Story
Resolution: Unresolved
The machine-api-machine-set-vap and cluster-api-machine-set-vap ValidatingAdmissionPolicies only match resources: ["machinesets"] in their matchConstraints.resourceRules. This means requests to the machinesets/scale subresource bypass the VAPs entirely.
A user can scale a non-authoritative MachineSet via the scale subresource (e.g. kubectl scale) without being blocked at admission. The sync controller will revert the change, but there is a window in which the scale goes through and could cause unintended machine creation or deletion before it is corrected.
This is a known issue: the subresource handler does not directly call the admission chain (and therefore the VAPs) for the resource being scaled. See https://github.com/kubernetes/kubernetes/issues/84530
Given the scale subresource has a different structure, we likely want entirely separate VAPs for this.
Affected VAPs:
- machine-api-machine-set-vap (manifests/0000_30_cluster-api_09_admission-policies.yaml, line ~192)
- cluster-api-machine-set-vap (same file, line ~428)
Consideration:
The scale subresource passes a Scale object (not a MachineSet), so the existing validation expressions that reference object.spec would evaluate against Scale.spec (which contains replicas and selector), not MachineSet.spec. The VAP expressions would need to be adapted or a separate rule added for the scale subresource.
Acceptance criteria:
- Scaling a non-authoritative MachineSet via the scale subresource is rejected at admission
- E2e tests added to verify scale subresource rejection
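An added example (not code from this ticket or the project) that applies the Kubernetes `resources` matching rules to a set of policies and reports subresources that no policy matches, which is the gap described above. The manifests are constructed stand-ins reduced to the resourceRules field, and example-machine-set-scale-vap is a hypothetical policy name.

```python
# Added example, not project code. Pattern semantics follow the Kubernetes
# admissionregistration `resources` field:
#   "machinesets"        the resource only, never its subresources
#   "machinesets/scale"  that single subresource
#   "machinesets/*"      every subresource of machinesets
#   "*"                  every resource, no subresources
#   "*/scale"            the scale subresource of every resource
#   "*/*"                every resource and every subresource

def pattern_matches(pattern, resource, subresource=""):
    if pattern == "*/*":
        return True
    if pattern == "*":
        return subresource == ""
    res, _, sub = pattern.partition("/")
    if sub == "":                      # plain resource pattern
        return res == resource and subresource == ""
    if subresource == "":              # subresource pattern vs. plain request
        return False
    return res in ("*", resource) and sub in ("*", subresource)

def policy_patterns(policy):
    rules = policy["spec"]["matchConstraints"]["resourceRules"]
    return [p for rule in rules for p in rule.get("resources", [])]

def unguarded_subresources(policies, resource, subresources):
    """Subresources of `resource` that match no policy, although at least
    one policy guards the parent resource."""
    patterns = [p for pol in policies for p in policy_patterns(pol)]
    if not any(pattern_matches(p, resource) for p in patterns):
        return []                      # nothing guards the resource at all
    return [s for s in subresources
            if not any(pattern_matches(p, resource, s) for p in patterns)]

def vap(name, resources):
    # Constructed, trimmed-down stand-in for a ValidatingAdmissionPolicy manifest.
    return {"metadata": {"name": name},
            "spec": {"matchConstraints": {"resourceRules": [{"resources": resources}]}}}

# Policy names from the ticket; rule contents reduced to the field under discussion.
CURRENT = [vap("machine-api-machine-set-vap", ["machinesets"]),
           vap("cluster-api-machine-set-vap", ["machinesets"])]
# Hypothetical separate policy for the scale subresource (name is an assumption).
WITH_SCALE = CURRENT + [vap("example-machine-set-scale-vap", ["machinesets/scale"])]

if __name__ == "__main__":
    print(unguarded_subresources(CURRENT, "machinesets", ["scale"]))
    print(unguarded_subresources(WITH_SCALE, "machinesets", ["scale"]))
```

A match only means a policy sees the request; its expressions still have to be written against the Scale object, as noted under Consideration.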
- is related to OCPCLOUD-3262 Prevent changes to non-authoritative MAPI/CAPI MachineSets except from sync controller
- Review