From 08271370cf1c4ca835034a062338944601413a8b Mon Sep 17 00:00:00 2001
From: Orel Misan
Date: Mon, 18 Mar 2024 12:14:24 +0200
Subject: [PATCH] Eviction admitter: Extract isVirtLauncher function
Currently, it is not possible to filter eviction requests by pod label [1][2], thus unfortunately the admitter intercepts all eviction requests in the cluster - including for pods that are not virt-launchers. The admitter checks whether an evicted pod is a virt-launcher by checking the the existence and value of the `kubevirt.io` label. Rename the `launcher` to `pod` in order to emphesize that it could be any pod. Extract this logic into a function for better readability. The value of the `kubevirt.io/domain` annotation on the virt-launcher pod, represents the name of its controlling VMI. Rename the `domainName` variable to `vmiName` in order to better describe its purpose.
[1] https://github.com/kubernetes/kubernetes/issues/110169#issuecomment-1140512056
[2] https://kubernetes.slack.com/archives/C0EG7JC6T/p1707054818877809
Signed-off-by: Orel Misan
---
 .../admitters/pod-eviction-admitter.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/pod-eviction-admitter.go b/pkg/virt-api/webhooks/validating-webhook/admitters/pod-eviction-admitter.go
index 7c9727fbff42..30a31b7f597b 100644
--- a/pkg/virt-api/webhooks/validating-webhook/admitters/pod-eviction-admitter.go
+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/pod-eviction-admitter.go
@@ -8,6 +8,7 @@ import (
 "k8s.io/apimachinery/pkg/types"
 admissionv1 "k8s.io/api/admission/v1"
+ k8scorev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 virtv1 "kubevirt.io/api/core/v1"
@@ -24,21 +25,21 @@ type PodEvictionAdmitter struct {
 }
 func (admitter *PodEvictionAdmitter) Admit(ar *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
- launcher, err := admitter.VirtClient.CoreV1().Pods(ar.Request.Namespace).Get(context.Background(), ar.Request.Name, metav1.GetOptions{})
+ pod, err := admitter.VirtClient.CoreV1().Pods(ar.Request.Namespace).Get(context.Background(), ar.Request.Name, metav1.GetOptions{})
 if err != nil {
 return validating_webhooks.NewPassingAdmissionResponse()
 }
- if value, exists := launcher.GetLabels()[virtv1.AppLabel]; !exists || value != "virt-launcher" {
+ if !isVirtLauncher(pod) {
 return validating_webhooks.NewPassingAdmissionResponse()
 }
- domainName, exists := launcher.GetAnnotations()[virtv1.DomainAnnotation]
+ vmiName, exists := pod.GetAnnotations()[virtv1.DomainAnnotation]
 if !exists {
 return validating_webhooks.NewPassingAdmissionResponse()
 }
- vmi, err := admitter.VirtClient.VirtualMachineInstance(ar.Request.Namespace).Get(context.Background(), domainName, metav1.GetOptions{})
+ vmi, err := admitter.VirtClient.VirtualMachineInstance(ar.Request.Namespace).Get(context.Background(), vmiName, metav1.GetOptions{})
 if err != nil {
 return denied(fmt.Sprintf("kubevirt failed getting the vmi: %s", err.Error()))
 }
@@ -65,7 +66,7 @@ func (admitter *PodEvictionAdmitter) Admit(ar *admissionv1.AdmissionReview) *adm
 markForEviction = true
 }
- if markForEviction && !vmi.IsMarkedForEviction() && vmi.Status.NodeName == launcher.Spec.NodeName {
+ if markForEviction && !vmi.IsMarkedForEviction() && vmi.Status.NodeName == pod.Spec.NodeName {
 dryRun := ar.Request.DryRun != nil && *ar.Request.DryRun == true
 err := admitter.markVMI(ar, vmi.Name, vmi.Status.NodeName, dryRun)
 if err != nil {
@@ -105,3 +106,7 @@ func denied(message string) *admissionv1.AdmissionResponse {
 },
 }
 }
+
+func isVirtLauncher(pod *k8scorev1.Pod) bool {
+ return pod.Labels[virtv1.AppLabel] == "virt-launcher"
+}
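Review bot: The pod lookup at the top of Admit (hunk `-24,21 +25,21`) still fails open on any error: `if err != nil { return validating_webhooks.NewPassingAdmissionResponse() }` admits the eviction for a timeout or a server-side failure as well as for a pod that no longer exists, while the VMI lookup a few lines below denies on error. For a virt-launcher pod that means a transient API error skips the eviction handling entirely. Consider passing only when the error is a not-found (the apimachinery `IsNotFound` helper) and returning `denied(...)` otherwise, or add a comment recording that fail-open is deliberate because the webhook sees every eviction in the cluster. Admit's body continues past the end of this hunk.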
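Review bot: isVirtLauncher (hunk `-105,3 +106,7`) is now the single gate that decides whether an eviction gets any VMI handling, and it has no doc comment saying so. It trusts the `virtv1.AppLabel` value as found on the pod object, and a pod for which it returns false is admitted without further checks; a comment such as `// isVirtLauncher reports whether pod carries the virt-launcher app label; any other pod is admitted without a VMI lookup.` would record that. The function also dereferences `pod` without a nil check, which is fine for the one caller visible here but worth stating in the comment in case it gets reused.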