deckhouse · loktev-d · Aug 26, 2025 · Aug 5, 2025 · Aug 5, 2025 · Aug 7, 2025
@@ -46,6 +46,10 @@ const (
 	TypeNeedsEvict Type = "NeedsEvict"
 	// TypeNetworkReady indicates the state of additional network interfaces inside the virtual machine pod
 	TypeNetworkReady Type = "NetworkReady"
+
+	// TypeMaintenance indicates that the VirtualMachine is in maintenance mode.
+	// During this condition, the VM remains stopped and no changes are allowed.
+	TypeMaintenance Type = "Maintenance"
 )
 
 type Reason string
@@ -132,4 +136,7 @@ const (
 	ReasonNetworkNotReady Reason = "NetworkNotReady"
 	// ReasonSDNModuleDisable indicates that the SDN module is disabled, which may prevent network interfaces from becoming ready.
 	ReasonSDNModuleDisable Reason = "SDNModuleDisable"
+
+	// ReasonMaintenanceRestore indicates that the VirtualMachine is in maintenance mode for restore operation.
+	ReasonMaintenanceRestore Reason = "RestoreInProgress"
 )
@@ -31,6 +31,8 @@ import (
 	"github.com/deckhouse/virtualization-controller/pkg/logger"
 )
 
+var ErrStopHandlerChain = errors.New("stop handler chain execution")
+
 type Handler[T client.Object] interface {
 	Handle(ctx context.Context, obj T) (reconcile.Result, error)
 	Name() string
@@ -77,12 +79,17 @@ func (r *BaseReconciler[H]) Reconcile(ctx context.Context) (reconcile.Result, er
 	var result reconcile.Result
 	var errs error
 
+handlersLoop:
 	for _, h := range r.handlers {
 		log := logger.FromContext(ctx).With(logger.SlogHandler(reflect.TypeOf(h).Elem().Name()))
 
 		res, err := r.execute(ctx, h)
 		switch {
 		case err == nil: // OK.
+		case errors.Is(err, ErrStopHandlerChain):
+			log.Debug("Handler chain execution stopped")
+			result = MergeResults(result, res)
+			break handlersLoop
 		case k8serrors.IsConflict(err):
 			log.Debug("Conflict occurred during handler execution", logger.SlogErr(err))
 			result.RequeueAfter = 100 * time.Microsecond

