@@ -20,9 +20,10 @@ import (

 const NewProjectRecommendedName = "new-project"

 type NewProjectOptions struct {

-	ProjectName string

-	DisplayName string

-	Description string

+	ProjectName  string

+	DisplayName  string

+	Description  string

+	NodeSelector string

 	Client client.Interface

@@ -56,6 +57,7 @@ func NewCmdNewProject(name, fullName string, f *clientcmd.Factory, out io.Writer

 	cmd.Flags().StringVar(&options.AdminUser, "admin", "", "project admin username")

 	cmd.Flags().StringVar(&options.DisplayName, "display-name", "", "project display name")

 	cmd.Flags().StringVar(&options.Description, "description", "", "project description")

+	cmd.Flags().StringVar(&options.NodeSelector, "node-selector", "", "Restrict pods onto nodes matching given label selector. Format: '<key1>=<value1>, <key2>=<value2>...'")

 	return cmd

 }

@@ -83,6 +85,7 @@ func (o *NewProjectOptions) Run() error {

 	project.Annotations = make(map[string]string)

 	project.Annotations["description"] = o.Description

 	project.Annotations["displayName"] = o.DisplayName

+	project.Annotations["openshift.io/node-selector"] = o.NodeSelector

 	project, err := o.Client.Projects().Create(project)

 	if err != nil {

 		return err

@@ -18,9 +18,10 @@ import (

 )

 type NewProjectOptions struct {

-	ProjectName string

-	DisplayName string

-	Description string

+	ProjectName  string

+	DisplayName  string

+	Description  string

+	NodeSelector string

 	Client client.Interface

@@ -40,8 +41,8 @@ After your project is created you can switch to it using %[2]s <project name>.`

 	requestProject_example = `  // Create a new project with minimal information

   $ %[1]s web-team-dev

-  // Create a new project with a description

-  $ %[1]s web-team-dev --display-name="Web Team Development" --description="Development project for the web team."`

+  // Create a new project with a description and node selector

+  $ %[1]s web-team-dev --display-name="Web Team Development" --description="Development project for the web team." --node-selector="env=dev"`

 )

 func NewCmdRequestProject(name, fullName, oscLoginName, oscProjectName string, f *clientcmd.Factory, out io.Writer) *cobra.Command {

@@ -49,7 +50,7 @@ func NewCmdRequestProject(name, fullName, oscLoginName, oscProjectName string, f

 	options.Out = out

 	cmd := &cobra.Command{

-		Use:     fmt.Sprintf("%s NAME [--display-name=DISPLAYNAME] [--description=DESCRIPTION]", name),

+		Use:     fmt.Sprintf("%s NAME [--display-name=DISPLAYNAME] [--description=DESCRIPTION] [--node-selector=<label selector>]", name),

 		Short:   "Request a new project",

 		Long:    fmt.Sprintf(requestProject_long, oscLoginName, oscProjectName),

 		Example: fmt.Sprintf(requestProject_example, fullName),

@@ -71,6 +72,7 @@ func NewCmdRequestProject(name, fullName, oscLoginName, oscProjectName string, f

 	cmd.Flags().StringVar(&options.DisplayName, "display-name", "", "project display name")

 	cmd.Flags().StringVar(&options.Description, "description", "", "project description")

+	cmd.Flags().StringVar(&options.NodeSelector, "node-selector", "", "Restrict pods onto nodes matching given label selector. Format: '<key1>=<value1>, <key2>=<value2>...'")

 	return cmd

 }

@@ -105,6 +107,7 @@ func (o *NewProjectOptions) Run() error {

 	projectRequest.DisplayName = o.DisplayName

 	projectRequest.Annotations = make(map[string]string)

 	projectRequest.Annotations["description"] = o.Description

+	projectRequest.Annotations["openshift.io/node-selector"] = o.NodeSelector

 	project, err := o.Client.ProjectRequests().Create(projectRequest)

 	if err != nil {

@@ -454,11 +454,18 @@ func (d *ProjectDescriber) Describe(namespace, name string) (string, error) {

 	if err != nil {

 		return "", err

 	}

+	nodeSelector := ""

