skip reconcile for unchanged Spec

for ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
2025-07-23 11:50:44 +00:00 · 2023-03-06 09:29:57 -08:00 · 2023-03-06 09:29:57 -08:00 · bb00707548
commit bb00707548
parent 0270fc75d0
1 changed files with 13 additions and 0 deletions
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go
@ -25,6 +25,7 @@ import (
 	v1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/api/admissionregistration/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@ -174,6 +175,12 @@ func (c *policyController) reconcilePolicyDefinition(namespace, name string, def
 		celmetrics.Metrics.ObserveDefinition(context.TODO(), "active", "deny")
 	}

+	// Skip reconcile if the spec of the definition is unchanged
+	if info.lastReconciledValue != nil && definition != nil &&
+		apiequality.Semantic.DeepEqual(info.lastReconciledValue.Spec, definition.Spec) {
+		return nil
+	}
+
 	var paramSource *v1alpha1.ParamKind
 	if definition != nil {
 		paramSource = definition.Spec.ParamKind
@ -360,6 +367,12 @@ func (c *policyController) reconcilePolicyBinding(namespace, name string, bindin
 		c.bindingInfos[nn] = info
 	}

+	// Skip if the spec of the binding is unchanged.
+	if info.lastReconciledValue != nil && binding != nil &&
+		apiequality.Semantic.DeepEqual(info.lastReconciledValue.Spec, binding.Spec) {
+		return nil
+	}
+
 	var oldNamespacedDefinitionName namespacedName
 	if info.lastReconciledValue != nil {
 		// All validating policies are cluster-scoped so have empty namespace