kubefleet-dev
diff --git a/‎charts/hub-agent/README.md‎
Lines changed: 2 additions & 1 deletion b/‎charts/hub-agent/README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎charts/hub-agent/templates/deployment.yaml‎
Lines changed: 1 addition & 0 deletions b/‎charts/hub-agent/templates/deployment.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎charts/hub-agent/values.yaml‎
Lines changed: 1 addition & 0 deletions b/‎charts/hub-agent/values.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cmd/hubagent/main.go‎
Lines changed: 3 additions & 3 deletions b/‎cmd/hubagent/main.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cmd/hubagent/options/options.go‎
Lines changed: 4 additions & 0 deletions b/‎cmd/hubagent/options/options.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/utils/common.go‎
Lines changed: 14 additions & 0 deletions b/‎pkg/utils/common.go‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎pkg/utils/common_test.go‎
Lines changed: 148 additions & 0 deletions b/‎pkg/utils/common_test.go‎
Lines changed: 148 additions & 0 deletions
@@ -40,4 +40,5 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 | `logFileMaxSize`                          | Max log file size before rotation                                                          | `1000000`                                        |
 | `MaxFleetSizeSupported`                   | Max number of member clusters supported                                                    | `100`                                            |
 | `resourceSnapshotCreationMinimumInterval` | The minimum interval at which resource snapshots could be created.                         | `30s`                                            |
-| `resourceChangesCollectionDuration`       | The duration for collecting resource changes into one snapshot.                            | `15s`                                            |
+| `resourceChangesCollectionDuration`       | The duration for collecting resource changes into one snapshot.                            | `15s`                                            |
+| `enableWorkload`                          | Enable kubernetes builtin workload to run in hub cluster.                           | `false`                                          |
@@ -24,6 +24,7 @@ spec:
             - --enable-webhook={{ .Values.enableWebhook }}
             - --webhook-service-name={{ .Values.webhookServiceName }}
             - --enable-guard-rail={{ .Values.enableGuardRail }}
+            - --enable-workload={{ .Values.enableWorkload }}
             - --whitelisted-users=system:serviceaccount:fleet-system:hub-agent-sa
             - --webhook-client-connection-type={{.Values.webhookClientConnectionType}}
             - --v={{ .Values.logVerbosity }}
 
@@ -16,6 +16,7 @@ enableWebhook: true
 webhookServiceName: fleetwebhook
 enableGuardRail: true
 webhookClientConnectionType: service
+enableWorkload: false
 forceDeleteWaitTime: 15m0s
 clusterUnhealthyThreshold: 3m0s
 resourceSnapshotCreationMinimumInterval: 30s
 
@@ -156,7 +156,7 @@ func main() {
 
 	if opts.EnableWebhook {
 		whiteListedUsers := strings.Split(opts.WhiteListedUsers, ",")
-		if err := SetupWebhook(mgr, options.WebhookClientConnectionType(opts.WebhookClientConnectionType), opts.WebhookServiceName, whiteListedUsers, opts.EnableGuardRail, opts.EnableV1Beta1APIs, opts.DenyModifyMemberClusterLabels); err != nil {
+		if err := SetupWebhook(mgr, options.WebhookClientConnectionType(opts.WebhookClientConnectionType), opts.WebhookServiceName, whiteListedUsers, opts.EnableGuardRail, opts.EnableV1Beta1APIs, opts.DenyModifyMemberClusterLabels, opts.EnableWorkload); err != nil {
 			klog.ErrorS(err, "unable to set up webhook")
 			exitWithErrorFunc()
 		}
@@ -188,9 +188,9 @@ func main() {
 }
 
