rancher · jferrazbr · Nov 7, 2025 · Nov 10, 2025 · Nov 25, 2025 · Nov 25, 2025
@@ -664,6 +664,17 @@ The only exception to this check is if the existing cluster already has a `NO_PR
 
 Prevent the update of objects if the secret specified in `.spec.rkeConfig.etcd.s3.cloudCredentialName` does not exist.
 
+##### ETCD Snapshot Restore
+
+Validation for `spec.rkeConfig.etcdSnapshotRestore` is only triggered when this field is changed to a new, non-empty value. This check is intentionally skipped if the field is unchanged, which prevents blocking unrelated cluster updates (e.g., node scaling) if the referenced snapshot is deleted *after* a successful restore.
+
+When triggered, the following checks are performed:
+
+* The referenced snapshot in `etcdSnapshotRestore.name` must exist in the same namespace as the cluster.
+* The `etcdSnapshotRestore.restoreRKEConfig` field must be a supported mode (`"none"`, `"kubernetesVersion"`, or `"all"`).
+* If `restoreRKEConfig` is **`"kubernetesVersion"`**, the snapshot's metadata must be parsable and contain a `kubernetesVersion`.
+* If `restoreRKEConfig` is **`"all"`**, the snapshot's metadata must be parsable and contain both `kubernetesVersion` and `rkeConfig`.
+
 ### Mutation Checks
 
 #### On Create

@@ -8,6 +8,8 @@ import (
 	managementv3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
 	"github.com/rancher/webhook/pkg/generated/controllers/provisioning.cattle.io"
 	provv1 "github.com/rancher/webhook/pkg/generated/controllers/provisioning.cattle.io/v1"
+	"github.com/rancher/webhook/pkg/generated/controllers/rke.cattle.io"
+	rkev1 "github.com/rancher/webhook/pkg/generated/controllers/rke.cattle.io/v1"
 	"github.com/rancher/wrangler/v3/pkg/clients"
 	"github.com/rancher/wrangler/v3/pkg/schemes"
 	v1 "k8s.io/api/admissionregistration/v1"
@@ -21,6 +23,7 @@ type Clients struct {
 	MultiClusterManagement bool
 	Management             managementv3.Interface
 	Provisioning           provv1.Interface
+	RKE                    rkev1.Interface
 	RoleTemplateResolver   *auth.RoleTemplateResolver
 	GlobalRoleResolver     *auth.GlobalRoleResolver
 	DefaultResolver        validation.AuthorizationRuleResolver
@@ -46,6 +49,11 @@ func New(ctx context.Context, rest *rest.Config, mcmEnabled bool) (*Clients, err
 		return nil, err
 	}
 
+	rke, err := rke.NewFactoryFromConfigWithOptions(rest, clients.FactoryOptions)
+	if err != nil {
+		return nil, err
+	}
+
 	if err = mgmt.Start(ctx, 5); err != nil {
 		return nil, err
 	}
@@ -61,6 +69,7 @@ func New(ctx context.Context, rest *rest.Config, mcmEnabled bool) (*Clients, err
 		Clients:                *clients,
 		Management:             mgmt.Management().V3(),
 		Provisioning:           prov.Provisioning().V1(),
+		RKE:                    rke.Rke().V1(),
 		MultiClusterManagement: mcmEnabled,
 		DefaultResolver:        validation.NewDefaultRuleResolver(rbacRestGetter, rbacRestGetter, rbacRestGetter, rbacRestGetter),
 	}

@@ -13,6 +13,7 @@ import (
 	catalogv1 "github.com/rancher/rancher/pkg/apis/catalog.cattle.io/v1"
 	v3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	v1 "github.com/rancher/rancher/pkg/apis/provisioning.cattle.io/v1"
+	rkev1 "github.com/rancher/rancher/pkg/apis/rke.cattle.io/v1"
 	controllergen "github.com/rancher/wrangler/v3/pkg/controller-gen"
 	"github.com/rancher/wrangler/v3/pkg/controller-gen/args"
 	"golang.org/x/tools/imports"
@@ -63,6 +64,11 @@ func main() {
 					&catalogv1.ClusterRepo{},
 				},
 			},
+			"rke.cattle.io": {
+				Types: []interface{}{
+					&rkev1.ETCDSnapshot{},
+				},
+			},
 		},
 	})
 
@@ -116,6 +122,11 @@ func main() {
 				&auditlogv1.AuditPolicy{},
 			},
 		},
+		"rke.cattle.io": {
+			Types: []interface{}{
+				&rkev1.ETCDSnapshot{},
+			},
+		},
 	}); err != nil {
 		fmt.Printf("ERROR: %v\n", err)
 	}