/* Copyright 2019 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package validation import ( "fmt" "strings" flowcontrolv1beta1 "k8s.io/api/flowcontrol/v1beta1" flowcontrolv1beta2 "k8s.io/api/flowcontrol/v1beta2" flowcontrolv1beta3 "k8s.io/api/flowcontrol/v1beta3" apiequality "k8s.io/apimachinery/pkg/api/equality" apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/util/shufflesharding" apivalidation "k8s.io/kubernetes/pkg/apis/core/validation" "k8s.io/kubernetes/pkg/apis/flowcontrol" "k8s.io/kubernetes/pkg/apis/flowcontrol/internalbootstrap" ) // ValidateFlowSchemaName validates name for flow-schema. var ValidateFlowSchemaName = apimachineryvalidation.NameIsDNSSubdomain // ValidatePriorityLevelConfigurationName validates name for priority-level-configuration. var ValidatePriorityLevelConfigurationName = apimachineryvalidation.NameIsDNSSubdomain var supportedDistinguisherMethods = sets.NewString( string(flowcontrol.FlowDistinguisherMethodByNamespaceType), string(flowcontrol.FlowDistinguisherMethodByUserType), ) var priorityLevelConfigurationQueuingMaxQueues int32 = 10 * 1000 * 1000 // 10^7 var supportedVerbs = sets.NewString( "get", "list", "create", "update", "delete", "deletecollection", "patch", "watch", "proxy", ) var supportedSubjectKinds = sets.NewString( string(flowcontrol.SubjectKindServiceAccount), string(flowcontrol.SubjectKindGroup), string(flowcontrol.SubjectKindUser), ) var supportedPriorityLevelEnablement = sets.NewString( string(flowcontrol.PriorityLevelEnablementExempt), string(flowcontrol.PriorityLevelEnablementLimited), ) var supportedLimitResponseType = sets.NewString( string(flowcontrol.LimitResponseTypeQueue), string(flowcontrol.LimitResponseTypeReject), ) // PriorityLevelValidationOptions holds the validation options for a priority level object type PriorityLevelValidationOptions struct { // AllowZeroLimitedNominalConcurrencyShares, if true, indicates that we allow // a zero value for the 'nominalConcurrencyShares' field of the 'limited' // section of a priority level. AllowZeroLimitedNominalConcurrencyShares bool } // ValidateFlowSchema validates the content of flow-schema func ValidateFlowSchema(fs *flowcontrol.FlowSchema) field.ErrorList { allErrs := apivalidation.ValidateObjectMeta(&fs.ObjectMeta, false, ValidateFlowSchemaName, field.NewPath("metadata")) specPath := field.NewPath("spec") allErrs = append(allErrs, ValidateFlowSchemaSpec(fs.Name, &fs.Spec, specPath)...) if mand, ok := internalbootstrap.MandatoryFlowSchemas[fs.Name]; ok { // Check for almost exact equality. This is a pretty // strict test, and it is OK in this context because both // sides of this comparison are intended to ultimately // come from the same code. if !apiequality.Semantic.DeepEqual(fs.Spec, mand.Spec) { allErrs = append(allErrs, field.Invalid(specPath, fs.Spec, fmt.Sprintf("spec of '%s' must equal the fixed value", fs.Name))) } } allErrs = append(allErrs, ValidateFlowSchemaStatus(&fs.Status, field.NewPath("status"))...) return allErrs } // ValidateFlowSchemaUpdate validates the update of flow-schema func ValidateFlowSchemaUpdate(old, fs *flowcontrol.FlowSchema) field.ErrorList { return ValidateFlowSchema(fs) } // ValidateFlowSchemaSpec validates the content of flow-schema's spec func ValidateFlowSchemaSpec(fsName string, spec *flowcontrol.FlowSchemaSpec, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if spec.MatchingPrecedence <= 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("matchingPrecedence"), spec.MatchingPrecedence, "must be a positive value")) } if spec.MatchingPrecedence > flowcontrol.FlowSchemaMaxMatchingPrecedence { allErrs = append(allErrs, field.Invalid(fldPath.Child("matchingPrecedence"), spec.MatchingPrecedence, fmt.Sprintf("must not be greater than %v", flowcontrol.FlowSchemaMaxMatchingPrecedence))) } if (spec.MatchingPrecedence == 1) && (fsName != flowcontrol.FlowSchemaNameExempt) { allErrs = append(allErrs, field.Invalid(fldPath.Child("matchingPrecedence"), spec.MatchingPrecedence, "only the schema named 'exempt' may have matchingPrecedence 1")) } if spec.DistinguisherMethod != nil { if !supportedDistinguisherMethods.Has(string(spec.DistinguisherMethod.Type)) { allErrs = append(allErrs, field.NotSupported(fldPath.Child("distinguisherMethod").Child("type"), spec.DistinguisherMethod, supportedDistinguisherMethods.List())) } } if len(spec.PriorityLevelConfiguration.Name) > 0 { for _, msg := range ValidatePriorityLevelConfigurationName(spec.PriorityLevelConfiguration.Name, false) { allErrs = append(allErrs, field.Invalid(fldPath.Child("priorityLevelConfiguration").Child("name"), spec.PriorityLevelConfiguration.Name, msg)) } } else { allErrs = append(allErrs, field.Required(fldPath.Child("priorityLevelConfiguration").Child("name"), "must reference a priority level")) } for i, rule := range spec.Rules { allErrs = append(allErrs, ValidateFlowSchemaPolicyRulesWithSubjects(&rule, fldPath.Child("rules").Index(i))...) } return allErrs } // ValidateFlowSchemaPolicyRulesWithSubjects validates policy-rule-with-subjects object. func ValidateFlowSchemaPolicyRulesWithSubjects(rule *flowcontrol.PolicyRulesWithSubjects, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if len(rule.Subjects) > 0 { for i, subject := range rule.Subjects { allErrs = append(allErrs, ValidateFlowSchemaSubject(&subject, fldPath.Child("subjects").Index(i))...) } } else { allErrs = append(allErrs, field.Required(fldPath.Child("subjects"), "subjects must contain at least one value")) } if len(rule.ResourceRules) == 0 && len(rule.NonResourceRules) == 0 { allErrs = append(allErrs, field.Required(fldPath, "at least one of resourceRules and nonResourceRules has to be non-empty")) } for i, resourceRule := range rule.ResourceRules { allErrs = append(allErrs, ValidateFlowSchemaResourcePolicyRule(&resourceRule, fldPath.Child("resourceRules").Index(i))...) } for i, nonResourceRule := range rule.NonResourceRules { allErrs = append(allErrs, ValidateFlowSchemaNonResourcePolicyRule(&nonResourceRule, fldPath.Child("nonResourceRules").Index(i))...) } return allErrs } // ValidateFlowSchemaSubject validates flow-schema's subject object. func ValidateFlowSchemaSubject(subject *flowcontrol.Subject, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList switch subject.Kind { case flowcontrol.SubjectKindServiceAccount: allErrs = append(allErrs, ValidateServiceAccountSubject(subject.ServiceAccount, fldPath.Child("serviceAccount"))...) if subject.User != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("user"), "user is forbidden when subject kind is not 'User'")) } if subject.Group != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("group"), "group is forbidden when subject kind is not 'Group'")) } case flowcontrol.SubjectKindUser: allErrs = append(allErrs, ValidateUserSubject(subject.User, fldPath.Child("user"))...) if subject.ServiceAccount != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("serviceAccount"), "serviceAccount is forbidden when subject kind is not 'ServiceAccount'")) } if subject.Group != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("group"), "group is forbidden when subject kind is not 'Group'")) } case flowcontrol.SubjectKindGroup: allErrs = append(allErrs, ValidateGroupSubject(subject.Group, fldPath.Child("group"))...) if subject.ServiceAccount != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("serviceAccount"), "serviceAccount is forbidden when subject kind is not 'ServiceAccount'")) } if subject.User != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("user"), "user is forbidden when subject kind is not 'User'")) } default: allErrs = append(allErrs, field.NotSupported(fldPath.Child("kind"), subject.Kind, supportedSubjectKinds.List())) } return allErrs } // ValidateServiceAccountSubject validates subject of "ServiceAccount" kind func ValidateServiceAccountSubject(subject *flowcontrol.ServiceAccountSubject, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if subject == nil { return append(allErrs, field.Required(fldPath, "serviceAccount is required when subject kind is 'ServiceAccount'")) } if len(subject.Name) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) } else if subject.Name != flowcontrol.NameAll { for _, msg := range apimachineryvalidation.ValidateServiceAccountName(subject.Name, false) { allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), subject.Name, msg)) } } if len(subject.Namespace) > 0 { for _, msg := range apimachineryvalidation.ValidateNamespaceName(subject.Namespace, false) { allErrs = append(allErrs, field.Invalid(fldPath.Child("namespace"), subject.Namespace, msg)) } } else { allErrs = append(allErrs, field.Required(fldPath.Child("namespace"), "must specify namespace for service account")) } return allErrs } // ValidateUserSubject validates subject of "User" kind func ValidateUserSubject(subject *flowcontrol.UserSubject, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if subject == nil { return append(allErrs, field.Required(fldPath, "user is required when subject kind is 'User'")) } if len(subject.Name) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) } return allErrs } // ValidateGroupSubject validates subject of "Group" kind func ValidateGroupSubject(subject *flowcontrol.GroupSubject, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if subject == nil { return append(allErrs, field.Required(fldPath, "group is required when subject kind is 'Group'")) } if len(subject.Name) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) } return allErrs } // ValidateFlowSchemaNonResourcePolicyRule validates non-resource policy-rule in the flow-schema. func ValidateFlowSchemaNonResourcePolicyRule(rule *flowcontrol.NonResourcePolicyRule, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if len(rule.Verbs) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("verbs"), "verbs must contain at least one value")) } else if hasWildcard(rule.Verbs) { if len(rule.Verbs) > 1 { allErrs = append(allErrs, field.Invalid(fldPath.Child("verbs"), rule.Verbs, "if '*' is present, must not specify other verbs")) } } else if !supportedVerbs.IsSuperset(sets.NewString(rule.Verbs...)) { // only supported verbs are allowed allErrs = append(allErrs, field.NotSupported(fldPath.Child("verbs"), rule.Verbs, supportedVerbs.List())) } if len(rule.NonResourceURLs) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("nonResourceURLs"), "nonResourceURLs must contain at least one value")) } else if hasWildcard(rule.NonResourceURLs) { if len(rule.NonResourceURLs) > 1 { allErrs = append(allErrs, field.Invalid(fldPath.Child("nonResourceURLs"), rule.NonResourceURLs, "if '*' is present, must not specify other non-resource URLs")) } } else { for i, nonResourceURL := range rule.NonResourceURLs { if err := ValidateNonResourceURLPath(nonResourceURL, fldPath.Child("nonResourceURLs").Index(i)); err != nil { allErrs = append(allErrs, err) } } } return allErrs } // ValidateFlowSchemaResourcePolicyRule validates resource policy-rule in the flow-schema. func ValidateFlowSchemaResourcePolicyRule(rule *flowcontrol.ResourcePolicyRule, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if len(rule.Verbs) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("verbs"), "verbs must contain at least one value")) } else if hasWildcard(rule.Verbs) { if len(rule.Verbs) > 1 { allErrs = append(allErrs, field.Invalid(fldPath.Child("verbs"), rule.Verbs, "if '*' is present, must not specify other verbs")) } } else if !supportedVerbs.IsSuperset(sets.NewString(rule.Verbs...)) { // only supported verbs are allowed allErrs = append(allErrs, field.NotSupported(fldPath.Child("verbs"), rule.Verbs, supportedVerbs.List())) } if len(rule.APIGroups) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("apiGroups"), "resource rules must supply at least one api group")) } else if len(rule.APIGroups) > 1 && hasWildcard(rule.APIGroups) { allErrs = append(allErrs, field.Invalid(fldPath.Child("apiGroups"), rule.APIGroups, "if '*' is present, must not specify other api groups")) } if len(rule.Resources) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("resources"), "resource rules must supply at least one resource")) } else if len(rule.Resources) > 1 && hasWildcard(rule.Resources) { allErrs = append(allErrs, field.Invalid(fldPath.Child("resources"), rule.Resources, "if '*' is present, must not specify other resources")) } if len(rule.Namespaces) == 0 && !rule.ClusterScope { allErrs = append(allErrs, field.Required(fldPath.Child("namespaces"), "resource rules that are not cluster scoped must supply at least one namespace")) } else if hasWildcard(rule.Namespaces) { if len(rule.Namespaces) > 1 { allErrs = append(allErrs, field.Invalid(fldPath.Child("namespaces"), rule.Namespaces, "if '*' is present, must not specify other namespaces")) } } else { for idx, tgtNS := range rule.Namespaces { for _, msg := range apimachineryvalidation.ValidateNamespaceName(tgtNS, false) { allErrs = append(allErrs, field.Invalid(fldPath.Child("namespaces").Index(idx), tgtNS, nsErrIntro+msg)) } } } return allErrs } const nsErrIntro = "each member of this list must be '*' or a DNS-1123 label; " // ValidateFlowSchemaStatus validates status for the flow-schema. func ValidateFlowSchemaStatus(status *flowcontrol.FlowSchemaStatus, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList keys := sets.NewString() for i, condition := range status.Conditions { if keys.Has(string(condition.Type)) { allErrs = append(allErrs, field.Duplicate(fldPath.Child("conditions").Index(i).Child("type"), condition.Type)) } keys.Insert(string(condition.Type)) allErrs = append(allErrs, ValidateFlowSchemaCondition(&condition, fldPath.Child("conditions").Index(i))...) } return allErrs } // ValidateFlowSchemaStatusUpdate validates the update of status for the flow-schema. func ValidateFlowSchemaStatusUpdate(old, fs *flowcontrol.FlowSchema) field.ErrorList { return ValidateFlowSchemaStatus(&fs.Status, field.NewPath("status")) } // ValidateFlowSchemaCondition validates condition in the flow-schema's status. func ValidateFlowSchemaCondition(condition *flowcontrol.FlowSchemaCondition, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if len(condition.Type) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("type"), "must not be empty")) } return allErrs } // ValidatePriorityLevelConfiguration validates priority-level-configuration. func ValidatePriorityLevelConfiguration(pl *flowcontrol.PriorityLevelConfiguration, requestGV schema.GroupVersion, opts PriorityLevelValidationOptions) field.ErrorList { allErrs := apivalidation.ValidateObjectMeta(&pl.ObjectMeta, false, ValidatePriorityLevelConfigurationName, field.NewPath("metadata")) // the roundtrip annotation is only for use in v1beta3, and after // conversion, the internal object should not have the roundtrip // annotation, so we should forbid it, if it's set. if _, ok := pl.ObjectMeta.Annotations[flowcontrolv1beta3.PriorityLevelPreserveZeroConcurrencySharesKey]; ok { allErrs = append(allErrs, field.Forbidden(field.NewPath("metadata").Child("annotations"), fmt.Sprintf("annotation '%s' is forbidden", flowcontrolv1beta3.PriorityLevelPreserveZeroConcurrencySharesKey))) } specPath := field.NewPath("spec") allErrs = append(allErrs, ValidatePriorityLevelConfigurationSpec(&pl.Spec, requestGV, pl.Name, specPath, opts)...) allErrs = append(allErrs, ValidateIfMandatoryPriorityLevelConfigurationObject(pl, specPath)...) allErrs = append(allErrs, ValidatePriorityLevelConfigurationStatus(&pl.Status, field.NewPath("status"))...) return allErrs } func ValidateIfMandatoryPriorityLevelConfigurationObject(pl *flowcontrol.PriorityLevelConfiguration, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList mand, ok := internalbootstrap.MandatoryPriorityLevelConfigurations[pl.Name] if !ok { return allErrs } if pl.Name == flowcontrol.PriorityLevelConfigurationNameExempt { // we allow the admin to change the contents of the 'Exempt' field of // the singleton 'exempt' priority level object, every other fields of // the Spec should not be allowed to change. want := &mand.Spec have := pl.Spec.DeepCopy() have.Exempt = want.Exempt if !apiequality.Semantic.DeepEqual(want, have) { allErrs = append(allErrs, field.Invalid(fldPath, pl.Spec, fmt.Sprintf("spec of '%s' except the 'spec.exempt' field must equal the fixed value", pl.Name))) } return allErrs } // Check for almost exact equality. This is a pretty // strict test, and it is OK in this context because both // sides of this comparison are intended to ultimately // come from the same code. if !apiequality.Semantic.DeepEqual(pl.Spec, mand.Spec) { allErrs = append(allErrs, field.Invalid(fldPath, pl.Spec, fmt.Sprintf("spec of '%s' must equal the fixed value", pl.Name))) } return allErrs } // ValidatePriorityLevelConfigurationSpec validates priority-level-configuration's spec. func ValidatePriorityLevelConfigurationSpec(spec *flowcontrol.PriorityLevelConfigurationSpec, requestGV schema.GroupVersion, name string, fldPath *field.Path, opts PriorityLevelValidationOptions) field.ErrorList { var allErrs field.ErrorList if (name == flowcontrol.PriorityLevelConfigurationNameExempt) != (spec.Type == flowcontrol.PriorityLevelEnablementExempt) { allErrs = append(allErrs, field.Invalid(fldPath.Child("type"), spec.Type, "type must be 'Exempt' if and only if name is 'exempt'")) } switch spec.Type { case flowcontrol.PriorityLevelEnablementExempt: if spec.Limited != