Merge pull request kubernetes#95179 from stevenshuang/master

Replace AreLabelsInWhiteList with IsSubset
samuel-lee-msft · Oct 5, 2020 · c905130 · c905130
2 parents 0ef3707 + f0ea540
commit c905130
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 20 deletions.
diff --git a/plugin/pkg/admission/podnodeselector/admission.go b/plugin/pkg/admission/podnodeselector/admission.go
@@ -148,7 +148,7 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
 	if err != nil {
 		return err
 	}
-	if !labels.AreLabelsInWhiteList(pod.Spec.NodeSelector, whitelist) {
+	if !isSubset(pod.Spec.NodeSelector, whitelist) {
 		return errors.NewForbidden(resource, pod.Name, fmt.Errorf("pod node label selector labels conflict with its namespace whitelist"))
 	}
 
@@ -259,3 +259,20 @@ func (p *Plugin) getNodeSelectorMap(namespace *corev1.Namespace) (labels.Set, er
 	}
 	return selector, nil
 }
+
+func isSubset(subSet, superSet labels.Set) bool {
+	if len(superSet) == 0 {
+		return true
+	}
+
+	for k, v := range subSet {
+		value, ok := superSet[k]
+		if !ok {
+			return false
+		}
+		if value != v {
+			return false
+		}
+	}
+	return true
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/labels/labels.go b/staging/src/k8s.io/apimachinery/pkg/labels/labels.go
@@ -141,25 +141,6 @@ func Equals(labels1, labels2 Set) bool {
 	return true
 }
 
-// AreLabelsInWhiteList verifies if the provided label list
-// is in the provided whitelist and returns true, otherwise false.
-func AreLabelsInWhiteList(labels, whitelist Set) bool {
-	if len(whitelist) == 0 {
-		return true
-	}
-
-	for k, v := range labels {
-		value, ok := whitelist[k]
-		if !ok {
-			return false
-		}
-		if value != v {
-			return false
-		}
-	}
-	return true
-}
-
 // ConvertSelectorToLabelsMap converts selector string to labels map
 // and validates keys and values
 func ConvertSelectorToLabelsMap(selector string) (Set, error) {