From c9a483e2506e40d8ab50da928306bd25d83b1f67 Mon Sep 17 00:00:00 2001
From: Varsha
Date: Tue, 31 Dec 2024 13:08:19 -0800
Subject: [PATCH] [Fix] Remove the requirement for VAP (#3908)

VAP is a default admission plugin enabled while starting an API server for visibility. The Kueue controller has additional permissions to watch those GVKs even though it is not required. Disabling the plugin from api server helps in keeping it minimal and maintaining compatibility with previous versions of K8s.

Signed-off-by: Varsha Prasad Narsing
---
 charts/kueue/templates/rbac/role.yaml | 9 ---------
 cmd/kueue/main.go | 2 +-
 config/components/rbac/role.yaml | 9 ---------
 pkg/util/cert/cert.go | 2 --
 pkg/visibility/server.go | 3 ++-
 .../controller-runtime/pkg/metrics/filters/filters.go | 3 ++-
 6 files changed, 5 insertions(+), 23 deletions(-)
diff --git a/charts/kueue/templates/rbac/role.yaml b/charts/kueue/templates/rbac/role.yaml
index 6a27740947..cf5aaf7061 100644
--- a/charts/kueue/templates/rbac/role.yaml
+++ b/charts/kueue/templates/rbac/role.yaml
@@ -79,15 +79,6 @@ rules:
 - list
 - update
 - watch
- - apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingadmissionpolicies
- - validatingadmissionpolicybindings
- verbs:
- - get
- - list
- - watch
 - apiGroups:
 - apps
 resources:
diff --git a/cmd/kueue/main.go b/cmd/kueue/main.go
index 7ae9a38e54..b54233eeef 100644
--- a/cmd/kueue/main.go
+++ b/cmd/kueue/main.go
@@ -144,7 +144,7 @@ func main() {
 features.LogFeatureGates(setupLog)
- options, cfg, err := apply(configFile)
+ options, cfg, err = apply(configFile)
 if err != nil {
 setupLog.Error(err, "Unable to load the configuration")
 os.Exit(1)
diff --git a/config/components/rbac/role.yaml b/config/components/rbac/role.yaml
index 9d971bf309..a44e88c535 100644
--- a/config/components/rbac/role.yaml
+++ b/config/components/rbac/role.yaml
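Review bot: The `:=` to `=` change on the `apply(configFile)` line in cmd/kueue/main.go is unrelated to the VAP removal the commit describes and is not mentioned in the message; it presumably stops re-declaring `options`, `cfg` and `err` that are declared earlier in main, outside this hunk, so the rest of main now reads the values apply() returned. A sentence in the commit description such as `Also assign the result of apply() to the outer options/cfg/err instead of shadowing them.` would make that visible to readers of the history. If those earlier declarations are not present the line no longer compiles, so the change is safe once the build passes. main's body starts and continues outside the hunk.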
@@ -78,15 +78,6 @@ rules:
 - list
 - update
 - watch
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingadmissionpolicies
- - validatingadmissionpolicybindings
- verbs:
- - get
- - list
- - watch
 - apiGroups:
 - apps
 resources:
diff --git a/pkg/util/cert/cert.go b/pkg/util/cert/cert.go
index 3c3ee16d57..d63a3d6529 100644
--- a/pkg/util/cert/cert.go
+++ b/pkg/util/cert/cert.go
@@ -38,8 +38,6 @@ const (
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicies,verbs=get;list;watch
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicybindings,verbs=get;list;watch
 // ManageCerts creates all certs for webhooks. This function is called from main.go.
 func ManageCerts(mgr ctrl.Manager, cfg config.Configuration, setupFinished chan struct{}) error {
diff --git a/pkg/visibility/server.go b/pkg/visibility/server.go
index 94f3b0db49..4fc5635f01 100644
--- a/pkg/visibility/server.go
+++ b/pkg/visibility/server.go
@@ -23,6 +23,7 @@ import (
 "os"
 "strings"
+ validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
 genericapiserver "k8s.io/apiserver/pkg/server"
 genericoptions "k8s.io/apiserver/pkg/server/options"
@@ -77,7 +78,7 @@ func applyVisibilityServerOptions(config *genericapiserver.RecommendedConfig) er
 o.SecureServing.BindPort = 8082
 // The directory where TLS certs will be created
 o.SecureServing.ServerCert.CertDirectory = "/tmp"
-
+ o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName}
 if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
 return fmt.Errorf("error creating self-signed certificates: %v", err)
 }
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/filters/filters.go b/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/filters/filters.go
index ef88f4f0ad..1659502bcf 100644
--- a/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/filters/filters.go
+++ b/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/filters/filters.go
@@ -8,6 +8,7 @@ import (
 "github.com/go-logr/logr"
 "k8s.io/apimachinery/pkg/util/wait"
+ "k8s.io/apiserver/pkg/apis/apiserver"
 "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 "k8s.io/apiserver/pkg/authorization/authorizerfactory"
@@ -43,7 +44,7 @@ func WithAuthenticationAndAuthorization(config *rest.Config, httpClient *http.Cl
 }
 authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
- Anonymous: false, // Require authentication.
+ Anonymous: &apiserver.AnonymousAuthConfig{Enabled: false}, // Require authentication.
 CacheTTL: 1 * time.Minute,
 TokenAccessReviewClient: authenticationV1Client,
 TokenAccessReviewTimeout: 10 * time.Second,
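Review bot: `o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName}` replaces the whole slice rather than adding to it, so any plugin already listed in DisablePlugins when `o` was built (its construction is outside the hunk) would be silently re-enabled; `o.Admission.DisablePlugins = append(o.Admission.DisablePlugins, validatingadmissionpolicy.PluginName)` keeps existing entries. The line also carries no comment saying why the plugin is turned off, and the reason currently lives only in the commit message; a why-comment such as `// Disable ValidatingAdmissionPolicy: the plugin watches ValidatingAdmissionPolicy/Binding objects, which would require extra RBAC this server does not otherwise need.` keeps that rationale next to the code. Disabling it also means admission policies are no longer evaluated for the resources this aggregated server serves, which is a trade-off worth stating in the same comment. applyVisibilityServerOptions starts and ends outside the hunk.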