From d439b78b180d2b84ea85ddd5bb1109d651c3ed7c Mon Sep 17 00:00:00 2001
From: Dorothy
Date: Thu, 14 May 2026 13:54:00 +0530
Subject: [PATCH 1/3] fix:webhook fails closed when rule listing errors
---
 internal/webhook/nodereadinessgaterule_webhook.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/internal/webhook/nodereadinessgaterule_webhook.go b/internal/webhook/nodereadinessgaterule_webhook.go
index 4481f82..564ebaf 100644
--- a/internal/webhook/nodereadinessgaterule_webhook.go
+++ b/internal/webhook/nodereadinessgaterule_webhook.go
@@ -80,9 +80,12 @@ func (w *NodeReadinessRuleWebhook) validateTaintConflicts(ctx context.Context, r
 // List all existing rules
 ruleList := &readinessv1alpha1.NodeReadinessRuleList{}
 if err := w.List(ctx, ruleList); err != nil {
- // If we can't list rules, allow the operation but log the issue
- ctrl.Log.Error(err, "Failed to list rules for conflict validation")
- return allErrs
+ // Fail closed: if we can't list rules, we cannot safely validate
+ // for conflicts. Reject the request so the client can retry.
+ return append(allErrs, field.InternalError(
+ field.NewPath("spec", "taint", "key"),
+ fmt.Errorf("unable to validate taint conflicts, please retry: %w", err),
+ ))
 }

 taintField := field.NewPath("spec", "taint", "key")
From c58fe57ef99045f0174ff9499a3467d10c5808b5 Mon Sep 17 00:00:00 2001
From: Dorothy
Date: Sun, 24 May 2026 10:21:16 +0530
Subject: [PATCH 2/3] use nil field path in InternalError for list failure
---
 internal/webhook/nodereadinessgaterule_webhook.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/webhook/nodereadinessgaterule_webhook.go b/internal/webhook/nodereadinessgaterule_webhook.go
index 564ebaf..c2f0a96 100644
--- a/internal/webhook/nodereadinessgaterule_webhook.go
+++ b/internal/webhook/nodereadinessgaterule_webhook.go
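Review bot: In patch 1/3 the `%w`-wrapped `err` from `w.List` becomes the detail of `field.InternalError`, which, as far as I can tell, is returned to the submitting client in the admission response; the same wrapping is still present in the final hunk of patch 3/3. A list failure can carry client, cache or API-server detail that the submitter of a rule has no need for, so I would return a fixed message, e.g. `errors.New("unable to validate taint conflicts, please retry")`, and keep the underlying error in the server-side log only. This hunk also removes the `ctrl.Log.Error` call without replacement (3/3 restores it), so at this commit a rejection leaves no operator-visible record. validateTaintConflicts starts and ends outside the hunk.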
@@ -83,7 +83,7 @@ func (w *NodeReadinessRuleWebhook) validateTaintConflicts(ctx context.Context, r
 // Fail closed: if we can't list rules, we cannot safely validate
 // for conflicts. Reject the request so the client can retry.
 return append(allErrs, field.InternalError(
- field.NewPath("spec", "taint", "key"),
+ nil,
 fmt.Errorf("unable to validate taint conflicts, please retry: %w", err),
 ))
 }
From c39ddb42064c013d1370a21d3edccec9695d8c4c Mon Sep 17 00:00:00 2001
From: Dorothy
Date: Wed, 27 May 2026 23:07:37 +0530
Subject: [PATCH 3/3] restore taint key path and log line in list error handler
---
 internal/webhook/nodereadinessgaterule_webhook.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/internal/webhook/nodereadinessgaterule_webhook.go b/internal/webhook/nodereadinessgaterule_webhook.go
index c2f0a96..4e8692b 100644
--- a/internal/webhook/nodereadinessgaterule_webhook.go
+++ b/internal/webhook/nodereadinessgaterule_webhook.go
@@ -82,9 +82,10 @@ func (w *NodeReadinessRuleWebhook) validateTaintConflicts(ctx context.Context, r
 if err := w.List(ctx, ruleList); err != nil {
 // Fail closed: if we can't list rules, we cannot safely validate
 // for conflicts. Reject the request so the client can retry.
+ ctrl.Log.Error(err, "Failed to list rules for conflict validation")
 return append(allErrs, field.InternalError(
- nil,
- fmt.Errorf("unable to validate taint conflicts, please retry: %w", err),
+ field.NewPath("spec", "taint", "key"),
+ fmt.Errorf("failed to validate taint %q against existing rules: %w", rule.Spec.Taint.Key, err),
 ))
 }
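Review bot: Nothing in this series exercises the new rejection branch in the `if err := w.List(...)` block of patch 3/3: all three patches touch only nodereadinessgaterule_webhook.go, so the fail-closed behaviour is untested as far as the diff shows. A unit test that injects a client whose List returns an error and asserts exactly one `field.ErrorTypeInternal` entry would pin the behaviour and keep a later refactor from quietly returning `allErrs` again. The restored log call also carries no request context; adding the key the error message already uses, `ctrl.Log.Error(err, "Failed to list rules for conflict validation", "taintKey", rule.Spec.Taint.Key)`, would let an operator tie a rejection to the rule that triggered it. The enclosing function continues outside the hunk.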