Forbid creating VPA objects without targetRef.

kubernetes · Mar 12, 2019 · ac8288e · ac8288e
1 parent 9733fe0
commit ac8288e
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/vertical-pod-autoscaler/pkg/admission-controller/logic/server.go b/vertical-pod-autoscaler/pkg/admission-controller/logic/server.go
@@ -147,7 +147,7 @@ var (
 	}
 )
 
-func validateVPA(vpa *vpa_types.VerticalPodAutoscaler) error {
+func validateVPA(vpa *vpa_types.VerticalPodAutoscaler, isCreate bool) error {
 	if vpa.Spec.UpdatePolicy != nil {
 		mode := vpa.Spec.UpdatePolicy.UpdateMode
 		if mode == nil {
@@ -178,16 +178,22 @@ func validateVPA(vpa *vpa_types.VerticalPodAutoscaler) error {
 		}
 	}
 
+	if isCreate {
+		if vpa.Spec.TargetRef == nil {
+			return fmt.Errorf("TargetRef is required")
+		}
+	}
+
 	return nil
 }
 
-func getPatchesForVPADefaults(raw []byte) ([]patchRecord, error) {
+func getPatchesForVPADefaults(raw []byte, isCreate bool) ([]patchRecord, error) {
 	vpa, err := parseVPA(raw)
 	if err != nil {
 		return nil, err
 	}
 
-	err = validateVPA(vpa)
+	err = validateVPA(vpa, isCreate)
 	if err != nil {
 		return nil, err
 	}
@@ -228,7 +234,7 @@ func (s *AdmissionServer) admit(data []byte) (*v1beta1.AdmissionResponse, metric
 		patches, err = s.getPatchesForPodResourceRequest(ar.Request.Object.Raw, ar.Request.Namespace)
 		resource = metrics_admission.Pod
 	case vpaResource:
-		patches, err = getPatchesForVPADefaults(ar.Request.Object.Raw)
+		patches, err = getPatchesForVPADefaults(ar.Request.Object.Raw, ar.Request.Operation == v1beta1.Create)
 		resource = metrics_admission.Vpa
 		// we don't let in problematic VPA objects - late validation
 		if err != nil {