Skip to content

Block ResourcePoolClaim spec mutation after allocation to prevent quota overscheduling#1980

Draft
oliverbaehler with Copilot wants to merge 1 commit into
mainfrom
copilot/bug-1977-fix-overscheduling
Draft

Block ResourcePoolClaim spec mutation after allocation to prevent quota overscheduling#1980
oliverbaehler with Copilot wants to merge 1 commit into
mainfrom
copilot/bug-1977-fix-overscheduling

Conversation

Copilot AI commented Jun 23, 2026

Copy link
Copy Markdown

ResourcePool claims could be resized after allocation when Bound=false but status.pool was still set, allowing total claimed quota to exceed pool limits. This change tightens update validation to treat allocation state (not bound-state alone) as immutable for claim spec.

  • Admission guard: allocation-aware immutability

    • Updated ResourcePoolClaim update validation to deny changes to spec.pool and spec.claim whenever the claim is already allocated to a pool (status.pool.uid != "").
    • This closes the gap where “allocated but currently unused” claims were still mutable.
  • E2E behavior: assert denied mutations while allocated

    • Updated pool_resourcepoolclaim_test expectations so allocated-but-unused claims cannot:
      • increase requested resources,
      • decrease requested resources,
      • change target pool.
    • Existing release/disassociation flows remain the path to regain mutability.
// before: mutation blocked only when BoundCondition=true
if oldClaim.IsBoundInResourcePool() { ... }

// now: mutation blocked for any allocated claim
if oldClaim.Status.Pool.UID != "" {
    if oldClaim.Spec.Pool != newClaim.Spec.Pool ||
       !reflect.DeepEqual(oldClaim.Spec.ResourceClaims, newClaim.Spec.ResourceClaims) {
        return ad.Denyf("cannot change the requested resources while claim is allocated to a resourcepool %s", oldClaim.Status.Pool.Name)
    }
}

@oliverbaehler

oliverbaehler commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Change makes sense, as Bound is no longer enough to tell if a claim can be mutated. Because Bound can also befalse, in case it's unused. Allowing the exploit shown in #1977. Checking the UID might be the best indication for now. An additional Condition may make sense in the future.

@codecov

codecov Bot commented Jun 24, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 11.71%. Comparing base (4e9e529) to head (14fa3bb).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
internal/webhook/resourcepool/claim_validating.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1980   +/-   ##
=======================================
  Coverage   11.70%   11.71%           
=======================================
  Files         362      362           
  Lines       20096    20096           
=======================================
+ Hits         2353     2355    +2     
+ Misses      17665    17664    -1     
+ Partials       78       77    -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants