Conversation

@xiaojiey
Collaborator

@xiaojiey xiaojiey commented Nov 12, 2025

  1. Newer OpenShift versions (4.21) have a ValidatingAdmissionPolicy that rejects MCPs without proper selectors. As a result it's no longer testable via e2e, because you can't create such MCPs anymore due to ValidatingAdmissionPolicy enforcement.
% oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0.nightly-2025-11-22-193140   True        False         5h48m   Cluster version is 4.21.0-0.nightly-2025-11-22-193140
% oc get ValidatingAdmissionPolicy custom-machine-config-pool-selector -o=jsonpath={.spec.validations} | jq -r
[
  {
    "expression": "( has(object.spec.machineConfigSelector.matchLabels) && ( (object.spec.machineConfigSelector.matchLabels[\"machineconfiguration.openshift.io/role\"] == \"master\") || (object.spec.machineConfigSelector.matchLabels[\"machineconfiguration.openshift.io/role\"] == \"worker\") || (object.spec.machineConfigSelector.matchLabels[\"machineconfiguration.openshift.io/role\"] == \"arbiter\") ) ) || ( has(object.spec.machineConfigSelector.matchExpressions) && ( (object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == \"machineconfiguration.openshift.io/role\" && e.operator == \"In\" && \"worker\" in e.values) ) || (object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == \"machineconfiguration.openshift.io/role\" && e.operator == \"NotIn\" && !(\"worker\" in e.values)) ) ) )",
    "message": "All custom MachineConfigPools must inherit from the worker pool and must have a machineConfigSelector that matches for a 'machineconfiguration.openshift.io/role: worker' label"
  }
]
  2. This PR means to include the required selectors in the machineconfig pool to pass the ValidatingAdmissionPolicy.
    Without this PR, running make e2e-serial gives the error below:
creating Machine Config Pool e2e-invalid: machineconfigpools.machineconfiguration.openshift.io "e2e-invalid" is forbidden: ValidatingAdmissionPolicy 
'custom-machine-config-pool-selector' with binding 'custom-machine-config-pool-selector-binding' denied request: expression '( has(object.spec.machineConfigSelector.matchLabels) && ( 
(object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "master") || (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "worker") 
|| (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "arbiter") ) ) || ( has(object.spec.machineConfigSelector.matchExpressions) && ( 
(object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == "machineconfiguration.openshift.io/role" && e.operator == "In" && "worker" in e.values) ) || 
(object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == "machineconfiguration.openshift.io/role" && e.operator == "NotIn" && !("worker" in e.values)) ) ) )' resulted in error: no such key: 
machineConfigSelector... retrying after 351.247769ms
  3. Solution: to keep backward compatibility, this PR checks for the ValidatingAdmissionPolicy named "custom-machine-config-pool-selector" before creating the pool.
  • If the policy exists: adds minimal selectors (NodeSelector + MachineConfigSelector) to pass the validation
  • If the policy doesn't exist: creates the pool without selectors (legacy mode for backward compatibility)
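As an added example (not the PR's own code, which uses the real Kubernetes and MCO types), the policy's CEL check and the pool-building decision described above modelled in Go with stand-in types; the matchExpressions selector values are an assumption, and a real implementation would set policyExists from a Get of the ValidatingAdmissionPolicy named custom-machine-config-pool-selector.

```go
package main

import (
	"fmt"
	"slices"
)

const roleLabel = "machineconfiguration.openshift.io/role"

// Assumed stand-ins for metav1.LabelSelector and MachineConfigPoolSpec; nil means absent.
type Requirement struct {
	Key, Operator string
	Values        []string
}
type LabelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}
type PoolSpec struct{ NodeSelector, MachineConfigSelector *LabelSelector }

// PolicyAllows mirrors the policy's CEL expression. As the e2e failure shows, has() errors
// with "no such key" when machineConfigSelector itself is absent, so a legacy selector-less
// pool is rejected before the policy message applies. Simplification: a matchLabels map
// without the role key is treated as no match rather than as a CEL key error.
func PolicyAllows(spec PoolSpec) (bool, error) {
	sel := spec.MachineConfigSelector
	if sel == nil {
		return false, fmt.Errorf("no such key: machineConfigSelector")
	}
	if slices.Contains([]string{"master", "worker", "arbiter"}, sel.MatchLabels[roleLabel]) {
		return true, nil
	}
	for _, e := range sel.MatchExpressions {
		w := slices.Contains(e.Values, "worker")
		if e.Key == roleLabel && (e.Operator == "In" && w || e.Operator == "NotIn" && !w) {
			return true, nil
		}
	}
	return false, nil
}

// NewPoolSpec follows the PR: minimal selectors only when the policy exists (exact values
// are an assumption), otherwise the legacy selector-less pool.
func NewPoolSpec(name string, policyExists bool) (spec PoolSpec) {
	if policyExists {
		spec.NodeSelector = &LabelSelector{MatchLabels: map[string]string{"node-role.kubernetes.io/" + name: ""}}
		spec.MachineConfigSelector = &LabelSelector{MatchExpressions: []Requirement{{Key: roleLabel, Operator: "In", Values: []string{"worker", name}}}}
	}
	return spec
}
```

Calling PolicyAllows(NewPoolSpec("e2e-invalid", false)) reproduces the "no such key" rejection from the e2e log, while the policyExists=true spec passes.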

@xiaojiey xiaojiey changed the title Include the required selectors to machineconfig to pass the Validatin… Include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy Nov 12, 2025
@xiaojiey xiaojiey changed the title Include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy [NO-JIRA]Include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy Nov 12, 2025
@github-actions

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:960-eb093931238b7aaf6d4a39deb2326c298eeef881

@xiaojiey
Collaborator Author

/retest-required

@xiaojiey xiaojiey changed the title [NO-JIRA]Include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy [CMP-3930]Include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy Nov 12, 2025
@xiaojiey xiaojiey changed the title [CMP-3930]Include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy CMP-3930: Include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy Nov 12, 2025
@openshift-ci-robot
Collaborator

@xiaojiey: This pull request references CMP-3930 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

This PR means to include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy.
Without this PR, for the make e2e-serial, you will get the below error:

creating Machine Config Pool e2e-invalid: machineconfigpools.machineconfiguration.openshift.io "e2e-invalid" is forbidden: ValidatingAdmissionPolicy 
'custom-machine-config-pool-selector' with binding 'custom-machine-config-pool-selector-binding' denied request: expression '( has(object.spec.machineConfigSelector.matchLabels) && ( 
(object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "master") || (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "worker") 
|| (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "arbiter") ) ) || ( has(object.spec.machineConfigSelector.matchExpressions) && ( 
(object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == "machineconfiguration.openshift.io/role" && e.operator == "In" && "worker" in e.values) ) || 
(object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == "machineconfiguration.openshift.io/role" && e.operator == "NotIn" && !("worker" in e.values)) ) ) )' resulted in error: no such key: 
machineConfigSelector... retrying after 351.247769ms

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@xiaojiey
Collaborator Author

/test e2e-aws-serial

// This pool is still "invalid" for testing as no nodes match this selector
NodeSelector: &metav1.LabelSelector{
	MatchLabels: map[string]string{
		"node-role.kubernetes.io/e2e-invalid": "",
	},
},
Collaborator

@Vincent056 I think we need NodeSelector to be empty to exercise the additional logic you added in 4961d0f correct?

Collaborator Author

@xiaojiey xiaojiey Dec 2, 2025

  1. Newer OpenShift versions (4.21) have a ValidatingAdmissionPolicy that rejects MCPs without proper selectors. As a result it's no longer testable via e2e, because you can't create such MCPs anymore due to ValidatingAdmissionPolicy enforcement.
% oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0.nightly-2025-11-22-193140   True        False         5h48m   Cluster version is 4.21.0-0.nightly-2025-11-22-193140
% oc get ValidatingAdmissionPolicy custom-machine-config-pool-selector -o=jsonpath={.spec.validations} | jq -r
[
  {
    "expression": "( has(object.spec.machineConfigSelector.matchLabels) && ( (object.spec.machineConfigSelector.matchLabels[\"machineconfiguration.openshift.io/role\"] == \"master\") || (object.spec.machineConfigSelector.matchLabels[\"machineconfiguration.openshift.io/role\"] == \"worker\") || (object.spec.machineConfigSelector.matchLabels[\"machineconfiguration.openshift.io/role\"] == \"arbiter\") ) ) || ( has(object.spec.machineConfigSelector.matchExpressions) && ( (object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == \"machineconfiguration.openshift.io/role\" && e.operator == \"In\" && \"worker\" in e.values) ) || (object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == \"machineconfiguration.openshift.io/role\" && e.operator == \"NotIn\" && !(\"worker\" in e.values)) ) ) )",
    "message": "All custom MachineConfigPools must inherit from the worker pool and must have a machineConfigSelector that matches for a 'machineconfiguration.openshift.io/role: worker' label"
  }
]
  2. The logic from commit 4961d0f is still valuable for production environments where legacy/invalid MCPs without selectors might exist.

Collaborator Author

How about we check whether the ValidatingAdmissionPolicy exists or not? If it doesn't exist, use the legacy way without selectors; if it exists, use the minimal selectors.

Collaborator

How about we check whether the ValidatingAdmissionPolicy exists or not? If it doesn't exist, use the legacy way without selectors; if it exists, use the minimal selectors.

That seems like the best option.

@github-actions

github-actions bot commented Dec 3, 2025

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:960-5ad04b70337f58cfb96024b8fe35b949e60bc8e7

@xiaojiey
Collaborator Author

xiaojiey commented Dec 3, 2025

/test e2e-aws-serial

@rhmdnd
Collaborator

rhmdnd commented Dec 4, 2025

Cluster provisioning failed.

/test e2e-aws-serial

@rhmdnd
Collaborator

rhmdnd commented Dec 4, 2025

Looks like this worked as expected on a 4.17 cluster in CI:

2025/12/03 03:18:36 e2e Machine Config Pool has not updated... retrying
2025/12/03 03:18:46 successfully created Machine Config Pool e2e
2025/12/03 03:18:46 ValidatingAdmissionPolicy 'custom-machine-config-pool-selector' not found, creating MachineConfigPool e2e-invalid without selectors (legacy mode)
=== RUN   TestProfileVersion
=== PAUSE TestProfileVersion
=== RUN   TestProfileModification

Collaborator

@rhmdnd rhmdnd left a comment

/lgtm

@rhmdnd
Collaborator

rhmdnd commented Dec 8, 2025

The profile bundle problem is affecting these test results, but we're chasing that down in a separate PR.

#1019

@rhmdnd rhmdnd added this to the 1.9.0 milestone Dec 8, 2025
Collaborator

@rhmdnd rhmdnd left a comment

/lgtm

@openshift-ci

openshift-ci bot commented Dec 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd, xiaojiey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@xiaojiey
Collaborator Author

xiaojiey commented Dec 9, 2025

/test e2e-aws-serial

…gAdmissionPolicy

Creates the pool with the appropriate selectors based on whether the validation policy exists

Add ValidatingAdmissionPolicy scheme registration
@openshift-ci openshift-ci bot removed the lgtm label Dec 9, 2025
@openshift-ci

openshift-ci bot commented Dec 9, 2025

New changes are detected. LGTM label has been removed.

@xiaojiey
Collaborator Author

xiaojiey commented Dec 9, 2025

/retest-required

@github-actions

github-actions bot commented Dec 9, 2025

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:960-a1c0b1dd2e7c757df27fa1d5371a46f1b2c5b145

@xiaojiey
Collaborator Author

/retest

@openshift-ci

openshift-ci bot commented Dec 25, 2025

@xiaojiey: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-rosa a1c0b1d link true /test e2e-rosa
ci/prow/e2e-aws-serial a1c0b1d link true /test e2e-aws-serial

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
