@@ -41,6 +41,7 @@ func NewReplicationController(g osgraph.Graph, rcNode *kubegraph.ReplicationCont

 	rcView := ReplicationController{}

 	rcView.RC = rcNode

+	rcView.ConflictingRCIDToPods = map[int][]*kubegraph.PodNode{}

 	for _, uncastPodNode := range g.PredecessorNodesByEdgeKind(rcNode, kubeedges.ManagedByRCEdgeKind) {

 		podNode := uncastPodNode.(*kubegraph.PodNode)

new file mode 100644

@@ -0,0 +1,96 @@

+package graph

+

+import (

+	"github.com/gonum/graph"

+)

+

+// Marker is a struct that describes something interesting on a Node

+type Marker struct {

+	// Node is the optional node that this message is attached to

+	Node graph.Node

+	// RelatedNodes is an optional list of other nodes that are involved in this marker.

+	RelatedNodes []graph.Node

+

+	// Severity indicates how important this problem is.

+	Severity Severity

+	// Key is a short string to identify this message

+	Key string

+	// Message is a human-readable string that describes what is interesting

+	Message string

+}

+

+// Severity indicates how important this problem is.

+type Severity string

+

+const (

+	// InfoSeverity is interesting

+	InfoSeverity Severity = "info"

+	// WarningSeverity is probably wrong, but we aren't certain

+	WarningSeverity Severity = "warning"

+	// ErrorSeverity is definitely wrong, this won't work

+	ErrorSeverity Severity = "error"

+)

+

+type Markers []Marker

+

+// MarkerScanner is a function for analyzing a graph and finding interesting things in it

+type MarkerScanner func(g Graph) []Marker

+

+func (m Markers) BySeverity(severity Severity) []Marker {

+	ret := []Marker{}

+	for i := range m {

+		if m[i].Severity == severity {

+			ret = append(ret, m[i])

+		}

+	}

+

+	return ret

+}

+

+type BySeverity []Marker

+

+func (m BySeverity) Len() int      { return len(m) }

+func (m BySeverity) Swap(i, j int) { m[i], m[j] = m[j], m[i] }

+func (m BySeverity) Less(i, j int) bool {

+	lhs := m[i]

+	rhs := m[j]

+

+	switch lhs.Severity {

+	case ErrorSeverity:

+		switch rhs.Severity {

+		case ErrorSeverity:

+			return false

+		}

+	case WarningSeverity:

+		switch rhs.Severity {

+		case ErrorSeverity, WarningSeverity:

+			return false

+		}

+	case InfoSeverity:

+		switch rhs.Severity {

+		case ErrorSeverity, WarningSeverity, InfoSeverity:

+			return false

+		}

+	}

+

+	return true

+}

+

+type ByNodeID []Marker

+

+func (m ByNodeID) Len() int      { return len(m) }

+func (m ByNodeID) Swap(i, j int) { m[i], m[j] = m[j], m[i] }

+func (m ByNodeID) Less(i, j int) bool {

+	if m[i].Node == nil {

+		return true

+	}

+	return m[i].Node.ID() < m[j].Node.ID()

+}

+

+type ByKey []Marker

+

+func (m ByKey) Len() int      { return len(m) }

+func (m ByKey) Swap(i, j int) { m[i], m[j] = m[j], m[i] }

+func (m ByKey) Less(i, j int) bool {

+	return m[i].Key < m[j].Key

+}

@@ -1,13 +1,88 @@

 package analysis

 import (

+	"fmt"

+

+	"github.com/gonum/graph"

+

 	osgraph "github.com/openshift/origin/pkg/api/graph"

 	kubeedges "github.com/openshift/origin/pkg/api/kubegraph"

 	kubegraph "github.com/openshift/origin/pkg/api/kubegraph/nodes"

 )

-// CheckMountedSecrets checks to be sure that all the referenced secrets are mountable (by service account) and present (not synthetic)

-func CheckMountedSecrets(g osgraph.Graph, podSpecNode *kubegraph.PodSpecNode) ( /*unmountable secrets*/ []*kubegraph.SecretNode /*unresolved secrets*/, []*kubegraph.SecretNode) {

+const (

+	UnmountableSecretWarning = "UnmountableSecret"

+	MissingSecretWarning     = "MissingSecret"

+)

+

+// FindUnmountableSecrets inspects all PodSpecs for any Secret reference that isn't listed as mountable by the referenced ServiceAccount

