Remove validatePodSpecUpdate from the validating webhook. (#187)

* Remove `validatePodSpecUpdate` from the validating webhook.

Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>

---------

Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>

Author: renormalize

operator/client/go.sum

@@ -55,8 +55,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/onsi/ginkgo/v2 v2.22.1 h1:QW7tbJAUDyVDVOM5dFa7qaybo+CRfR7bemlQUN6Z8aM=
 github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM=
-github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
-github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
+github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
+github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

operator/go.mod

@@ -6,7 +6,6 @@ require (
 	github.com/NVIDIA/grove/operator/api v0.0.0
 	github.com/NVIDIA/grove/scheduler/api v0.0.0
 	github.com/go-logr/logr v1.4.3
-	github.com/google/uuid v1.6.0
 	github.com/open-policy-agent/cert-controller v0.13.0
 	github.com/samber/lo v1.51.0
 	github.com/spf13/pflag v1.0.7
@@ -35,6 +34,7 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect

operator/internal/webhook/admission/pcs/validation/podcliqueset.go

@@ -18,7 +18,6 @@ package validation
 
 import (
 	"fmt"
-	"reflect"
 	"slices"
 	"strings"
 
@@ -579,54 +578,11 @@ func validatePodCliqueUpdate(newCliques, oldCliques []*grovecorev1alpha1.PodCliq
 		allErrs = append(allErrs, apivalidation.ValidateImmutableField(newClique.Spec.RoleName, oldIndexCliqueTuple.B.Spec.RoleName, cliqueFldPath.Child("roleName"))...)
 		allErrs = append(allErrs, apivalidation.ValidateImmutableField(newClique.Spec.MinAvailable, oldIndexCliqueTuple.B.Spec.MinAvailable, cliqueFldPath.Child("minAvailable"))...)
 		allErrs = append(allErrs, apivalidation.ValidateImmutableField(newClique.Spec.StartsAfter, oldIndexCliqueTuple.B.Spec.StartsAfter, cliqueFldPath.Child("startsAfter"))...)
-
-		allErrs = append(allErrs, validatePodSpecUpdate(&newClique.Spec.PodSpec, &oldIndexCliqueTuple.B.Spec.PodSpec, fldPath.Child("spec", "podSpec"))...)
-	}
-
-	return allErrs
-}
-
-func validatePodSpecUpdate(newSpec, oldSpec *corev1.PodSpec, fldPath *field.Path) field.ErrorList {
-	allErrs := field.ErrorList{}
-
-	// spec: Forbidden: pod updates may not change fields other than:
-	//  `spec.containers[*].image`,
-	//  `spec.initContainers[*].image`,
-	//  `spec.activeDeadlineSeconds`,
-	//  `spec.tolerations` (only additions to existing tolerations),
-	//  `spec.terminationGracePeriodSeconds` (allow it to be set to 1 if it was previously negative)
-	if len(newSpec.Tolerations) < len(oldSpec.Tolerations) || !reflect.DeepEqual(oldSpec.Tolerations, newSpec.Tolerations[:len(oldSpec.Tolerations)]) {
-		allErrs = append(allErrs, field.Forbidden(fldPath.Child("tolerations"), "not allowed to change immutable pod fields"))
-	}
-	if oldSpec.TerminationGracePeriodSeconds != nil && *oldSpec.TerminationGracePeriodSeconds < 0 {
-		// The only change that is allowed is to set this value to 1. All other modifications should be rejected.
-		if newSpec.TerminationGracePeriodSeconds != nil && *newSpec.TerminationGracePeriodSeconds != 1 {
-			allErrs = append(allErrs, field.Forbidden(fldPath.Child("terminationGracePeriodSeconds"), "value can only be set to 1 if previously negative"))
-		}
 	}
-	// hide mutable fields
-	spec1 := newSpec.DeepCopy()
-	spec2 := oldSpec.DeepCopy()
-
-	clearContainerImages(spec1.Containers)
-	clearContainerImages(spec2.Containers)
-	clearContainerImages(spec1.InitContainers)
-	clearContainerImages(spec2.InitContainers)
-	spec1.ActiveDeadlineSeconds, spec2.ActiveDeadlineSeconds = nil, nil
-	spec1.Tolerations, spec2.Tolerations = []corev1.Toleration{}, []corev1.Toleration{}
-	spec1.TerminationGracePeriodSeconds, spec2.TerminationGracePeriodSeconds = nil, nil
-
-	allErrs = append(allErrs, apivalidation.ValidateImmutableField(spec1, spec2, fldPath)...)
 
 	return allErrs
 }
 
-func clearContainerImages(containers []corev1.Container) {
-	for i := range containers {
-		containers[i].Image = ""
-	}
-}
-
 // validatePodNameConstraints validates Grove pod name component constraints.
 // This function validates the constraints for component names that will be used
 // to construct pod names.

scheduler/api/go.sum

@@ -153,8 +153,6 @@ k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscgh
 k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
 k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4=
 k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
-k8s.io/code-generator v0.33.0 h1:B212FVl6EFqNmlgdOZYWNi77yBv+ed3QgQsMR8YQCw4=
-k8s.io/code-generator v0.33.0/go.mod h1:KnJRokGxjvbBQkSJkbVuBbu6z4B0rC7ynkpY5Aw6m9o=
 k8s.io/code-generator v0.33.1 h1:ZLzIRdMsh3Myfnx9BaooX6iQry29UJjVfVG+BuS+UMw=
 k8s.io/code-generator v0.33.1/go.mod h1:HUKT7Ubp6bOgIbbaPIs9lpd2Q02uqkMCMx9/GjDrWpY=
 k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7 h1:2OX19X59HxDprNCVrWi6jb7LW1PoqTlYqEq5H2oetog=