refactor: remove auto-injected affinity, add independent affinity config

Remove the controller's auto-injected pod anti-affinity logic
(mergeAffinityWithHostNetworkAntiAffinity, portsOverlap,
computeHostNetworkConflicts) and the associated controller port fields
that were only used for port-conflict detection.

Users are now responsible for configuring affinity/anti-affinity rules
independently for the controller and the default PolicyServer through
their respective Helm charts. Each chart provides a dedicated 'affinity'
key that takes precedence over 'global.affinity' for backward
compatibility.

The --host-network flag and CRD port fields (webhookPort,
readinessProbePort, metricsPort) are preserved unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jvanz

charts/kubewarden-controller/templates/_helpers.tpl

@@ -184,38 +184,16 @@ are configured.
 
 {{/*
 Compute the effective affinity for the controller deployment.
-When hostNetwork is enabled, a required podAntiAffinity rule is injected to
-forbid multiple controller pods from being scheduled on the same node, avoiding
-host-port conflicts between controller replicas. The rule matches only
-controller pods using the chart's selector labels.
+Uses the controller-specific affinity if set, otherwise falls back to
+global.affinity for backward compatibility.
 
-PolicyServer anti-affinity (same-PS replicas, cross-PS conflicts, and
-controller-PS port overlap) is managed separately by the controller reconciler
-at runtime, not by this helper.
-
-When global.affinity is provided by the user:
-  - podAntiAffinity fully replaces the auto-generated rule.
-  - podAffinity and nodeAffinity are carried through unchanged.
-When hostNetwork is disabled, global.affinity is passed through as-is.
+NOTE: When hostNetwork is enabled, users are responsible for setting
+appropriate podAntiAffinity rules to prevent host-port conflicts between
+controller replicas on the same node.
 */}}
 {{- define "kubewarden-controller.effectiveAffinity" -}}
-{{- if .Values.hostNetwork -}}
-  {{- $matchLabels := (include "kubewarden-controller.selectorLabels" . | fromYaml) -}}
-  {{- $affinityTerm := dict "labelSelector" (dict "matchLabels" $matchLabels) "topologyKey" "kubernetes.io/hostname" -}}
-  {{- $autoAntiAffinity := dict "requiredDuringSchedulingIgnoredDuringExecution" (list $affinityTerm) -}}
-  {{- $affinity := dict "podAntiAffinity" $autoAntiAffinity -}}
-  {{- if .Values.global.affinity -}}
-    {{- if hasKey .Values.global.affinity "podAntiAffinity" -}}
-      {{- $_ := set $affinity "podAntiAffinity" .Values.global.affinity.podAntiAffinity -}}
-    {{- end -}}
-    {{- if hasKey .Values.global.affinity "podAffinity" -}}
-      {{- $_ := set $affinity "podAffinity" .Values.global.affinity.podAffinity -}}
-    {{- end -}}
-    {{- if hasKey .Values.global.affinity "nodeAffinity" -}}
-      {{- $_ := set $affinity "nodeAffinity" .Values.global.affinity.nodeAffinity -}}
-    {{- end -}}
-  {{- end -}}
-  {{- toYaml $affinity -}}
+{{- if .Values.affinity -}}
+  {{- toYaml .Values.affinity -}}
 {{- else if .Values.global.affinity -}}
   {{- toYaml .Values.global.affinity -}}
 {{- end -}}

charts/kubewarden-controller/tests/host_network_test.yaml

@@ -27,23 +27,50 @@ tests:
           path: spec.template.spec.containers[0].args
           content: "--host-network"
 
-  - it: "should inject required podAntiAffinity using controller selector labels when hostNetwork is true"
+  - it: "should not set affinity when hostNetwork is true and no affinity is configured"
     set:
       hostNetwork: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.affinity
+
+  - it: "should not set affinity when hostNetwork is false and no affinity is set"
+    asserts:
+      - notExists:
+          path: spec.template.spec.affinity
+
+  - it: "should use controller-specific affinity when set"
+    set:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: kubewarden-controller
+            topologyKey: kubernetes.io/hostname
     asserts:
       - equal:
           path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey
           value: kubernetes.io/hostname
       - equal:
           path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels["app.kubernetes.io/name"]
           value: kubewarden-controller
-      - exists:
-          path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels["app.kubernetes.io/instance"]
 
-  - it: "should not inject podAntiAffinity when hostNetwork is false and no affinity is set"
+  - it: "should fall back to global.affinity when controller-specific affinity is not set"
+    set:
+      global.affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.io/os
+                operator: In
+                values:
+                - linux
     asserts:
-      - notExists:
-          path: spec.template.spec.affinity
+      - equal:
+          path: spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key
+          value: kubernetes.io/os
 
