@@ -26,7 +26,7 @@ This command launches an instance of the Kubernetes apiserver (kube\-apiserver).

 .PP

 \fB\-\-admission\-control\fP="AlwaysAdmit"

-    Ordered list of plug\-ins to do admission control of resources into cluster. Comma\-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, BuildByStrategy, BuildDefaults, BuildOverrides, ClusterResourceOverride, DenyEscalatingExec, DenyExecOnPrivileged, ExternalIPRanger, InitialResources, LimitPodHardAntiAffinityTopology, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, OriginNamespaceLifecycle, OriginPodNodeEnvironment, PersistentVolumeLabel, PodNodeConstraints, PodSecurityPolicy, ProjectRequestLimit, ResourceQuota, RunOnceDuration, SCCExecRestrictions, SecurityContextConstraint, SecurityContextDeny, ServiceAccount, openshift.io/ClusterResourceQuota, openshift.io/ImageLimitRange, openshift.io/ImagePolicy, openshift.io/JenkinsBootstrapper, openshift.io/OriginResourceQuota, openshift.io/RestrictedEndpointsAdmission

+    Ordered list of plug\-ins to do admission control of resources into cluster. Comma\-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, BuildByStrategy, BuildDefaults, BuildOverrides, ClusterResourceOverride, DenyEscalatingExec, DenyExecOnPrivileged, ExternalIPRanger, InitialResources, LimitPodHardAntiAffinityTopology, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, OriginNamespaceLifecycle, OriginPodNodeEnvironment, PersistentVolumeLabel, PodNodeConstraints, PodSecurityPolicy, ProjectRequestLimit, ResourceQuota, RunOnceDuration, SCCExecRestrictions, SecurityContextConstraint, SecurityContextDeny, ServiceAccount, openshift.io/ClusterResourceQuota, openshift.io/ImageLimitRange, openshift.io/ImagePolicy, openshift.io/JenkinsBootstrapper, openshift.io/OriginResourceQuota, openshift.io/OwnerReference, openshift.io/RestrictedEndpointsAdmission

 .PP

 \fB\-\-admission\-control\-config\-file\fP=""

@@ -122,6 +122,7 @@ func TestExampleObjectSchemas(t *testing.T) {

 			"test-image-stream-mapping":           nil, // skip &imageapi.ImageStreamMapping{},

 			"test-route":                          &routeapi.Route{},

 			"test-service":                        &kapi.Service{},

+			"test-service-with-finalizer":         &kapi.Service{},

 			"test-buildcli":                       &kapi.List{},

 			"test-buildcli-beta2":                 &kapi.List{},

 		},

new file mode 100644

@@ -0,0 +1,51 @@

+package ownerref

+

+import (

+	"fmt"

+	"io"

+

+	"k8s.io/kubernetes/pkg/admission"

+	"k8s.io/kubernetes/pkg/api/meta"

+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"

+)

+

+func init() {

+	admission.RegisterPlugin("openshift.io/OwnerReference",

+		func(client clientset.Interface, config io.Reader) (admission.Interface, error) {

+			return NewOwnerReferenceBlocker()

+		})

+}

+

+// ownerReferenceAdmission implements an admission controller that stops anyone from setting owner references

+// TODO enforce this check based on the level of access allowed.  If you can delete the object, you can add an

+// owner reference.  We need to make sure the upstream controller works before allowing this.

+type ownerReferenceAdmission struct {

+	*admission.Handler

+}

+

+func NewOwnerReferenceBlocker() (admission.Interface, error) {

+	return &ownerReferenceAdmission{

+		Handler: admission.NewHandler(admission.Create, admission.Update),

+	}, nil

+}

+

+// Admit makes admission decisions while enforcing ownerReference

+func (q *ownerReferenceAdmission) Admit(a admission.Attributes) (err error) {

+	metadata, err := meta.Accessor(a.GetObject())

+	if err != nil {

+		// if we don't have object meta, we don't have fields we're trying to control

+		return nil

+	}

+

+	// TODO if we have an old object, only consider new owner references and finalizers

+	// this is critical when doing an actual authz check.

+

+	if ownerRefs := metadata.GetOwnerReferences(); len(ownerRefs) > 0 {

+		return admission.NewForbidden(a, fmt.Errorf("ownerReferences are disabled: %v", ownerRefs))

+	}

+	if finalizers := metadata.GetFinalizers(); len(finalizers) > 0 {

+		return admission.NewForbidden(a, fmt.Errorf("finalizers are disabled: %v", finalizers))

+	}

+

+	return nil

+}

new file mode 100644

@@ -0,0 +1,53 @@

+package ownerref

+

+import (

+	"testing"

+

+	"k8s.io/kubernetes/pkg/admission"

+	kapi "k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/api/unversioned"

+)