+	if len(project.ObjectMeta.Annotations) > 0 {

+		if ns, ok := project.ObjectMeta.Annotations["openshift.io/node-selector"]; ok {

+			nodeSelector = ns

+		}

+	}

 	return tabbedString(func(out *tabwriter.Writer) error {

 		formatMeta(out, project.ObjectMeta)

 		formatString(out, "Display Name", project.Annotations["displayName"])

 		formatString(out, "Status", project.Status.Phase)

+		formatString(out, "Node Selector", nodeSelector)

 		return nil

 	})

 }

@@ -105,6 +105,8 @@ func GetMasterFileReferences(config *MasterConfig) []*string {

 	refs = append(refs, &config.PolicyConfig.BootstrapPolicyFile)

+	refs = append(refs, &config.ProjectNodeSelector)

+

 	return refs

 }

@@ -85,6 +85,8 @@ type MasterConfig struct {

 	// PolicyConfig holds information about where to locate critical pieces of bootstrapping policy

 	PolicyConfig PolicyConfig

+	// ProjectNodeSelector holds default project node label selector

+	ProjectNodeSelector string `json:"projectNodeSelector,omitempty"`

 	// ProjectRequestConfig holds information about how to handle new project requests

 	ProjectRequestConfig ProjectRequestConfig

 }

@@ -81,6 +81,8 @@ type MasterConfig struct {

 	PolicyConfig PolicyConfig `json:"policyConfig"`

+	// ProjectNodeSelector holds default project node label selector

+	ProjectNodeSelector string `json:"projectNodeSelector,omitempty"`

 	// ProjectRequestConfig holds information about how to handle new project requests

 	ProjectRequestConfig ProjectRequestConfig `json:"projectRequestConfig"`

 }

@@ -9,6 +9,7 @@ import (

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util/fielderrors"

 	"github.com/openshift/origin/pkg/cmd/server/api"

+	"github.com/openshift/origin/pkg/util/labelselector"

 )

 func ValidateMasterConfig(config *api.MasterConfig) fielderrors.ValidationErrorList {

@@ -88,6 +89,8 @@ func ValidateMasterConfig(config *api.MasterConfig) fielderrors.ValidationErrorL

 		allErrs = append(allErrs, ValidateOAuthConfig(config.OAuthConfig).Prefix("oauthConfig")...)

 	}

+	allErrs = append(allErrs, ValidateProjectNodeSelector(config.ProjectNodeSelector)...)

+

 	allErrs = append(allErrs, ValidateServingInfo(config.ServingInfo).Prefix("servingInfo")...)

 	allErrs = append(allErrs, ValidateProjectRequestConfig(config.ProjectRequestConfig).Prefix("projectRequestConfig")...)

@@ -115,6 +118,19 @@ func ValidateEtcdStorageConfig(config api.EtcdStorageConfig) fielderrors.Validat

 	return allErrs

 }

+func ValidateProjectNodeSelector(nodeSelector string) fielderrors.ValidationErrorList {

+	allErrs := fielderrors.ValidationErrorList{}

+

+	if len(nodeSelector) > 0 {

+		_, err := labelselector.Parse(nodeSelector)

+		if err != nil {

+			allErrs = append(allErrs, fielderrors.NewFieldInvalid("projectNodeSelector", nodeSelector, "must be a valid label selector"))

+		}

+	}

+

+	return allErrs

+}

+

 func ValidateAssetConfig(config *api.AssetConfig) fielderrors.ValidationErrorList {

 	allErrs := fielderrors.ValidationErrorList{}

@@ -58,7 +58,8 @@ func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextM

 	portalNet := net.IPNet(flagtypes.DefaultIPNet(options.KubernetesMasterConfig.ServicesSubnet))

 	// in-order list of plug-ins that should intercept admission decisions

-	admissionControlPluginNames := []string{"NamespaceExists", "NamespaceLifecycle", "LimitRanger", "ResourceQuota"}

+	// TODO: Push node environment support to upstream in future

+	admissionControlPluginNames := []string{"NamespaceExists", "NamespaceLifecycle", "OriginPodNodeEnvironment", "LimitRanger", "ResourceQuota"}

 	admissionController := admission.NewFromPlugins(kubeClient, admissionControlPluginNames, "")

