ensure users do not abuse limits
setting a max 10x difference for now, to prevent users requesting silly things like
0.1 cpu and 99 cpu limit

also allow <0.1 to take up to 1 cpu since users can set requests to 0
grosser committed Dec 21, 2017
1 parent 72c63ef commit 6b2a71f
Showing 4 changed files with 40 additions and 2 deletions.
@@ -63,6 +63,7 @@ def update
if @deploy_group_role.save
redirect_back fallback_location: @deploy_group_role
else
puts @deploy_group_role.errors.full_messages
render :edit, status: 422
end
end
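Review bot: The `puts @deploy_group_role.errors.full_messages` in the failure branch looks like leftover debugging output (the hunk header reports one added line, and this appears to be it). It writes validation messages straight to the process's stdout, outside the Rails logger with its levels and tagging, and the same messages are already available to the `:edit` view through the record's errors. I would drop the line, or if the trace is wanted, use `Rails.logger.debug { @deploy_group_role.errors.full_messages.join(", ") }`. The `update` action begins above the hunk.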
13 changes: 13 additions & 0 deletions plugins/kubernetes/app/models/kubernetes/deploy_group_role.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: true
module Kubernetes
class DeployGroupRole < ActiveRecord::Base
MAX_LIMITS_TO_REQUESTS_RATIO = 10

self.table_name = 'kubernetes_deploy_group_roles'

audited
@@ -14,6 +16,7 @@ class DeployGroupRole < ActiveRecord::Base
validates :limits_cpu, numericality: { greater_than: 0 }
validates :requests_memory, :limits_memory, numericality: { greater_than_or_equal_to: 4 }
validate :requests_below_limits
validate :limits_close_to_requests
validate :requests_below_usage_limits

# The matrix is a list of deploy group and its roles + deploy-group-roles
@@ -94,6 +97,16 @@ def requests_below_limits
end
end

def limits_close_to_requests
minimum_requested_cpu = [requests_cpu.to_f, 1.0 / MAX_LIMITS_TO_REQUESTS_RATIO].max
if limits_cpu && limits_cpu > minimum_requested_cpu * MAX_LIMITS_TO_REQUESTS_RATIO
errors.add :limits_cpu, "must be less than #{MAX_LIMITS_TO_REQUESTS_RATIO}x requested cpu"
end
if limits_memory && limits_memory > requests_memory * MAX_LIMITS_TO_REQUESTS_RATIO
errors.add :limits_memory, "must be less than #{MAX_LIMITS_TO_REQUESTS_RATIO}x requested memory"
end
end

def requests_below_usage_limits
return unless limit = UsageLimit.most_specific(project, deploy_group)
message = "must be less than or equal to kubernetes usage limit"
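Review bot: In `limits_close_to_requests` the memory branch multiplies `requests_memory` without a nil guard, while the CPU branch protects itself with `requests_cpu.to_f`. The numericality validation on `requests_memory` records an error for a missing value but does not stop later validators, so a blank `requests_memory` would presumably raise NoMethodError here and turn a form error into a 500. The guard could read `if limits_memory && requests_memory && limits_memory > requests_memory * MAX_LIMITS_TO_REQUESTS_RATIO`. A comment above `minimum_requested_cpu` such as `# floor requests at 0.1 cpu so a request of 0 may still get a limit of up to 1 cpu` would also explain the floor. `requests_below_usage_limits` continues below the hunk.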
@@ -144,11 +144,11 @@
end

describe "#update" do
let(:valid_params) { {id: deploy_group_role.id, kubernetes_deploy_group_role: {limits_cpu: 3.1}} }
let(:valid_params) { {id: deploy_group_role.id, kubernetes_deploy_group_role: {limits_cpu: 0.7}} }

it "updates" do
put :update, params: valid_params
deploy_group_role.reload.limits_cpu.must_equal 3.1
deploy_group_role.reload.limits_cpu.must_equal 0.7
assert_redirected_to deploy_group_role
end

@@ -187,6 +187,30 @@ def seed!
end
end

describe "#limits_close_to_requests" do
it "shows no error when limits are ok" do
assert_valid deploy_group_role
end

it "allows 0 with up to 1 cpu" do
deploy_group_role.requests_cpu = 0
deploy_group_role.limits_cpu = 1.0
assert_valid deploy_group_role
end

it "shows an error if the limits are more than 10x the requests" do
deploy_group_role.limits_cpu = 2.0
deploy_group_role.limits_memory = 2048
refute_valid deploy_group_role
deploy_group_role.errors.full_messages.must_equal(
[
"Limits cpu must be less than 10x requested cpu",
"Limits memory must be less than 10x requested memory"
]
)
end
end

describe "#requests_below_usage_limits" do
before { usage_limit }
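Review bot: None of the three examples under `#limits_close_to_requests` pins the boundary. The validator compares with `>`, so a limit of exactly 10x the request is accepted, while the asserted messages say "must be less than 10x". An example that sets `limits_cpu` and `limits_memory` to exactly ten times the requested values and calls `assert_valid` would fix the intended behaviour. The message could then be reworded to `"must be at most #{MAX_LIMITS_TO_REQUESTS_RATIO}x requested cpu"` (and likewise for memory) so the text matches the check.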
