API-1894: Ignore updates related to Scheduling Gates #128
Conversation
openshift-ci
bot
added
the
needs-ok-to-test
|
Hi @Barakmor1. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
The admission should pass just as it did the first time the pod was created. Is this just a minor performance improvement, then? |
openshift-merge-robot
added
the
needs-rebase
When the pod is created, it passes validation because it is created by an authorized Controller/Admin. The schedulingGates are typically added with a mutating webhook during admission, which doesn't perform an API call. This is why the validation passes on creation. The schedulingGates are typically removed with an API call by a different Controller which is not associated with the same SCC as the creator and this is when the API call fails. |
Barakmor1
force-pushed
the
considerSchedulingGates
branch
from
faed836 to
79d9a40
Compare
openshift-merge-robot
removed
the
needs-rebase
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci
bot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
|
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@Barakmor1: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/remove-lifecycle rotten |
openshift-ci
bot
removed
the
lifecycle/rotten
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
/lgtm cancel |
sjenning
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@Barakmor1: This pull request references API-1894 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/lgtm |
Barakmor1
force-pushed
the
considerSchedulingGates
branch
from
ebdbf84 to
8d3674c
Compare
|
@kannon92 won't this cause problems with Kueue as well? |
Barakmor1
force-pushed
the
considerSchedulingGates
branch
2 times, most recently
from
e326fa1 to
a9b901c
Compare
| // - update operations that only change fields like SchedulingGates or non-critical metadata. | ||
| // If the request is malformed (e.g., object can't be cast to a Pod), it fails closed to avoid | ||
| // bypassing security enforcement unintentionally. | ||
| func shouldSkipSCCEvaluation(a admission.Attributes) (bool, error) { |
There was a problem hiding this comment.
Please also rename the respective unit test (TestShouldIgnore()) accordingly.
There was a problem hiding this comment.
Also, how about adding a test in this unit that the original pod hasn't been mutated? (since we should only be mutating copies)
to allow the installation of external operators that manage pod scheduling. Scheduling Gates don't affect pod privileges, so there's no need to block them through SCC admission. Signed-off-by: bmordeha <[email protected]>
Barakmor1
force-pushed
the
considerSchedulingGates
branch
from
a9b901c to
07c3a15
Compare
|
LGTM; will hold for @ibihim to have a look as well. /lgtm |
openshift-ci
bot
added
the
do-not-merge/hold
|
@Barakmor1: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Barakmor1, ibihim, liouk, sjenning The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
Ignore updates related to Scheduling Gates to allow the installation of external operators that manage pod scheduling. Scheduling Gates don't affect pod privileges, so there's no need to block them through SCC admission.
@vladikr