Merge https://github.com/kubernetes-sigs/cluster-api:v1.13.2 (ebd807c) into main #298
cloud-team-rebase-bot[bot] wants to merge 623 commits into
…bot/go_modules/all-go-mod-patch-and-minor-2fc94a814f 🌱 Bump the all-go-mod-patch-and-minor group across 3 directories with 8 updates
…es-status-addresses-even-further 🌱 api: relax validation for Machine .status.addresses to maximum of 256 instead of 128 items
* Postpone date when we stop serving v1beta1
* Address comments
Signed-off-by: Stefan Büringer buringerst@vmware.com
* Add rolloutAfter to cluster.spec.topology
* Address comments
…eout-unset 🌱 Avoid unsetting nodeDeletionTimeoutSeconds during Machine deletion
apiserver Signed-off-by: Stefan Büringer buringerst@vmware.com
Signed-off-by: Stefan Büringer buringerst@vmware.com
…per-no-up-safeguard 🌱 Add safeguard to patchHelper to avoid sending empty patches to the apiserver
…utafter-uptodate 🐛 Fix UpToDate calculation for rolloutAfter
…dget factor for cluster and clusterclass
- Stop streaming when pod or container has terminated, but ensure we stream the logs at least once.
- Add containerHasTerminated helper with tests.

The current behavior is to try again every 2 seconds for terminated containers. This becomes silly for init containers particularly, since we fetch the logs from the beginning for each retry so that we end up with logs repeated again and again.

Signed-off-by: Lennart Jern <lennart.jern@est.tech>
Signed-off-by: Stefan Büringer buringerst@vmware.com
Signed-off-by: Stefan Büringer buringerst@vmware.com
…helper-flake 🐛 Fix patchHelper unit test flakes
Signed-off-by: Stefan Büringer buringerst@vmware.com
…he-optimization ✨ Optimize cache configuration of CABPK & standardize cache/client setup
… 1 update Bumps the all-go-mod-patch-and-minor group with 1 update in the / directory: [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime). Bumps the all-go-mod-patch-and-minor group with 1 update in the /hack/tools directory: [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime). Bumps the all-go-mod-patch-and-minor group with 1 update in the /test directory: [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime). Updates `sigs.k8s.io/controller-runtime` from 0.23.1 to 0.23.3 - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.23.1...v0.23.3) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.23.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-go-mod-patch-and-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…bot/go_modules/all-go-mod-patch-and-minor-f488d51061 🌱 Bump the all-go-mod-patch-and-minor group across 3 directories with 1 update
I should've just read the CAEP better, but this confounded me for a good few hours. Clarify that ClusterResourceSet is namespace-scoped and requires resources and clusters to be in the same namespace.
📖 ClusterResourceSet is namespace scoped
…bot/cherry-pick-13685-to-release-1.13 [release-1.13] 🌱 KCP cleanup etcd members not started after a machine is remediated
Squash follow-up OWNERS sync into the initial OpenShift-specific carry since it updates the same initial ownership surface. # Conflicts: # .github/workflows/pr-dependabot.yaml # .github/workflows/pr-golangci-lint.yaml # .github/workflows/pr-verify.yaml # OWNERS_ALIASES
Squash the OWNERS-only carries into a single update to keep ownership churn in one focused commit.
Squash adjacent changes that iterate on OpenShift manifest tooling and metadata sync behavior in the same Makefile-driven flow.
Squash adjacent Dockerfile updates that refine the 4.21 image carry and manager binary naming.
Squash adjacent toolchain updates touching openshift/tools so kustomize alignment and IPAM pinning are applied together.
…olicy: Ignore

Add functions to set the failurePolicy to Ignore for both mutating and validating webhooks handling IPAM resources.

During bootstrap, the bootstrap node's Kube API Server receives IPAM create requests but is unable to reach the webhooks in the Cluster API namespace. This is because the bootstrap node doesn't have a route to the pods as it doesn't have access to the pod networks.

