Improve RWX volumes with VM service VMs performace during validation in webhook.

Author: skogta

pkg/syncer/admissionhandler/validate_cnsfileaccessconfig.go

@@ -8,6 +8,7 @@ import (
 
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	cnsoperatorv1alpha1 "sigs.k8s.io/vsphere-csi-driver/v3/pkg/apis/cnsoperator"
 
@@ -42,6 +43,25 @@ func validateCreateCnsFileAccessConfig(ctx context.Context, clientConfig *rest.C
 		}
 	}
 
+	// This validation is not required for PVCSI service account.
+	isPvCSIServiceAccount, err := validatePvCSIServiceAccount(req.UserInfo.Username)
+	if err != nil {
+		// return AdmissionResponse result
+		return &admissionv1.AdmissionResponse{
+			Allowed: false,
+			Result: &metav1.Status{
+				Message: fmt.Sprintf("failed to validate user information: %v", err),
+			},
+		}
+	}
+
+	// If user is PVCSI service account, allow this request.
+	if isPvCSIServiceAccount {
+		return &admissionv1.AdmissionResponse{
+			Allowed: true,
+		}
+	}
+
 	vm := cnsFileAccessConfig.Spec.VMName
 	pvc := cnsFileAccessConfig.Spec.PvcName
 	namespace := cnsFileAccessConfig.Namespace
@@ -87,9 +107,14 @@ func cnsFileAccessConfigAlreadyExists(ctx context.Context, clientConfig *rest.Co
 		return "", err
 	}
 
+	// List only those CnsFileAccessConfig CRs which are not created by PVCSI.
+	labelSelector := labels.SelectorFromSet(labels.Set{devopsUserLabelKey: "true"})
 	// Get the list of all CnsFileAccessConfig CRs in the given namespace.
 	cnsFileAccessConfigList := &cnsfileaccessconfigv1alpha1.CnsFileAccessConfigList{}
-	err = cnsOperatorClient.List(ctx, cnsFileAccessConfigList, &client.ListOptions{Namespace: namespace})
+	err = cnsOperatorClient.List(ctx, cnsFileAccessConfigList, &client.ListOptions{
+		Namespace:     namespace,
+		LabelSelector: labelSelector,
+	})
 	if err != nil {
 		log.Errorf("failed to list CnsFileAccessConfigList CRs from %s namesapace. Error: %+v",
 			namespace, err)