VPA: Allow admission-controller to validate in-place spec

Only allow VPA objects with InPlaceOrRecreate update mode to be created if InPlaceOrRecreate feature gate is enabled. If a VPA object already exists with this mode on, and the feature gate is disabled, this prevents further objects to be created with InPlaceOrRecreate, but this does not prevent the existing InPlaceOrRecreate VPA objects with from being modified.

Signed-off-by: Max Cao <[email protected]>

Author: maxcao13

vertical-pod-autoscaler/deploy/admission-controller-deployment.yaml

@@ -21,7 +21,7 @@ spec:
       containers:
         - name: admission-controller
           image: registry.k8s.io/autoscaling/vpa-admission-controller:1.3.0
-          imagePullPolicy: IfNotPresent
+          imagePullPolicy: Always
           env:
             - name: NAMESPACE
               valueFrom:

vertical-pod-autoscaler/deploy/recommender-deployment.yaml

@@ -21,7 +21,7 @@ spec:
       containers:
       - name: recommender
         image: registry.k8s.io/autoscaling/vpa-recommender:1.3.0
-        imagePullPolicy: IfNotPresent
+        imagePullPolicy: Always
         resources:
           limits:
             cpu: 200m

vertical-pod-autoscaler/deploy/updater-deployment.yaml

@@ -21,7 +21,7 @@ spec:
       containers:
         - name: updater
           image: registry.k8s.io/autoscaling/vpa-updater:1.3.0
-          imagePullPolicy: IfNotPresent
+          imagePullPolicy: Always
           env:
             - name: NAMESPACE
               valueFrom:

vertical-pod-autoscaler/pkg/admission-controller/resource/vpa/handler.go

@@ -30,15 +30,17 @@ import (
 
 	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/admission-controller/resource"
 	vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/features"
 	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/metrics/admission"
 )
 
 var (
 	possibleUpdateModes = map[vpa_types.UpdateMode]interface{}{
-		vpa_types.UpdateModeOff:      struct{}{},
-		vpa_types.UpdateModeInitial:  struct{}{},
-		vpa_types.UpdateModeRecreate: struct{}{},
-		vpa_types.UpdateModeAuto:     struct{}{},
+		vpa_types.UpdateModeOff:               struct{}{},
+		vpa_types.UpdateModeInitial:           struct{}{},
+		vpa_types.UpdateModeRecreate:          struct{}{},
+		vpa_types.UpdateModeAuto:              struct{}{},
+		vpa_types.UpdateModeInPlaceOrRecreate: struct{}{},
 	}
 
 	possibleScalingModes = map[vpa_types.ContainerScalingMode]interface{}{
@@ -121,6 +123,9 @@ func ValidateVPA(vpa *vpa_types.VerticalPodAutoscaler, isCreate bool) error {
 		if _, found := possibleUpdateModes[*mode]; !found {
 			return fmt.Errorf("unexpected UpdateMode value %s", *mode)
 		}
+		if (*mode == vpa_types.UpdateModeInPlaceOrRecreate) && !features.Enabled(features.InPlaceOrRecreate) && isCreate {
+			return fmt.Errorf("in order to use UpdateMode %s, you must enable feature gate %s in the admission-controller args", vpa_types.UpdateModeInPlaceOrRecreate, features.InPlaceOrRecreate)
+		}
 
 		if minReplicas := vpa.Spec.UpdatePolicy.MinReplicas; minReplicas != nil && *minReplicas <= 0 {
 			return fmt.Errorf("MinReplicas has to be positive, got %v", *minReplicas)

vertical-pod-autoscaler/pkg/admission-controller/resource/vpa/handler_test.go

@@ -18,13 +18,17 @@ package vpa
 
 import (
 	"fmt"
+	"slices"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+
 	vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/features"
 )
 
 const (
@@ -42,6 +46,11 @@ func TestValidateVPA(t *testing.T) {
 	validScalingMode := vpa_types.ContainerScalingModeAuto
 	scalingModeOff := vpa_types.ContainerScalingModeOff
 	controlledValuesRequestsAndLimits := vpa_types.ContainerControlledValuesRequestsAndLimits
+	inPlaceOrRecreateUpdateMode := vpa_types.UpdateModeInPlaceOrRecreate
+	inPlaceOrRecreateDisabledTestNames := []string{
+		"creating VPA with InPlaceOrRecreate update mode not enabled by feature gate",
+		"updating VPA with InPlaceOrRecreate update mode allowed with disabled feature gate",
+	}
 	tests := []struct {
 		name        string
 		vpa         vpa_types.VerticalPodAutoscaler
@@ -78,6 +87,40 @@ func TestValidateVPA(t *testing.T) {
 			},
 			expectError: fmt.Errorf("unexpected UpdateMode value bad"),
 		},
+		{
+			name: inPlaceOrRecreateDisabledTestNames[0],
+			vpa: vpa_types.VerticalPodAutoscaler{
+				Spec: vpa_types.VerticalPodAutoscalerSpec{
+					UpdatePolicy: &vpa_types.PodUpdatePolicy{
+						UpdateMode: &inPlaceOrRecreateUpdateMode,
+					},
+				},
+			},
+			isCreate:    true,
+			expectError: fmt.Errorf("in order to use UpdateMode %s, you must enable feature gate %s in the admission-controller args", vpa_types.UpdateModeInPlaceOrRecreate, features.InPlaceOrRecreate),
+		},
+		{
+			name: inPlaceOrRecreateDisabledTestNames[1],
+			vpa: vpa_types.VerticalPodAutoscaler{
+				Spec: vpa_types.VerticalPodAutoscalerSpec{
+					UpdatePolicy: &vpa_types.PodUpdatePolicy{
+						UpdateMode: &inPlaceOrRecreateUpdateMode,
+					},
+				},
+			},
+			isCreate:    false,
+			expectError: nil,
+		},
+		{
+			name: "InPlaceOrRecreate update mode enabled by feature gate",
+			vpa: vpa_types.VerticalPodAutoscaler{
+				Spec: vpa_types.VerticalPodAutoscalerSpec{
+					UpdatePolicy: &vpa_types.PodUpdatePolicy{
+						UpdateMode: &inPlaceOrRecreateUpdateMode,
+					},
+				},
+			},
+		},
 		{
 			name: "zero minReplicas",
 			vpa: vpa_types.VerticalPodAutoscaler{
@@ -282,6 +325,9 @@ func TestValidateVPA(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(fmt.Sprintf("test case: %s", tc.name), func(t *testing.T) {
+			if !slices.Contains(inPlaceOrRecreateDisabledTestNames, tc.name) {
+				featuregatetesting.SetFeatureGateDuringTest(t, features.MutableFeatureGate, features.InPlaceOrRecreate, true)
+			}
 			err := ValidateVPA(&tc.vpa, tc.isCreate)
 			if tc.expectError == nil {
 				assert.NoError(t, err)