 // SetupWebhook generates the webhook cert and then set up the webhook configurator.
-func SetupWebhook(mgr manager.Manager, webhookClientConnectionType options.WebhookClientConnectionType, webhookServiceName string, whiteListedUsers []string, enableGuardRail, isFleetV1Beta1API bool, denyModifyMemberClusterLabels bool) error {
+func SetupWebhook(mgr manager.Manager, webhookClientConnectionType options.WebhookClientConnectionType, webhookServiceName string, whiteListedUsers []string, enableGuardRail, isFleetV1Beta1API bool, denyModifyMemberClusterLabels bool, enableWorkload bool) error {
 	// Generate self-signed key and crt files in FleetWebhookCertDir for the webhook server to start.
-	w, err := webhook.NewWebhookConfig(mgr, webhookServiceName, FleetWebhookPort, &webhookClientConnectionType, FleetWebhookCertDir, enableGuardRail, denyModifyMemberClusterLabels)
+	w, err := webhook.NewWebhookConfig(mgr, webhookServiceName, FleetWebhookPort, &webhookClientConnectionType, FleetWebhookCertDir, enableGuardRail, denyModifyMemberClusterLabels, enableWorkload)
 	if err != nil {
 		klog.ErrorS(err, "fail to generate WebhookConfig")
 		return err
 
@@ -107,6 +107,9 @@ type Options struct {
 	PprofPort int
 	// DenyModifyMemberClusterLabels indicates if the member cluster labels cannot be modified by groups (excluding system:masters)
 	DenyModifyMemberClusterLabels bool
+	// EnableWorkload enables workload resources (pods and replicasets) to be created in the hub cluster.
+	// When set to true, the pod and replicaset validating webhooks are disabled.
+	EnableWorkload bool
 	// ResourceSnapshotCreationMinimumInterval is the minimum interval at which resource snapshots could be created.
 	// Whether the resource snapshot is created or not depends on the both ResourceSnapshotCreationMinimumInterval and ResourceChangesCollectionDuration.
 	ResourceSnapshotCreationMinimumInterval time.Duration
@@ -181,6 +184,7 @@ func (o *Options) AddFlags(flags *flag.FlagSet) {
 	flags.BoolVar(&o.EnablePprof, "enable-pprof", false, "If set, the pprof profiling is enabled.")
 	flags.IntVar(&o.PprofPort, "pprof-port", 6065, "The port for pprof profiling.")
 	flags.BoolVar(&o.DenyModifyMemberClusterLabels, "deny-modify-member-cluster-labels", false, "If set, users not in the system:masters cannot modify member cluster labels.")
+	flags.BoolVar(&o.EnableWorkload, "enable-workload", false, "If set, workloads (pods and replicasets) can be created in the hub cluster. This disables the pod and replicaset validating webhooks.")
 	flags.DurationVar(&o.ResourceSnapshotCreationMinimumInterval, "resource-snapshot-creation-minimum-interval", 30*time.Second, "The minimum interval at which resource snapshots could be created.")
 	flags.DurationVar(&o.ResourceChangesCollectionDuration, "resource-changes-collection-duration", 15*time.Second,
 		"The duration for collecting resource changes into one snapshot. The default is 15 seconds, which means that the controller will collect resource changes for 15 seconds before creating a resource snapshot.")
 
@@ -79,6 +79,8 @@ const (
 	ServiceKind     = "Service"
 	NamespaceKind   = "Namespace"
 	JobKind         = "Job"
+	ReplicaSetKind  = "ReplicaSet"
+	PodKind         = "Pod"
 )
 
 const (
@@ -507,6 +509,18 @@ func CheckCRDInstalled(discoveryClient discovery.DiscoveryInterface, gvk schema.
 func ShouldPropagateObj(informerManager informer.Manager, uObj *unstructured.Unstructured) (bool, error) {
 	// TODO:  add more special handling for different resource kind
 	switch uObj.GroupVersionKind() {
+	case appv1.SchemeGroupVersion.WithKind(ReplicaSetKind):
+		// Skip ReplicaSets if they are managed by Deployments (have owner references)
+		// Standalone ReplicaSets (without owners) can be propagated
+		if len(uObj.GetOwnerReferences()) > 0 {
+			return false, nil
+		}
+	case appv1.SchemeGroupVersion.WithKind("ControllerRevision"):
+		// Skip ControllerRevisions if they are managed by DaemonSets/StatefulSets (have owner references)
+		// These are automatically created by controllers and will be recreated on member clusters
+		if len(uObj.GetOwnerReferences()) > 0 {
+			return false, nil
+		}
 	case corev1.SchemeGroupVersion.WithKind(ConfigMapKind):
 		// Skip the built-in custom CA certificate created in the namespace
 		if uObj.GetName() == "kube-root-ca.crt" {
 
