Ignore pods marked for deletion

proofpoint · Mar 19, 2018 · 8a6e5cd · 8a6e5cd
1 parent 4256916
commit 8a6e5cd
Show file tree

Hide file tree

Showing 4 changed files with 132 additions and 10 deletions.
diff --git a/inspectors/altnamesforpod/altnamesforpod.go b/inspectors/altnamesforpod/altnamesforpod.go
@@ -54,13 +54,17 @@ func (a *altnamesforpod) Inspect(client kubernetes.Interface, request *certifica
 
 	filtered := make([]v1.Pod, 0, 1)
 	for _, pod := range podList.Items {
-		if pod.Status.Phase == v1.PodPending || pod.Status.Phase == v1.PodRunning {
-			filtered = append(filtered, pod)
+		if pod.DeletionTimestamp != nil {
+			continue
+		}
+		if pod.Status.Phase != v1.PodPending && pod.Status.Phase != v1.PodRunning {
+			continue
 		}
+		filtered = append(filtered, pod)
 	}
 
 	if len(filtered) == 0 {
-		return fmt.Sprintf("No running POD in namespace %q with IP %q", namespace, podIp), nil
+		return fmt.Sprintf("No pending or running POD in namespace %q with IP %q", namespace, podIp), nil
 	}
 	if len(filtered) > 1 {
 		logrus.Warnf("Altnamesforpod found multiple pods for IP %q", podIp)

diff --git a/inspectors/altnamesforpod/altnamesforpod_test.go b/inspectors/altnamesforpod/altnamesforpod_test.go
@@ -24,6 +24,8 @@ func TestInspect(t *testing.T) {
 	key, err := rsa.GenerateKey(rand.Reader, 1024)
 	require.NoError(t, err, "Generate the private key")
 
+	nowTime := metaV1.Now()
+
 	for _, testcase := range []struct {
 		name            string
 		inspectorConfig string
@@ -130,12 +132,12 @@ func TestInspect(t *testing.T) {
 		// https://github.com/kubernetes/client-go/issues/326
 		//{
 		//	name:          "WrongPodIp",
-		//	expectMessage: "No running POD in namespace \"somenamespace\" with IP \"172.1.0.3\"",
+		//	expectMessage: "No pending or running POD in namespace \"somenamespace\" with IP \"172.1.0.3\"",
 		//	podIp:         "172.1.0.36",
 		//},
 		{
 			name:          "WrongPodNamespace",
-			expectMessage: "No running POD in namespace \"somenamespace\" with IP \"172.1.0.3\"",
+			expectMessage: "No pending or running POD in namespace \"somenamespace\" with IP \"172.1.0.3\"",
 			podNamespace:  "other",
 		},
 		{
@@ -278,6 +280,70 @@ func TestInspect(t *testing.T) {
 				request.IPAddresses = makeIps("172.1.0.3", "10.0.0.1", "10.1.2.3", "10.1.2.4")
 			},
 		},
+		{
+			name:            "IgnoresPodMarkedForDeletion",
+			inspectorConfig: "example.com",
+			objects: []runtime.Object{
+				&v1.Pod{
+					TypeMeta: metaV1.TypeMeta{
+						Kind:       "Pod",
+						APIVersion: "v1",
+					},
+					ObjectMeta: metaV1.ObjectMeta{
+						Name:      "wrong-app-579f7cd745-wrong",
+						Namespace: "somenamespace",
+						DeletionTimestamp: &nowTime,
+						Labels: map[string]string{
+							"app": "wrong-app",
+						},
+					},
+					Status: v1.PodStatus{
+						Phase: v1.PodRunning,
+						PodIP: "172.1.0.3",
+					},
+				},
+				&v1.Pod{
+					TypeMeta: metaV1.TypeMeta{
+						Kind:       "Pod",
+						APIVersion: "v1",
+					},
+					ObjectMeta: metaV1.ObjectMeta{
+						Name:      "tls-app-579f7cd745-t6fdg",
+						Namespace: "somenamespace",
+						Labels: map[string]string{
+							"app": "some-app",
+						},
+					},
+					Status: v1.PodStatus{
+						Phase: v1.PodRunning,
+						PodIP: "172.1.0.3",
+					},
+				},
+				&v1.Service{
+					ObjectMeta: metaV1.ObjectMeta{
+						Name:      "tls-service",
+						Namespace: "somenamespace",
+						Labels: map[string]string{
+							"app": "some-service",
+						},
+					},
+					Spec: v1.ServiceSpec{
+						Selector:    map[string]string{"app": "some-app"},
+						ClusterIP:   "10.0.0.1",
+						Type:        v1.ServiceTypeLoadBalancer,
+						ExternalIPs: []string{"10.1.2.3", "10.1.2.4"},
+					},
+				},
+			},
+			setupRequest: func(request *x509.CertificateRequest) {
+				request.Subject.CommonName = "172-1-0-3.somenamespace.pod.example.com"
+				request.DNSNames = []string{
+					"172-1-0-3.somenamespace.pod.example.com",
+					"tls-service.somenamespace.svc.example.com",
+				}
+				request.IPAddresses = makeIps("172.1.0.3", "10.0.0.1", "10.1.2.3", "10.1.2.4")
+			},
+		},
 	} {
 		t.Run(testcase.name, func(t *testing.T) {
 			inspector, exists := inspectors.Get("altnamesforpod")

