testBuildConfig(buildapi.CustomBuildStrategyType),
kind: "BuildConfig",
resource: buildConfigsResource,
reviewResponse: reviewResponse(false, ""),
expectAccept: false,
expectedResource: authorizationapi.CustomBuildResource,
},
}
for _, test := range tests {
c := NewBuildByStrategy(fakeClient(test.expectedResource, test.reviewResponse))
attrs := admission.NewAttributesRecord(test.object, test.kind, "default", "name", test.resource, "" /*subresource*/, admission.Create, fakeUser())
err := c.Admit(attrs)
if err != nil && test.expectAccept {
t.Errorf("%s: unexpected error: %v", test.name, err)
}
if (err == nil || !apierrors.IsForbidden(err)) && !test.expectAccept {
t.Errorf("%s: expecting reject error", test.name)
}
}
}
开发者ID:Risar,项目名称:origin,代码行数:69,代码来源:admission_test.go
示例16: RunPortForward
func RunPortForward(f *cmdutil.Factory, cmd *cobra.Command, args []string, fw portForwarder) error {
podName := cmdutil.GetFlagString(cmd, "pod")
if len(podName) == 0 {
return cmdutil.UsageError(cmd, "POD is required for exec")
}
if len(args) < 1 {
return cmdutil.UsageError(cmd, "at least 1 PORT is required for port-forward")
}
namespace, _, err := f.DefaultNamespace()
if err != nil {
return err
}
client, err := f.Client()
if err != nil {
return err
}
pod, err := client.Pods(namespace).Get(podName)
if err != nil {
return err
}
if pod.Status.Phase != api.PodRunning {
glog.Fatalf("Unable to execute command because pod is not running. Current status=%v", pod.Status.Phase)
}
config, err := f.ClientConfig()
if err != nil {
return err
}
signals := make(chan os.Signal, 1)
signal.Notify(signals, os.Interrupt)
defer signal.Stop(signals)
stopCh := make(chan struct{}, 1)
go func() {
<-signals
close(stopCh)
}()
req := client.RESTClient.Post().
Resource("pods").
Namespace(namespace).
Name(pod.Name).
SubResource("portforward")
postErr := fw.ForwardPorts(req, config, args, stopCh)
// if we don't have an error, return. If we did get an error, try a GET because v3.0.0 shipped with port-forward running as a GET.
if postErr == nil {
return nil
}
// only try the get if the error is either a forbidden or method not supported, otherwise trying with a GET probably won't help
if !apierrors.IsForbidden(postErr) && !apierrors.IsMethodNotSupported(postErr) {
return postErr
}
getReq := client.RESTClient.Get().
Resource("pods").
Namespace(namespace).
Name(pod.Name).
SubResource("portforward")
getErr := fw.ForwardPorts(getReq, config, args, stopCh)
if getErr == nil {
return nil
}
// if we got a getErr, return the postErr because it's more likely to be correct. GET is legacy
return postErr
}
开发者ID:nstrug,项目名称:origin,代码行数:74,代码来源:portforward.go
示例17: TestBootstrapPolicyAuthenticatedUsersAgainstOpenshiftNamespace
func TestBootstrapPolicyAuthenticatedUsersAgainstOpenshiftNamespace(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
openshiftSharedResourcesNamespace := "openshift"
if _, err := valerieOpenshiftClient.Templates(openshiftSharedResourcesNamespace).List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.Templates(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(openshiftSharedResourcesNamespace).List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(openshiftSharedResourcesNamespace).Get("name", "tag"); !kapierror.IsNotFound(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(kapi.NamespaceDefault).Get("name", "tag"); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
}
开发者ID:dustintownsend,项目名称:origin,代码行数:54,代码来源:bootstrap_policy_test.go
示例18: TestDNS
func TestDNS(t *testing.T) {
masterConfig, clientFile, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
localIP := net.ParseIP("127.0.0.1")
var masterIP net.IP
// verify service DNS entry is visible
stop := make(chan struct{})
util.Until(func() {
m1 := &dns.Msg{
MsgHdr: dns.MsgHdr{Id: dns.Id(), RecursionDesired: false},