   - it: "should use custom ports when overridden in values"
     set:

charts/kubewarden-controller/values.schema.json

@@ -14,6 +14,10 @@
         "alwaysAcceptAdmissionReviewsOnDeploymentsNamespace": {
             "type": "boolean"
         },
+        "affinity": {
+            "type": "object",
+            "description": "Affinity rules for the controller pod. Takes precedence over global.affinity."
+        },
         "auditScanner": {
             "type": "object",
             "properties": {

charts/kubewarden-controller/values.yaml

@@ -151,6 +151,18 @@ preDeleteHook:
 # evaluations that could interfere with the Kubewarden stack running in the
 # admission controller namespace.
 alwaysAcceptAdmissionReviewsOnDeploymentsNamespace: true
+# affinity configures affinity rules for the controller pod.
+# This takes precedence over global.affinity when set.
+# When hostNetwork is enabled, users should set appropriate podAntiAffinity
+# rules here to prevent host-port conflicts between controller replicas.
+# affinity:
+#   podAntiAffinity:
+#     requiredDuringSchedulingIgnoredDuringExecution:
+#     - labelSelector:
+#         matchLabels:
+#           app.kubernetes.io/name: kubewarden-controller
+#       topologyKey: kubernetes.io/hostname
+affinity: {}
 # hostNetwork enables host network mode for the controller pod and all
 # PolicyServer pods managed by this controller.
 # WARNING: enabling this increases the attack surface by exposing webhook

charts/kubewarden-defaults/templates/policyserver-default.yaml

@@ -20,7 +20,9 @@ spec:
   {{- if .Values.policyServer.maxUnavailable }}
   maxUnavailable: {{ .Values.policyServer.maxUnavailable  }}
   {{- end }}
-  {{- if .Values.global.affinity }}
+  {{- if .Values.policyServer.affinity }}
+  affinity: {{ .Values.policyServer.affinity | toYaml | nindent 4 }}
+  {{- else if .Values.global.affinity }}
   affinity: {{ .Values.global.affinity | toYaml | nindent 4 }}
   {{- end }}
   {{- if .Values.global.tolerations }}

charts/kubewarden-defaults/tests/host_network_test.yaml

@@ -50,3 +50,41 @@ tests:
       - equal:
           path: spec.metricsPort
           value: 9080
+
+  - it: "should not set affinity by default"
+    asserts:
+      - notExists:
+          path: spec.affinity
+
+  - it: "should use policyServer.affinity when set"
+    set:
+      policyServer.affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                kubewarden/policy-server: default
+            topologyKey: kubernetes.io/hostname
+    asserts:
+      - equal:
+          path: spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey
+          value: kubernetes.io/hostname
+      - equal:
+          path: spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels["kubewarden/policy-server"]
+          value: default
+
+  - it: "should fall back to global.affinity when policyServer.affinity is not set"
+    set:
+      global.affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.io/os
+                operator: In
+                values:
+                - linux
+    asserts:
+      - equal:
+          path: spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key
+          value: kubernetes.io/os

charts/kubewarden-defaults/values.schema.json

@@ -30,6 +30,10 @@
           "minimum": 1,
           "maximum": 65535,
           "description": "Port for the PolicyServer metrics endpoint. When omitted, the controller uses the default (8080)."
+        },
+        "affinity": {
+          "type": "object",
+          "description": "Affinity rules for the default PolicyServer. Takes precedence over global.affinity."
         }
       },
       "anyOf": [

charts/kubewarden-defaults/values.yaml

@@ -199,6 +199,18 @@ policyServer:
   # webhookPort: 9443
   # readinessProbePort: 9081
   # metricsPort: 9080
+  # affinity configures affinity rules for the default PolicyServer.
+  # This takes precedence over global.affinity when set.
+  # When hostNetwork is enabled, users should set appropriate podAntiAffinity
+  # rules here to prevent host-port conflicts between PolicyServer replicas.
+  # affinity:
+  #   podAntiAffinity:
+  #     requiredDuringSchedulingIgnoredDuringExecution:
+  #     - labelSelector:
+  #         matchLabels:
+  #           kubewarden/policy-server: default
+  #       topologyKey: kubernetes.io/hostname
+  affinity: {}
 crdVersion: "policies.kubewarden.io/v1"
 recommendedPolicies:
   enabled: False