+func FindUnmountableSecrets(g osgraph.Graph) []osgraph.Marker {

+	markers := []osgraph.Marker{}

+

+	for _, uncastPodSpecNode := range g.NodesByKind(kubegraph.PodSpecNodeKind) {

+		podSpecNode := uncastPodSpecNode.(*kubegraph.PodSpecNode)

+		unmountableSecrets := CheckForUnmountableSecrets(g, podSpecNode)

+

+		topLevelNode := osgraph.GetTopLevelContainerNode(g, podSpecNode)

+		topLevelString := g.Name(topLevelNode)

+		if resourceStringer, ok := topLevelNode.(osgraph.ResourceNode); ok {

+			topLevelString = resourceStringer.ResourceString()

+		}

+

+		saString := "MISSING_SA"

+		saNodes := g.SuccessorNodesByEdgeKind(podSpecNode, kubeedges.ReferencedServiceAccountEdgeKind)

+		if len(saNodes) > 0 {

+			saString = saNodes[0].(*kubegraph.ServiceAccountNode).ResourceString()

+		}

+

+		for _, unmountableSecret := range unmountableSecrets {

+			markers = append(markers, osgraph.Marker{

+				Node:         podSpecNode,

+				RelatedNodes: []graph.Node{unmountableSecret},

+

+				Severity: osgraph.WarningSeverity,

+				Key:      UnmountableSecretWarning,

+				Message: fmt.Sprintf("%s is attempting to mount a secret %s disallowed by %s",

+					topLevelString, unmountableSecret.ResourceString(), saString),

+			})

+		}

+	}

+

+	return markers

+}

+

+// FindMissingSecrets inspects all PodSpecs for any Secret reference that is a synthetic node (not a pre-existing node in the graph)

+func FindMissingSecrets(g osgraph.Graph) []osgraph.Marker {

+	markers := []osgraph.Marker{}

+

+	for _, uncastPodSpecNode := range g.NodesByKind(kubegraph.PodSpecNodeKind) {

+		podSpecNode := uncastPodSpecNode.(*kubegraph.PodSpecNode)

+		missingSecrets := CheckMissingMountedSecrets(g, podSpecNode)

+

+		topLevelNode := osgraph.GetTopLevelContainerNode(g, podSpecNode)

+		topLevelString := g.Name(topLevelNode)

+		if resourceStringer, ok := topLevelNode.(osgraph.ResourceNode); ok {

+			topLevelString = resourceStringer.ResourceString()

+		}

+

+		for _, missingSecret := range missingSecrets {

+			markers = append(markers, osgraph.Marker{

+				Node:         podSpecNode,

+				RelatedNodes: []graph.Node{missingSecret},

+

+				Severity: osgraph.WarningSeverity,

+				Key:      UnmountableSecretWarning,

+				Message: fmt.Sprintf("%s is attempting to mount a missing secret %s",

+					topLevelString, missingSecret.ResourceString()),

+			})

+		}

+	}

+

+	return markers

+}

+

+// CheckForUnmountableSecrets checks to be sure that all the referenced secrets are mountable (by service account)

+func CheckForUnmountableSecrets(g osgraph.Graph, podSpecNode *kubegraph.PodSpecNode) []*kubegraph.SecretNode {

 	saNodes := g.SuccessorNodesByNodeAndEdgeKind(podSpecNode, kubegraph.ServiceAccountNodeKind, kubeedges.ReferencedServiceAccountEdgeKind)

 	saMountableSecrets := []*kubegraph.SecretNode{}

@@ -19,13 +94,9 @@ func CheckMountedSecrets(g osgraph.Graph, podSpecNode *kubegraph.PodSpecNode) (

 	}

 	unmountableSecrets := []*kubegraph.SecretNode{}

-	missingSecrets := []*kubegraph.SecretNode{}

 	for _, uncastMountedSecretNode := range g.SuccessorNodesByNodeAndEdgeKind(podSpecNode, kubegraph.SecretNodeKind, kubeedges.MountedSecretEdgeKind) {

 		mountedSecretNode := uncastMountedSecretNode.(*kubegraph.SecretNode)

-		if !mountedSecretNode.Found() {

-			missingSecrets = append(missingSecrets, mountedSecretNode)

-		}

 		mountable := false

 		for _, mountableSecretNode := range saMountableSecrets {

@@ -41,5 +112,19 @@ func CheckMountedSecrets(g osgraph.Graph, podSpecNode *kubegraph.PodSpecNode) (

