fix(kubevirt): fix vm_lifecycle pause/unpause blocked by REST mapper #884
lyarwood wants to merge 2 commits into containers:main from
@lyarwood can you please regenerate README?
37fb030 to a17a4c9
The vm_lifecycle tool only supported start, stop, and restart actions. This meant AI agents could not pause/unpause VMs, causing them to fall back to stopping VMs instead (which is a fundamentally different operation). Add pause and unpause actions that use the KubeVirt subresource API (subresources.kubevirt.io/v1) to suspend and resume running VMIs in-place.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
The AccessControlRoundTripper was returning a RESOURCE_NOT_FOUND error for any resource not found in the REST mapper. This blocked requests to valid API endpoints like KubeVirt's subresources.kubevirt.io group, which serves pause/unpause endpoints but isn't discoverable via the REST mapper. Instead of blocking, pass the request through to the API server which is the source of truth for what resources exist.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
a17a4c9 to 38a2339
| // Some API groups (e.g. subresources.kubevirt.io) serve valid | ||
| // endpoints that are not discoverable via the REST mapper. | ||
| // Let the API server decide whether the resource exists. | ||
| klog.V(4).Infof("Resource %s not found in REST mapper, passing through to API server", api.FormatResourceName(&gvr)) | ||
| return rt.delegate.RoundTrip(req) |
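Review bot: the `return rt.delegate.RoundTrip(req)` at the end of this hunk passes through every resource the REST mapper cannot resolve, not only the `subresources.kubevirt.io` group named in the comment, so a request for a mistyped or nonexistent group now reaches the API server as well. Consider restricting the pass-through to an explicit list of API groups (for example a check on `gvr.Group` before the return) and keeping the previous RESOURCE_NOT_FOUND error for everything else. The pass-through is also logged only at `klog.V(4)`, so it does not appear at default verbosity; logging it at a lower verbosity level would make these requests visible to whoever audits the round tripper's decisions.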
@lyarwood I get why you need this change for kubevirt, but the original behavior was actually a requirement we were given.
I believe the AccessControlRoundTripperConfig already contains a DiscoveryProvider which should contain all the API groups (including subresources). Would that work for your use case?
If not, we can discuss moving forwards with the proposed change; I would just prefer to find a way to keep the existing behaviour for actual invalid groups.
AccessControlRoundTripper SHOULD NOT be made.
If certain API groups need exceptions, we'll need to find a proper way to handle those via the toolset API, and make it clear and explicit that certain routes are being allowed regardless of the security enforcements.
Summary
- vm_lifecycle tool using KubeVirt's subresource API
- AccessControlRoundTripper blocking requests to API groups not in the REST mapper (e.g. subresources.kubevirt.io), which prevented pause/unpause from working