From 75aee526a97664be1f2f24d46c9f8b6704f597f1 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Wed, 29 Nov 2023 01:34:36 +0000 Subject: [PATCH] genpolicy: add topologySpreadConstraints support Allow genpolicy to process Pod YAML files including topologySpreadConstraints. Signed-off-by: Dan Mihai
---
 src/tools/genpolicy/src/pod.rs | 26 +++++++++++++++++++ .../k8s-policy-pod.yaml | 4 +++ 2 files changed, 30 insertions(+)
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
index 737a3ca91b..403ae845fd 100644
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@@ -89,6 +89,9 @@ pub struct PodSpec {
 #[serde(skip_serializing_if = "Option::is_none")]
 dnsPolicy: Option,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ topologySpreadConstraints: Option>,
 }
 /// See Reference / Kubernetes API / Workload Resources / Pod.
@@ -503,6 +506,29 @@ struct PodDNSConfigOption {
 value: Option,
 }
+/// See Reference / Kubernetes API / Workload Resources / Pod.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+struct TopologySpreadConstraint {
+ maxSkew: i32,
+ topologyKey: String,
+ whenUnsatisfiable: String,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ labelSelector: Option,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ matchLabelKeys: Option>,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ minDomains: Option,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ nodeAffinityPolicy: Option,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ nodeTaintsPolicy: Option,
+}
+
 impl Container {
 pub async fn init(&mut self, config: &Config) {
 // Load container image properties from the registry.
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
index 3fa203b854..ac47bc98e2 100644
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
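Review bot: The doc comment on the new `TopologySpreadConstraint` struct is the same generic pointer used for the other Pod types, so it does not tell a policy reviewer how these fields are treated. The hunks here only add the serde model; nothing visible feeds the constraints into the generated policy, which is presumably intentional for scheduler hints but is worth stating, e.g. `/// Scheduling constraint from PodSpec.topologySpreadConstraints; modeled so that manifests using it deserialize and serialize unchanged.` The comment should also record that `maxSkew`, `topologyKey` and `whenUnsatisfiable` are non-`Option`, so a manifest that omits any of them is rejected at parse time rather than defaulted. The same one-line explanation would help on the `topologySpreadConstraints` field added to `PodSpec` in the first hunk.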
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
@@ -27,3 +27,7 @@ spec:
 securityContext:
 seccompProfile:
 type: RuntimeDefault
+ topologySpreadConstraints:
+ - maxSkew: 2
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
\ No newline at end of file
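Review bot: The added constraint sets only the three required fields (`maxSkew`, `topologyKey`, `whenUnsatisfiable`), so the optional members of the new struct (`labelSelector`, `matchLabelKeys`, `minDomains`, `nodeAffinityPolicy`, `nodeTaintsPolicy`) are never parsed by this test. Adding at least a `labelSelector` with one `matchLabels` entry would cover the nested selector type as well. The new last line also carries `\ No newline at end of file`, while the previous last line appears as unchanged context and so seems to have ended with a newline; the file should end with one.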