Question: []dns.Question{{"kubernetes.default.svc.cluster.local.", dns.TypeA, dns.ClassINET}},
}
in, err := dns.Exchange(m1, masterConfig.DNSConfig.BindAddress)
if err != nil {
t.Logf("unexpected error: %v", err)
return
}
if len(in.Answer) != 1 {
t.Logf("unexpected answer: %#v", in)
return
}
if a, ok := in.Answer[0].(*dns.A); ok {
if a.A == nil {
t.Fatalf("expected an A record with an IP: %#v", a)
}
masterIP = a.A
} else {
t.Fatalf("expected an A record: %#v", in)
}
t.Log(in)
close(stop)
}, 50*time.Millisecond, stop)
client, err := testutil.GetClusterAdminKubeClient(clientFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
for {
if _, err := client.Services(kapi.NamespaceDefault).Create(&kapi.Service{
ObjectMeta: kapi.ObjectMeta{
Name: "headless",
},
Spec: kapi.ServiceSpec{
PortalIP: kapi.PortalIPNone,
Ports: []kapi.ServicePort{{Port: 443}},
},
}); err != nil {
if errors.IsForbidden(err) {
t.Logf("forbidden, sleeping: %v", err)
time.Sleep(100 * time.Millisecond)
continue
}
t.Fatalf("unexpected error: %v", err)
}
if _, err := client.Endpoints(kapi.NamespaceDefault).Create(&kapi.Endpoints{
ObjectMeta: kapi.ObjectMeta{
Name: "headless",
},
Subsets: []kapi.EndpointSubset{{
Addresses: []kapi.EndpointAddress{{IP: "172.0.0.1"}},
Ports: []kapi.EndpointPort{
{Port: 2345},
},
}},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
break
}
headlessIP := net.ParseIP("172.0.0.1")
if _, err := client.Services(kapi.NamespaceDefault).Create(&kapi.Service{
ObjectMeta: kapi.ObjectMeta{
Name: "headless2",
},
Spec: kapi.ServiceSpec{
PortalIP: kapi.PortalIPNone,
Ports: []kapi.ServicePort{{Port: 443}},
},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := client.Endpoints(kapi.NamespaceDefault).Create(&kapi.Endpoints{
ObjectMeta: kapi.ObjectMeta{
Name: "headless2",
},
Subsets: []kapi.EndpointSubset{{
Addresses: []kapi.EndpointAddress{{IP: "172.0.0.2"}},
Ports: []kapi.EndpointPort{
{Port: 2345, Name: "other"},
{Port: 2346, Name: "http"},
},
}},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
headless2IP := net.ParseIP("172.0.0.2")
//.........这里部分代码省略.........
开发者ID:cjnygard,项目名称:origin,代码行数:101,代码来源:dns_test.go
示例19: TestPolicyBasedRestrictionOfBuildStrategies
func TestPolicyBasedRestrictionOfBuildStrategies(t *testing.T) {
const namespace = "hammer"
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
joeClient, err := testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addJoe := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, haroldClient),
Users: []string{"joe"},
}
if err := addJoe.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(joeClient, namespace, "create", authorizationapi.DockerBuildResource, true); err != nil {
t.Error(err)
}
// by default admins and editors can create all type of builds
_, err = createDockerBuild(t, haroldClient.Builds(namespace))
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, err = createDockerBuild(t, joeClient.Builds(namespace))
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, err = createSourceBuild(t, haroldClient.Builds(namespace))
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, err = createSourceBuild(t, joeClient.Builds(namespace))
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, err = createCustomBuild(t, haroldClient.Builds(namespace))
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, err = createCustomBuild(t, joeClient.Builds(namespace))
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// remove resources from role so that certain build strategies are forbidden
removeBuildStrategyPrivileges(t, clusterAdminClient.ClusterRoles(), bootstrappolicy.EditRoleName)
if err := testutil.WaitForPolicyUpdate(joeClient, namespace, "create", authorizationapi.DockerBuildResource, false); err != nil {
t.Error(err)
}
removeBuildStrategyPrivileges(t, clusterAdminClient.ClusterRoles(), bootstrappolicy.AdminRoleName)