diff --git a/inspectors/subjectispodforuser/subjectispodforuser.go b/inspectors/subjectispodforuser/subjectispodforuser.go
@@ -46,13 +46,17 @@ func (s *subjectispodforuser) Inspect(client kubernetes.Interface, request *cert
 
 	filtered := make([]v1.Pod, 0, 1)
 	for _, pod := range podList.Items {
-		if pod.Status.Phase == v1.PodPending || pod.Status.Phase == v1.PodRunning {
-			filtered = append(filtered, pod)
+		if pod.DeletionTimestamp != nil {
+			continue
 		}
+		if pod.Status.Phase != v1.PodPending && pod.Status.Phase != v1.PodRunning {
+			continue
+		}
+		filtered = append(filtered, pod)
 	}
 
 	if len(filtered) == 0 {
-		return fmt.Sprintf("No running POD in namespace %q with IP %q", namespace, podIp), nil
+		return fmt.Sprintf("No pending or running POD in namespace %q with IP %q", namespace, podIp), nil
 	}
 	if len(filtered) > 1 {
 		logrus.Warnf("Subjectispodforuser found multiple pods for IP %q", podIp)

diff --git a/inspectors/subjectispodforuser/subjectispodforuser_test.go b/inspectors/subjectispodforuser/subjectispodforuser_test.go
@@ -23,6 +23,8 @@ func TestInspect(t *testing.T) {
 	key, err := rsa.GenerateKey(rand.Reader, 1024)
 	require.NoError(t, err, "Generate the private key")
 
+	nowTime := metaV1.Now()
+
 	for _, testcase := range []struct {
 		name            string
 		inspectorConfig string
@@ -129,13 +131,13 @@ func TestInspect(t *testing.T) {
 		// https://github.com/kubernetes/client-go/issues/326
 		//{
 		//	name:          "WrongPodIp",
-		//	expectMessage: "No running POD in namespace \"somenamespace\" with IP \"172.1.0.3\"",
+		//	expectMessage: "No pending or running POD in namespace \"somenamespace\" with IP \"172.1.0.3\"",
 		//	podNamespace:  "somenamespace",
 		//	podIp:         "172.1.0.36",
 		//},
 		{
 			name:          "WrongPodNamespace",
-			expectMessage: "No running POD in namespace \"somenamespace\" with IP \"172.1.0.3\"",
+			expectMessage: "No pending or running POD in namespace \"somenamespace\" with IP \"172.1.0.3\"",
 			podNamespace:  "other",
 		},
 		{
@@ -201,6 +203,52 @@ func TestInspect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "IgnoresPodMarkedForDeletion",
+			objects: []runtime.Object{
+				&v1.Pod{
+					TypeMeta: metaV1.TypeMeta{
+						Kind:       "Pod",
+						APIVersion: "v1",
+					},
+					ObjectMeta: metaV1.ObjectMeta{
+						Name:              "tls-app-579f7cd745-wrong",
+						Namespace:         "somenamespace",
+						DeletionTimestamp: &nowTime,
+						Labels: map[string]string{
+							"tag": "",
+						},
+					},
+					Spec: v1.PodSpec{
+						ServiceAccountName: "wrongserviceaccount",
+					},
+					Status: v1.PodStatus{
+						Phase: v1.PodRunning,
+						PodIP: "172.1.0.3",
+					},
+				},
+				&v1.Pod{
+					TypeMeta: metaV1.TypeMeta{
+						Kind:       "Pod",
+						APIVersion: "v1",
+					},
+					ObjectMeta: metaV1.ObjectMeta{
+						Name:      "tls-app-579f7cd745-t6fdg",
+						Namespace: "somenamespace",
+						Labels: map[string]string{
+							"tag": "",
+						},
+					},
+					Spec: v1.PodSpec{
+						ServiceAccountName: "someserviceaccount",
+					},
+					Status: v1.PodStatus{
+						Phase: v1.PodRunning,
+						PodIP: "172.1.0.3",
+					},
+				},
+			},
+		},
 		{
 			name:            "ConfiguredNotInClusterDomain",
 			inspectorConfig: "example.com",