 	_, portString, err := net.SplitHostPort(options.ServingInfo.BindAddress)

@@ -74,6 +74,7 @@ import (

 	clientetcd "github.com/openshift/origin/pkg/oauth/registry/oauthclient/etcd"

 	clientauthetcd "github.com/openshift/origin/pkg/oauth/registry/oauthclientauthorization/etcd"

 	projectapi "github.com/openshift/origin/pkg/project/api"

+	projectcache "github.com/openshift/origin/pkg/project/cache"

 	projectcontroller "github.com/openshift/origin/pkg/project/controller"

 	projectproxy "github.com/openshift/origin/pkg/project/registry/project/proxy"

 	projectrequeststorage "github.com/openshift/origin/pkg/project/registry/projectrequest/delegated"

@@ -768,6 +769,12 @@ func (c *MasterConfig) RunDNSServer() {

 	glog.Infof("OpenShift DNS listening at %s", c.Options.DNSConfig.BindAddress)

 }

+// RunProjectCache populates project cache, used by scheduler and project admission controller.

+func (c *MasterConfig) RunProjectCache() {

+	glog.Infof("Using default project node label selector: %s", c.Options.ProjectNodeSelector)

+	projectcache.RunProjectCache(c.PrivilegedLoopbackKubernetesClient, c.Options.ProjectNodeSelector)

+}

+

 // RunBuildController starts the build sync loop for builds and buildConfig processing.

 func (c *MasterConfig) RunBuildController() {

 	// initialize build controller

@@ -47,6 +47,7 @@ type MasterArgs struct {

 	KubeConnectionArgs *KubeConnectionArgs

 	SchedulerConfigFile string

+	ProjectNodeSelector string

 }

 // BindMasterArgs binds the options to the flags with prefix + default flag names

@@ -60,6 +61,7 @@ func BindMasterArgs(args *MasterArgs, flags *pflag.FlagSet, prefix string) {

 	flags.Var(&args.NodeList, prefix+"nodes", "The hostnames of each node. This currently must be specified up front. Comma delimited list")

 	flags.Var(&args.CORSAllowedOrigins, prefix+"cors-allowed-origins", "List of allowed origins for CORS, comma separated.  An allowed origin can be a regular expression to support subdomain matching.  CORS is enabled for localhost, 127.0.0.1, and the asset server by default.")

+	flags.StringVar(&args.ProjectNodeSelector, prefix+"project-node-selector", "", "Default node label selector for the project if not explicitly specified. Format: '<key1>=<value1>, <key2>=<value2...'")

 }

 // NewDefaultMasterArgs creates MasterArgs with sub-objects created and default values set.

@@ -197,6 +199,10 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 		},

 	}

+	if len(args.ProjectNodeSelector) > 0 {

+		config.ProjectNodeSelector = args.ProjectNodeSelector

+	}

+

 	if args.ListenArg.UseTLS() {

 		config.ServingInfo.ServerCert = admin.DefaultMasterServingCertInfo(args.ConfigDir.Value())

 		config.ServingInfo.ClientCA = admin.DefaultAPIClientCAFile(args.ConfigDir.Value())

@@ -8,5 +8,6 @@ import (

 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/namespace/exists"

 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/namespace/lifecycle"

 	_ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/resourcequota"

-	_ "github.com/openshift/origin/pkg/project/admission"

+	_ "github.com/openshift/origin/pkg/project/admission/lifecycle"

+	_ "github.com/openshift/origin/pkg/project/admission/nodeenv"

 )

@@ -311,8 +311,9 @@ func StartMaster(openshiftMasterConfig *configapi.MasterConfig) error {

 	if err != nil {

 		return err

 	}

-	//	 must start policy caching immediately

+	// Must start policy caching immediately

 	openshiftConfig.RunPolicyCache()

+	openshiftConfig.RunProjectCache()

 	unprotectedInstallers := []origin.APIInstaller{}

deleted file mode 100644

@@ -1,131 +0,0 @@

-/*

-Copyright 2014 Google Inc. All rights reserved.

-

-Licensed under the Apache License, Version 2.0 (the "License");

-you may not use this file except in compliance with the License.

-You may obtain a copy of the License at

-

-    http://www.apache.org/licenses/LICENSE-2.0

-

-Unless required by applicable law or agreed to in writing, software

-distributed under the License is distributed on an "AS IS" BASIS,

-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

-See the License for the specific language governing permissions and

-limitations under the License.

-*/

-

-package admission

-

-import (

-	"fmt"

-	"io"

-

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/admission"

-	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

-	apierrors "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/meta"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/fields"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"

-	"github.com/openshift/origin/pkg/api/latest"

-)

-

-// TODO: modify the upstream plug-in so this can be collapsed

-// need ability to specify a RESTMapper on upstream version

-func init() {

-	admission.RegisterPlugin("OriginNamespaceLifecycle", func(client client.Interface, config io.Reader) (admission.Interface, error) {

-		return NewLifecycle(client), nil

-	})

-}

-

-type lifecycle struct {

-	client client.Interface

-	store  cache.Store

-}

-

-// Admit enforces that a namespace must exist in order to associate content with it.

-// Admit enforces that a namespace that is terminating cannot accept new content being associated with it.

-func (e *lifecycle) Admit(a admission.Attributes) (err error) {

-	defaultVersion, kind, err := latest.RESTMapper.VersionAndKindForResource(a.GetResource())

-	if err != nil {

-		return err

-	}

-	mapping, err := latest.RESTMapper.RESTMapping(kind, defaultVersion)

-	if err != nil {

-		return err

-	}

-	if mapping.Scope.Name() != meta.RESTScopeNameNamespace {

-		return nil

-	}

-

-	// we want to allow someone to delete something in case it was phantom created somehow

-	if a.GetOperation() == "DELETE" {

-		return nil

-	}

-

-	// check for namespace in the cache

-	namespaceObj, exists, err := e.store.Get(&kapi.Namespace{

-		ObjectMeta: kapi.ObjectMeta{

-			Name:      a.GetNamespace(),

-			Namespace: "",

-		},

-		Status: kapi.NamespaceStatus{},

-	})

-

-	if err != nil {

-		return err

-	}

-

-	name := "Unknown"

-	obj := a.GetObject()

-	if obj != nil {

-		name, _ = meta.NewAccessor().Name(obj)

-	}

-

-	var namespace *kapi.Namespace

-	if exists {

-		namespace = namespaceObj.(*kapi.Namespace)

-	} else {

-		// Our watch maybe latent, so we make a best effort to get the object, and only fail if not found

-		namespace, err = e.client.Namespaces().Get(a.GetNamespace())

-		// the namespace does not exist, so prevent create and update in that namespace

-		if err != nil {

-			return apierrors.NewForbidden(kind, name, fmt.Errorf("Namespace %s does not exist", a.GetNamespace()))

-		}

-	}

-

-	if a.GetOperation() != "CREATE" {

-		return nil

-	}

-

-	if namespace.Status.Phase != kapi.NamespaceTerminating {

-		return nil

-	}

-

-	return apierrors.NewForbidden(kind, name, fmt.Errorf("Namespace %s is terminating", a.GetNamespace()))

-}

-

-func NewLifecycle(c client.Interface) admission.Interface {

-	store := cache.NewStore(cache.MetaNamespaceKeyFunc)

-	reflector := cache.NewReflector(

-		&cache.ListWatch{

-			ListFunc: func() (runtime.Object, error) {

-				return c.Namespaces().List(labels.Everything(), fields.Everything())

-			},

-			WatchFunc: func(resourceVersion string) (watch.Interface, error) {

-				return c.Namespaces().Watch(labels.Everything(), fields.Everything(), resourceVersion)

-			},

-		},

-		&kapi.Namespace{},

-		store,

-		0,

-	)

-	reflector.Run()

-	return &lifecycle{

-		client: c,

-		store:  store,

-	}

-}

deleted file mode 100644

@@ -1,116 +0,0 @@

-package admission

-

-import (

-	"fmt"

-	"testing"

-

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/admission"

-	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/testclient"