 		}

 	}

-	return unmountableSecrets, missingSecrets

+	return unmountableSecrets

+}

+

+// CheckMissingMountedSecrets checks to be sure that all the referenced secrets are present (not synthetic)

+func CheckMissingMountedSecrets(g osgraph.Graph, podSpecNode *kubegraph.PodSpecNode) []*kubegraph.SecretNode {

+	missingSecrets := []*kubegraph.SecretNode{}

+

+	for _, uncastMountedSecretNode := range g.SuccessorNodesByNodeAndEdgeKind(podSpecNode, kubegraph.SecretNodeKind, kubeedges.MountedSecretEdgeKind) {

+		mountedSecretNode := uncastMountedSecretNode.(*kubegraph.SecretNode)

+		if !mountedSecretNode.Found() {

+			missingSecrets = append(missingSecrets, mountedSecretNode)

+		}

+	}

+

+	return missingSecrets

 }

new file mode 100644

@@ -0,0 +1,83 @@

+package analysis

+

+import (

+	"testing"

+

+	osgraph "github.com/openshift/origin/pkg/api/graph"

+	osgraphtest "github.com/openshift/origin/pkg/api/graph/test"

+	kubeedges "github.com/openshift/origin/pkg/api/kubegraph"

+)

+

+func TestMissingSecrets(t *testing.T) {

+	g, _, err := osgraphtest.BuildGraph("../../../api/graph/test/bad_secret_refs.yaml")

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+

+	kubeedges.AddAllRequestedServiceAccountEdges(g)

+	kubeedges.AddAllMountableSecretEdges(g)

+	kubeedges.AddAllMountedSecretEdges(g)

+

+	markers := FindMissingSecrets(g)

+	if e, a := 1, len(markers); e != a {

+		t.Fatalf("expected %v, got %v", e, a)

+	}

+

+	actualDC := osgraph.GetTopLevelContainerNode(g, markers[0].Node)

+	expectedDC := g.Find(osgraph.UniqueName("DeploymentConfig|/docker-nfs-server"))

+	if e, a := expectedDC.ID(), actualDC.ID(); e != a {

+		t.Errorf("expected %v, got %v", e, a)

+	}

+

+	actualSecret := markers[0].RelatedNodes[0]

+	expectedSecret := g.Find(osgraph.UniqueName("Secret|/missing-secret"))

+	if e, a := expectedSecret.ID(), actualSecret.ID(); e != a {

+		t.Errorf("expected %v, got %v", e, a)

+

+	}

+}

+

+func TestUnmountableSecrets(t *testing.T) {

+	g, _, err := osgraphtest.BuildGraph("../../../api/graph/test/bad_secret_refs.yaml")

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+

+	kubeedges.AddAllRequestedServiceAccountEdges(g)

+	kubeedges.AddAllMountableSecretEdges(g)

+	kubeedges.AddAllMountedSecretEdges(g)

+

+	markers := FindUnmountableSecrets(g)

+	if e, a := 2, len(markers); e != a {

+		t.Errorf("expected %v, got %v", e, a)

+	}

+

+	expectedSecret1 := g.Find(osgraph.UniqueName("Secret|/missing-secret"))

+	expectedSecret2 := g.Find(osgraph.UniqueName("Secret|/unmountable-secret"))

+	found1 := false

+	found2 := false

+

+	for i := 0; i < 2; i++ {

+		actualDC := osgraph.GetTopLevelContainerNode(g, markers[i].Node)

+		expectedDC := g.Find(osgraph.UniqueName("DeploymentConfig|/docker-nfs-server"))

+		if e, a := expectedDC.ID(), actualDC.ID(); e != a {

+			t.Errorf("expected %v, got %v", e, a)

+		}

+

+		actualSecret := markers[i].RelatedNodes[0]

+		if e, a := expectedSecret1.ID(), actualSecret.ID(); e == a {

+			found1 = true

+		}

+		if e, a := expectedSecret2.ID(), actualSecret.ID(); e == a {

+			found2 = true

+		}

+	}

+

+	if !found1 {

+		t.Errorf("expected %v, got %v", expectedSecret1, markers)

+	}

+

+	if !found2 {

+		t.Errorf("expected %v, got %v", expectedSecret2, markers)

+	}

+}

new file mode 100644

@@ -0,0 +1,85 @@

+package analysis

+

+import (

+	"fmt"

+	"strings"

+

+	"github.com/gonum/graph"

+	"github.com/gonum/graph/topo"

+

+	osgraph "github.com/openshift/origin/pkg/api/graph"

+	buildedges "github.com/openshift/origin/pkg/build/graph"

+	buildgraph "github.com/openshift/origin/pkg/build/graph/nodes"

+	imageedges "github.com/openshift/origin/pkg/image/graph"

+	imagegraph "github.com/openshift/origin/pkg/image/graph/nodes"

+)

+

+const (

+	MissingRequiredRegistryWarning = "MissingRequiredRegistry"

+	CyclicBuildConfigWarning       = "CyclicBuildConfig"

+)

+

+// FindUnpushableBuildConfigs checks all build configs that will output to an IST backed by an ImageStream and checks to make sure their builds can push.