If failurePolicy is set to Fail, the KAS cannot reach the webhook endpoints and the request fails, preventing creation of IPAddress and IPAddressClaim resources. This causes a chicken-and-egg problem as it prevents IPAM provisioning for the workers which won't start without their IP addresses being allocated.

Setting failurePolicy to Ignore allows the resources to be created even when the webhooks are unreachable during bootstrap, matching what Machine API also does.

More context: https://redhat-internal.slack.com/archives/C0A2M43S199/p1765540108488539
Squash ART image consistency updates into a single carry commit.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Squash adjacent carries that iterate over OpenShift manifests generation, IPAM kustomization, and Dockerfile image consistency.
… upstream rebase Squash the post-rebase regeneration steps into a single carry commit so the PR keeps one coherent update for generated manifests and dependency vendoring.
Signed-off-by: Nolan Brubaker <nolan@nbrubaker.com>
Hi @cloud-team-rebase-bot[bot]. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Walkthrough

Consolidates API/CRD updates (taints, rollouts, health checks), conversions, kubeadm controllers/webhooks, cluster cache behavior, clusterctl provider/image handling, CI/workflows, and build/test tooling versions; repins webhooks to v1, removes legacy versions/exclusions, adds tests, and updates Docker/Makefile/Tilt.

Changes

CAPI 1.12/1.13 stabilization: APIs, webhooks, tooling, and ops

Estimated code review effort: 🎯 5 (Critical) | ⏱️ ~120+ minutes
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cloud-team-rebase-bot[bot]

