fix: use JSON patches to preserve unknown pod fields#19
Open
LoneExile wants to merge 1 commit into
Member
Please ensure that the DCO is signed off.
Replace kubewebhook framework with direct admission/v1 API and JSON patches.

The old approach deserializes pods into typed Go structs (k8s.io/api v0.25.6) which silently drops fields added in newer K8s versions — notably initContainers[].restartPolicy (native sidecars, added in K8s 1.28). This caused KubeVirt VMs to get stuck at Init:0/1 when the guest-console-log sidecar's restartPolicy was stripped.

The new approach reads the pod for decision-making but returns a targeted JSON patch that only modifies schedulerName, never touching fields we didn't explicitly set.

Signed-off-by: Apinant U-suwantim <Hello@Apinant.dev>
5d0fec3 to a7a01b5
Summary

The admission webhook silently strips restartPolicy: Always from init containers, breaking Kubernetes native sidecar containers (GA since K8s 1.33). This causes KubeVirt VMs to get stuck at Init:0/1 because the guest-console-log sidecar never transitions to running mode.

Environment

k8s.io/api v0.25.6)

Root Cause

The webhook uses kubewebhook/v2, which deserializes every pod into a typed corev1.Pod struct compiled against k8s.io/api v0.25.6 (K8s 1.25). The restartPolicy field on Container was added in k8s.io/api v0.28.0 (K8s 1.28). During the deserialize → mutate → re-serialize cycle, all fields unknown to the old types are silently dropped, even when the webhook makes no changes to those fields.

Since the webhook has no namespaceSelector or objectSelector, it intercepts all pod CREATEs cluster-wide, stripping restartPolicy from every pod's init containers.

Fix

Replaced the kubewebhook/v2 framework with direct admission/v1 API usage and targeted JSON patches.

Before: Webhook deserializes pod → modifies schedulerName → re-serializes entire pod → framework diffs to produce patch (patch includes removal of unknown fields)

After: Webhook deserializes pod for reading only (to check volumes/PVCs) → returns a targeted JSON Patch (RFC 6902) that only sets /spec/schedulerName → unknown fields are never touched

This approach:
- k8s.io/api v0.25.6
- kubewebhook/v2 dependency entirely

Changes

- cmd/linstor-scheduler-admission/linstor-scheduler-admission.go — Rewritten to use admission/v1 API with JSON patch responses
- go.mod / go.sum — Removed github.com/slok/kubewebhook/v2 and transitive deps

Testing

Tested on a cluster (K8s v1.35.0, KubeVirt v1.7.1, 11 nodes):
- restartPolicy: Always on an init container → preserved (was stripped before)
- 2/2 Running with guest-console-log sidecar working correctly (was stuck at Init:0/1 before)

Related Issues

- init stage"
- restartPolicy)
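The "before" and "after" behaviours contrasted in the description, as an added Go illustration (not the project's webhook code and not the code in this PR). It constructs a sample pod carrying a native-sidecar init container, shows that a round trip through a typed struct compiled without restartPolicy loses the field, and then builds the targeted RFC 6902 patch and applies it with a toy applier to show that untouched keys survive. The scheduler name "linstor-scheduler", the "act when a volume is PVC-backed" decision rule, and the oldPod struct are assumptions made for the example; the real webhook decodes into corev1.Pod and lets the API server apply the patch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed AdmissionReview request object: a pod with a native-sidecar init
// container (restartPolicy: Always) and a PVC-backed volume. Not project data.
const samplePod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"virt-launcher-demo"},
 "spec":{"initContainers":[{"name":"guest-console-log","image":"example/console:latest","restartPolicy":"Always"}],
 "containers":[{"name":"compute","image":"example/compute:latest"}],
 "volumes":[{"name":"disk","persistentVolumeClaim":{"claimName":"vm-disk"}}]}}`

// oldPod stands in (assumed shape) for a corev1.Pod compiled against an API version
// that predates initContainers[].restartPolicy. encoding/json ignores JSON keys with
// no matching struct field, so the value is gone once the object is re-encoded.
type oldContainer struct {
	Name  string `json:"name"`
	Image string `json:"image,omitempty"`
}
type oldPod struct {
	APIVersion string          `json:"apiVersion"`
	Kind       string          `json:"kind"`
	Metadata   json.RawMessage `json:"metadata"`
	Spec       struct {
		SchedulerName  string            `json:"schedulerName,omitempty"`
		InitContainers []oldContainer    `json:"initContainers,omitempty"`
		Containers     []oldContainer    `json:"containers,omitempty"`
		Volumes        []json.RawMessage `json:"volumes,omitempty"`
	} `json:"spec"`
}

// RoundTripTyped is the "before" behaviour: decode into the old typed struct,
// set schedulerName, and re-encode the whole pod for a framework to diff.
func RoundTripTyped(raw []byte, scheduler string) ([]byte, error) {
	var p oldPod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	p.Spec.SchedulerName = scheduler
	return json.Marshal(p)
}

// JSONPatchOp is one RFC 6902 operation, as carried in AdmissionResponse.patch.
type JSONPatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value any    `json:"value,omitempty"`
}

// BuildSchedulerPatch is the "after" behaviour: decode only what the decision needs
// (assumed rule: act when any volume is PVC-backed) and describe only the field
// being set. Returns nil when the pod needs no change.
func BuildSchedulerPatch(raw []byte, scheduler string) ([]byte, error) {
	var p struct {
		Spec struct {
			Volumes []struct {
				PVC json.RawMessage `json:"persistentVolumeClaim"`
			} `json:"volumes"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	for _, v := range p.Spec.Volumes {
		if len(v.PVC) > 0 {
			return json.Marshal([]JSONPatchOp{{Op: "add", Path: "/spec/schedulerName", Value: scheduler}})
		}
	}
	return nil, nil
}

// ApplyPatch is a toy applier (add/replace on object paths only) standing in for the
// API server: keys the patch does not name pass through verbatim.
func ApplyPatch(raw, patch []byte) ([]byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var ops []JSONPatchOp
	if err := json.Unmarshal(patch, &ops); err != nil {
		return nil, err
	}
	for _, op := range ops {
		if op.Op != "add" && op.Op != "replace" {
			return nil, fmt.Errorf("unsupported op %q", op.Op)
		}
		parts := strings.Split(strings.TrimPrefix(op.Path, "/"), "/")
		cur := doc
		for _, k := range parts[:len(parts)-1] {
			next, ok := cur[k].(map[string]any)
			if !ok {
				return nil, fmt.Errorf("path %q not found", op.Path)
			}
			cur = next
		}
		cur[parts[len(parts)-1]] = op.Value
	}
	return json.Marshal(doc)
}

// Inspect returns (spec.schedulerName, initContainers[0].restartPolicy), "" if absent.
func Inspect(raw []byte) (string, string) {
	var p struct {
		Spec struct {
			SchedulerName  string              `json:"schedulerName"`
			InitContainers []map[string]string `json:"initContainers"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(raw, &p); err != nil || len(p.Spec.InitContainers) == 0 {
		return "", ""
	}
	return p.Spec.SchedulerName, p.Spec.InitContainers[0]["restartPolicy"]
}

func main() {
	const scheduler = "linstor-scheduler" // assumed name, not taken from the PR
	before, _ := RoundTripTyped([]byte(samplePod), scheduler)
	s, r := Inspect(before)
	fmt.Printf("typed round-trip: schedulerName=%q restartPolicy=%q\n", s, r)
	patch, _ := BuildSchedulerPatch([]byte(samplePod), scheduler)
	after, _ := ApplyPatch([]byte(samplePod), patch)
	s, r = Inspect(after)
	fmt.Printf("json patch %s: schedulerName=%q restartPolicy=%q\n", patch, s, r)
}
```

Running it prints an empty restartPolicy after the typed round trip and "Always" after the patch; the same check applied to a pod without a PVC-backed volume yields no patch at all, which is the cheapest way for a webhook to avoid touching pods it has no business mutating.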