-

-	buildapi "github.com/openshift/origin/pkg/build/api"

-)

-

-// TestAdmissionExists verifies you cannot create Origin content if namespace is not known

-func TestAdmissionExists(t *testing.T) {

-	store := cache.NewStore(cache.MetaNamespaceKeyFunc)

-	mockClient := &testclient.Fake{

-		Err: fmt.Errorf("DOES NOT EXIST"),

-	}

-	handler := &lifecycle{

-		client: mockClient,

-		store:  store,

-	}

-	build := &buildapi.Build{

-		ObjectMeta: kapi.ObjectMeta{Name: "buildid"},

-		Parameters: buildapi.BuildParameters{

-			Source: buildapi.BuildSource{

-				Type: buildapi.BuildSourceGit,

-				Git: &buildapi.GitBuildSource{

-					URI: "http://github.com/my/repository",

-				},

-				ContextDir: "context",

-			},

-			Strategy: buildapi.BuildStrategy{

-				Type:           buildapi.DockerBuildStrategyType,

-				DockerStrategy: &buildapi.DockerBuildStrategy{},

-			},

-			Output: buildapi.BuildOutput{

-				DockerImageReference: "repository/data",

-			},

-		},

-		Status: buildapi.BuildStatusNew,

-	}

-	err := handler.Admit(admission.NewAttributesRecord(build, "Build", "bogus-ns", "builds", "CREATE"))

-	if err == nil {

-		t.Errorf("Expected an error because namespace does not exist")

-	}

-}

-

-// TestAdmissionLifecycle verifies you cannot create Origin content if namespace is terminating

-func TestAdmissionLifecycle(t *testing.T) {

-	namespaceObj := &kapi.Namespace{

-		ObjectMeta: kapi.ObjectMeta{

-			Name:      "test",

-			Namespace: "",

-		},

-		Status: kapi.NamespaceStatus{

-			Phase: kapi.NamespaceActive,

-		},

-	}

-	store := cache.NewStore(cache.MetaNamespaceIndexFunc)

-	store.Add(namespaceObj)

-	mockClient := &testclient.Fake{}

-	handler := &lifecycle{

-		client: mockClient,

-		store:  store,

-	}

-	build := &buildapi.Build{

-		ObjectMeta: kapi.ObjectMeta{Name: "buildid"},

-		Parameters: buildapi.BuildParameters{

-			Source: buildapi.BuildSource{

-				Type: buildapi.BuildSourceGit,

-				Git: &buildapi.GitBuildSource{

-					URI: "http://github.com/my/repository",

-				},

-				ContextDir: "context",

-			},

-			Strategy: buildapi.BuildStrategy{

-				Type:           buildapi.DockerBuildStrategyType,

-				DockerStrategy: &buildapi.DockerBuildStrategy{},

-			},

-			Output: buildapi.BuildOutput{

-				DockerImageReference: "repository/data",

-			},

-		},

-		Status: buildapi.BuildStatusNew,

-	}

-	err := handler.Admit(admission.NewAttributesRecord(build, "Build", namespaceObj.Namespace, "builds", "CREATE"))

-	if err != nil {

-		t.Errorf("Unexpected error returned from admission handler: %v", err)

-	}

-

-	// change namespace state to terminating

-	namespaceObj.Status.Phase = kapi.NamespaceTerminating

-	store.Add(namespaceObj)

-

-	// verify create operations in the namespace cause an error

-	err = handler.Admit(admission.NewAttributesRecord(build, "Build", namespaceObj.Namespace, "builds", "CREATE"))

-	if err == nil {

-		t.Errorf("Expected error rejecting creates in a namespace when it is terminating")

-	}

-

-	// verify update operations in the namespace can proceed

-	err = handler.Admit(admission.NewAttributesRecord(build, "Build", namespaceObj.Namespace, "builds", "UPDATE"))

-	if err != nil {

-		t.Errorf("Unexpected error returned from admission handler: %v", err)

-	}

-

-	// verify delete operations in the namespace can proceed

-	err = handler.Admit(admission.NewAttributesRecord(nil, "Build", namespaceObj.Namespace, "builds", "DELETE"))

-	if err != nil {

-		t.Errorf("Unexpected error returned from admission handler: %v", err)

-	}

-

-}

new file mode 100644

@@ -0,0 +1,92 @@

+/*

+Copyright 2014 Google Inc. All rights reserved.

