From a0394f4bef6d0fc6480d38d0c6c4e417ad146b2d Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 21 Feb 2026 23:11:35 +0000
Subject: [PATCH] [ci skip] Fix Kyverno priority injection to remove default priority/preemptionPolicy

The priority injection policy was setting priorityClassName on pods but Kubernetes had already defaulted priority=0 and preemptionPolicy=PreemptLowerPriority on those pods, causing admission controller to reject the mismatch. Switch from patchStrategicMerge to patchesJson6902 to explicitly remove the priority and preemptionPolicy fields before setting priorityClassName.
---
 .../kubernetes/kyverno/resource-governance.tf | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/modules/kubernetes/kyverno/resource-governance.tf b/modules/kubernetes/kyverno/resource-governance.tf
index c2a1d5e5..fb81a3ae 100644
--- a/modules/kubernetes/kyverno/resource-governance.tf
+++ b/modules/kubernetes/kyverno/resource-governance.tf
@@ -719,11 +719,21 @@ resource "kubernetes_manifest" "mutate_priority_from_tier" {
 ]
 }
 mutate = {
- patchStrategicMerge = {
- spec = {
- priorityClassName = "tier-{{tierLabel}}"
+ patchesJson6902 = yamlencode([
+ {
+ op = "remove"
+ path = "/spec/priority"
+ },
+ {
+ op = "remove"
+ path = "/spec/preemptionPolicy"
+ },
+ {
+ op = "add"
+ path = "/spec/priorityClassName"
+ value = "tier-{{tierLabel}}"
 }
- }
+ ])
 }
 }
 ]
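Review bot: The three patch operations in `mutate` run on every pod the rule matches, and nothing in the hunk shows a precondition that skips pods which already set `priorityClassName`, so a workload pinned to another class would have its class replaced and its `priority`/`preemptionPolicy` stripped; the `match`/`preconditions` blocks sit outside the hunk, so confirm they exclude such pods. Because `tierLabel` alone decides the scheduling priority, it should resolve from a label that only cluster admins can set (its declaration is not visible here); if workload owners can edit it, they can choose a tier that preempts other tenants. RFC 6902 makes `remove` fail when the path is absent, so it is worth confirming that the deployed Kyverno version tolerates a pod without `/spec/priority`, otherwise the mutation errors out for those pods. I would also add a comment above the patch list, e.g. `# drop API-server-defaulted priority/preemptionPolicy so they are recomputed from priorityClassName`.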