+func FindUnpushableBuildConfigs(g osgraph.Graph) []osgraph.Marker {

+	markers := []osgraph.Marker{}

+

+bc:

+	for _, bcNode := range g.NodesByKind(buildgraph.BuildConfigNodeKind) {

+		for _, istNode := range g.SuccessorNodesByEdgeKind(bcNode, buildedges.BuildOutputEdgeKind) {

+			for _, uncastImageStreamNode := range g.SuccessorNodesByEdgeKind(istNode, imageedges.ReferencedImageStreamGraphEdgeKind) {

+				imageStreamNode := uncastImageStreamNode.(*imagegraph.ImageStreamNode)

+

+				if len(imageStreamNode.Status.DockerImageRepository) == 0 {

+					markers = append(markers, osgraph.Marker{

+						Node:         bcNode,

+						RelatedNodes: []graph.Node{istNode},

+

+						Severity: osgraph.WarningSeverity,

+						Key:      MissingRequiredRegistryWarning,

+						Message: fmt.Sprintf("%s is pushing to %s that is using %s, but the administrator has not configured the integrated Docker registry.  (oadm registry)",

+							bcNode.(*buildgraph.BuildConfigNode).ResourceString(), istNode.(*imagegraph.ImageStreamTagNode).ResourceString(), imageStreamNode.ResourceString()),

+					})

+

+					continue bc

+				}

+			}

+		}

+	}

+

+	return markers

+}

+

+// FindCircularBuilds checks all build configs for cycles

+func FindCircularBuilds(g osgraph.Graph) []osgraph.Marker {

+	// Filter out all but ImageStreamTag and BuildConfig nodes

+	nodeFn := osgraph.NodesOfKind(imagegraph.ImageStreamTagNodeKind, buildgraph.BuildConfigNodeKind)

+	// Filter out all but BuildInputImage and BuildOutput edges

+	edgeFn := osgraph.EdgesOfKind(buildedges.BuildInputImageEdgeKind, buildedges.BuildOutputEdgeKind)

+

+	// Create desired subgraph

+	sub := g.Subgraph(nodeFn, edgeFn)

+

+	markers := []osgraph.Marker{}

+

+	// Check for cycles

+	for _, cycle := range topo.CyclesIn(sub) {

+		nodeNames := []string{}

+		for _, node := range cycle {

+			if resourceStringer, ok := node.(osgraph.ResourceNode); ok {

+				nodeNames = append(nodeNames, resourceStringer.ResourceString())

+			}

+		}

+

+		markers = append(markers, osgraph.Marker{

+			Node:         cycle[0],

+			RelatedNodes: cycle,

+

+			Severity: osgraph.WarningSeverity,

+			Key:      CyclicBuildConfigWarning,

+			Message:  fmt.Sprintf("Cycle detected in build configurations: %s", strings.Join(nodeNames, " -> ")),

+		})

+

+	}

+

+	return markers

+}

new file mode 100644

@@ -0,0 +1,75 @@

+package analysis

+

+import (

+	"testing"

+

+	osgraph "github.com/openshift/origin/pkg/api/graph"

+	osgraphtest "github.com/openshift/origin/pkg/api/graph/test"

+	buildedges "github.com/openshift/origin/pkg/build/graph"

+	imageedges "github.com/openshift/origin/pkg/image/graph"

+)

+

+func TestUnpushableBuild(t *testing.T) {

+	g, _, err := osgraphtest.BuildGraph("../../../api/graph/test/unpushable-build.yaml")

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+

+	buildedges.AddAllInputOutputEdges(g)

+	imageedges.AddAllImageStreamRefEdges(g)

+

+	markers := FindUnpushableBuildConfigs(g)

+	if e, a := 1, len(markers); e != a {

+		t.Fatalf("expected %v, got %v", e, a)

+	}

+

+	actualBC := osgraph.GetTopLevelContainerNode(g, markers[0].Node)

