Ignore updates related to Scheduling Gates

to allow the installation of external
operators that manage pod scheduling.
Scheduling Gates don't affect pod privileges,
so there's no need to block them through SCC admission.

Signed-off-by: bmordeha <[email protected]>

Author: Barakmor1

pkg/securitycontextconstraints/sccadmission/admission.go

@@ -448,24 +448,27 @@ func shouldIgnore(a admission.Attributes) (bool, error) {
 			return false, admission.NewForbidden(a, fmt.Errorf("object was marked as kind pod but was unable to be converted: %v", a.GetOldObject()))
 		}
 
-		// never ignore any spec changes
-		if !kapihelper.Semantic.DeepEqual(pod.Spec, oldPod.Spec) {
+		// Create deep copies to avoid mutating the original objects
+		podCopy := pod.DeepCopy()
+		// Skip SchedulingGates when comparing specs
+		podCopy.Spec.SchedulingGates = oldPod.Spec.SchedulingGates
+		if !kapihelper.Semantic.DeepEqual(podCopy.Spec, oldPod.Spec) {
 			return false, nil
 		}
 
 		// see if we are only doing meta changes that should be ignored during admission
 		// for example, the OVN controller adds informative networking annotations that shouldn't cause the pod to go through admission again
-		if shouldIgnoreMetaChanges(pod, oldPod) {
+		if shouldIgnoreMetaChanges(podCopy, oldPod) {
 			return true, nil
 		}
 	}
 
 	return false, nil
 }
 
-func shouldIgnoreMetaChanges(newPod, oldPod *coreapi.Pod) bool {
+func shouldIgnoreMetaChanges(newPodCopy, oldPod *coreapi.Pod) bool {
 	// check if we're adding or changing only annotations from the ignore list
-	for key, newVal := range newPod.ObjectMeta.Annotations {
+	for key, newVal := range newPodCopy.ObjectMeta.Annotations {
 		if oldVal, ok := oldPod.ObjectMeta.Annotations[key]; ok && newVal == oldVal {
 			continue
 		}
@@ -477,7 +480,7 @@ func shouldIgnoreMetaChanges(newPod, oldPod *coreapi.Pod) bool {
 
 	// check if we're removing only annotations from the ignore list
 	for key := range oldPod.ObjectMeta.Annotations {
-		if _, ok := newPod.ObjectMeta.Annotations[key]; ok {
+		if _, ok := newPodCopy.ObjectMeta.Annotations[key]; ok {
 			continue
 		}
 
@@ -486,7 +489,6 @@ func shouldIgnoreMetaChanges(newPod, oldPod *coreapi.Pod) bool {
 		}
 	}
 
-	newPodCopy := newPod.DeepCopyObject()
 	newPodCopyMeta, err := meta.Accessor(newPodCopy)
 	if err != nil {
 		return false

pkg/securitycontextconstraints/sccadmission/admission_test.go

@@ -268,6 +268,15 @@ func TestShouldIgnore(t *testing.T) {
 			shouldIgnore:        true,
 			admissionAttributes: withStatusUpdate(goodPod()),
 		},
+		{
+			description:  "schedulingGates updates should be ignored",
+			shouldIgnore: true,
+			admissionAttributes: withUpdate(schedulingGatePod(), "",
+				func(p *coreapi.Pod) *coreapi.Pod {
+					p.Spec.SchedulingGates = []coreapi.PodSchedulingGate{}
+					return p
+				}),
+		},
 		{
 			description:  "don't ignore normal updates",
 			shouldIgnore: false,
@@ -2008,6 +2017,14 @@ func goodPod() *coreapi.Pod {
 	}
 }
 
+// schedulingGatePod is empty pod with scheduling gate. schedulingGates modifications
+// should be safely ignored.
+func schedulingGatePod() *coreapi.Pod {
+	p := goodPod()
+	p.Spec.SchedulingGates = []coreapi.PodSchedulingGate{{Name: "testGate"}}
+	return p
+}
+
 // windowsPod returns windows pod without any SCCs which are specific to Linux. The admission of Windows pod
 // should be safely ignored.
 func windowsPod() *coreapi.Pod {