From c3a3561cb8d246fb1ba54b201b81508be0011e9a Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Tue, 25 Jul 2023 17:27:51 +0300
Subject: [PATCH] webhooks: stop handling Pod updates

FPGA and SGX webhooks mutate container resources which are immutable. Therefore, stop processing pod updates and act on creation only.
Signed-off-by: Mikko Ylinen
---
 deployments/fpga_admissionwebhook/webhook/manifests.yaml | 1 -
 deployments/operator/webhook/manifests.yaml | 2 --
 deployments/sgx_admissionwebhook/webhook/manifests.yaml | 1 -
 pkg/fpgacontroller/patcher/patchermanager.go | 2 +-
 pkg/webhooks/sgx/sgx.go | 2 +-
 5 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/deployments/fpga_admissionwebhook/webhook/manifests.yaml b/deployments/fpga_admissionwebhook/webhook/manifests.yaml
index 552b355b8..de62ad6f1 100644
--- a/deployments/fpga_admissionwebhook/webhook/manifests.yaml
+++ b/deployments/fpga_admissionwebhook/webhook/manifests.yaml
@@ -20,7 +20,6 @@ webhooks:
 - v1
 operations:
 - CREATE
- - UPDATE
 resources:
 - pods
 sideEffects: None
diff --git a/deployments/operator/webhook/manifests.yaml b/deployments/operator/webhook/manifests.yaml
index a45c27943..ab2701641 100644
--- a/deployments/operator/webhook/manifests.yaml
+++ b/deployments/operator/webhook/manifests.yaml
@@ -161,7 +161,6 @@ webhooks:
 - v1
 operations:
 - CREATE
- - UPDATE
 resources:
 - pods
 sideEffects: None
@@ -182,7 +181,6 @@ webhooks:
 - v1
 operations:
 - CREATE
- - UPDATE
 resources:
 - pods
 sideEffects: None
diff --git a/deployments/sgx_admissionwebhook/webhook/manifests.yaml b/deployments/sgx_admissionwebhook/webhook/manifests.yaml
index 685d40289..7e9fee0c6 100644
--- a/deployments/sgx_admissionwebhook/webhook/manifests.yaml
+++ b/deployments/sgx_admissionwebhook/webhook/manifests.yaml
@@ -21,7 +21,6 @@ webhooks:
 - v1
 operations:
 - CREATE
- - UPDATE
 resources:
 - pods
 sideEffects: None
diff --git a/pkg/fpgacontroller/patcher/patchermanager.go b/pkg/fpgacontroller/patcher/patchermanager.go
index d10977888..9662c3cee 100644
--- a/pkg/fpgacontroller/patcher/patchermanager.go
+++ b/pkg/fpgacontroller/patcher/patchermanager.go
@@ -71,7 +71,7 @@ func (pm *Manager) GetPodMutator() func(ctx context.Context, req webhook.Admissi
 return pm.mutate
 }
-// +kubebuilder:webhook:verbs=create;update,path=/pods,mutating=true,failurePolicy=Ignore,groups="",resources=pods,versions=v1,name=fpga.mutator.webhooks.intel.com,sideEffects=None,admissionReviewVersions=v1
+// +kubebuilder:webhook:verbs=create,path=/pods,mutating=true,failurePolicy=Ignore,groups="",resources=pods,versions=v1,name=fpga.mutator.webhooks.intel.com,sideEffects=None,admissionReviewVersions=v1
 func (pm *Manager) mutate(ctx context.Context, req webhook.AdmissionRequest) webhook.AdmissionResponse {
 podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
diff --git a/pkg/webhooks/sgx/sgx.go b/pkg/webhooks/sgx/sgx.go
index a9c96da0f..ee0a8f449 100644
--- a/pkg/webhooks/sgx/sgx.go
+++ b/pkg/webhooks/sgx/sgx.go
@@ -29,7 +29,7 @@ import (
 var ErrObjectType = errors.New("invalid runtime object type")
-// +kubebuilder:webhook:path=/mutate--v1-pod,mutating=true,failurePolicy=ignore,groups="",resources=pods,verbs=create;update,versions=v1,name=sgx.mutator.webhooks.intel.com,sideEffects=None,admissionReviewVersions=v1,reinvocationPolicy=IfNeeded
+// +kubebuilder:webhook:path=/mutate--v1-pod,mutating=true,failurePolicy=ignore,groups="",resources=pods,verbs=create,versions=v1,name=sgx.mutator.webhooks.intel.com,sideEffects=None,admissionReviewVersions=v1,reinvocationPolicy=IfNeeded
 // Mutator annotates Pods.
 type Mutator struct{}
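Review bot: In `pkg/fpgacontroller/patcher/patchermanager.go`, `mutate` shows no check of `req.Operation` in the lines visible here, so after this change it relies entirely on the deployed webhook configuration to keep UPDATE requests away. A cluster that upgrades the binary before re-applying the manifests would still send pod updates, and the handler would presumably keep producing patches for the immutable container resources the commit message describes. An early guard would make the handler agree with the new `verbs=create` marker regardless of what is registered, e.g. `if req.Operation != admissionv1.Create { return webhook.Allowed("") }`, with `admissionv1` being `k8s.io/api/admission/v1` if the file does not already import it. The body of `mutate` continues past the hunk, so an equivalent check may already exist further down.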
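Review bot: In `pkg/webhooks/sgx/sgx.go`, the new marker combines `verbs=create` with `failurePolicy=ignore`, so a Pod created while the webhook is unreachable is admitted unmutated and no later admission call revisits it. Given the commit message's point that the mutated container resources are immutable, this is probably the intended trade-off, but the type's doc comment should say so, e.g. `// Mutator mutates Pods at creation only; if the webhook is unavailable the Pod is admitted unchanged (failurePolicy=ignore).` The marker also spells the policy `ignore` where the FPGA marker in `patchermanager.go` uses `Ignore`; using one spelling in both keeps the two registrations easy to audit together.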