+	expectedBC := g.Find(osgraph.UniqueName("BuildConfig|/ruby-hello-world"))

+	if e, a := expectedBC.ID(), actualBC.ID(); e != a {

+		t.Errorf("expected %v, got %v", e, a)

+	}

+

+	actualIST := markers[0].RelatedNodes[0]

+	expectedIST := g.Find(osgraph.UniqueName("ImageStreamTag|/ruby-hello-world:latest"))

+	if e, a := expectedIST.ID(), actualIST.ID(); e != a {

+		t.Errorf("expected %v, got %v: \n%v", e, a, g)

+	}

+

+}

+

+func TestPushableBuild(t *testing.T) {

+	g, _, err := osgraphtest.BuildGraph("../../../api/graph/test/pushable-build.yaml")

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+

+	buildedges.AddAllInputOutputEdges(g)

+	imageedges.AddAllImageStreamRefEdges(g)

+

+	if e, a := 0, len(FindUnpushableBuildConfigs(g)); e != a {

+		t.Errorf("expected %v, got %v", e, a)

+	}

+}

+

+func TestCircularDeps(t *testing.T) {

+	g, _, err := osgraphtest.BuildGraph("../../../api/graph/test/circular.yaml")

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	buildedges.AddAllInputOutputEdges(g)

+

+	if len(FindCircularBuilds(g)) != 1 {

+		t.Fatalf("expected having circular dependencies")

+	}

+

+	not, _, err := osgraphtest.BuildGraph("../../../api/graph/test/circular-not.yaml")

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	buildedges.AddAllInputOutputEdges(not)

+

+	if len(FindCircularBuilds(not)) != 0 {

+		t.Fatalf("expected not having circular dependencies")

+	}

+

+}

@@ -3,6 +3,7 @@ package describe

 import (

 	"fmt"

 	"io"

+	"sort"

 	"strings"

 	"text/tabwriter"

@@ -12,7 +13,6 @@ import (

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

 	utilerrors "github.com/GoogleCloudPlatform/kubernetes/pkg/util/errors"

-	"github.com/gonum/graph/topo"

 	osgraph "github.com/openshift/origin/pkg/api/graph"

 	"github.com/openshift/origin/pkg/api/graph/graphview"

@@ -21,6 +21,7 @@ import (

 	kubegraph "github.com/openshift/origin/pkg/api/kubegraph/nodes"

 	buildapi "github.com/openshift/origin/pkg/build/api"

 	buildedges "github.com/openshift/origin/pkg/build/graph"

+	buildanalysis "github.com/openshift/origin/pkg/build/graph/analysis"

 	buildgraph "github.com/openshift/origin/pkg/build/graph/nodes"

 	"github.com/openshift/origin/pkg/client"

 	deployapi "github.com/openshift/origin/pkg/deploy/api"

@@ -161,14 +162,23 @@ func (d *ProjectStatusDescriber) Describe(namespace, name string) (string, error

 		// always output warnings

 		fmt.Fprintln(out)

-		if hasUnresolvedImageStreamTag(g) {

-			fmt.Fprintln(out, "Warning: Some of your builds are pointing to image streams, but the administrator has not configured the integrated Docker registry (oadm registry).")

+		allMarkers := osgraph.Markers{}

+		for _, scanner := range getMarkerScanners() {

+			allMarkers = append(allMarkers, scanner(g)...)

 		}

-		if hasCircularDependencies(g) {

-			fmt.Fprintln(out, "Warning: Some of your build configurations have circular dependencies.")

+		sort.Stable(osgraph.ByKey(allMarkers))

+		sort.Stable(osgraph.ByNodeID(allMarkers))

+		if errorMarkers := allMarkers.BySeverity(osgraph.ErrorSeverity); len(errorMarkers) > 0 {

+			fmt.Fprintln(out, "Errors:")

+			for _, marker := range errorMarkers {

+				fmt.Fprintln(out, indent+marker.Message)

+			}

 		}

-		if lines, _ := describeBadPodSpecs(out, g); len(lines) > 0 {

-			fmt.Fprintln(out, strings.Join(lines, "\n"))

+		if warningMarkers := allMarkers.BySeverity(osgraph.WarningSeverity); len(warningMarkers) > 0 {

+			fmt.Fprintln(out, "Warnings:")

+			for _, marker := range warningMarkers {

+				fmt.Fprintln(out, indent+marker.Message)

+			}

 		}

 		if (len(services) == 0) && (len(standaloneDCs) == 0) && (len(standaloneImages) == 0) {

@@ -184,77 +194,13 @@ func (d *ProjectStatusDescriber) Describe(namespace, name string) (string, error

 	})

 }

-// hasUnresolvedImageStreamTag checks all build configs that will output to an IST backed by an ImageStream and checks to make sure their builds can push.

