Merge pull request #404 from tnierman/SREP-1770

openshift-merge-bot[bot] · web-flow · commit 2f9ad36a1931 · 2025-09-10T17:49:42.000Z
SREP-1770 - Allow nvidia-gpu-operator to label unprotected namespaces with `openshift.io/cluster-monitoring: "true"`
diff --git a/pkg/webhooks/namespace/namespace.go b/pkg/webhooks/namespace/namespace.go
@@ -49,6 +49,8 @@ var (
 	removableProtectedLabels = []string{
 		"openshift.io/cluster-monitoring",
 	}
+	// https://issues.redhat.com/browse/SREP-1770 - nvidia-gpu-operator should be allowed to label namespaces
+	labelUserExceptions = []string{"system:serviceaccount:nvidia-gpu-operator:gpu-operator"}
 
 	log = logf.Log.WithName(WebhookName)
 
@@ -230,6 +232,14 @@ func (s *NamespaceWebhook) authorized(request admissionctl.Request) admissionctl
 		ret.UID = request.AdmissionRequest.UID
 		return ret
 	}
+
+	// If the user making the request has a specific exception, allow them to change labels on non-platform and non-protected namespaces
+	if allowLabelChanges(request) {
+		ret = admissionctl.Allowed("User allowed to modify namespace labels")
+		ret.UID = request.AdmissionRequest.UID
+		return ret
+	}
+
 	// Unprivileged users cannot modify certain labels on unprivileged namespaces
 	unauthorized, err := s.unauthorizedLabelChanges(request)
 	if unauthorized {
@@ -363,3 +373,10 @@ func amIAdmin(request admissionctl.Request) bool {
 
 	return false
 }
+
+func allowLabelChanges(request admissionctl.Request) bool {
+	if slices.Contains(labelUserExceptions, request.UserInfo.Username) {
+		return true
+	}
+	return false
+}
diff --git a/pkg/webhooks/namespace/namespace_test.go b/pkg/webhooks/namespace/namespace_test.go
@@ -1102,6 +1102,41 @@ func TestLabellingUpdates(t *testing.T) {
 			labels:          map[string]string{},
 			shouldBeAllowed: true,
 		},
+		// https://issues.redhat.com/browse/SREP-1770 - test explicit exception for nvidia-gpu-operator
+		{
+			testID:          "nvidia-gpu-operator-can-add-label-to-unprotected-ns",
+			targetNamespace: "nvidia-gpu-operator",
+			username:        "system:serviceaccount:nvidia-gpu-operator:gpu-operator",
+			userGroups:      []string{"system:authenticated", "system:authenticated:oauth"},
+			operation:       admissionv1.Update,
+			oldObject:       createOldObject("nvidia-gpu-operator", "nvidia-gpu-operato-can-add-label-to-unprotected-ns", map[string]string{}),
+			labels:          map[string]string{"openshift.io/cluster-monitoring": "true"},
+			shouldBeAllowed: true,
+		},
+		{
+			testID:          "nvidia-gpu-operator-can-remove-label-from-unprotected-ns",
+			targetNamespace: "nvidia-gpu-operator",
+			username:        "system:serviceaccount:nvidia-gpu-operator:gpu-operator",
+			userGroups:      []string{"system:authenticated", "system:authenticated:oauth"},
+			operation:       admissionv1.Update,
+			oldObject: createOldObject("nvidia-gpu-operator", "nvidia-gpu-operato-can-remove-label-from-unprotected-ns", map[string]string{
+				"openshift.io/cluster-monitoring": "true",
+			}),
+			labels:          map[string]string{},
+			shouldBeAllowed: true,
+		},
+		{
+			testID:          "nvidia-gpu-operator-cannot-remove-label-from-protected-ns",
+			targetNamespace: "nvidia-gpu-operator",
+			username:        "system:serviceaccount:nvidia-gpu-operator:gpu-operator",
+			userGroups:      []string{"system:authenticated", "system:authenticated:oauth"},
+			operation:       admissionv1.Update,
+			oldObject: createOldObject("openshift-kube-apiserver", "nvidia-gpu-operato-cannot-remove-label-from-protected-ns", map[string]string{
+				"openshift.io/cluster-monitoring": "true",
+			}),
+			labels:          map[string]string{},
+			shouldBeAllowed: false,
+		},
 	}
 	runNamespaceTests(t, tests)
 }
