From 973b3f4c548cfb568a6794b6236fc00ddb247f30 Mon Sep 17 00:00:00 2001
From: Spencer Sharkey
Date: Thu, 13 Aug 2020 14:27:13 +0000
Subject: [PATCH 1/2] Fix reference to loop variables in doks admission controllers
---
 .../admission_controller_webhook_replacement.go | 15 ++++++++++-----
 .../doks/admission_controller_webhook_timeout.go | 12 ++++++++----
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/checks/doks/admission_controller_webhook_replacement.go b/checks/doks/admission_controller_webhook_replacement.go
index a15f54e..8094761 100644
--- a/checks/doks/admission_controller_webhook_replacement.go
+++ b/checks/doks/admission_controller_webhook_replacement.go
@@ -53,8 +53,10 @@ func (w *webhookReplacementCheck) Run(objects *kube.Objects) ([]checks.Diagnosti
 var diagnostics []checks.Diagnostic
- for _, config := range objects.ValidatingWebhookConfigurations.Items {
- for _, wh := range config.Webhooks {
+ for i := range objects.ValidatingWebhookConfigurations.Items {
+ config := objects.ValidatingWebhookConfigurations.Items[i]
+ for k := range config.Webhooks {
+ wh := config.Webhooks[k]
 if *wh.FailurePolicy == ar.Ignore {
 // Webhooks with failurePolicy: Ignore are fine.
 continue
@@ -73,7 +75,8 @@ func (w *webhookReplacementCheck) Run(objects *kube.Objects) ([]checks.Diagnosti
 continue
 }
 var svcNamespace *v1.Namespace
- for _, ns := range objects.Namespaces.Items {
+ for i := range objects.Namespaces.Items {
+ ns := objects.Namespaces.Items[i]
 if ns.Name == wh.ClientConfig.Service.Namespace {
 svcNamespace = &ns
 }
@@ -102,8 +105,10 @@ func (w *webhookReplacementCheck) Run(objects *kube.Objects) ([]checks.Diagnosti
 }
 }
- for _, config := range objects.MutatingWebhookConfigurations.Items {
- for _, wh := range config.Webhooks {
+ for i := range objects.MutatingWebhookConfigurations.Items {
+ config := objects.MutatingWebhookConfigurations.Items[i]
+ for k := range config.Webhooks {
+ wh := config.Webhooks[k]
 if *wh.FailurePolicy == ar.Ignore {
 // Webhooks with failurePolicy: Ignore are fine.
 continue
diff --git a/checks/doks/admission_controller_webhook_timeout.go b/checks/doks/admission_controller_webhook_timeout.go
index b94be8a..3f304f4 100644
--- a/checks/doks/admission_controller_webhook_timeout.go
+++ b/checks/doks/admission_controller_webhook_timeout.go
@@ -47,8 +47,10 @@ func (w *webhookTimeoutCheck) Description() string {
 func (w *webhookTimeoutCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, error) {
 var diagnostics []checks.Diagnostic
- for _, config := range objects.ValidatingWebhookConfigurations.Items {
- for _, wh := range config.Webhooks {
+ for i := range objects.ValidatingWebhookConfigurations.Items {
+ config := objects.ValidatingWebhookConfigurations.Items[i]
+ for k := range config.Webhooks {
+ wh := config.Webhooks[k]
 if wh.TimeoutSeconds == nil {
 // TimeoutSeconds value should be set to a non-nil value (greater than or equal to 1 and less than 30).
 // If the TimeoutSeconds value is set to nil and the cluster version is 1.13.*, users are
@@ -69,8 +71,10 @@ func (w *webhookTimeoutCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, e
 }
 }
- for _, config := range objects.MutatingWebhookConfigurations.Items {
- for _, wh := range config.Webhooks {
+ for i := range objects.MutatingWebhookConfigurations.Items {
+ config := objects.MutatingWebhookConfigurations.Items[i]
+ for k := range config.Webhooks {
+ wh := config.Webhooks[k]
 if wh.TimeoutSeconds == nil {
 // TimeoutSeconds value should be set to a non-nil value (greater than or equal to 1 and less than 30).
 // If the TimeoutSeconds value is set to nil and the cluster version is 1.13.*, users are
From 99bb81f3675955963f3b17ec89b3ef6b6abecbb6 Mon Sep 17 00:00:00 2001
From: Spencer
Date: Thu, 13 Aug 2020 19:52:35 +0000
Subject: [PATCH 2/2] change approach
---
 ...dmission_controller_webhook_replacement.go | 21 ++++++++++---------
 .../admission_controller_webhook_timeout.go | 16 +++++++-------
 2 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/checks/doks/admission_controller_webhook_replacement.go b/checks/doks/admission_controller_webhook_replacement.go
index 8094761..fc93928 100644
--- a/checks/doks/admission_controller_webhook_replacement.go
+++ b/checks/doks/admission_controller_webhook_replacement.go
@@ -53,10 +53,10 @@ func (w *webhookReplacementCheck) Run(objects *kube.Objects) ([]checks.Diagnosti
 var diagnostics []checks.Diagnostic
- for i := range objects.ValidatingWebhookConfigurations.Items {
- config := objects.ValidatingWebhookConfigurations.Items[i]
- for k := range config.Webhooks {
- wh := config.Webhooks[k]
+ for _, config := range objects.ValidatingWebhookConfigurations.Items {
+ config := config
+ for _, wh := range config.Webhooks {
+ wh := wh
 if *wh.FailurePolicy == ar.Ignore {
 // Webhooks with failurePolicy: Ignore are fine.
 continue
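Review bot: `if *wh.FailurePolicy == ar.Ignore` dereferences a pointer field with no nil guard, in the validating-webhook hunk at line 53 of admission_controller_webhook_replacement.go and again in the mutating-webhook hunk at line 105 of the same file; the `wh := wh` copy added here does not change that. The API server normally defaults failurePolicy, but a configuration that never went through defaulting (a test fixture, an object decoded from a manifest) would make the check panic and abort the whole lint run instead of reporting a diagnostic. Guarding with `if wh.FailurePolicy != nil && *wh.FailurePolicy == ar.Ignore {` keeps the loop running; how a nil policy should be classified depends on the API version behind the `ar` alias, which is not visible in the hunk. The body of Run continues outside the hunk.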
@@ -75,8 +75,8 @@ func (w *webhookReplacementCheck) Run(objects *kube.Objects) ([]checks.Diagnosti
 continue
 }
 var svcNamespace *v1.Namespace
- for i := range objects.Namespaces.Items {
- ns := objects.Namespaces.Items[i]
+ for _, ns := range objects.Namespaces.Items {
+ ns := ns
 if ns.Name == wh.ClientConfig.Service.Namespace {
 svcNamespace = &ns
 }
@@ -105,10 +105,10 @@ func (w *webhookReplacementCheck) Run(objects *kube.Objects) ([]checks.Diagnosti
 }
 }
- for i := range objects.MutatingWebhookConfigurations.Items {
- config := objects.MutatingWebhookConfigurations.Items[i]
- for k := range config.Webhooks {
- wh := config.Webhooks[k]
+ for _, config := range objects.MutatingWebhookConfigurations.Items {
+ config := config
+ for _, wh := range config.Webhooks {
+ wh := wh
 if *wh.FailurePolicy == ar.Ignore {
 // Webhooks with failurePolicy: Ignore are fine.
 continue
@@ -128,6 +128,7 @@ func (w *webhookReplacementCheck) Run(objects *kube.Objects) ([]checks.Diagnosti
 }
 var svcNamespace *v1.Namespace
 for _, ns := range objects.Namespaces.Items {
+ ns := ns
 if ns.Name == wh.ClientConfig.Service.Namespace {
 svcNamespace = &ns
 }
diff --git a/checks/doks/admission_controller_webhook_timeout.go b/checks/doks/admission_controller_webhook_timeout.go
index 3f304f4..18656a0 100644
--- a/checks/doks/admission_controller_webhook_timeout.go
+++ b/checks/doks/admission_controller_webhook_timeout.go
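Review bot: The namespace lookup in the hunk at line 75 copies a full `v1.Namespace` on every iteration only so that `&ns` is safe to keep, and it keeps scanning after a match because no `break` follows the assignment; the hunk at line 128 has the same shape. Indexing the slice and taking the element's address removes both the copy and the loop-variable aliasing this series is fixing, and a `break` stops at the first match. Without `break` the current code keeps the last matching namespace and with it the first, which should be equivalent as long as namespace names are unique in the input. The loop's closing brace and every use of `svcNamespace` are outside the hunk, so confirm nothing later writes through the pointer.
```go
var svcNamespace *v1.Namespace
for i := range objects.Namespaces.Items {
	if objects.Namespaces.Items[i].Name == wh.ClientConfig.Service.Namespace {
		// Address of the slice element itself: stable across iterations, no copy.
		svcNamespace = &objects.Namespaces.Items[i]
		break
	}
```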
@@ -47,10 +47,10 @@ func (w *webhookTimeoutCheck) Description() string {
 func (w *webhookTimeoutCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, error) {
 var diagnostics []checks.Diagnostic
- for i := range objects.ValidatingWebhookConfigurations.Items {
- config := objects.ValidatingWebhookConfigurations.Items[i]
- for k := range config.Webhooks {
- wh := config.Webhooks[k]
+ for _, config := range objects.ValidatingWebhookConfigurations.Items {
+ config := config
+ for _, wh := range config.Webhooks {
+ wh := wh
 if wh.TimeoutSeconds == nil {
 // TimeoutSeconds value should be set to a non-nil value (greater than or equal to 1 and less than 30).
 // If the TimeoutSeconds value is set to nil and the cluster version is 1.13.*, users are
@@ -71,10 +71,10 @@ func (w *webhookTimeoutCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, e
 }
 }
- for i := range objects.MutatingWebhookConfigurations.Items {
- config := objects.MutatingWebhookConfigurations.Items[i]
- for k := range config.Webhooks {
- wh := config.Webhooks[k]
+ for _, config := range objects.MutatingWebhookConfigurations.Items {
+ config := config
+ for _, wh := range config.Webhooks {
+ wh := wh
 if wh.TimeoutSeconds == nil {
 // TimeoutSeconds value should be set to a non-nil value (greater than or equal to 1 and less than 30).
 // If the TimeoutSeconds value is set to nil and the cluster version is 1.13.*, users are
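Review bot: The shadow copies `config := config` and `wh := wh` in both hunks of admission_controller_webhook_timeout.go carry no comment, and nothing in the visible lines takes the address of either variable, so they read as no-ops that a later cleanup could delete and silently reintroduce the aliasing bug. If the diagnostic built further down in Run (outside these hunks) stores a pointer into `config`, say so at the copy, e.g. `// per-iteration copy: a pointer into config is kept in the diagnostic below`. If no pointer or closure captures `wh`, the `wh := wh` line can be dropped instead of documented.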