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("limited"), "must be nil if the type is not Limited")) } if spec.Exempt != nil { allErrs = append(allErrs, ValidateExemptPriorityLevelConfiguration(spec.Exempt, fldPath.Child("exempt"))...) } case flowcontrol.PriorityLevelEnablementLimited: if spec.Exempt != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("exempt"), "must be nil if the type is Limited")) } if spec.Limited == nil { allErrs = append(allErrs, field.Required(fldPath.Child("limited"), "must not be empty when type is Limited")) } else { allErrs = append(allErrs, ValidateLimitedPriorityLevelConfiguration(spec.Limited, requestGV, fldPath.Child("limited"), opts)...) } default: allErrs = append(allErrs, field.NotSupported(fldPath.Child("type"), spec.Type, supportedPriorityLevelEnablement.List())) } return allErrs } // ValidateLimitedPriorityLevelConfiguration validates the configuration for an execution-limited priority level func ValidateLimitedPriorityLevelConfiguration(lplc *flowcontrol.LimitedPriorityLevelConfiguration, requestGV schema.GroupVersion, fldPath *field.Path, opts PriorityLevelValidationOptions) field.ErrorList { var allErrs field.ErrorList if opts.AllowZeroLimitedNominalConcurrencyShares { if lplc.NominalConcurrencyShares < 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child(getVersionedFieldNameForConcurrencyShares(requestGV)), lplc.NominalConcurrencyShares, "must be a non-negative integer")) } } else { if lplc.NominalConcurrencyShares <= 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child(getVersionedFieldNameForConcurrencyShares(requestGV)), lplc.NominalConcurrencyShares, "must be positive")) } } allErrs = append(allErrs, ValidateLimitResponse(lplc.LimitResponse, fldPath.Child("limitResponse"))...) if lplc.LendablePercent != nil && !(*lplc.LendablePercent >= 0 && *lplc.LendablePercent <= 100) { allErrs = append(allErrs, field.Invalid(fldPath.Child("lendablePercent"), *lplc.LendablePercent, "must be between 0 and 100, inclusive")) } if lplc.BorrowingLimitPercent != nil && *lplc.BorrowingLimitPercent < 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("borrowingLimitPercent"), *lplc.BorrowingLimitPercent, "if specified, must be a non-negative integer")) } return allErrs } func ValidateExemptPriorityLevelConfiguration(eplc *flowcontrol.ExemptPriorityLevelConfiguration, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if eplc.NominalConcurrencyShares != nil && *eplc.NominalConcurrencyShares < 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("nominalConcurrencyShares"), *eplc.NominalConcurrencyShares, "must be a non-negative integer")) } if eplc.LendablePercent != nil && !(*eplc.LendablePercent >= 0 && *eplc.LendablePercent <= 100) { allErrs = append(allErrs, field.Invalid(fldPath.Child("lendablePercent"), *eplc.LendablePercent, "must be between 0 and 100, inclusive")) } return allErrs } func getVersionedFieldNameForConcurrencyShares(requestGV schema.GroupVersion) string { switch { case requestGV == flowcontrolv1beta1.SchemeGroupVersion || requestGV == flowcontrolv1beta2.SchemeGroupVersion: return "assuredConcurrencyShares" default: return "nominalConcurrencyShares" } } // ValidateLimitResponse validates a LimitResponse func ValidateLimitResponse(lr flowcontrol.LimitResponse, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList switch lr.Type { case flowcontrol.LimitResponseTypeReject: if lr.Queuing != nil { allErrs = append(allErrs, field.Forbidden(fldPath.Child("queuing"), "must be nil if limited.limitResponse.type is not Limited")) } case flowcontrol.LimitResponseTypeQueue: if lr.Queuing == nil { allErrs = append(allErrs, field.Required(fldPath.Child("queuing"), "must not be empty if limited.limitResponse.type is Limited")) } else { allErrs = append(allErrs, ValidatePriorityLevelQueuingConfiguration(lr.Queuing, fldPath.Child("queuing"))...) } default: allErrs = append(allErrs, field.NotSupported(fldPath.Child("type"), lr.Type, supportedLimitResponseType.List())) } return allErrs } // ValidatePriorityLevelQueuingConfiguration validates queuing-configuration for a priority-level func ValidatePriorityLevelQueuingConfiguration(queuing *flowcontrol.QueuingConfiguration, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if queuing.QueueLengthLimit <= 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("queueLengthLimit"), queuing.QueueLengthLimit, "must be positive")) } // validate input arguments for shuffle-sharding if queuing.Queues <= 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("queues"), queuing.Queues, "must be positive")) } else if queuing.Queues > priorityLevelConfigurationQueuingMaxQueues { allErrs = append(allErrs, field.Invalid(fldPath.Child("queues"), queuing.Queues, fmt.Sprintf("must not be greater than %d", priorityLevelConfigurationQueuingMaxQueues))) } if queuing.HandSize <= 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("handSize"), queuing.HandSize, "must be positive")) } else if queuing.HandSize > queuing.Queues { allErrs = append(allErrs, field.Invalid(fldPath.Child("handSize"), queuing.HandSize, fmt.Sprintf("should not be greater than queues (%d)", queuing.Queues))) } else if entropy := shufflesharding.RequiredEntropyBits(int(queuing.Queues), int(queuing.HandSize)); entropy > shufflesharding.MaxHashBits { allErrs = append(allErrs, field.Invalid(fldPath.Child("handSize"), queuing.HandSize, fmt.Sprintf("required entropy bits of deckSize %d and handSize %d should not be greater than %d", queuing.Queues, queuing.HandSize, shufflesharding.MaxHashBits))) } return allErrs } // ValidatePriorityLevelConfigurationStatus validates priority-level-configuration's status. func ValidatePriorityLevelConfigurationStatus(status *flowcontrol.PriorityLevelConfigurationStatus, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList keys := sets.NewString() for i, condition := range status.Conditions { if keys.Has(string(condition.Type)) { allErrs = append(allErrs, field.Duplicate(fldPath.Child("conditions").Index(i).Child("type"), condition.Type)) } keys.Insert(string(condition.Type)) allErrs = append(allErrs, ValidatePriorityLevelConfigurationCondition(&condition, fldPath.Child("conditions").Index(i))...) } return allErrs } // ValidatePriorityLevelConfigurationStatusUpdate validates the update of priority-level-configuration's status. func ValidatePriorityLevelConfigurationStatusUpdate(old, pl *flowcontrol.PriorityLevelConfiguration) field.ErrorList { return ValidatePriorityLevelConfigurationStatus(&pl.Status, field.NewPath("status")) } // ValidatePriorityLevelConfigurationCondition validates condition in priority-level-configuration's status. func ValidatePriorityLevelConfigurationCondition(condition *flowcontrol.PriorityLevelConfigurationCondition, fldPath *field.Path) field.ErrorList { var allErrs field.ErrorList if len(condition.Type) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("type"), "must not be empty")) } return allErrs } // ValidateNonResourceURLPath validates non-resource-url path by following rules: // 1. Slash must be the leading character of the path // 2. White-space is forbidden in the path // 3. Continuous/double slash is forbidden in the path // 4. Wildcard "*" should only do suffix glob matching. Note that wildcard also matches slashes. func ValidateNonResourceURLPath(path string, fldPath *field.Path) *field.Error { if len(path) == 0 { return field.Invalid(fldPath, path, "must not be empty") } if path == "/" { // root path return nil } if !strings.HasPrefix(path, "/") { return field.Invalid(fldPath, path, "must start with slash") } if strings.Contains(path, " ") { return field.Invalid(fldPath, path, "must not contain white-space") } if strings.Contains(path, "//") { return field.Invalid(fldPath, path, "must not contain double slash") } wildcardCount := strings.Count(path, "*") if wildcardCount > 1 || (wildcardCount == 1 && path[len(path)-2:] != "/*") { return field.Invalid(fldPath, path, "wildcard can only do suffix matching") } return nil } func hasWildcard(operations []string) bool { return memberInList("*", operations...) } func memberInList(seek string, a ...string) bool { for _, ai := range a { if ai == seek { return true } } return false }