+

+Licensed under the Apache License, Version 2.0 (the "License");

+you may not use this file except in compliance with the License.

+You may obtain a copy of the License at

+

+    http://www.apache.org/licenses/LICENSE-2.0

+

+Unless required by applicable law or agreed to in writing, software

+distributed under the License is distributed on an "AS IS" BASIS,

+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+See the License for the specific language governing permissions and

+limitations under the License.

+*/

+

+package admission

+

+import (

+	"fmt"

+	"io"

+

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/admission"

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	apierrors "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/meta"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"

+

+	"github.com/openshift/origin/pkg/api/latest"

+	"github.com/openshift/origin/pkg/project/cache"

+)

+

+// TODO: modify the upstream plug-in so this can be collapsed

+// need ability to specify a RESTMapper on upstream version

+func init() {

+	admission.RegisterPlugin("OriginNamespaceLifecycle", func(client client.Interface, config io.Reader) (admission.Interface, error) {

+		return NewLifecycle()

+	})

+}

+

+type lifecycle struct {

+}

+

+// Admit enforces that a namespace must exist in order to associate content with it.

+// Admit enforces that a namespace that is terminating cannot accept new content being associated with it.

+func (e *lifecycle) Admit(a admission.Attributes) (err error) {

+	defaultVersion, kind, err := latest.RESTMapper.VersionAndKindForResource(a.GetResource())

+	if err != nil {

+		return err

+	}

+	mapping, err := latest.RESTMapper.RESTMapping(kind, defaultVersion)

+	if err != nil {

+		return err

+	}

+	if mapping.Scope.Name() != meta.RESTScopeNameNamespace {

+		return nil

+	}

+

+	// we want to allow someone to delete something in case it was phantom created somehow

+	if a.GetOperation() == "DELETE" {

+		return nil

+	}

+

+	name := "Unknown"

+	obj := a.GetObject()

+	if obj != nil {

+		name, _ = meta.NewAccessor().Name(obj)

+	}

+

+	projects, err := cache.GetProjectCache()

+	if err != nil {

+		return err

+	}

+	namespace, err := projects.GetNamespaceObject(a.GetNamespace())

+	if err != nil {

+		return apierrors.NewForbidden(kind, name, err)

+	}

+

+	if a.GetOperation() != "CREATE" {

+		return nil

+	}

+

+	if namespace.Status.Phase != kapi.NamespaceTerminating {

+		return nil

+	}

+

+	return apierrors.NewForbidden(kind, name, fmt.Errorf("Namespace %s is terminating", a.GetNamespace()))

+}

+

+func NewLifecycle() (admission.Interface, error) {

+	return &lifecycle{}, nil

+}

new file mode 100644

@@ -0,0 +1,112 @@

+package admission

+

+import (

+	"fmt"

+	"testing"

+

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/admission"

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/testclient"

+

+	buildapi "github.com/openshift/origin/pkg/build/api"

+	projectcache "github.com/openshift/origin/pkg/project/cache"

+)

+

+// TestAdmissionExists verifies you cannot create Origin content if namespace is not known

+func TestAdmissionExists(t *testing.T) {

+	mockClient := &testclient.Fake{

+		Err: fmt.Errorf("DOES NOT EXIST"),

+	}

+	projectcache.FakeProjectCache(mockClient, cache.NewStore(cache.MetaNamespaceKeyFunc), "")

+	handler := &lifecycle{}

+	build := &buildapi.Build{

+		ObjectMeta: kapi.ObjectMeta{Name: "buildid"},

+		Parameters: buildapi.BuildParameters{

+			Source: buildapi.BuildSource{

+				Type: buildapi.BuildSourceGit,

+				Git: &buildapi.GitBuildSource{

+					URI: "http://github.com/my/repository",

+				},

+				ContextDir: "context",

+			},

+			Strategy: buildapi.BuildStrategy{

+				Type:           buildapi.DockerBuildStrategyType,

+				DockerStrategy: &buildapi.DockerBuildStrategy{},

+			},

+			Output: buildapi.BuildOutput{

+				DockerImageReference: "repository/data",

+			},

+		},

+		Status: buildapi.BuildStatusNew,

+	}

+	err := handler.Admit(admission.NewAttributesRecord(build, "Build", "bogus-ns", "builds", "CREATE"))

