fix: skip quota enforcement for resources outside project context

zachsmith1 · claude · zachsmith1 · commit 099943447527 · 2026-03-20T10:05:48.000-07:00
The admission plugin now skips ResourceClaim creation when no consumer
(project) context can be determined. Quota is enforced per-project, so
resources created in the root control plane are not subject to quota.

Previously, creating Notes, ConfigMaps, or Secrets outside a project
control plane would fail with "Insufficient quota" because the claim
had no consumerRef and couldn't match any AllowanceBucket.

Also add test-specific ResourceGrants to the note-multicluster-subject
and clusternote-multicluster-subject e2e tests so they have quota
allocated in their project control planes.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/quota/admission/plugin.go b/internal/quota/admission/plugin.go
@@ -704,6 +704,17 @@ func (p *ResourceQuotaEnforcementPlugin) createResourceClaim(ctx context.Context
 		}
 	}
 
+	// Skip claim creation when no consumer can be determined. Quota is
+	// enforced per-project, so resources created outside a project context
+	// (e.g. in the root control plane) are not subject to quota.
+	if claim.Spec.ConsumerRef.Kind == "" || claim.Spec.ConsumerRef.Name == "" {
+		p.logger.V(2).Info("Skipping ResourceClaim creation: no consumer context (not in a project control plane)",
+			"claimName", claimName,
+			"namespace", namespace,
+			"resourceName", attrs.GetName())
+		return nil
+	}
+
 	if claim.Labels == nil {
 		claim.Labels = make(map[string]string)
 	}
diff --git a/test/notes/clusternote-multicluster-subject/chainsaw-test.yaml b/test/notes/clusternote-multicluster-subject/chainsaw-test.yaml
@@ -53,6 +53,23 @@ spec:
                 name: Ready
                 value: 'true'
 
+    - name: setup-quota-grant
+      description: Provision quota for the project so resources can be created
+      cluster: project
+      try:
+        - apply:
+            file: test-data/quota-grant.yaml
+        - wait:
+            apiVersion: quota.miloapis.com/v1alpha1
+            kind: ResourceGrant
+            name: test-clusternotes-quota-grant
+            namespace: milo-system
+            timeout: 30s
+            for:
+              condition:
+                name: Active
+                value: 'True'
+
     - name: create-namespace-in-project
       description: Create cluster-scoped Namespace in project control plane
       cluster: project
diff --git a/test/notes/clusternote-multicluster-subject/test-data/quota-grant.yaml b/test/notes/clusternote-multicluster-subject/test-data/quota-grant.yaml
@@ -0,0 +1,20 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: ResourceGrant
+metadata:
+  name: test-clusternotes-quota-grant
+  namespace: milo-system
+spec:
+  consumerRef:
+    apiGroup: resourcemanager.miloapis.com
+    kind: Project
+    name: cn-mc-test-project-1
+  allowances:
+    - resourceType: notes.miloapis.com/notes
+      buckets:
+        - amount: 100
+    - resourceType: core.miloapis.com/configmaps
+      buckets:
+        - amount: 100
+    - resourceType: core.miloapis.com/secrets
+      buckets:
+        - amount: 100
diff --git a/test/notes/note-multicluster-subject/chainsaw-test.yaml b/test/notes/note-multicluster-subject/chainsaw-test.yaml
@@ -52,6 +52,23 @@ spec:
                 name: Ready
                 value: 'true'
 
+    - name: setup-quota-grant
+      description: Provision quota for the project so resources can be created
+      cluster: project
+      try:
+        - apply:
+            file: test-data/quota-grant.yaml
+        - wait:
+            apiVersion: quota.miloapis.com/v1alpha1
+            kind: ResourceGrant
+            name: test-notes-quota-grant
+            namespace: milo-system
+            timeout: 30s
+            for:
+              condition:
+                name: Active
+                value: 'True'
+
     - name: create-configmap-in-project
       description: Create ConfigMap resource in project control plane
       cluster: project
diff --git a/test/notes/note-multicluster-subject/test-data/quota-grant.yaml b/test/notes/note-multicluster-subject/test-data/quota-grant.yaml
@@ -0,0 +1,20 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: ResourceGrant
+metadata:
+  name: test-notes-quota-grant
+  namespace: milo-system
+spec:
+  consumerRef:
+    apiGroup: resourcemanager.miloapis.com
+    kind: Project
+    name: note-mc-test-project-1
+  allowances:
+    - resourceType: notes.miloapis.com/notes
+      buckets:
+        - amount: 100
+    - resourceType: core.miloapis.com/configmaps
+      buckets:
+        - amount: 100
+    - resourceType: core.miloapis.com/secrets
+      buckets:
+        - amount: 100

Original file line number	Diff line number	Diff line change
`@@ -704,6 +704,17 @@ func (p *ResourceQuotaEnforcementPlugin) createResourceClaim(ctx context.Context`
`704`	`704`	`}`
`705`	`705`	`}`
`706`	`706`
	`707`	`+ // Skip claim creation when no consumer can be determined. Quota is`
	`708`	`+ // enforced per-project, so resources created outside a project context`
	`709`	`+ // (e.g. in the root control plane) are not subject to quota.`
	`710`	`+ if claim.Spec.ConsumerRef.Kind == "" \|\| claim.Spec.ConsumerRef.Name == "" {`
	`711`	`+ p.logger.V(2).Info("Skipping ResourceClaim creation: no consumer context (not in a project control plane)",`
	`712`	`+ "claimName", claimName,`
	`713`	`+ "namespace", namespace,`
	`714`	`+ "resourceName", attrs.GetName())`
	`715`	`+ return nil`
	`716`	`+ }`
	`717`	`+`
`707`	`718`	`if claim.Labels == nil {`
`708`	`719`	`claim.Labels = make(map[string]string)`
`709`	`720`	`}`