+

+func TestAdmission(t *testing.T) {

+	testCases := []struct {

+		name          string

+		attributes    admission.Attributes

+		expectFailure bool

+	}{

+		{

+			name: "reject ownerref",

+			attributes: admission.NewAttributesRecord(&kapi.Pod{ObjectMeta: kapi.ObjectMeta{OwnerReferences: []kapi.OwnerReference{{}}}},

+				nil, unversioned.GroupVersionKind{}, "", "", unversioned.GroupVersionResource{}, "", admission.Create, nil),

+			expectFailure: true,

+		},

+		{

+			name: "reject finalizer",

+			attributes: admission.NewAttributesRecord(&kapi.Pod{ObjectMeta: kapi.ObjectMeta{Finalizers: []string{""}}},

+				nil, unversioned.GroupVersionKind{}, "", "", unversioned.GroupVersionResource{}, "", admission.Create, nil),

+			expectFailure: true,

+		},

+		{

+			name: "allow",

+			attributes: admission.NewAttributesRecord(&kapi.Pod{},

+				nil, unversioned.GroupVersionKind{}, "", "", unversioned.GroupVersionResource{}, "", admission.Create, nil),

+		},

+	}

+

+	for _, tc := range testCases {

+		admission, err := NewOwnerReferenceBlocker()

+		if err != nil {

+			t.Errorf("%v: unexpected error: %v", tc.name, err)

+			continue

+		}

+

+		admissionErr := admission.Admit(tc.attributes)

+		if admissionErr == nil && tc.expectFailure {

+			t.Errorf("%v: missing error", tc.name)

+			continue

+		}

+		if admissionErr != nil && !tc.expectFailure {

+			t.Errorf("%v: unexpected error: %v", tc.name, admissionErr)

+			continue

+		}

+	}

+}

@@ -315,6 +315,7 @@ var (

 		"openshift.io/JenkinsBootstrapper",

 		"BuildByStrategy",

 		imageadmission.PluginName,

+		"openshift.io/OwnerReference",

 		quotaadmission.PluginName,

 	}

@@ -337,6 +338,7 @@ var (

 		"LimitPodHardAntiAffinityTopology",

 		"SCCExecRestrictions",

 		"PersistentVolumeLabel",

+		"openshift.io/OwnerReference",

 		// NOTE: quotaadmission and ClusterResourceQuota must be the last 2 plugins.

 		// DO NOT ADD ANY PLUGINS AFTER THIS LINE!

 		quotaadmission.PluginName,

@@ -370,6 +372,7 @@ var (

 		"LimitPodHardAntiAffinityTopology",

 		"SCCExecRestrictions",

 		"PersistentVolumeLabel",

+		"openshift.io/OwnerReference",

 		// NOTE: quotaadmission and ClusterResourceQuota must be the last 2 plugins.

 		// DO NOT ADD ANY PLUGINS AFTER THIS LINE!

 		quotaadmission.PluginName,

@@ -9,6 +9,7 @@ import (

 	"k8s.io/kubernetes/pkg/util/sets"

 	// Admission control plug-ins used by OpenShift

+	_ "github.com/openshift/origin/pkg/api/admission/ownerref"

 	_ "github.com/openshift/origin/pkg/build/admission/defaults"

 	_ "github.com/openshift/origin/pkg/build/admission/jenkinsbootstrapper"

 	_ "github.com/openshift/origin/pkg/build/admission/overrides"

@@ -60,6 +61,7 @@ var (

 		"LimitPodHardAntiAffinityTopology",

 		"SCCExecRestrictions",

 		"PersistentVolumeLabel",

+		"openshift.io/OwnerReference",

 		quotaadmission.PluginName,

 		"openshift.io/ClusterResourceQuota",

 	)

@@ -129,6 +129,7 @@ os::test::junit::declare_suite_start "cmd/basicresources/services"

 os::cmd::expect_success 'oc get services'

 os::cmd::expect_success 'oc create -f test/integration/testdata/test-service.json'

 os::cmd::expect_success 'oc delete services frontend'

+os::cmd::expect_failure_and_text 'oc create -f test/integration/testdata/test-service-with-finalizer.json' "finalizers are disabled"

 echo "services: ok"

 os::test::junit::declare_suite_end

new file mode 100644

@@ -0,0 +1,31 @@

+{

+  "kind": "Service",

+  "apiVersion": "v1",

+  "metadata": {

+    "name": "frontend",

+    "creationTimestamp": null,

+    "labels": {

+      "name": "frontend"

+    },

+    "finalizers": ["fake/one"]

+  },

+  "spec": {

+    "ports": [

+      {

+        "protocol": "TCP",

+        "port": 9998,

+        "targetPort": 9998,

+        "nodePort": 0

+      }

+    ],

+    "selector": {

+      "name": "frontend"

+    },

+    "portalIP": "",

+    "type": "ClusterIP",

+    "sessionAffinity": "None"

+  },

+  "status": {

+    "loadBalancer": {}

+  }

+}

\ No newline at end of file