cmd/controller/main.go

@@ -21,10 +21,8 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"net"
 	"os"
 	"path/filepath"
-	"strconv"
 	"strings"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -90,16 +88,6 @@ type Configuration struct {
 	// the Kubernetes API server cannot reach pod-network webhook endpoints
 	// (e.g. clusters using a non-VPC CNI with NAT).
 	HostNetwork bool
-	// WebhookServerPort is the port the controller webhook server listens on.
-	WebhookServerPort int
-	// ProbeAddr is the address the probe endpoint binds to (e.g. ":8081").
-	ProbeAddr string
-	// MetricsAddr is the address the metrics endpoint binds to (e.g. ":8088").
-	MetricsAddr string
-	// ControllerHealthProbePort is the parsed port from ProbeAddr.
-	ControllerHealthProbePort int32
-	// ControllerMetricsPort is the parsed port from MetricsAddr.
-	ControllerMetricsPort int32
 }
 
 func init() {
@@ -167,29 +155,8 @@ func main() {
 	flag.Parse()
 	mgrOpts.EnableMutualTLS = config.ClientCAConfigMapName != ""
 	config.ImagePullSecrets = parseImagePullSecrets(imagePullSecretsFlag)
-	config.WebhookServerPort = mgrOpts.WebhookServerPort
-	config.ProbeAddr = mgrOpts.ProbeAddr
-	config.MetricsAddr = mgrOpts.MetricsAddr
-	config.ControllerHealthProbePort = parsePortFromAddress(mgrOpts.ProbeAddr)
-	config.ControllerMetricsPort = parsePortFromAddress(mgrOpts.MetricsAddr)
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
-	if config.ControllerHealthProbePort == 0 {
-		setupLog.Error(fmt.Errorf("cannot extract port from %q", mgrOpts.ProbeAddr), "invalid --health-probe-bind-address")
-		retcode = 1
-		return
-	}
-	if config.ControllerMetricsPort == 0 {
-		setupLog.Error(fmt.Errorf("cannot extract port from %q", mgrOpts.MetricsAddr), "invalid --metrics-bind-address")
-		retcode = 1
-		return
-	}
-	if config.WebhookServerPort < 1 || config.WebhookServerPort > 65535 {
-		setupLog.Error(fmt.Errorf("port %d is out of range 1-65535", config.WebhookServerPort), "invalid --webhook-server-port")
-		retcode = 1
-		return
-	}
-
 	if enableMetrics {
 		shutdown, err := metrics.New()
 		if err != nil {
@@ -358,9 +325,6 @@ func setupReconcilers(mgr ctrl.Manager,
 		ClientCAConfigMapName:                              config.ClientCAConfigMapName,
 		ImagePullSecrets:                                   config.ImagePullSecrets,
 		HostNetwork:                                        config.HostNetwork,
-		ControllerWebhookPort:                              int32(config.WebhookServerPort), //nolint:gosec // validated above: 1-65535
-		ControllerHealthProbePort:                          config.ControllerHealthProbePort,
-		ControllerMetricsPort:                              config.ControllerMetricsPort,
 	}).SetupWithManager(mgr); err != nil {
 		return errors.Join(errors.New("unable to create PolicyServer controller"), err)
 	}
@@ -453,17 +417,3 @@ func parseImagePullSecrets(s string) []corev1.LocalObjectReference {
 	}
 	return refs
 }
-
-// parsePortFromAddress extracts the port number from an address string like
-// ":8081" or "0.0.0.0:8088". Returns 0 if parsing fails.
-func parsePortFromAddress(addr string) int32 {
-	_, portStr, err := net.SplitHostPort(addr)
-	if err != nil {
-		return 0
-	}
-	port, err := strconv.ParseInt(portStr, 10, 32)
-	if err != nil {
-		return 0
-	}
-	return int32(port)
-}

internal/controller/policyserver_controller.go

@@ -71,13 +71,6 @@ type PolicyServerReconciler struct {
 	// When true, the controller also sets dnsPolicy to ClusterFirstWithHostNet
 	// so that in-cluster DNS resolution keeps working.
 	HostNetwork bool
-	// ControllerWebhookPort is the port the controller webhook server listens on.
-	// Used for port-conflict detection when injecting anti-affinity.
-	ControllerWebhookPort int32
-	// ControllerHealthProbePort is the port the controller health probe binds to.
-	ControllerHealthProbePort int32
-	// ControllerMetricsPort is the port the controller metrics endpoint binds to.
-	ControllerMetricsPort int32
 }
 
 // TelemetryConfiguration is a struct that contains the configuration for the