From fdd1f3766ba7a3a65725cfe43e0e6a3f2a115ae0 Mon Sep 17 00:00:00 2001
From: Min Jin <minkimzz@amazon.com>
Date: Sun, 4 Feb 2024 21:53:38 -0800
Subject: [PATCH] fail admission check upon nil/empty overhead map

Signed-off-by: Min Jin <minkimzz@amazon.com>
---
 plugin/pkg/admission/runtimeclass/admission.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugin/pkg/admission/runtimeclass/admission.go b/plugin/pkg/admission/runtimeclass/admission.go
index ed2e8b1343f..885385f03af 100644
--- a/plugin/pkg/admission/runtimeclass/admission.go
+++ b/plugin/pkg/admission/runtimeclass/admission.go
@@ -175,7 +175,7 @@ func setOverhead(a admission.Attributes, pod *api.Pod, runtimeClass *nodev1.Runt
 	}
 
 	// reject pod if Overhead is already set that differs from what is defined in RuntimeClass
-	if pod.Spec.Overhead != nil && !apiequality.Semantic.DeepEqual(nodeOverhead.PodFixed, pod.Spec.Overhead) {
+	if len(pod.Spec.Overhead) > 0 && !apiequality.Semantic.DeepEqual(nodeOverhead.PodFixed, pod.Spec.Overhead) {
 		return admission.NewForbidden(a, fmt.Errorf("pod rejected: Pod's Overhead doesn't match RuntimeClass's defined Overhead"))
 	}