-func hasUnresolvedImageStreamTag(g osgraph.Graph) bool {

-	for _, bcNode := range g.NodesByKind(buildgraph.BuildConfigNodeKind) {

-		for _, istNode := range g.SuccessorNodesByEdgeKind(bcNode, buildedges.BuildOutputEdgeKind) {

-			for _, uncastImageStreamNode := range g.SuccessorNodesByEdgeKind(istNode, imageedges.ReferencedImageStreamGraphEdgeKind) {

-				imageStreamNode := uncastImageStreamNode.(*imagegraph.ImageStreamNode)

-				if len(imageStreamNode.Status.DockerImageRepository) == 0 {

-					return true

-				}

-			}

-		}

+func getMarkerScanners() []osgraph.MarkerScanner {

+	return []osgraph.MarkerScanner{

+		kubeanalysis.FindUnmountableSecrets,

+		kubeanalysis.FindMissingSecrets,

+		buildanalysis.FindUnpushableBuildConfigs,

+		buildanalysis.FindCircularBuilds,

 	}

-

-	return false

-}

-

-func hasCircularDependencies(g osgraph.Graph) bool {

-	// Filter out all but ImageStreamTag and BuildConfig nodes

-	nodeFn := osgraph.NodesOfKind(imagegraph.ImageStreamTagNodeKind, buildgraph.BuildConfigNodeKind)

-	// Filter out all but BuildInputImage and BuildOutput edges

-	edgeFn := osgraph.EdgesOfKind(buildedges.BuildInputImageEdgeKind, buildedges.BuildOutputEdgeKind)

-

-	// Create desired subgraph

-	sub := g.Subgraph(nodeFn, edgeFn)

-

-	// Check for cycles

-	return len(topo.CyclesIn(sub)) != 0

-}

-

-func describeBadPodSpecs(out io.Writer, g osgraph.Graph) ([]string, []*kubegraph.SecretNode) {

-	allMissingSecrets := []*kubegraph.SecretNode{}

-	lines := []string{}

-

-	for _, uncastPodSpec := range g.NodesByKind(kubegraph.PodSpecNodeKind) {

-		podSpecNode := uncastPodSpec.(*kubegraph.PodSpecNode)

-		unmountableSecrets, missingSecrets := kubeanalysis.CheckMountedSecrets(g, podSpecNode)

-		containingNode := osgraph.GetTopLevelContainerNode(g, podSpecNode)

-

-		allMissingSecrets = append(allMissingSecrets, missingSecrets...)

-

-		unmountableNames := []string{}

-		for _, secret := range unmountableSecrets {

-			unmountableNames = append(unmountableNames, secret.ResourceString())

-		}

-

-		missingNames := []string{}

-		for _, secret := range missingSecrets {

-			missingNames = append(missingNames, secret.ResourceString())

-		}

-

-		containingNodeName := g.GraphDescriber.Name(containingNode)

-		if resourceNode, ok := containingNode.(osgraph.ResourceNode); ok {

-			containingNodeName = resourceNode.ResourceString()

-		}

-

-		switch {

-		case len(unmountableSecrets) > 0 && len(missingSecrets) > 0:

-			lines = append(lines, fmt.Sprintf("\t%s is not allowed to mount %s and wants to mount these missing secrets %s", containingNodeName, strings.Join(unmountableNames, ","), strings.Join(missingNames, ",")))

-		case len(unmountableSecrets) > 0:

-			lines = append(lines, fmt.Sprintf("\t%s is not allowed to mount %s", containingNodeName, strings.Join(unmountableNames, ",")))

-		case len(unmountableSecrets) > 0 && len(missingSecrets) > 0:

-			lines = append(lines, fmt.Sprintf("\t%s wants to mount these missing secrets %s", containingNodeName, strings.Join(missingNames, ",")))

-		}

-	}

-

-	// if we had any failures, prepend the warning line

-	if len(lines) > 0 {

-		return append([]string{"Warning: some requested secrets are not allowed:"}, lines...), allMissingSecrets

-	}

-

-	return []string{}, allMissingSecrets

 }

 func printLines(out io.Writer, indent string, depth int, lines ...string) {

@@ -10,10 +10,7 @@ import (

 	ktestclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client/testclient"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

