updated admission policy to account for controller

NVIDIA · Dec 21, 2024 · 89abbec · 89abbec
1 parent 34d49b8
commit 89abbec
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicy.yaml b/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicy.yaml
@@ -21,11 +21,13 @@ spec:
   - name: objectNodeName
     expression: >-
       (request.operation == "DELETE" ? oldObject : object).spec.?nodeName.orValue("")
+  - name: nodeSelectorValue
+    expression: >-
+      (request.operation == "DELETE" ? oldObject : object).spec.nodeSelector.nodeSelectorTerms[0].matchExpressions[0].values[0].orValue("")
   validations:
   - expression: variables.userNodeName != ""
     message: >-
       no node association found for user, this user must run in a pod on a node and ServiceAccountTokenPodNodeInfo must be enabled
-  - expression: variables.userNodeName == variables.objectNodeName
+  - expression: variables.userNodeName == variables.objectNodeName || variables.nodeSelectorValue != ""
     messageExpression: >-
-      "this user running on node '"+variables.userNodeName+"' may not modify " +
-      (variables.objectNodeName == "" ?"cluster resourceslices" : "resourceslices on node '"+variables.objectNodeName+"'")
+      "this user running on node '"+variables.userNodeName+"' may not modify cluster or node resourceslices"