From 35bea6c18fcc34421cb1d36352fb5ec728d9c0bb Mon Sep 17 00:00:00 2001
From: Krisztian Litkey
Date: Tue, 16 Jul 2024 18:09:40 +0300
Subject: [PATCH] cdi-device-injector: test hack to check scope of Role-based namespace access.
Signed-off-by: Krisztian Litkey
---
 cmd/plugins/cdi-device-injector/cdi-device-injector.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/cmd/plugins/cdi-device-injector/cdi-device-injector.go b/cmd/plugins/cdi-device-injector/cdi-device-injector.go
index 8d6ec5279..80da9caaf 100644
--- a/cmd/plugins/cdi-device-injector/cdi-device-injector.go
+++ b/cmd/plugins/cdi-device-injector/cdi-device-injector.go
@@ -54,6 +54,7 @@ type plugin struct {
 cdiCache *cdiCache
 namespace string
 client *client.Client
+ testHack bool
 }

 // CreateContainer handles container creation requests.
@@ -110,6 +111,11 @@ func (p *plugin) setupDevicePattern() {
 }
 log.Infof("using namespace %q", p.namespace)

+ if p.testHack {
+ p.namespace = p.namespace + "1"
+ log.Infof("TEST_HACK: using namespace %q instead", p.namespace)
+ }
+
 var (
 ctx = context.Background()
 opts = metav1.GetOptions{}
@@ -202,6 +208,7 @@ func main() {
 kubeConfig string
 opts []stub.Option
 clientOpts []client.Option
+ testHack bool
 err error
 )

@@ -215,6 +222,7 @@ func main() {
 flag.StringVar(&defaultCDIDevicePattern, "default-cdi-device-pattern", "*", "default glob pattern for allowed CDI device names if namespace is not annotated with "+allowPatternKey)
 flag.StringVar(&kubeConfig, "kubeconfig", "", "kubeconfig file to use")
 flag.BoolVar(&verbose, "verbose", false, "enable (more) verbose logging")
+ flag.BoolVar(&testHack, "verbose", false, "test hack to try access ${POD_NAMESPACE}1 instead")
 flag.Parse()

 if pluginName != "" {
@@ -242,6 +250,7 @@ func main() {
 // TODO: We should allow this to be configured
 Cache: cdi.GetDefaultCache(),
 },
+ testHack: testHack,
 }

 p.setupDevicePattern()
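Review bot: The test branch in setupDevicePattern overwrites `p.namespace` itself, so anything that reads the field after this point works with the probe namespace rather than the one the plugin was deployed in. Keeping the probe in a local, e.g. `ns := p.namespace` followed by `if p.testHack { ns += "1" }`, and passing `ns` only to the lookup would confine the effect to the Role-scope check. The rest of the function is outside the hunk, so how a denied or failed lookup is handled is not visible here. If it falls back to the default pattern, which main defaults to `*`, a run with the hack enabled would presumably leave every CDI device name allowed, and that case deserves a hard failure or at least a comment.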
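Review bot: The added `flag.BoolVar(&testHack, "verbose", ...)` reuses the name of the `verbose` flag registered on the line directly above it, and the standard flag package panics on a redefined flag, so the plugin would abort in main before `flag.Parse()` is reached. The switch needs its own name, for example `flag.BoolVar(&testHack, "test-hack", false, "test hack to try access ${POD_NAMESPACE}1 instead")`. Because this option changes which namespace the plugin queries for its allow pattern, a comment marking it as test-only and not for production deployments would help the next reader. main's body starts and ends outside the hunk.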