From a5e286ac4e1ce203c0c67b77f4042b3cf8c46ba8 Mon Sep 17 00:00:00 2001
From: Chris O'Haver <cohaver@infoblox.com>
Date: Mon, 4 May 2020 04:17:26 -0400
Subject: [PATCH] plugin/kubernetes: Don't panic with metadata enabled and pods
 mode not verified (#3869)

* prevent panic in podWithIP

Signed-off-by: Chris O'Haver <cohaver@infoblox.com>

* add unit test, correct existing unit test

Signed-off-by: Chris O'Haver <cohaver@infoblox.com>

* unit tests make more sense this way

Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
---
 plugin/kubernetes/autopath.go      |  3 +++
 plugin/kubernetes/metadata_test.go | 38 ++++++++++++++++++++++++++----
 2 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/plugin/kubernetes/autopath.go b/plugin/kubernetes/autopath.go
index 33bf401f5..6bca35d39 100644
--- a/plugin/kubernetes/autopath.go
+++ b/plugin/kubernetes/autopath.go
@@ -51,6 +51,9 @@ func (k *Kubernetes) AutoPath(state request.Request) []string {
 
 // podWithIP return the api.Pod for source IP. It returns nil if nothing can be found.
 func (k *Kubernetes) podWithIP(ip string) *object.Pod {
+	if k.podMode != podModeVerified {
+		return nil
+	}
 	ps := k.APIConn.PodIndex(ip)
 	if len(ps) == 0 {
 		return nil
diff --git a/plugin/kubernetes/metadata_test.go b/plugin/kubernetes/metadata_test.go
index 1e3d823bc..c55258335 100644
--- a/plugin/kubernetes/metadata_test.go
+++ b/plugin/kubernetes/metadata_test.go
@@ -32,8 +32,6 @@ var metadataCases = []struct {
 			"kubernetes/port-name":        "*",
 			"kubernetes/protocol":         "*",
 			"kubernetes/service":          "10-240-0-1",
-			"kubernetes/client-namespace": "podns",
-			"kubernetes/client-pod-name":  "foo",
 		},
 	},
 	{
@@ -45,8 +43,6 @@ var metadataCases = []struct {
 			"kubernetes/port-name":        "*",
 			"kubernetes/protocol":         "*",
 			"kubernetes/service":          "s",
-			"kubernetes/client-namespace": "podns",
-			"kubernetes/client-pod-name":  "foo",
 		},
 	},
 	{
@@ -124,3 +120,37 @@ func TestMetadata(t *testing.T) {
 		}
 	}
 }
+
+func TestMetadataPodsVerified(t *testing.T) {
+	k := New([]string{"cluster.local."})
+	k.podMode = podModeVerified
+	k.APIConn = &APIConnServeTest{}
+
+	ctx := metadata.ContextWithMetadata(context.Background())
+	state := request.Request{
+		Req:  &dns.Msg{Question: []dns.Question{{Name: "s.ns.svc.cluster.local.", Qtype: dns.TypeA}}},
+		Zone: ".",
+		W:    &test.ResponseWriter{},
+	}
+
+	k.Metadata(ctx, state)
+
+	expect := map[string]string{
+		"kubernetes/endpoint":  "",
+		"kubernetes/kind":      "svc",
+		"kubernetes/namespace": "ns",
+		"kubernetes/port-name": "*",
+		"kubernetes/protocol":  "*",
+		"kubernetes/service":   "s",
+		"kubernetes/client-namespace": "podns",
+		"kubernetes/client-pod-name":  "foo",
+	}
+
+	md := make(map[string]string)
+	for _, l := range metadata.Labels(ctx) {
+		md[l] = metadata.ValueFunc(ctx, l)()
+	}
+	if mapsDiffer(expect, md) {
+		t.Errorf("Expected metadata %v and got %v", expect, md)
+	}
+}