From f0312df2beeb0509f35500d083d8b3378f16c9e3 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 15 Mar 2026 19:11:44 +0000
Subject: [PATCH] fix gpu-workload Kyverno policy: use replace with explicit
 priority value

The API server doesn't re-resolve priority from PriorityClassName after
webhook mutation. Changed from remove+add to replace with explicit
priority=1200000 and preemptionPolicy=PreemptLowerPriority.
---
 .../modules/kyverno/resource-governance.tf    | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/stacks/platform/modules/kyverno/resource-governance.tf b/stacks/platform/modules/kyverno/resource-governance.tf
index 5aff16ae..19d42bfb 100644
--- a/stacks/platform/modules/kyverno/resource-governance.tf
+++ b/stacks/platform/modules/kyverno/resource-governance.tf
@@ -927,17 +927,19 @@ resource "kubernetes_manifest" "mutate_gpu_priority" {
           mutate = {
             patchesJson6902 = yamlencode([
               {
-                op   = "remove"
-                path = "/spec/priority"
-              },
-              {
-                op   = "remove"
-                path = "/spec/preemptionPolicy"
-              },
-              {
-                op    = "add"
+                op    = "replace"
                 path  = "/spec/priorityClassName"
                 value = "gpu-workload"
+              },
+              {
+                op    = "replace"
+                path  = "/spec/priority"
+                value = 1200000
+              },
+              {
+                op    = "replace"
+                path  = "/spec/preemptionPolicy"
+                value = "PreemptLowerPriority"
               }
             ])
           }