-	osgraphtest "github.com/openshift/origin/pkg/api/graph/test"

-	buildedges "github.com/openshift/origin/pkg/build/graph"

 	"github.com/openshift/origin/pkg/client/testclient"

-	imageedges "github.com/openshift/origin/pkg/image/graph"

 	projectapi "github.com/openshift/origin/pkg/project/api"

 )

@@ -25,57 +22,6 @@ func mustParseTime(t string) time.Time {

 	return out

 }

-func TestUnpushableBuild(t *testing.T) {

-	g, _, err := osgraphtest.BuildGraph("../../../api/graph/test/unpushable-build.yaml")

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-

-	buildedges.AddAllInputOutputEdges(g)

-	imageedges.AddAllImageStreamRefEdges(g)

-

-	if e, a := true, hasUnresolvedImageStreamTag(g); e != a {

-		t.Errorf("expected %v, got %v", e, a)

-	}

-}

-

-func TestPushableBuild(t *testing.T) {

-	g, _, err := osgraphtest.BuildGraph("../../../api/graph/test/pushable-build.yaml")

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-

-	buildedges.AddAllInputOutputEdges(g)

-	imageedges.AddAllImageStreamRefEdges(g)

-

-	if e, a := false, hasUnresolvedImageStreamTag(g); e != a {

-		t.Errorf("expected %v, got %v", e, a)

-	}

-}

-

-func TestCircularDeps(t *testing.T) {

-	g, _, err := osgraphtest.BuildGraph("../../../api/graph/test/circular.yaml")

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-	buildedges.AddAllInputOutputEdges(g)

-

-	if !hasCircularDependencies(g) {

-		t.Fatalf("expected having circular dependencies")

-	}

-

-	not, _, err := osgraphtest.BuildGraph("../../../api/graph/test/circular-not.yaml")

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-	buildedges.AddAllInputOutputEdges(not)

-

-	if hasCircularDependencies(not) {

-		t.Fatalf("expected not having circular dependencies")

-	}

-

-}

-

 func TestProjectStatus(t *testing.T) {

 	testCases := map[string]struct {

 		Path     string

@@ -148,8 +94,9 @@ func TestProjectStatus(t *testing.T) {

 				"In project example\n",

 				"rc/my-rc runs openshift/mysql-55-centos7",

 				"0/1 pods growing to 1",

-				"is not allowed to mount secret/existing-secret",

-				"these missing secrets secret/dne",

+				"rc/my-rc is attempting to mount a secret secret/existing-secret disallowed by sa/default",

+				"rc/my-rc is attempting to mount a secret secret/dne disallowed by sa/default",

+				"rc/my-rc is attempting to mount a missing secret secret/dne",

 			},

 		},

 		"service with pod": {

@@ -199,6 +146,30 @@ func TestProjectStatus(t *testing.T) {

 				"To see more, use",

 			},

 		},

+		"unpushable build": {

+			Path: "../../../../pkg/api/graph/test/unpushable-build.yaml",

+			Extra: []runtime.Object{

+				&projectapi.Project{

+					ObjectMeta: kapi.ObjectMeta{Name: "example", Namespace: ""},

+				},

+			},

+			ErrFn: func(err error) bool { return err == nil },

+			Contains: []string{

+				"bc/ruby-hello-world is pushing to imagestreamtag/ruby-hello-world:latest that is using is/ruby-hello-world, but the administrator has not configured the integrated Docker registry.",

+			},

+		},

+		"cyclical build": {

+			Path: "../../../../pkg/api/graph/test/circular.yaml",

+			Extra: []runtime.Object{

+				&projectapi.Project{

+					ObjectMeta: kapi.ObjectMeta{Name: "example", Namespace: ""},

+				},

+			},

+			ErrFn: func(err error) bool { return err == nil },

+			Contains: []string{

+				"Cycle detected in build configurations:",

+			},

+		},

 		"running build": {

 			Path: "../../../../test/fixtures/app-scenarios/new-project-one-build.yaml",

 			Extra: []runtime.Object{

@@ -294,6 +265,5 @@ func TestProjectStatus(t *testing.T) {

 				t.Errorf("%s: did not have %q:\n%s\n---", k, s, out)

 			}

 		}

-		t.Logf("\n%s", out)

 	}

 }

deleted file mode 100644

@@ -1,54 +0,0 @@

-package analysis

-

-import (

-	"github.com/gonum/graph"