@@ -0,0 +1,115 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internal
+
+import (
+	"context"
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	"github.com/deckhouse/virtualization-controller/pkg/common/object"
+	"github.com/deckhouse/virtualization-controller/pkg/controller/conditions"
+	"github.com/deckhouse/virtualization-controller/pkg/controller/reconciler"
+	"github.com/deckhouse/virtualization-controller/pkg/controller/vm/internal/state"
+	"github.com/deckhouse/virtualization-controller/pkg/logger"
+	"github.com/deckhouse/virtualization/api/core/v1alpha2/vmcondition"
+)
+
+const nameMaintenanceHandler = "MaintenanceHandler"
+
+type MaintenanceHandler struct {
+	client client.Client
+}
+
+func NewMaintenanceHandler(client client.Client) *MaintenanceHandler {
+	return &MaintenanceHandler{
+		client: client,
+	}
+}
+
+func (h *MaintenanceHandler) Handle(ctx context.Context, s state.VirtualMachineState) (reconcile.Result, error) {
+	log := logger.FromContext(ctx)
+
+	if s.VirtualMachine().IsEmpty() {
+		return reconcile.Result{}, nil
+	}
+	changed := s.VirtualMachine().Changed()
+
+	maintenance, _ := conditions.GetCondition(vmcondition.TypeMaintenance, changed.Status.Conditions)
+
+	if maintenance.Status == metav1.ConditionFalse {
+		conditions.RemoveCondition(vmcondition.TypeMaintenance, &changed.Status.Conditions)
+		return reconcile.Result{}, nil
+	}
+
+	if maintenance.Status != metav1.ConditionTrue {
+		return reconcile.Result{}, nil
+	}
+
+	log.Info("Reconcile observe a VirtualMachine in maintenance mode")
+
+	kvvmi, err := s.KVVMI(ctx)
+	if err != nil {
+		return reconcile.Result{}, fmt.Errorf("get KVVMI: %w", err)
+	}
+
+	// If VM is not stopped yet, wait for it to stop (SyncPowerStateHandler will handle stopping)
+	if kvvmi != nil {
+		log.Info("VM is still running, waiting for shutdown in maintenance mode")
+		return reconcile.Result{}, nil
+	}
+
+	// Hide all other conditions when in maintenance mode
+	changed.Status.Conditions = []metav1.Condition{maintenance}
+
+	log.Info("VM is stopped, cleaning up resources if any for maintenance mode")
+
+	kvvm, err := s.KVVM(ctx)
+	if err != nil {
+		return reconcile.Result{}, fmt.Errorf("%w: get KVVM: %w", reconciler.ErrStopHandlerChain, err)
+	}
+	if kvvm != nil {
+		log.Info("Deleting KVVM for maintenance mode")
+		err = object.CleanupObject(ctx, h.client, kvvm)
+		if err != nil {
+			return reconcile.Result{}, fmt.Errorf("%w: delete KVVM: %w", reconciler.ErrStopHandlerChain, err)
+		}
+	}
+
+	pods, err := s.Pods(ctx)
+	if err != nil {
+		return reconcile.Result{}, fmt.Errorf("%w: get pods: %w", reconciler.ErrStopHandlerChain, err)
+	}
+	if pods != nil && len(pods.Items) > 0 {
+		log.Info("Deleting pods for maintenance mode")
+		for i := range pods.Items {
+			err = object.CleanupObject(ctx, h.client, &pods.Items[i])
+			if err != nil {
+				return reconcile.Result{}, fmt.Errorf("%w: delete pod: %w", reconciler.ErrStopHandlerChain, err)
+			}
+		}
+	}
+
+	return reconcile.Result{}, reconciler.ErrStopHandlerChain
+}
+
+func (h *MaintenanceHandler) Name() string {
+	return nameMaintenanceHandler
+}
@@ -126,23 +126,30 @@ func (h *SyncPowerStateHandler) syncPowerState(
 		shutdownInfo = s.ShutdownInfo
 	})
 
-	isConfigurationApplied := checkVirtualMachineConfiguration(s.VirtualMachine().Changed())
+	changed := s.VirtualMachine().Changed()
+	isConfigurationApplied := checkVirtualMachineConfiguration(changed)
+	maintenance, _ := conditions.GetCondition(vmcondition.TypeMaintenance, changed.Status.Conditions)
+
 	var vmAction VMAction
-	switch runPolicy {
-	case virtv2.AlwaysOffPolicy:
-		vmAction = h.handleAlwaysOffPolicy(ctx, s, kvvmi)
-	case virtv2.AlwaysOnPolicy:
-		vmAction, err = h.handleAlwaysOnPolicy(ctx, s, kvvm, kvvmi, isConfigurationApplied, shutdownInfo)
-		if err != nil {
-			return err
-		}
-	case virtv2.AlwaysOnUnlessStoppedManually:
-		vmAction, err = h.handleAlwaysOnUnlessStoppedManuallyPolicy(ctx, s, kvvm, kvvmi, isConfigurationApplied, shutdownInfo)
-		if err != nil {
-			return err
+	if maintenance.Status != metav1.ConditionTrue {
+		switch runPolicy {
+		case virtv2.AlwaysOffPolicy:
+			vmAction = h.handleAlwaysOffPolicy(ctx, s, kvvmi)
+		case virtv2.AlwaysOnPolicy:
+			vmAction, err = h.handleAlwaysOnPolicy(ctx, s, kvvm, kvvmi, isConfigurationApplied, shutdownInfo)
+			if err != nil {
+				return err
+			}
+		case virtv2.AlwaysOnUnlessStoppedManually:
+			vmAction, err = h.handleAlwaysOnUnlessStoppedManuallyPolicy(ctx, s, kvvm, kvvmi, isConfigurationApplied, shutdownInfo)
+			if err != nil {
+				return err
+			}
+		case virtv2.ManualPolicy:
+			vmAction = h.handleManualPolicy(ctx, s, kvvm, kvvmi, isConfigurationApplied, shutdownInfo)
 		}
-	case virtv2.ManualPolicy:
-		vmAction = h.handleManualPolicy(ctx, s, kvvm, kvvmi, isConfigurationApplied, shutdownInfo)
+	} else {
+		vmAction = Stop
 	}
 