@@ -6,6 +6,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/utils/ptr"
 
 	fleetv1beta1 "github.com/kubefleet-dev/kubefleet/apis/placement/v1beta1"
@@ -1189,3 +1190,150 @@ func TestIsDiffedResourcePlacementEqual(t *testing.T) {
 		})
 	}
 }
+
+func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
+	tests := []struct {
+		name            string
+		obj             map[string]interface{}
+		ownerReferences []metav1.OwnerReference
+		want            bool
+	}{
+		{
+			name: "standalone replicaset without ownerReferences should propagate",
+			obj: map[string]interface{}{
+				"apiVersion": "apps/v1",
+				"kind":       "ReplicaSet",
+				"metadata": map[string]interface{}{
+					"name":      "standalone-rs",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: nil,
+			want:            true,
+		},
+		{
+			name: "standalone pod without ownerReferences should propagate",
+			obj: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "Pod",
+				"metadata": map[string]interface{}{
+					"name":      "standalone-pod",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: nil,
+			want:            true,
+		},
+		{
+			name: "replicaset with deployment owner should NOT propagate",
+			obj: map[string]interface{}{
+				"apiVersion": "apps/v1",
+				"kind":       "ReplicaSet",
+				"metadata": map[string]interface{}{
+					"name":      "test-deploy-abc123",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "apps/v1",
+					Kind:       "Deployment",
+					Name:       "test-deploy",
+					UID:        "12345",
+				},
+			},
+			want: false,
+		},
+		{
+			name: "pod owned by replicaset - passes ShouldPropagateObj but filtered by resource config",
+			obj: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "Pod",
+				"metadata": map[string]interface{}{
+					"name":      "test-deploy-abc123-xyz",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "apps/v1",
+					Kind:       "ReplicaSet",
+					Name:       "test-deploy-abc123",
+					UID:        "67890",
+				},
+			},
+			want: true, // ShouldPropagateObj doesn't filter Pods - they're filtered by NewResourceConfig
+		},
+		{
+			name: "controllerrevision owned by daemonset should NOT propagate",
+			obj: map[string]interface{}{
+				"apiVersion": "apps/v1",
+				"kind":       "ControllerRevision",
+				"metadata": map[string]interface{}{
+					"name":      "test-ds-7b9848797f",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "apps/v1",
+					Kind:       "DaemonSet",
+					Name:       "test-ds",
+					UID:        "abcdef",
+				},
+			},
+			want: false,
+		},
+		{
+			name: "controllerrevision owned by statefulset should NOT propagate",
+			obj: map[string]interface{}{
+				"apiVersion": "apps/v1",
+				"kind":       "ControllerRevision",
+				"metadata": map[string]interface{}{
+					"name":      "test-ss-7878b4b446",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "apps/v1",
+					Kind:       "StatefulSet",
+					Name:       "test-ss",
+					UID:        "fedcba",
+				},
+			},
+			want: false,
+		},
+		{
+			name: "standalone controllerrevision without owner should propagate",
+			obj: map[string]interface{}{
+				"apiVersion": "apps/v1",
+				"kind":       "ControllerRevision",
+				"metadata": map[string]interface{}{
+					"name":      "custom-revision",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: nil,
+			want:            true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			uObj := &unstructured.Unstructured{Object: tt.obj}
+			if tt.ownerReferences != nil {
+				uObj.SetOwnerReferences(tt.ownerReferences)
+			}
+
+			got, err := ShouldPropagateObj(nil, uObj)
+			if err != nil {
+				t.Errorf("ShouldPropagateObj() error = %v", err)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("ShouldPropagateObj() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}