webhook: improve nodeSelectorsOverlap to detect subset overlaps

Shreya2005-2005 · Shreya2005-2005 · commit 5aae821246b0 · 2026-05-05T04:05:33.000Z
Previously, nodeSelectorsOverlap only detected identical selectors
using string equality. This missed partial overlaps where one selector
is a subset of another, allowing conflicting rules to be created.

Fix by using sel.Matches() to check if one selector's matchLabels
satisfies the other selector, catching subset overlap cases.

Signed-off-by: Shreya2005-2005 &lt;bhakatmistu2005@gmail.com&gt;
diff --git a/internal/webhook/nodereadinessgaterule_webhook.go b/internal/webhook/nodereadinessgaterule_webhook.go
@@ -22,6 +22,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -122,9 +123,12 @@ func (w *NodeReadinessRuleWebhook) nodeSelectorsOverlap(selector1, selector2 met
 		return true
 	}
 
-	// Simple heuristic: if selectors are identical, they definitely overlap
-	// For more complex overlap detection, we'd need to analyze the label requirements
-	return sel1.String() == sel2.String()
+	// Check overlap: if one selector's matchLabels is a subset of the other,
+	// a node could match both selectors, causing a conflict.
+	if sel1.Matches(labels.Set(selector2.MatchLabels)) {
+		return true
+	}
+	return sel2.Matches(labels.Set(selector1.MatchLabels))
 }
 
 // generateNoExecuteWarnings generates admission warnings for NoExecute taint usage.
diff --git a/internal/webhook/nodereadinessgaterule_webhook_test.go b/internal/webhook/nodereadinessgaterule_webhook_test.go
@@ -283,18 +283,18 @@ var _ = Describe("NodeReadinessRule Validation Webhook", func() {
 			Expect(overlaps).To(BeTrue()) // Both nil = both match all nodes
 		})
 
-		It("should not overlap when one selector is nil", func() {
+		It("should overlap when one selector is empty (matches all nodes)", func() {
 			selector := metav1.LabelSelector{
 				MatchLabels: map[string]string{
 					"node-role.kubernetes.io/worker": "",
 				},
 			}
 
 			overlaps := webhook.nodeSelectorsOverlap(metav1.LabelSelector{}, selector)
-			Expect(overlaps).To(BeFalse())
+			Expect(overlaps).To(BeTrue())
 
 			overlaps = webhook.nodeSelectorsOverlap(selector, metav1.LabelSelector{})
-			Expect(overlaps).To(BeFalse())
+			Expect(overlaps).To(BeTrue())
 		})
 
 		It("should detect identical selectors as overlapping", func() {
