Adding validation to module toleration effect

TomerNewman · k8s-ci-robot · commit 936e0839df4c · 2025-01-27T00:59:22.000-08:00
Users can add a toleration to Module with
invalid effects (for example "blabla").
This commit adds a webhook validation
to the toleration effect value, ensuring only:
NoExecute,  NoSchedule, PreferNoSchedule
can be applied.
diff --git a/internal/webhook/module.go b/internal/webhook/module.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	corev1 "k8s.io/api/core/v1"
 	"regexp"
 	"strings"
 
@@ -109,6 +110,10 @@ func validateModule(mod *kmmv1beta1.Module) (admission.Warnings, error) {
 		return nil, fmt.Errorf("failed to validate kernel mappings: %v", err)
 	}
 
+	if err := validateModuleTolerarations(mod); err != nil {
+		return nil, fmt.Errorf("failed to validate Module's tolerations: %v", err)
+	}
+
 	return nil, validateModprobe(mod.Spec.ModuleLoader.Container.Modprobe)
 }
 
@@ -207,3 +212,14 @@ func validateModprobe(modprobe kmmv1beta1.ModprobeSpec) error {
 
 	return nil
 }
+func validateModuleTolerarations(mod *kmmv1beta1.Module) error {
+	for _, toleration := range mod.Spec.Tolerations {
+		switch toleration.Effect {
+		case corev1.TaintEffectNoSchedule, corev1.TaintEffectNoExecute, corev1.TaintEffectPreferNoSchedule:
+			continue
+		default:
+			return fmt.Errorf("invalid toleration effect %s. allowed values are NoSchedule, NoExecute, PreferNoSchedule", toleration.Effect)
+		}
+	}
+	return nil
+}
diff --git a/internal/webhook/module_test.go b/internal/webhook/module_test.go
@@ -18,6 +18,7 @@ package webhook
 
 import (
 	"context"
+	v1 "k8s.io/api/core/v1"
 	"strings"
 
 	kmmv1beta1 "github.com/kubernetes-sigs/kernel-module-management/api/v1beta1"
@@ -551,3 +552,32 @@ var _ = Describe("ValidateDelete", func() {
 		Expect(err).To(MatchError(NotImplemented))
 	})
 })
+
+var _ = Describe("validateModuleTolerarations", func() {
+	It("should fail when Module has an invalid toleration effect", func() {
+		mod := validModule
+		mod.Spec.Tolerations = []v1.Toleration{
+			{
+				Key: "Test-Key1", Operator: "Test-Equal1", Value: "Test-Value1", Effect: v1.TaintEffectPreferNoSchedule,
+			},
+			{
+				Key: "Test-Key2", Operator: "Test-Equal2", Value: "Test-Value2", Effect: "Test-Effect",
+			},
+		}
+
+		err := validateModuleTolerarations(&mod)
+		Expect(err).To(HaveOccurred())
+	})
+	It("should work when all tolerations have valid effects ", func() {
+		mod := validModule
+		mod.Spec.Tolerations = []v1.Toleration{
+			{
+				Key: "Test-Key", Operator: "Test-Equal", Value: "Test-Value", Effect: v1.TaintEffectPreferNoSchedule,
+			},
+		}
+
+		err := validateModuleTolerarations(&mod)
+		Expect(err).ToNot(HaveOccurred())
+	})
+
+})
