Overridden quantity must be below namespace Maximum

tkashem · tkashem · commit 856fe84fa6db · 2020-02-11T12:07:18.000-05:00
The overridden quantity must be below the namespace Maximum specified
via LimitRange object.

Currently the mutating admission webhook overrides a resource above
the namespace maximum and thus fails Pod creation, we see the
following error:
"pods "croe2e-f7c9h" is forbidden: maximum cpu usage per Container is 1, but limit is 2"

Query the Maximum limit for CPU and Memory resource specified in
LimitRange and ensure that the overridden resource quantity never
exceeds the namespace Maximum.
diff --git a/.dockerignore b/.dockerignore
@@ -1,5 +1,3 @@
-./bin/*
-
 manifests/art.yaml
 manifests/*/image-references
 
diff --git a/artifacts/deploy/200_rbac.yaml b/artifacts/deploy/200_rbac.yaml
@@ -96,11 +96,12 @@ rules:
     - list
     - watch
 
-  # to grant power to the operand to watch namespace(s)
+  # to grant power to the operand to watch Namespace(s) and LimitRange(s)
   - apiGroups:
     - ""
     resources:
     - namespaces
+    - limitranges
     verbs:
     - get
     - list
diff --git a/manifests/4.4/clusterresourceoverride-operator.v4.4.0.clusterserviceversion.yaml b/manifests/4.4/clusterresourceoverride-operator.v4.4.0.clusterserviceversion.yaml
@@ -223,11 +223,12 @@ spec:
             - list
             - watch
 
-        # to grant power to the operand to watch namespace(s)
+        # to grant power to the operand to watch Namespace(s) and LimitRange(s)
         - apiGroups:
             - ""
           resources:
             - namespaces
+            - limitranges
           verbs:
             - get
             - list
diff --git a/pkg/asset/rbac.go b/pkg/asset/rbac.go
@@ -135,12 +135,14 @@ func (s *rbac) New() []*RBACItem {
 							"watch",
 						},
 					},
+					// to give power to the operand to watch Namespace and LimitRange
 					{
 						APIGroups: []string{
 							"",
 						},
 						Resources: []string{
 							"namespaces",
+							"limitranges",
 						},
 						Verbs: []string{
 							"get",
diff --git a/pkg/asset/webhookconfiguration.go b/pkg/asset/webhookconfiguration.go
@@ -32,7 +32,7 @@ func (m *mutatingWebhookConfiguration) New() *admissionregistrationv1beta1.Mutat
 	namespaceMatchLabelKey := fmt.Sprintf("%s.%s/enabled", m.values.AdmissionAPIResource, m.values.AdmissionAPIGroup)
 	timeoutSeconds := int32(5)
 	sideEffects := admissionregistrationv1beta1.SideEffectClassNone
-
+	reinvoke := admissionregistrationv1beta1.IfNeededReinvocationPolicy
 	return &admissionregistrationv1beta1.MutatingWebhookConfiguration{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "MutatingWebhookConfiguration",
@@ -88,9 +88,10 @@ func (m *mutatingWebhookConfiguration) New() *admissionregistrationv1beta1.Mutat
 						},
 					},
 				},
-				FailurePolicy:  &policy,
-				TimeoutSeconds: &timeoutSeconds,
-				SideEffects:    &sideEffects,
+				FailurePolicy:      &policy,
+				TimeoutSeconds:     &timeoutSeconds,
+				SideEffects:        &sideEffects,
+				ReinvocationPolicy: &reinvoke,
 			},
 		},
 	}

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-./bin/*`
`2`		`-`
`3`	`1`	`manifests/art.yaml`
`4`	`2`	`manifests/*/image-references`
`5`	`3`