
Commit 5c36a8a

Cherry-pick #3908: Fix the requirement for VAP (#3977)
VAP (ValidatingAdmissionPolicy) is a default admission plugin that is enabled when the API server for visibility starts. The Kueue controller has additional permissions to watch those GVKs even though this is not required. Disabling the plugin in the API server helps keep it minimal and maintains compatibility with previous versions of K8s. Signed-off-by: Varsha Prasad Narsing <varshaprasad96@gmail.com>
1 parent 521f94e commit 5c36a8a


4 files changed

+2
-20
lines changed


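--- a/charts/kueue/templates/rbac/role.yaml
+++ b/charts/kueue/templates/rbac/role.yaml
@@ -79,15 +79,6 @@ rules:
 - list
 - update
 - watch
-- apiGroups:
-- admissionregistration.k8s.io
-resources:
-- validatingadmissionpolicies
-- validatingadmissionpolicybindings
-verbs:
-- get
-- list
-- watch
 - apiGroups:
 - autoscaling.x-k8s.io
 resources: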

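--- a/config/components/rbac/role.yaml
+++ b/config/components/rbac/role.yaml
@@ -78,15 +78,6 @@ rules:
 - list
 - update
 - watch
-- apiGroups:
-- admissionregistration.k8s.io
-resources:
-- validatingadmissionpolicies
-- validatingadmissionpolicybindings
-verbs:
-- get
-- list
-- watch
 - apiGroups:
 - autoscaling.x-k8s.io
 resources: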

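--- a/pkg/util/cert/cert.go
+++ b/pkg/util/cert/cert.go
@@ -38,8 +38,6 @@ const (
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicies,verbs=get;list;watch
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicybindings,verbs=get;list;watch
 
 // ManageCerts creates all certs for webhooks. This function is called from main.go.
 func ManageCerts(mgr ctrl.Manager, cfg config.Configuration, setupFinished chan struct{}) error {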

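--- a/pkg/visibility/server.go
+++ b/pkg/visibility/server.go
@@ -23,6 +23,7 @@ import (
 "os"
 "strings"
 
+validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
 genericapiserver "k8s.io/apiserver/pkg/server"
 genericoptions "k8s.io/apiserver/pkg/server/options"
@@ -81,6 +82,7 @@ func applyVisibilityServerOptions(config *genericapiserver.RecommendedConfig) er
 o.SecureServing.BindPort = 8082
 // The directory where TLS certs will be created
 o.SecureServing.ServerCert.CertDirectory = "/tmp"
+o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName}
 
 if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
 return fmt.Errorf("error creating self-signed certificates: %v", err)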
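Review bot: The added `o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName}` line in applyVisibilityServerOptions switches off an admission control without a comment saying why that is safe. With the plugin disabled, ValidatingAdmissionPolicy objects defined in the cluster are presumably no longer evaluated for requests served by the visibility API server, and the RBAC rules removed from both role.yaml files and cert.go are only unnecessary while it stays disabled, so the reason belongs next to the line, e.g. `// ValidatingAdmissionPolicy is disabled so the controller needs no RBAC on validatingadmissionpolicies/bindings; re-enabling it requires restoring those rules.` The assignment also replaces the slice instead of appending to it, which would drop any plugin disabled earlier on `o`; whether that can happen is not visible here, because the function starts and ends outside the hunk.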