+	if err == nil {

+		t.Errorf("Expected an error because namespace does not exist")

+	}

+}

+

+// TestAdmissionLifecycle verifies you cannot create Origin content if namespace is terminating

+func TestAdmissionLifecycle(t *testing.T) {

+	namespaceObj := &kapi.Namespace{

+		ObjectMeta: kapi.ObjectMeta{

+			Name:      "test",

+			Namespace: "",

+		},

+		Status: kapi.NamespaceStatus{

+			Phase: kapi.NamespaceActive,

+		},

+	}

+	store := cache.NewStore(cache.MetaNamespaceIndexFunc)

+	store.Add(namespaceObj)

+	mockClient := &testclient.Fake{}

+	projectcache.FakeProjectCache(mockClient, store, "")

+	handler := &lifecycle{}

+	build := &buildapi.Build{

+		ObjectMeta: kapi.ObjectMeta{Name: "buildid"},

+		Parameters: buildapi.BuildParameters{

+			Source: buildapi.BuildSource{

+				Type: buildapi.BuildSourceGit,

+				Git: &buildapi.GitBuildSource{

+					URI: "http://github.com/my/repository",

+				},

+				ContextDir: "context",

+			},

+			Strategy: buildapi.BuildStrategy{

+				Type:           buildapi.DockerBuildStrategyType,

+				DockerStrategy: &buildapi.DockerBuildStrategy{},

+			},

+			Output: buildapi.BuildOutput{

+				DockerImageReference: "repository/data",

+			},

+		},

+		Status: buildapi.BuildStatusNew,

+	}

+	err := handler.Admit(admission.NewAttributesRecord(build, "Build", namespaceObj.Namespace, "builds", "CREATE"))

+	if err != nil {

+		t.Errorf("Unexpected error returned from admission handler: %v", err)

+	}

+

+	// change namespace state to terminating

+	namespaceObj.Status.Phase = kapi.NamespaceTerminating

+	store.Add(namespaceObj)

+

+	// verify create operations in the namespace cause an error

+	err = handler.Admit(admission.NewAttributesRecord(build, "Build", namespaceObj.Namespace, "builds", "CREATE"))

+	if err == nil {

+		t.Errorf("Expected error rejecting creates in a namespace when it is terminating")

+	}

+

+	// verify update operations in the namespace can proceed

+	err = handler.Admit(admission.NewAttributesRecord(build, "Build", namespaceObj.Namespace, "builds", "UPDATE"))

+	if err != nil {

+		t.Errorf("Unexpected error returned from admission handler: %v", err)

+	}

+

+	// verify delete operations in the namespace can proceed

+	err = handler.Admit(admission.NewAttributesRecord(nil, "Build", namespaceObj.Namespace, "builds", "DELETE"))

+	if err != nil {

+		t.Errorf("Unexpected error returned from admission handler: %v", err)

+	}

+

+}

new file mode 100644

@@ -0,0 +1,74 @@

+package admission

+

+import (

+	"fmt"

+	"io"

+

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/admission"

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	apierrors "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/meta"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"

+

+	projectcache "github.com/openshift/origin/pkg/project/cache"

+	"github.com/openshift/origin/pkg/util/labelselector"

+)

+

+func init() {

+	admission.RegisterPlugin("OriginPodNodeEnvironment", func(client client.Interface, config io.Reader) (admission.Interface, error) {

+		return NewPodNodeEnvironment(client)

+	})

+}

+

+// podNodeEnvironment is an implementation of admission.Interface.

+type podNodeEnvironment struct {

+	client client.Interface

+}

+

+// Admit enforces that pod and its project node label selectors matches at least a node in the cluster.

