Quota for priorityClasses not allowing critical pods to be created in namespaces other than "kube-*" #76308

@ravisantoshgudimetla

What happened:

Following the documentation at https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default, I tried enabling quota for a namespace other than kube-system, but I was still not able to create a pod with the system-cluster-critical priorityClass in my namespace. It failed with the following error:

Error from server (Forbidden): error when creating "test_pod.yaml": pods "memory-demo" is forbidden: pods with system-cluster-critical priorityClass is not permitted in my-namespace namespace

What you expected to happen:

I expected the pod to be created in the namespace where I allowed quota. I can see from the logs that both the ResourceQuota and Priority plugins are enabled.

I0408 17:15:08.558389 29395 plugins.go:158] Loaded 8 mutating admission controller(s) successfully in the following order: NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook.
I0408 17:15:08.558406 29395 plugins.go:161] Loaded 6 validating admission controller(s) successfully in the following order: LimitRanger,ServiceAccount,Priority,PersistentVolumeClaimResize,ValidatingAdmissionWebhook,ResourceQuota.

How to reproduce it (as minimally and precisely as possible):

Follow the steps at https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default

Anything else we need to know?:

I think the issue is with the priorityPlugin, where we are rejecting instead of letting the resourceQuota plugin handle the admission when ResourceQuotaScopeSelectors is enabled.

Environment:

  • Kubernetes version (use kubectl version):
  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
  • Install tools:
  • Others:
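
The setup this report describes, as an added example that is not part of the original issue: an API server admission configuration that limits pods at system-cluster-critical priority to namespaces holding a matching quota, that quota for my-namespace, and a pod like the one named in the error message. The quota name, pod limit, container name, image, and API versions (which differ between Kubernetes releases) are assumptions.

```yaml
# File passed to kube-apiserver with --admission-control-config-file
# (not applied with kubectl). API versions are assumed; older releases
# use alpha/beta groups for these kinds.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ResourceQuota
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: ResourceQuotaConfiguration
    limitedResources:
    - resource: pods
      matchScopes:
      - scopeName: PriorityClass
        operator: In
        values: ["system-cluster-critical"]
---
# Quota that permits pods at this priority in my-namespace.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: critical-pods        # assumed name
  namespace: my-namespace
spec:
  hard:
    pods: "10"               # assumed limit
  scopeSelector:
    matchExpressions:
    - scopeName: PriorityClass
      operator: In
      values: ["system-cluster-critical"]
---
# test_pod.yaml: the pod whose creation the report says is rejected.
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo
  namespace: my-namespace
spec:
  priorityClassName: system-cluster-critical
  containers:
  - name: memory-demo-ctr              # assumed container name
    image: registry.example/app:1.0    # constructed placeholder image
```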

Labels

kind/bug: Categorizes issue or PR as related to a bug.
sig/scheduling: Categorizes an issue or PR as relevant to SIG Scheduling.
