Remove kubernetes.io/hostname label copying, skip overriding, and support direct spec.nodeName changes.

Author: munnerz

pkg/registry/core/pod/storage/storage.go

@@ -205,10 +205,10 @@ func (r *BindingREST) PreserveRequestObjectMetaSystemFieldsOnSubresourceCreate()
 	return true
 }
 
-// setPodHostAndAnnotations sets the given pod's host to 'machine' if and only if
-// the pod is unassigned and merges the provided annotations with those of the pod.
+// setPodNodeAndMetadata sets the given pod's nodeName to 'machine' if and only if
+// the pod is unassigned, and merges the provided annotations and labels with those of the pod.
 // Returns the current state of the pod, or an error.
-func (r *BindingREST) setPodHostAndAnnotations(ctx context.Context, podUID types.UID, podResourceVersion, podID, machine string, annotations, labels map[string]string, dryRun bool) (finalPod *api.Pod, err error) {
+func (r *BindingREST) setPodNodeAndMetadata(ctx context.Context, podUID types.UID, podResourceVersion, podID, machine string, annotations, labels map[string]string, dryRun bool) (finalPod *api.Pod, err error) {
 	podKey, err := r.store.KeyFunc(ctx, podID)
 	if err != nil {
 		return nil, err
@@ -284,7 +284,7 @@ func copyLabelsWithoutOverwriting(pod *api.Pod, labels map[string]string) {
 
 // assignPod assigns the given pod to the given machine.
 func (r *BindingREST) assignPod(ctx context.Context, podUID types.UID, podResourceVersion, podID string, machine string, annotations, labels map[string]string, dryRun bool) (err error) {
-	if _, err = r.setPodHostAndAnnotations(ctx, podUID, podResourceVersion, podID, machine, annotations, labels, dryRun); err != nil {
+	if _, err = r.setPodNodeAndMetadata(ctx, podUID, podResourceVersion, podID, machine, annotations, labels, dryRun); err != nil {
 		err = storeerr.InterpretGetError(err, api.Resource("pods"), podID)
 		err = storeerr.InterpretUpdateError(err, api.Resource("pods"), podID)
 		if _, ok := err.(*errors.StatusError); !ok {

pkg/registry/core/pod/storage/storage_test.go

@@ -34,7 +34,6 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/version"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/generic"
 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
@@ -680,7 +679,6 @@ func TestEtcdCreateWithContainersNotFound(t *testing.T) {
 		t.Fatalf("unexpected error: %v", err)
 	}
 
-	featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, kubefeatures.PodTopologyLabelsAdmission, true)
 	// Suddenly, a wild scheduler appears:
 	_, err = bindingStorage.Create(ctx, "foo", &api.Binding{

plugin/pkg/admission/podtopologylabels/admission.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"strings"
 
 	"k8s.io/klog/v2"
 
@@ -39,7 +38,7 @@ import (
 const PluginName = "PodTopologyLabels"
 
 // defaultConfig is the configuration used for the default instantiation of the plugin.
-// This is the configured used by kube-apiserver.
+// This configuration is used by kube-apiserver.
 // It is not exported to avoid any chance of accidentally mutating the variable.
 var defaultConfig = Config{
 	Labels: []string{"topology.k8s.io/zone", "topology.k8s.io/region", "kubernetes.io/hostname"},
@@ -60,27 +59,13 @@ type Config struct {
 	// Labels is set of explicit label keys to be copied from the Node object onto
 	// pod Binding objects during admission.
 	Labels []string
-	// Domains is a set of label key prefixes used to copy across label values
-	// for all labels with a given domain prefix.
-	// For example, `example.com` would match all labels matching `example.com/*`.
-	// Keys without a domain portion (i.e. those not containing a /) will never match.
-	Domains []string
-	// Suffixes is a set of label key domain suffixes used to copy label values for
-	// all labels of a given subdomain.
-	// This acts as a suffix match on the domain portion of label keys.
-	// If a suffix does not have a leading '.', one will be prepended to avoid
-	// programmer errors with values like `example.com` matching `notexample.com`.
-	// Keys without a domain portion (i.e. those not containing a /) will never match.
-	Suffixes []string
 }
 