+func (p *podNodeEnvironment) Admit(a admission.Attributes) (err error) {

+	// ignore deletes

+	if a.GetOperation() == "DELETE" {

+		return nil

+	}

+

+	resource := a.GetResource()

+	if resource != "pods" {

+		return nil

+	}

+

+	obj := a.GetObject()

+	name := "Unknown"

+	if obj != nil {

+		name, _ = meta.NewAccessor().Name(obj)

+	}

+	pod := obj.(*kapi.Pod)

+

+	projects, err := projectcache.GetProjectCache()

+	if err != nil {

+		return err

+	}

+	namespace, err := projects.GetNamespaceObject(a.GetNamespace())

+	if err != nil {

+		return apierrors.NewForbidden(resource, name, err)

+	}

+	projectNodeSelector, err := projects.GetNodeSelectorMap(namespace)

+	if err != nil {

+		return err

+	}

+

+	if labelselector.Conflicts(projectNodeSelector, pod.Spec.NodeSelector) {

+		return apierrors.NewForbidden(resource, name, fmt.Errorf("Pod node label selector conflicts with its project node label selector"))

+	}

+

+	// modify pod node selector = project node selector + current pod node selector

+	pod.Spec.NodeSelector = labelselector.Merge(projectNodeSelector, pod.Spec.NodeSelector)

+

+	return nil

+}

+

+func NewPodNodeEnvironment(client client.Interface) (admission.Interface, error) {

+	return &podNodeEnvironment{

+		client: client,

+	}, nil

+}

new file mode 100644

@@ -0,0 +1,113 @@

+package admission

+

+import (

+	"testing"

+

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/admission"

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/testclient"

+

+	projectcache "github.com/openshift/origin/pkg/project/cache"

+	"github.com/openshift/origin/pkg/util/labelselector"

+)

+

+// TestPodAdmission verifies various scenarios involving pod/project/global node label selectors

+func TestPodAdmission(t *testing.T) {

+	mockClient := &testclient.Fake{}

+	project := &kapi.Namespace{

+		ObjectMeta: kapi.ObjectMeta{

+			Name:      "testProject",

+			Namespace: "",

+		},

+	}

+	projectStore := cache.NewStore(cache.MetaNamespaceIndexFunc)

+	projectStore.Add(project)

+

+	handler := &podNodeEnvironment{client: mockClient}

+	pod := &kapi.Pod{

+		ObjectMeta: kapi.ObjectMeta{Name: "testPod"},

+	}

+

+	tests := []struct {

+		defaultNodeSelector string

+		projectNodeSelector string

+		podNodeSelector     map[string]string

+		mergedNodeSelector  map[string]string

+		admit               bool

+		testName            string

+	}{

+		{

+			defaultNodeSelector: "",

+			projectNodeSelector: "",

+			podNodeSelector:     map[string]string{},

+			mergedNodeSelector:  map[string]string{},

+			admit:               true,

+			testName:            "No node selectors",

+		},

+		{

+			defaultNodeSelector: "infra = false",

+			projectNodeSelector: "",

+			podNodeSelector:     map[string]string{},

+			mergedNodeSelector:  map[string]string{"infra": "false"},

+			admit:               true,

+			testName:            "Default node selector and no conflicts",

+		},

+		{

+			defaultNodeSelector: "",

+			projectNodeSelector: "infra = false",

+			podNodeSelector:     map[string]string{},

+			mergedNodeSelector:  map[string]string{"infra": "false"},

+			admit:               true,

+			testName:            "Project node selector and no conflicts",

+		},

+		{

+			defaultNodeSelector: "infra = false",

+			projectNodeSelector: "infra=true",

+			podNodeSelector:     map[string]string{},

+			mergedNodeSelector:  map[string]string{"infra": "true"},

+			admit:               true,

+			testName:            "Default and project node selector, no conflicts",

+		},

+		{

+			defaultNodeSelector: "infra = false",

+			projectNodeSelector: "infra=true",

+			podNodeSelector:     map[string]string{"env": "test"},

+			mergedNodeSelector:  map[string]string{"infra": "true", "env": "test"},

+			admit:               true,

+			testName:            "Project and pod node selector, no conflicts",

+		},

+		{