Merge pull request #90414 from sr1kar99/2104-sr-iov-update

maxwelldb · web-flow · commit f5907ca73fe3 · 2025-03-28T13:45:34.000-04:00
TELCODOCS#2104: Support for resourceInjectorMatchCondition feature
diff --git a/modules/nw-sriov-configuring-operator.adoc b/modules/nw-sriov-configuring-operator.adoc
@@ -108,8 +108,7 @@ include::snippets/technology-preview.adoc[]
 [id="about-network-resource-injector_{context}"]
 == About the Network Resources Injector
 
-The Network Resources Injector is a Kubernetes Dynamic Admission Controller
-application. It provides the following capabilities:
+The Network Resources Injector is a Kubernetes Dynamic Admission Controller application, which provides the following capabilities:
 
 * Mutation of resource requests and limits in a pod specification to add an SR-IOV resource name according to an SR-IOV network attachment definition annotation.
 * Mutation of a pod specification with a Downward API volume to expose pod annotations, labels, and huge pages requests and limits. Containers that run in the pod can access the exposed information as files under the `/etc/podnetinfo` path.
@@ -130,6 +129,29 @@ network-resources-injector-dwqpx          1/1     Running   0          10m
 network-resources-injector-lktz5          1/1     Running   0          10m
 ----
 
+By default, the `failurePolicy` field in the Network Resources Injector webhook is set to `Ignore`. This default setting prevents pod creation from being blocked if the webhook is unavailable.
+
+If you set the `failurePolicy` field to `Fail`, and the Network Resources Injector webhook is unavailable, the webhook attempts to mutate all pod creation and update requests. This behavior can block pod creation and disrupt normal cluster operations. To prevent such issues, you can enable the `featureGates.resourceInjectorMatchCondition` feature in the `SriovOperatorConfig` object to limit the scope of the Network Resources Injector webhook. If this feature is enabled, the webhook applies only to pods with the secondary network annotation `k8s.v1.cni.cncf.io/networks`.
+
+If you set the `failurePolicy` field to `Fail` after enabling the `resourceInjectorMatchCondition` feature, the webhook applies only to pods with the secondary network annotation `k8s.v1.cni.cncf.io/networks`. If the webhook is unavailable, pods without this annotation are still deployed, preventing unnecessary disruptions to cluster operations.
+
+The `featureGates.resourceInjectorMatchCondition` feature is disabled by default. To enable this feature, set the `featureGates.resourceInjectorMatchCondition` field to `true` in the `SriovOperatorConfig` object.
+
+.Example `SriovOperatorConfig` object configuration
+[source,yaml]
+----
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovOperatorConfig
+metadata:
+  name: default
+  namespace: sriov-network-operator
+spec:
+# ...
+  featureGates:
+    resourceInjectorMatchCondition: true
+# ...
+----
+
 [id="disable-enable-network-resource-injector_{context}"]
 == Disabling or enabling the Network Resources Injector
 