 	switch vmAction {

@@ -0,0 +1,54 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validators
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/deckhouse/virtualization-controller/pkg/controller/conditions"
+	virtv2 "github.com/deckhouse/virtualization/api/core/v1alpha2"
+	"github.com/deckhouse/virtualization/api/core/v1alpha2/vmcondition"
+)
+
+type MaintenanceValidator struct{}
+
+func NewMaintenanceValidator() *MaintenanceValidator {
+	return &MaintenanceValidator{}
+}
+
+func (v *MaintenanceValidator) ValidateCreate(_ context.Context, _ *virtv2.VirtualMachine) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (v *MaintenanceValidator) ValidateUpdate(_ context.Context, oldVM, newVM *virtv2.VirtualMachine) (admission.Warnings, error) {
+	maintenance, _ := conditions.GetCondition(vmcondition.TypeMaintenance, oldVM.Status.Conditions)
+
+	if maintenance.Status != metav1.ConditionTrue {
+		return nil, nil
+	}
+
+	if !reflect.DeepEqual(oldVM.Spec, newVM.Spec) {
+		return nil, fmt.Errorf("spec changes are not allowed while VirtualMachine is in maintenance mode")
+	}
+
+	return nil, nil
+}
@@ -55,6 +55,7 @@ func SetupController(
 	blockDeviceService := service.NewBlockDeviceService(client)
 	vmClassService := service.NewVirtualMachineClassService(client)
 	handlers := []Handler{
+		internal.NewMaintenanceHandler(client),
 		internal.NewDeletionHandler(client),
 		internal.NewClassHandler(client, recorder),
 		internal.NewIPAMHandler(netmanager.NewIPAM(), client, recorder),
@@ -94,7 +95,7 @@ func SetupController(
 
 	if err = builder.WebhookManagedBy(mgr).
 		For(&v1alpha2.VirtualMachine{}).
-		WithValidator(NewValidator(netmanager.NewIPAM(), client, blockDeviceService, log)).
+		WithValidator(NewValidator(client, blockDeviceService, log)).
 		WithDefaulter(NewDefaulter(client, vmClassService, log)).
 		Complete(); err != nil {
 		return err

@@ -26,7 +26,6 @@ import (
 
 	"github.com/deckhouse/deckhouse/pkg/log"
 	"github.com/deckhouse/virtualization-controller/pkg/controller/service"
-	"github.com/deckhouse/virtualization-controller/pkg/controller/vm/internal"
 	"github.com/deckhouse/virtualization-controller/pkg/controller/vm/internal/defaulter"
 	"github.com/deckhouse/virtualization-controller/pkg/controller/vm/internal/validators"
 	virtv2 "github.com/deckhouse/virtualization/api/core/v1alpha2"
@@ -42,9 +41,10 @@ type Validator struct {
 	log        *log.Logger
 }
 
-func NewValidator(ipam internal.IPAM, client client.Client, service *service.BlockDeviceService, log *log.Logger) *Validator {
+func NewValidator(client client.Client, service *service.BlockDeviceService, log *log.Logger) *Validator {
 	return &Validator{
 		validators: []VirtualMachineValidator{
+			validators.NewMaintenanceValidator(),
 			validators.NewMetaValidator(client),
 			validators.NewIPAMValidator(client),
 			validators.NewBlockDeviceSpecRefsValidator(),