 // NewPodTopologyPlugin initializes a Plugin
 func NewPodTopologyPlugin(c Config) *Plugin {
 	return &Plugin{
-		Handler:  admission.NewHandler(admission.Create),
-		labels:   sets.New(c.Labels...),
-		domains:  sets.New(c.Domains...),
-		suffixes: sets.New(c.Suffixes...),
+		Handler: admission.NewHandler(admission.Create),
+		labels:  sets.New(c.Labels...),
 	}
 }
 
@@ -89,9 +74,8 @@ type Plugin struct {
 
 	nodeLister corev1listers.NodeLister
 
-	// explicit labels, list of domains or a list of domain
-	// suffixes to be copies to Pod objects being bound.
-	labels, domains, suffixes sets.Set[string]
+	// explicit labels to be copied to Pod objects being bound.
+	labels sets.Set[string]
 
 	enabled, inspectedFeatureGates bool
 }
@@ -126,105 +110,137 @@ func (p *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
 	if !p.enabled {
 		return nil
 	}
-	if shouldIgnore(a) {
-		return nil
+	// check whether the request is for a Binding or a Pod spec update.
+	shouldAdmit, doAdmit, err := p.shouldAdmit(a)
+	if !shouldAdmit || err != nil {
+		// error is either nil and admit == false, or err is non-nil and should be returned.
+		return err
 	}
 	// we need to wait for our caches to warm
 	if !p.WaitForReady() {
 		return admission.NewForbidden(a, fmt.Errorf("not yet ready to handle request"))
 	}
+	// run type specific admission
+	return doAdmit(ctx, a, o)
+}
 
+func (p *Plugin) admitBinding(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
 	binding := a.GetObject().(*api.Binding)
 	// other fields are not set by the default scheduler for the binding target, so only check the Kind.
 	if binding.Target.Kind != "Node" {
 		klog.V(6).Info("Skipping Pod being bound to non-Node object type", "target", binding.Target.GroupVersionKind())
 		return nil
 	}
 
-	node, err := p.nodeLister.Get(binding.Target.Name)
+	labelsToCopy, err := p.topologyLabelsForNodeName(binding.Target.Name)
 	if err != nil {
-		// Ignore NotFound errors to avoid risking breaking compatibility/behaviour.
-		if apierrors.IsNotFound(err) {
-			return nil
-		}
 		return err
 	}
-
-	// fast-path/short circuit if the node has no labels
-	if node.Labels == nil {
+	if len(labelsToCopy) == 0 {
+		// fast-path/short circuit if the node has no topology labels
 		return nil
 	}
 
-	labelsToCopy := make(map[string]string)
-	for k, v := range node.Labels {
-		if !p.isTopologyLabel(k) {
-			continue
-		}
-		labelsToCopy[k] = v
+	// copy the topology labels into the Binding's labels, as these are copied from the Binding
+	// to the Pod object being bound within the podBinding registry/store.
+	if binding.Labels == nil {
+		binding.Labels = make(map[string]string)
+	}
+	mergeLabels(binding.Labels, labelsToCopy)
+
+	return nil
+}
+
+func (p *Plugin) admitPod(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
+	pod := a.GetObject().(*api.Pod)
+	if pod.Spec.NodeName == "" {
+		// pod has not been scheduled yet
+		return nil
 	}
 
+	// Determine the topology labels from the assigned node to be copied.
+	labelsToCopy, err := p.topologyLabelsForNodeName(pod.Spec.NodeName)
+	if err != nil {
+		return err
+	}
 	if len(labelsToCopy) == 0 {
 		// fast-path/short circuit if the node has no topology labels
 		return nil
 	}
 
