Cherry-pick #3908: Fix the requirement for VAP (#3977)

VAP is a default admission plugin enabled while
starting an API server for visibility. The Kueue
controller has additional permissions to watch those
GVKs even though it is not required. Disabling the plugin
from api server helps in keeping it minimal and maintaining
compatibility with previous versions of K8s.

Signed-off-by: Varsha Prasad Narsing <varshaprasad96@gmail.com>

Author: varshaprasad96

charts/kueue/templates/rbac/role.yaml

@@ -79,15 +79,6 @@ rules:
       - list
       - update
       - watch
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingadmissionpolicies
-      - validatingadmissionpolicybindings
-    verbs:
-      - get
-      - list
-      - watch
   - apiGroups:
       - autoscaling.x-k8s.io
     resources:

config/components/rbac/role.yaml

@@ -78,15 +78,6 @@ rules:
   - list
   - update
   - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingadmissionpolicies
-  - validatingadmissionpolicybindings
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - autoscaling.x-k8s.io
   resources:

pkg/util/cert/cert.go

@@ -38,8 +38,6 @@ const (
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicies,verbs=get;list;watch
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicybindings,verbs=get;list;watch
 
 // ManageCerts creates all certs for webhooks. This function is called from main.go.
 func ManageCerts(mgr ctrl.Manager, cfg config.Configuration, setupFinished chan struct{}) error {

pkg/visibility/server.go

@@ -23,6 +23,7 @@ import (
 	"os"
 	"strings"
 
+	validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 	openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
@@ -81,6 +82,7 @@ func applyVisibilityServerOptions(config *genericapiserver.RecommendedConfig) er
 	o.SecureServing.BindPort = 8082
 	// The directory where TLS certs will be created
 	o.SecureServing.ServerCert.CertDirectory = "/tmp"
+	o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName}
 
 	if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
 		return fmt.Errorf("error creating self-signed certificates: %v", err)