Ignore updates related to Scheduling Gates

to allow the installation of external
operators that manage pod scheduling.
Scheduling Gates don't affect pod privileges,
so there's no need to block them through SCC admission.

Signed-off-by: bmordeha <[email protected]>

Author: Barakmor1

pkg/securitycontextconstraints/sccadmission/admission.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"k8s.io/apimachinery/pkg/conversion"
 	"sort"
 	"strings"
 	"time"
@@ -552,8 +553,7 @@ func shouldIgnoreMetaChanges(newPod, oldPod *coreapi.Pod) bool {
 	// see if we are only updating the ownerRef. Garbage collection does this
 	// and we should allow it in general, since you had the power to update and the power to delete.
 	// The worst that happens is that you delete something, but you aren't controlling the privileged object itself
-	res := rbacregistry.IsOnlyMutatingGCFields(newPodCopy, oldPod, kapihelper.Semantic)
-
+	res := IsOnlyMutatingGCFieldsOrSchedulingGates(newPod, oldPod, kapihelper.Semantic)
 	return res
 }
 
@@ -602,3 +602,9 @@ func logProviders(pod *coreapi.Pod, providers []sccmatching.SecurityContextConst
 		klog.V(2).Infof("provider creation error: %v", err)
 	}
 }
+
+func IsOnlyMutatingGCFieldsOrSchedulingGates(pod, oldPod *coreapi.Pod, equalities conversion.Equalities) bool {
+	pod.Spec.SchedulingGates = []coreapi.PodSchedulingGate{}
+	oldPod.Spec.SchedulingGates = []coreapi.PodSchedulingGate{}
+	return rbacregistry.IsOnlyMutatingGCFields(pod, oldPod, equalities)
+}

pkg/securitycontextconstraints/sccadmission/admission_test.go

@@ -268,6 +268,15 @@ func TestShouldIgnore(t *testing.T) {
 			shouldIgnore:        true,
 			admissionAttributes: withStatusUpdate(goodPod()),
 		},
+		{
+			description:  "schedulingGates updates should be ignored",
+			shouldIgnore: true,
+			admissionAttributes: withUpdate(schedulingGatePod(), "",
+				func(p *coreapi.Pod) *coreapi.Pod {
+					p.Spec.SchedulingGates = []coreapi.PodSchedulingGate{}
+					return p
+				}),
+		},
 		{
 			description:  "don't ignore normal updates",
 			shouldIgnore: false,
@@ -1724,6 +1733,14 @@ func goodPod() *coreapi.Pod {
 	}
 }
 
+// schedulingGatePod is empty pod with scheduling gate. schedulingGates modifications
+// should be safely ignored.
+func schedulingGatePod() *coreapi.Pod {
+	p := goodPod()
+	p.Spec.SchedulingGates = []coreapi.PodSchedulingGate{{"testGate"}}
+	return p
+}
+
 // windowsPod returns windows pod without any SCCs which are specific to Linux. The admission of Windows pod
 // should be safely ignored.
 func windowsPod() *coreapi.Pod {