-	// copy the topology labels into the Binding's labels, as these are copied from the Binding
-	// to the Pod object being bound within the podBinding registry/store.
-	if binding.Labels == nil {
-		binding.Labels = make(map[string]string)
+	// copy the topology labels into the Pod's labels.
+	if pod.Labels == nil {
+		pod.Labels = make(map[string]string)
+	}
+	// avoid overwriting any existing labels on the Pod.
+	mergeLabels(pod.Labels, labelsToCopy)
+
+	return nil
+}
+
+func (p *Plugin) topologyLabelsForNodeName(nodeName string) (map[string]string, error) {
+	labels := make(map[string]string)
+	node, err := p.nodeLister.Get(nodeName)
+	if err != nil {
+		// Ignore NotFound errors to avoid risking breaking compatibility/behaviour.
+		if apierrors.IsNotFound(err) {
+			return labels, nil
+		}
+		return nil, err
 	}
-	for k, v := range labelsToCopy {
-		if _, exists := binding.Labels[k]; exists {
-			// Don't overwrite labels on Binding resources as this could lead to unexpected
-			// behaviour if any schedulers rely on being able to explicitly set values themselves.
+
+	for k, v := range node.Labels {
+		if !p.isTopologyLabel(k) {
 			continue
 		}
-		binding.Labels[k] = v
+		labels[k] = v
 	}
 
-	return nil
+	return labels, nil
+}
+
+// mergeLabels merges new into existing, without overwriting existing keys.
+func mergeLabels(existing, new map[string]string) {
+	for k, v := range new {
+		if _, exists := existing[k]; exists {
+			continue
+		}
+		existing[k] = v
+	}
 }
 
 func (p *Plugin) isTopologyLabel(key string) bool {
 	// First check explicit label keys.
 	if p.labels.Has(key) {
 		return true
 	}
-	// Check the domain portion of the label key, if present
-	domain, _, hasDomain := strings.Cut(key, "/")
-	if !hasDomain {
-		// fast-path if there is no / separator
-		return false
-	}
-	if p.domains.Has(domain) {
-		// check for explicit domains to copy
-		return true
-	}
-	for _, suffix := range p.suffixes.UnsortedList() {
-		// check if the domain has one of the suffixes that are to be copied
-		if strings.HasSuffix(domain, suffix) {
-			return true
-		}
-	}
 	return false
 }
 
-func shouldIgnore(a admission.Attributes) bool {
-	resource := a.GetResource().GroupResource()
-	if resource != api.Resource("pods") {
-		return true
-	}
-	if a.GetSubresource() != "binding" {
-		// only run the checks below on the binding subresource
-		return true
-	}
+type admitFunc func(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)
 
-	obj := a.GetObject()
-	_, ok := obj.(*api.Binding)
-	if !ok {
-		klog.Errorf("expected Binding but got %s", a.GetKind().Kind)
-		return true
+// shouldAdmit inspects the provided adminssion attributes to determine whether the request
+// requires admittance through this plugin.
+func (p *Plugin) shouldAdmit(a admission.Attributes) (bool, admitFunc, error) {
+	if a.GetResource().GroupResource() != api.Resource("pods") {
+		return false, nil, nil
 	}
 
-	return false
+	switch a.GetSubresource() {
+	case "": // regular Pod endpoint
+		_, ok := a.GetObject().(*api.Pod)
+		if !ok {
+			return false, nil, fmt.Errorf("expected Pod but got %T", a.GetObject())
+		}
+		return true, p.admitPod, nil
+	case "binding":
+		_, ok := a.GetObject().(*api.Binding)
+		if !ok {
+			return false, nil, fmt.Errorf("expected Binding but got %s", a.GetKind().Kind)
+		}
+		return true, p.admitBinding, nil
+	default:
+		// Ignore all other sub-resources.
+		return false, nil, nil
+	}
 }