-

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

-

-	osgraph "github.com/openshift/origin/pkg/api/graph"

-	"github.com/openshift/origin/pkg/api/graph/graphview"

-	kubeanalysis "github.com/openshift/origin/pkg/api/kubegraph/analysis"

-	kubegraph "github.com/openshift/origin/pkg/api/kubegraph/nodes"

-	deploygraph "github.com/openshift/origin/pkg/deploy/graph/nodes"

-)

-

-// DescendentNodesByNodeKind starts at the root navigates down the root.  Every edge is checked against the edgeChecker

-// to determine whether or not to follow it.  The nodes at the tail end of every chased edge are then checked against the

-// the targetNodeKind.  Matches are added to the return and every checked node then has its edges checked: lather, rinse, repeat

-func DescendentNodesByNodeKind(g osgraph.Graph, visitedNodes graphview.IntSet, node graph.Node, targetNodeKind string, edgeChecker osgraph.EdgeFunc) []graph.Node {

-	if visitedNodes.Has(node.ID()) {

-		return []graph.Node{}

-	}

-	visitedNodes.Insert(node.ID())

-

-	ret := []graph.Node{}

-	for _, successor := range g.From(node) {

-		edge := g.Edge(node, successor)

-

-		if edgeChecker(osgraph.New(), node, successor, g.EdgeKinds(edge)) {

-			if g.Kind(successor) == targetNodeKind {

-				ret = append(ret, successor)

-			}

-

-			ret = append(ret, DescendentNodesByNodeKind(g, visitedNodes, successor, targetNodeKind, edgeChecker)...)

-		}

-	}

-

-	return ret

-}

-

-// CheckMountedSecrets checks to be sure that all the referenced secrets are mountable (by service account) and present (not synthetic)

-func CheckMountedSecrets(g osgraph.Graph, dcNode *deploygraph.DeploymentConfigNode) ( /*unmountable secrets*/ []*kubegraph.SecretNode /*unresolved secrets*/, []*kubegraph.SecretNode) {

-	podSpecs := DescendentNodesByNodeKind(g, graphview.IntSet{}, dcNode, kubegraph.PodSpecNodeKind, func(g osgraph.Interface, head, tail graph.Node, edgeKinds util.StringSet) bool {

-		if edgeKinds.Has(osgraph.ContainsEdgeKind) {

-			return true

-		}

-		return false

-	})

-

-	if len(podSpecs) > 0 {

-		return kubeanalysis.CheckMountedSecrets(g, podSpecs[0].(*kubegraph.PodSpecNode))

-	}

-

-	return []*kubegraph.SecretNode{}, []*kubegraph.SecretNode{}

-}

deleted file mode 100644

@@ -1,45 +0,0 @@

-package analysis

-

-import (

-	"testing"

-

-	osgraphtest "github.com/openshift/origin/pkg/api/graph/test"

-	kubeedges "github.com/openshift/origin/pkg/api/kubegraph"

-	deployapi "github.com/openshift/origin/pkg/deploy/api"

-	deploygraph "github.com/openshift/origin/pkg/deploy/graph/nodes"

-)

-

-func TestCheckMountedSecrets(t *testing.T) {

-	g, objs, err := osgraphtest.BuildGraph("../../../api/graph/test/bad_secret_refs.yaml")

-	if err != nil {

-		t.Fatalf("unexpected error: %v", err)

-	}

-

-	var dc *deployapi.DeploymentConfig

-	for _, obj := range objs {

-		if currDC, ok := obj.(*deployapi.DeploymentConfig); ok {

-			if dc != nil {

-				t.Errorf("got more than one dc: %v", currDC)

-			}

-			dc = currDC

-		}

-	}

-

-	kubeedges.AddAllRequestedServiceAccountEdges(g)

-	kubeedges.AddAllMountableSecretEdges(g)

-	kubeedges.AddAllMountedSecretEdges(g)

-

-	dcNode := g.Find(deploygraph.DeploymentConfigNodeName(dc))

-	unmountable, missing := CheckMountedSecrets(g, dcNode.(*deploygraph.DeploymentConfigNode))

-

-	if e, a := 2, len(unmountable); e != a {

-		t.Fatalf("expected %v, got %v", e, a)

-	}

-

-	if e, a := 1, len(missing); e != a {

-		t.Fatalf("expected %v, got %v", e, a)

-	}

-	if e, a := "missing-secret", missing[0].Name; e != a {

-		t.Fatalf("expected %v, got %v", e, a)

-	}

-}