fix: skip isRdma mutation for vfio-pci with InfiniBand linkType

[SchSeba]

The mutating webhook unconditionally set isRdma to true for policies with InfiniBand link type, even when deviceType was vfio-pci. This caused the validating webhook to reject the resource since deviceType vfio-pci conflicts with isRdma: true.

Check the deviceType before applying the InfiniBand isRdma patch and skip it when deviceType is vfio-pci.

Add unit tests for mutateSriovNetworkNodePolicy covering default values, InfiniBand with various device types, Ethernet, and preservation of user-specified fields.

[github-actions]

Thanks for your PR,
To run vendors CIs, Maintainers can use one of:

• /test-all: To run all tests for all vendors.
• /test-e2e-all: To run all E2E tests for all vendors.
• /test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs, Maintainers can use one of:

• /skip-all: To skip all tests for all vendors.
• /skip-e2e-all: To skip all E2E tests for all vendors.
• /skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
  Best regards.

[gemini-code-assist]

Summary of Changes

Hello @SchSeba, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug in the mutating webhook that incorrectly applied isRdma: true to InfiniBand policies configured with vfio-pci device types, leading to validation failures. The changes introduce a specific check to ensure isRdma is only set when compatible device types are present, thereby enhancing the robustness of policy validation. Additionally, a comprehensive suite of unit tests has been added to verify the correct behavior of the mutateSriovNetworkNodePolicy function across various configurations.

Highlights

• Conditional RDMA Mutation: Introduced a conditional check in the mutating webhook to prevent isRdma from being set to true for vfio-pci device types when the linkType is InfiniBand.
• Validation Conflict Resolution: Resolved an issue where the validating webhook would reject resources due to conflicts between vfio-pci device type and isRdma: true.
• Comprehensive Unit Testing: Added extensive unit tests for the mutateSriovNetworkNodePolicy function, covering default values, InfiniBand with netdevice and vfio-pci device types, Ethernet, and the preservation of existing user-defined fields.

Changelog

• pkg/webhook/mutate.go
  • Modified the logic for setting isRdma to true for InfiniBand linkType policies, adding a condition to skip this mutation if deviceType is vfio-pci.
• pkg/webhook/mutate_test.go
  • Added buildPolicyMap helper function.
  • Added patchesFromResponse helper function.
  • Added hasPatch helper function.
  • Added TestMutateSriovNetworkNodePolicy_DefaultPolicy test.
  • Added TestMutateSriovNetworkNodePolicy_DefaultValues test.
  • Added TestMutateSriovNetworkNodePolicy_InfiniBandSetsIsRdma test.
  • Added TestMutateSriovNetworkNodePolicy_InfiniBandNetdeviceSetsIsRdma test.
  • Added TestMutateSriovNetworkNodePolicy_InfiniBandVfioPciDoesNotSetIsRdma test.
  • Added TestMutateSriovNetworkNodePolicy_EthernetDoesNotSetIsRdma test.
  • Added TestMutateSriovNetworkNodePolicy_ExistingIsRdmaNotOverridden test.
  • Added TestMutateSriovNetworkNodePolicy_ExistingPriorityNotOverridden test.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively resolves a critical bug where the mutating webhook incorrectly applied the isRdma: true patch to policies with vfio-pci device types and InfiniBand link types, leading to validation failures. The introduced conditional check for deviceType before applying the isRdma patch correctly prevents this conflict, and comprehensive unit tests for mutateSriovNetworkNodePolicy significantly improve test coverage. However, a potential Denial of Service vulnerability was identified in the new code due to an unsafe type assertion on the 'spec' field. If a malformed or incomplete resource is submitted, the webhook could panic, affecting the availability of the admission process.

[gemini-code-assist]

The code performs a type assertion spec.(map[string]interface{}) without checking if spec is nil or of the expected type. If a user submits a SriovNetworkNodePolicy without a spec field, the webhook will panic. This can be used to cause a Denial of Service (DoS) for the admission controller. While this pattern exists elsewhere in the file, it is introduced here in the new code. It is recommended to use the comma-ok idiom for type assertions to safely handle cases where the 'spec' field might be missing or malformed.

Suggested change

	devType, _ := spec.(map[string]interface{})["deviceType"].(string)
	specMap, ok := spec.(map[string]interface{})
	if !ok {
	return &reviewResponse, nil
	}
	devType, _ := specMap["deviceType"].(string)

[SchSeba]

/gemini review

[gemini-code-assist]

Code Review

This pull request effectively resolves an issue where the mutating webhook incorrectly set isRdma: true for vfio-pci devices with an InfiniBand link type. The fix is correct and appropriately checks the deviceType before applying the mutation. The addition of a comprehensive unit test suite for mutateSriovNetworkNodePolicy is an excellent improvement that significantly enhances the robustness of this component. I have one minor suggestion to improve the explicitness of the logic in mutate.go.

[gemini-code-assist]

This logic can be made more robust and explicit by checking the ok value from the type assertion. This avoids relying on the zero value of a string to achieve the correct behavior when deviceType is not specified. The following suggestion refactors this block to be more idiomatic and clear.

		if devType, ok := specMap["deviceType"].(string); !ok || !strings.EqualFold(devType, constants.DeviceTypeVfioPci) {
			log.Log.V(2).Info("mutateSriovNetworkNodePolicy(): set isRdma to true for policy since ib link type is detected", "policy-name", name)
			patchs = append(patchs, InfiniBandIsRdmaPatch)
		}

[coveralls]

Pull Request Test Coverage Report for Build 22179241629

Details

• 12 of 12 (100.0%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.2%) to 63.086%

---

Totals
Change from base Build 22144740276:	0.2%
Covered Lines:	9338
Relevant Lines:	14802

---

💛 - Coveralls