From 17ac9be2b1c5a826cf6886e545fccaab9ee190e3 Mon Sep 17 00:00:00 2001
From: Michelle Au
Date: Mon, 5 Feb 2018 18:42:30 -0800
Subject: [PATCH] Volume node affinity enforcement
---
 pkg/volume/util/util.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/pkg/volume/util/util.go b/pkg/volume/util/util.go
index 88b82f1..b9d8629 100644
--- a/pkg/volume/util/util.go
+++ b/pkg/volume/util/util.go
@@ -237,6 +237,13 @@ func GetClassForVolume(kubeClient clientset.Interface, pv *v1.PersistentVolume)
 // CheckNodeAffinity looks at the PV node affinity, and checks if the node has the same corresponding labels
 // This ensures that we don't mount a volume that doesn't belong to this node
 func CheckNodeAffinity(pv *v1.PersistentVolume, nodeLabels map[string]string) error {
+ if err := checkAlphaNodeAffinity(pv, nodeLabels); err != nil {
+ return err
+ }
+ return checkVolumeNodeAffinity(pv, nodeLabels)
+}
+
+func checkAlphaNodeAffinity(pv *v1.PersistentVolume, nodeLabels map[string]string) error {
 affinity, err := v1helper.GetStorageNodeAffinityFromAnnotation(pv.Annotations)
 if err != nil {
 return fmt.Errorf("Error getting storage node affinity: %v", err)
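Review bot: The doc comment on CheckNodeAffinity no longer says what the function enforces. After this hunk it runs the alpha annotation check and then the `pv.Spec.NodeAffinity` check, and the volume is accepted only when both pass. I would extend the comment with `// Both the alpha annotation and pv.Spec.NodeAffinity are enforced; the first failing check's error is returned.` and give the new helper a one-line comment such as `// checkAlphaNodeAffinity enforces the node affinity stored in the PV's alpha annotation.` The body of checkAlphaNodeAffinity continues past the end of this hunk, so its matching logic is not reviewed here.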
@@ -261,6 +268,27 @@ func CheckNodeAffinity(pv *v1.PersistentVolume, nodeLabels map[string]string) er
 return nil
 }
 
+func checkVolumeNodeAffinity(pv *v1.PersistentVolume, nodeLabels map[string]string) error {
+ if pv.Spec.NodeAffinity == nil {
+ return nil
+ }
+
+ if pv.Spec.NodeAffinity.Required != nil {
+ terms := pv.Spec.NodeAffinity.Required.NodeSelectorTerms
+ glog.V(10).Infof("Match for Required node selector terms %+v", terms)
+ for _, term := range terms {
+ selector, err := v1helper.NodeSelectorRequirementsAsSelector(term.MatchExpressions)
+ if err != nil {
+ return fmt.Errorf("Failed to parse MatchExpressions: %v", err)
+ }
+ if !selector.Matches(labels.Set(nodeLabels)) {
+ return fmt.Errorf("NodeSelectorTerm %+v does not match node labels", term.MatchExpressions)
+ }
+ }
+ }
+ return nil
+}
+
 // LoadPodFromFile will read, decode, and return a Pod from a file.
 func LoadPodFromFile(filePath string) (*v1.Pod, error) {
 if filePath == "" {
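Review bot: The loop in checkVolumeNodeAffinity rejects the node as soon as one term fails, so the terms are effectively ANDed, while the v1.NodeSelector API documents NodeSelectorTerms as ORed. If PV node affinity is meant to follow that convention, this check can refuse a mount on a node that satisfies one term of a multi-term affinity. The same loop also fails open on an empty list: a `Required` with zero terms never enters the body and the function returns nil, so the volume is accepted on any node unless API validation (not visible here) forbids that shape. Tracking whether any term matched and rejecting when none did covers both cases, as sketched below. The new helper also has no doc comment stating which semantics it implements.

```go
		terms := pv.Spec.NodeAffinity.Required.NodeSelectorTerms
		// … unchanged: glog.V(10) trace of the terms …
		matched := false
		for _, term := range terms {
			// … unchanged: build selector from term.MatchExpressions, return on parse error …
			if selector.Matches(labels.Set(nodeLabels)) {
				matched = true
				break
			}
		}
		if !matched {
			// Also reached when terms is empty, so an empty Required fails closed.
			return fmt.Errorf("No NodeSelectorTerm in %+v matches node labels", terms)
		}
```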