feat: auto tolerate daemonsets with MAP

Signed-off-by: pehlicd <furkanpehlivan34@gmail.com>

Author: pehlicd

config/admission-policy/binding.yaml

@@ -1,6 +1,6 @@
 ---
 # MutatingAdmissionPolicyBinding binds the policy to the ConfigMap parameter
-apiVersion: admissionregistration.k8s.io/v1alpha1
+apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingAdmissionPolicyBinding
 metadata:
   name: inject-daemonset-readiness-tolerations-binding

config/admission-policy/policy.yaml

@@ -2,7 +2,7 @@
 # MutatingAdmissionPolicy for automatic DaemonSet toleration injection
 # Reads taint keys from a ConfigMap parameter resource
 # Requires: MutatingAdmissionPolicy feature enabled in the cluster
-apiVersion: admissionregistration.k8s.io/v1alpha1
+apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingAdmissionPolicy
 metadata:
   name: inject-daemonset-readiness-tolerations

config/rbac/role.yaml

@@ -14,6 +14,14 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
   - nodes
   verbs:
   - create

docs/admission-policy.md

@@ -12,7 +12,7 @@ The MutatingAdmissionPolicy approach uses Kubernetes's native admission control
 > MutatingAdmissionPolicy is needed to be enabled in the cluster.
 
 - Feature gate: `MutatingAdmissionPolicy=true`
-- Runtime config: `admissionregistration.k8s.io/v1alpha1=true`
+- Runtime config: `admissionregistration.k8s.io/v1beta1=true`
 - `kubectl` configured to access your cluster
 - NodeReadinessRule CRDs installed
 

internal/controller/nodereadinessrule_controller.go

@@ -91,6 +91,8 @@ func (r *RuleReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager)
 // +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules/finalizers,verbs=update
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch;create;update;patch;delete
 
 func (r *RuleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := ctrl.LoggerFrom(ctx)
@@ -180,6 +182,7 @@ func (r *RuleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.
 // 1. Deletes the taints associated with the rule.
 // 2. Remove the rule from the cache.
 // 3. Remove the finalizer from the rule.
+// 4. Sync the Taints ConfigMap.
 func (r *RuleReconciler) reconcileDelete(ctx context.Context, rule *readinessv1alpha1.NodeReadinessRule) (ctrl.Result, error) {
 	log := ctrl.LoggerFrom(ctx)
 
@@ -203,6 +206,13 @@ func (r *RuleReconciler) reconcileDelete(ctx context.Context, rule *readinessv1a
 	if err != nil {
 		return ctrl.Result{}, err
 	}
+
+	// Sync taints to ConfigMap for MutatingAdmissionPolicy
+	if err := r.Controller.syncTaintsConfigMap(ctx); err != nil {
+		log.Error(err, "Failed to sync taints configmap", "rule", rule.Name)
+		// Don't fail reconciliation for this - log and continue
+	}
+
 	return ctrl.Result{}, nil
 }
 
@@ -697,6 +707,10 @@ func (r *RuleReadinessController) syncTaintsConfigMap(ctx context.Context) error
 	// Extract unique taint keys with readiness.k8s.io/ prefix and NoSchedule effect
 	taintKeysSet := make(map[string]struct{})
 	for _, rule := range ruleList.Items {
+		// Skip rules that are being deleted
+		if !rule.DeletionTimestamp.IsZero() {
+			continue
+		}
 		if rule.Spec.Taint.Key != "" &&
 			strings.HasPrefix(rule.Spec.Taint.Key, "readiness.k8s.io/") &&
 			rule.Spec.Taint.Effect == corev1.TaintEffectNoSchedule {
@@ -740,7 +754,7 @@ func (r *RuleReadinessController) syncTaintsConfigMap(ctx context.Context) error
 	} else {
 		// Update existing ConfigMap
 		log.V(1).Info("Updating readiness-taints ConfigMap", "taintCount", len(taintKeys))
-		patch := client.MergeFrom(existingCM)
+		patch := client.MergeFrom(existingCM.DeepCopy())
 		existingCM.Data = cm.Data
 		if err := r.Patch(ctx, existingCM, patch); err != nil {
 			return fmt.Errorf("failed to update configmap: %w", err)