From 81ec4ac9dae21492abea37838c26dd544a057ba7 Mon Sep 17 00:00:00 2001
From: Varsha Prasad Narsing
Date: Mon, 23 Dec 2024 11:49:38 -0800
Subject: [PATCH] [Fix] Remove the requirement for VAP

VAP is a default admission plugin enabled while starting an API server for visibility. The Kueue controller has additional permissions to watch those GVKs even though it is not required. Disabling the plugin from api server helps in keeping it minimal and maintaining compatibility with previous versions of K8s.

Signed-off-by: Varsha Prasad Narsing
---
 charts/kueue/templates/rbac/role.yaml | 9 ---------
 config/components/rbac/role.yaml      | 9 ---------
 pkg/util/cert/cert.go                 | 2 --
 pkg/visibility/server.go              | 3 ++-
 4 files changed, 2 insertions(+), 21 deletions(-)

diff --git a/charts/kueue/templates/rbac/role.yaml b/charts/kueue/templates/rbac/role.yaml
index 6a27740947..cf5aaf7061 100644
--- a/charts/kueue/templates/rbac/role.yaml
+++ b/charts/kueue/templates/rbac/role.yaml
@@ -79,15 +79,6 @@ rules:
     - list
     - update
     - watch
-  - apiGroups:
-    - admissionregistration.k8s.io
-    resources:
-    - validatingadmissionpolicies
-    - validatingadmissionpolicybindings
-    verbs:
-    - get
-    - list
-    - watch
   - apiGroups:
     - apps
     resources:
diff --git a/config/components/rbac/role.yaml b/config/components/rbac/role.yaml
index 9d971bf309..a44e88c535 100644
--- a/config/components/rbac/role.yaml
+++ b/config/components/rbac/role.yaml
@@ -78,15 +78,6 @@ rules:
   - list
   - update
   - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingadmissionpolicies
-  - validatingadmissionpolicybindings
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - apps
   resources:
diff --git a/pkg/util/cert/cert.go b/pkg/util/cert/cert.go
index 3c3ee16d57..d63a3d6529 100644
--- a/pkg/util/cert/cert.go
+++ b/pkg/util/cert/cert.go
@@ -38,8 +38,6 @@ const (
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicies,verbs=get;list;watch
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicybindings,verbs=get;list;watch
 
 // ManageCerts creates all certs for webhooks. This function is called from main.go.
 func ManageCerts(mgr ctrl.Manager, cfg config.Configuration, setupFinished chan struct{}) error {
diff --git a/pkg/visibility/server.go b/pkg/visibility/server.go
index 94f3b0db49..4fc5635f01 100644
--- a/pkg/visibility/server.go
+++ b/pkg/visibility/server.go
@@ -23,6 +23,7 @@ import (
 	"os"
 	"strings"
 
+	validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 	openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
@@ -77,7 +78,7 @@ func applyVisibilityServerOptions(config *genericapiserver.RecommendedConfig) er
 	o.SecureServing.BindPort = 8082
 	// The directory where TLS certs will be created
 	o.SecureServing.ServerCert.CertDirectory = "/tmp"
-
+	o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName}
 	if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
 		return fmt.Errorf("error creating self-signed certificates: %v", err)
 	}
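Review bot: The new `o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName}` line in the second server.go hunk carries no comment explaining why the visibility server runs without the ValidatingAdmissionPolicy plugin, and because it takes the place of the removed blank line it reads as part of the TLS settings above it; the rationale lives only in the commit message. Suggested comment above the line: `// Disable the ValidatingAdmissionPolicy plugin: the visibility server does not need it, and running it would require the controller to hold get/list/watch RBAC on validatingadmissionpolicies and validatingadmissionpolicybindings, which this commit removes from role.yaml and cert.go.` The plain assignment also discards anything already present in DisablePlugins; if the RecommendedOptions defaults ever pre-populate that slice, `o.Admission.DisablePlugins = append(o.Admission.DisablePlugins, validatingadmissionpolicy.PluginName)` would be the safer form. applyVisibilityServerOptions starts and ends outside the hunk.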