Tighten VAP ServiceAccount check and remove policy stubs#431
Open
MikeSpreitzer wants to merge 1 commit intollm-d-incubation:mainfrom
Open
Tighten VAP ServiceAccount check and remove policy stubs#431MikeSpreitzer wants to merge 1 commit intollm-d-incubation:mainfrom
MikeSpreitzer wants to merge 1 commit intollm-d-incubation:mainfrom
Conversation
…ation#308) Tighten the ServiceAccount name regex in ValidatingAdmissionPolicy objects to require the `-fma-controllers` suffix instead of the broader `-controllers`, now that PR 297 has been adopted. Also delete the stub files in charts/fma-controllers/templates/policies/ that existed only for git archaeology. Closes llm-d-incubation#308 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Mike Spreitzer <mspreitz@us.ibm.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the cluster-level ValidatingAdmissionPolicy CEL expressions to more strictly identify FMA controller ServiceAccounts (now requiring the -fma-controllers suffix) and removes obsolete Helm chart policy stub templates introduced for transition/archaeology after PR #297.
Changes:
- Tighten the ServiceAccount username regex in
fma-immutable-fieldsandfma-bound-serverreqpodpolicies to require*-fma-controllers. - Remove now-obsolete “relaxed pattern” NOTE comments from those policies.
- Delete Helm chart
templates/policies/*stub files that no longer serve an active purpose.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| config/validating-admission-policies/fma-immutable-fields.yaml | Tightens controller ServiceAccount username match to *-fma-controllers. |
| config/validating-admission-policies/fma-bound-serverreqpod.yaml | Tightens controller ServiceAccount username match to *-fma-controllers. |
| charts/fma-controllers/templates/policies/validating-admission-policy-immutable-fields.yaml | Removes deprecated Helm stub (policies no longer chart-managed). |
| charts/fma-controllers/templates/policies/validating-admission-policy-bound-serverReqPod.yaml | Removes deprecated Helm stub (policies no longer chart-managed). |
| charts/fma-controllers/templates/policies/validating-admission-policy-binding-serverReqPod.yaml | Removes deprecated Helm stub (policies no longer chart-managed). |
| charts/fma-controllers/templates/policies/validating-admission-policy-binding-fields.yaml | Removes deprecated Helm stub (policies no longer chart-managed). |
Collaborator
Author
|
/ok-to-test |
|
🚀 E2E tests triggered by /ok-to-test |
Collaborator
Author
|
The E2E test on OpenShift passed (failed first try due to #422, succeeded second try). |
MikeSpreitzer
added this to the
3 - System with model swapping and sleep/wake milestone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
fma-immutable-fieldsandfma-bound-serverreqpodValidatingAdmissionPolicy objects to require the-fma-controllerssuffix instead of the broader-controllers, now that PR ✨ New management for ValidatingAdmissionPolicy[Binding] objects #297 has been adoptedcharts/fma-controllers/templates/policies/that existed only for Git archaeology purposesCloses #308
Test plan
-fma-controllers-controllers(but not-fma-controllers)🤖 Generated with Claude Code