if err := testutil.WaitForPolicyUpdate(haroldClient, namespace, "create", authorizationapi.DockerBuildResource, false); err != nil {
t.Error(err)
}
// make sure builds are rejected
if _, err = createDockerBuild(t, haroldClient.Builds(namespace)); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden, got %v", err)
}
if _, err = createDockerBuild(t, joeClient.Builds(namespace)); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden, got %v", err)
}
if _, err = createSourceBuild(t, haroldClient.Builds(namespace)); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden, got %v", err)
}
if _, err = createSourceBuild(t, joeClient.Builds(namespace)); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden, got %v", err)
}
if _, err = createCustomBuild(t, haroldClient.Builds(namespace)); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden, got %v", err)
}
if _, err = createCustomBuild(t, joeClient.Builds(namespace)); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden, got %v", err)
}
}
开发者ID:Risar,项目名称:origin,代码行数:99,代码来源:build_admission_test.go
示例20: RunExec
func RunExec(f *cmdutil.Factory, cmd *cobra.Command, cmdIn io.Reader, cmdOut, cmdErr io.Writer, p *execParams, argsIn []string, re remoteExecutor) error {
podName, containerName, args, err := extractPodAndContainer(cmd, argsIn, p)
namespace, _, err := f.DefaultNamespace()
if err != nil {
return err
}
client, err := f.Client()
if err != nil {
return err
}
pod, err := client.Pods(namespace).Get(podName)
if err != nil {
return err
}
if pod.Status.Phase != api.PodRunning {
glog.Fatalf("Unable to execute command because pod %s is not running. Current status=%v", podName, pod.Status.Phase)
}
if len(containerName) == 0 {
glog.V(4).Infof("defaulting container name to %s", pod.Spec.Containers[0].Name)
containerName = pod.Spec.Containers[0].Name
}
var stdin io.Reader
tty := p.tty
if p.stdin {
stdin = cmdIn
if tty {
if file, ok := cmdIn.(*os.File); ok {
inFd := file.Fd()
if term.IsTerminal(inFd) {
oldState, err := term.SetRawTerminal(inFd)
if err != nil {
glog.Fatal(err)
}
// this handles a clean exit, where the command finished
defer term.RestoreTerminal(inFd, oldState)
// SIGINT is handled by term.SetRawTerminal (it runs a goroutine that listens
// for SIGINT and restores the terminal before exiting)
// this handles SIGTERM
sigChan := make(chan os.Signal, 1)
signal.Notify(sigChan, syscall.SIGTERM)
go func() {
<-sigChan
term.RestoreTerminal(inFd, oldState)
os.Exit(0)
}()
} else {
glog.Warning("Stdin is not a terminal")
}
} else {
tty = false
glog.Warning("Unable to use a TTY")
}
}
}
config, err := f.ClientConfig()
if err != nil {
return err
}
req := client.RESTClient.Post().
Resource("pods").
Name(pod.Name).
Namespace(namespace).
SubResource("exec").
Param("container", containerName)
postErr := re.Execute(req, config, args, stdin, cmdOut, cmdErr, tty)
// if we don't have an error, return. If we did get an error, try a GET because v3.0.0 shipped with exec running as a GET.
if postErr == nil {
return nil
}
// only try the get if the error is either a forbidden or method not supported, otherwise trying with a GET probably won't help
if !apierrors.IsForbidden(postErr) && !apierrors.IsMethodNotSupported(postErr) {
return postErr
}
getReq := client.RESTClient.Get().
Resource("pods").
Name(pod.Name).
Namespace(namespace).
SubResource("exec").
Param("container", containerName)
getErr := re.Execute(getReq, config, args, stdin, cmdOut, cmdErr, tty)
if getErr == nil {
return nil
}
// if we got a getErr, return the postErr because it's more likely to be correct. GET is legacy
return postErr
}
开发者ID:nstrug,项目名称:origin,代码行数:100,代码来源:exec.go
注:本文中的github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors.IsForbidden函数示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |
客服电话
APP下载
官方微信
请发表评论