From ab14caa3cc763c630e4235869f4dd7c48cc53df7 Mon Sep 17 00:00:00 2001
From: Yaroslav Borbat <86148689+yaroslavborbat@users.noreply.github.com>
Date: Sat, 2 Nov 2024 10:38:51 +0300
Subject: [PATCH] refactor(core): add replace expressions for validating admission policy patch (#489)

add replace expressions for validating admission policy patch
Signed-off-by: yaroslavborbat
---
...ions-for-validating-admission-policy.patch | 36 +++++++++++++++++++
images/virt-artifact/patches/README.md | 5 +++
2 files changed, 41 insertions(+)
create mode 100644 images/virt-artifact/patches/023-replace-expressions-for-validating-admission-policy.patch

diff --git a/images/virt-artifact/patches/023-replace-expressions-for-validating-admission-policy.patch b/images/virt-artifact/patches/023-replace-expressions-for-validating-admission-policy.patch
new file mode 100644
index 000000000..1dde13eb0
--- /dev/null
+++ b/images/virt-artifact/patches/023-replace-expressions-for-validating-admission-policy.patch
@@ -0,0 +1,36 @@
+diff --git a/pkg/virt-operator/resource/generate/components/validatingadmissionpolicy.go b/pkg/virt-operator/resource/generate/components/validatingadmissionpolicy.go
+index 5fefec2304..20914e8bf6 100644
+--- a/pkg/virt-operator/resource/generate/components/validatingadmissionpolicy.go
++++ b/pkg/virt-operator/resource/generate/components/validatingadmissionpolicy.go
+@@ -117,7 +117,7 @@ func NewHandlerV1ValidatingAdmissionPolicy(virtHandlerServiceAccount string) *ad
+ Variables: []admissionregistrationv1.Variable{
+ {
+ Name: "oldNonKubevirtLabels",
+- Expression: `oldObject.metadata.labels.filter(k, !k.contains("kubevirt.io") && k != "cpumanager")`,
++ Expression: `oldObject.metadata.labels.filter(k, !k.contains("kubevirt") && k != "cpumanager")`,
+ },
+ {
+ Name: "oldLabels",
+@@ -125,7 +125,7 @@ func NewHandlerV1ValidatingAdmissionPolicy(virtHandlerServiceAccount string) *ad
+ },
+ {
+ Name: "newNonKubevirtLabels",
+- Expression: `object.metadata.labels.filter(k, !k.contains("kubevirt.io") && k != "cpumanager")`,
++ Expression: `object.metadata.labels.filter(k, !k.contains("kubevirt") && k != "cpumanager")`,
+ },
+ {
+ Name: "newLabels",
+@@ -133,11 +133,11 @@ func NewHandlerV1ValidatingAdmissionPolicy(virtHandlerServiceAccount string) *ad
+ },
+ {
+ Name: "oldNonKubevirtAnnotations",
+- Expression: `oldObject.metadata.annotations.filter(k, !k.contains("kubevirt.io"))`,
++ Expression: `oldObject.metadata.annotations.filter(k, !k.contains("kubevirt"))`,
+ },
+ {
+ Name: "newNonKubevirtAnnotations",
+- Expression: `object.metadata.annotations.filter(k, !k.contains("kubevirt.io"))`,
++ Expression: `object.metadata.annotations.filter(k, !k.contains("kubevirt"))`,
+ },
+ {
+ Name: "oldAnnotations",
diff --git a/images/virt-artifact/patches/README.md b/images/virt-artifact/patches/README.md
index 0a030cec6..4ae99e60c 100644
--- a/images/virt-artifact/patches/README.md
+++ b/images/virt-artifact/patches/README.md
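Review bot: The relaxed filter `!k.contains("kubevirt")` in the four `*NonKubevirt*` variables (across all three inner hunks) now treats any label or annotation key containing the substring "kubevirt" anywhere as KubeVirt-owned. Assuming these variables feed the policy's old-versus-new comparisons (the validations lie outside the hunk, as does the rest of NewHandlerV1ValidatingAdmissionPolicy), the virt-handler service account would be allowed to change more Node metadata than the upstream policy permitted. If the kube-api-rewriter maps `kubevirt.io` to a single known domain, matching that domain explicitly keeps the restriction tight, for example `!k.contains("kubevirt.io") && !k.contains("<rewritten-domain>")`, where the placeholder stands for the rewritten prefix. A short comment beside the expressions naming the rewriter as the reason for the deviation would also help whoever rebases this patch onto a newer upstream.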
@@ -78,3 +78,8 @@ Cleanup stale Pods owned by the VMI, keep only last 3 in the Failed phase. Why we need it? Unsuccessful migrations may leave a lot of Pods. These huge lists reduce performance on virtualization-controller and cdi-deployment restarts. + +#### `023-replace-expressions-for-validating-admission-policy.patch` + +Replace the expressions for the ValidatingAdmissionPolicy kubevirt-node-restriction-policy. +This is necessary because of the kube-api-rewriter that changes the labels.