[Fix] Remove the requirement for VAP (kubernetes-sigs#3908)

varshaprasad96 · ChristianZaccaria · commit c9a483e2506e · 2025-01-13T11:47:14.000Z
VAP is a default admission plugin enabled while
starting an API server for visibility. The Kueue
controller has additional permissions to watch those
GVKs even though it is not required. Disabling the plugin
from api server helps in keeping it minimal and maintaining
compatibility with previous versions of K8s.

Signed-off-by: Varsha Prasad Narsing &lt;varshaprasad96@gmail.com&gt;
diff --git a/charts/kueue/templates/rbac/role.yaml b/charts/kueue/templates/rbac/role.yaml
@@ -79,15 +79,6 @@ rules:
       - list
       - update
       - watch
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingadmissionpolicies
-      - validatingadmissionpolicybindings
-    verbs:
-      - get
-      - list
-      - watch
   - apiGroups:
       - apps
     resources:
diff --git a/cmd/kueue/main.go b/cmd/kueue/main.go
@@ -144,7 +144,7 @@ func main() {
 
 	features.LogFeatureGates(setupLog)
 
-	options, cfg, err := apply(configFile)
+	options, cfg, err = apply(configFile)
 	if err != nil {
 		setupLog.Error(err, "Unable to load the configuration")
 		os.Exit(1)
diff --git a/config/components/rbac/role.yaml b/config/components/rbac/role.yaml
@@ -78,15 +78,6 @@ rules:
   - list
   - update
   - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingadmissionpolicies
-  - validatingadmissionpolicybindings
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - apps
   resources:
diff --git a/pkg/util/cert/cert.go b/pkg/util/cert/cert.go
@@ -38,8 +38,6 @@ const (
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicies,verbs=get;list;watch
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicybindings,verbs=get;list;watch
 
 // ManageCerts creates all certs for webhooks. This function is called from main.go.
 func ManageCerts(mgr ctrl.Manager, cfg config.Configuration, setupFinished chan struct{}) error {
diff --git a/pkg/visibility/server.go b/pkg/visibility/server.go
@@ -23,6 +23,7 @@ import (
 	"os"
 	"strings"
 
+	validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 	openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
@@ -77,7 +78,7 @@ func applyVisibilityServerOptions(config *genericapiserver.RecommendedConfig) er
 	o.SecureServing.BindPort = 8082
 	// The directory where TLS certs will be created
 	o.SecureServing.ServerCert.CertDirectory = "/tmp"
-
+	o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName}
 	if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
 		return fmt.Errorf("error creating self-signed certificates: %v", err)
 	}
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/filters/filters.go b/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/filters/filters.go