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go`:
- Around line 800-807: KubeadmConfigSpec.Validate in v1beta1 does not enforce
that the sum of percentages in DiskLayout (slice of PartitionSpec) is <= 100;
add validation inside KubeadmConfigSpec.Validate to iterate over
spec.DiskLayout, sum the PartitionSpec percentage field (e.g.,
PartitionSpec.Percentage or the actual field name used) and return a validation
error (matching existing API validation style) when the total > 100; ensure the
check runs only when DiskLayout is present/len>0 and include the same logic for
any other similar fields mentioned (lines 809-826) so invalid configs are
rejected at admission time.
In `@api/controlplane/kubeadm/v1beta1/conversion.go`:
- Around line 420-427: The conversion currently appends taints into
out.Spec.Taints which can retain stale entries when `out` is reused; change the
logic to build the slice from scratch by resetting `out.Spec.Taints` (e.g.,
assign a new slice with len 0 or make with proper length) before iterating over
`in.Taints`, then append each clusterv1.MachineTaint (Key, Value, Effect,
Propagation) — follow the same overwrite pattern used in the `ReadinessGates`
conversion above; apply this exact fix to the three other reverse/template
conversion blocks that handle taints as well (the similar append loops at the
other noted locations).
In `@api/core/v1beta1/common_types.go`:
- Around line 376-382: The MachineTaint.Value field currently has a
+kubebuilder:validation:MinLength=1 which prohibits empty-string taint values;
remove that MinLength tag on the Value string field in
api/core/v1beta1/common_types.go (the Value field on the MachineTaint struct) so
empty "" values are allowed while keeping the existing MaxLength and Pattern
annotations.
In `@CHANGELOG/v1.12.2.md`:
- Line 16: In the changelog entry replace the double-space typo in the text
"client  cert/key" with a single space so it reads "client cert/key" (update the
exact string in CHANGELOG/v1.12.2.md, locating the line containing "Runtime SDK:
Improve client  cert/key rotation of the RuntimeSDK client (`#13217`)" and change
"client  cert/key" → "client cert/key").
In `@CHANGELOG/v1.13.0-beta.0.md`:
- Line 81: There's a double-space typo in the changelog bullet "Runtime SDK:
Improve client  cert/key rotation of the RuntimeSDK client (`#13213`)"; update
that line (the bullet text) to "Runtime SDK: Improve client cert/key rotation of
the RuntimeSDK client (`#13213`)" by removing the extra space between "client" and
"cert/key".
In `@CHANGELOG/v1.13.0-beta.1.md`:
- Line 148: Update the Runtime SDK bullet in the changelog to fix the
double-space typo: replace "client  cert/key" with "client cert/key" in the
Runtime SDK line ("Runtime SDK: Improve client  cert/key rotation of the
RuntimeSDK client (`#13213`)") so the entry reads "Runtime SDK: Improve client
cert/key rotation of the RuntimeSDK client (`#13213`)".
In `@config/crd/bases/cluster.x-k8s.io_machinedeployments.yaml`:
- Around line 551-613: The key property on MachineTaint currently only enforces
overall length (maxLength: 317) which allows a long name segment after
'/'—restore the per-segment validation by adding an x-kubernetes-validations
rule on properties.key (the MachineTaint schema) that enforces the segment after
an optional prefix slash is max 63 characters (and the optional prefix remains
within its 253 limit), i.e. add a validation regex/rule that checks "(optional
prefix/)?nameSegment" and requires nameSegment length <=63; apply the same
x-kubernetes-validations to the corresponding MachinePool/shared taint schema so
both CRDs stay aligned.
In `@controllers/clustercache/cluster_cache.go`:
- Around line 63-67: The cluster filter Option (Options.ClusterFilter) is never
wired into the clusterCache, leaving cc.clusterFilter nil so the filter branch
in Reconcile never runs; update the SetupWithManager code that constructs
clusterCache to pass Options.ClusterFilter into the clusterCache initialization
(set cc.clusterFilter = opts.ClusterFilter or provide it as a constructor
parameter) so clusterCache.clusterFilter is populated and Reconcile can evaluate
the filter.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: dbb01f75-4b28-4c2f-a3f4-07e3767856cb
⛔ Files ignored due to path filters (29)
- `api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go` is excluded by `!**/zz_generated*`
- `api/bootstrap/kubeadm/v1beta1/zz_generated.deepcopy.go` is excluded by `!**/zz_generated*`
- `api/bootstrap/kubeadm/v1beta2/zz_generated.deepcopy.go` is excluded by `!**/zz_generated*`
- `api/controlplane/kubeadm/v1beta1/zz_generated.conversion.go` is excluded by `!**/zz_generated*`
- `api/controlplane/kubeadm/v1beta1/zz_generated.deepcopy.go` is excluded by `!**/zz_generated*`
- `api/controlplane/kubeadm/v1beta2/zz_generated.deepcopy.go` is excluded by `!**/zz_generated*`
- `api/core/v1beta1/zz_generated.conversion.go` is excluded by `!**/zz_generated*`
- `api/core/v1beta1/zz_generated.deepcopy.go` is excluded by `!**/zz_generated*`
- `api/core/v1beta1/zz_generated.openapi.go` is excluded by `!**/zz_generated*`
- `api/core/v1beta2/zz_generated.deepcopy.go` is excluded by `!**/zz_generated*`
- `api/core/v1beta2/zz_generated.openapi.go` is excluded by `!**/zz_generated*`
- `api/runtime/hooks/v1alpha1/zz_generated.deepcopy.go` is excluded by `!**/zz_generated*`
- `api/runtime/hooks/v1alpha1/zz_generated.openapi.go` is excluded by `!**/zz_generated*`
- `docs/book/src/images/clusterclass-crd-relationships.svg` is excluded by `!**/*.svg`
- `docs/book/src/images/kubeadm-control-plane-machines-resources.png` is excluded by `!**/*.png`
- `docs/book/src/images/worker-machines-resources.png` is excluded by `!**/*.png`
- `go.sum` is excluded by `!**/*.sum`
- `hack/tools/go.sum` is excluded by `!**/*.sum`
- `hack/tools/vendor/cloud.google.com/go/auth/CHANGES.md` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/credentials/detect.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/credentials/filetypes.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/httptransport/httptransport.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/httptransport/transport.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/parse.go` is excluded by `!**/vendor/**`
- `hack/tools/vendor/cloud.google.com/go/auth/internal/internal.go` is excluded by `!**/vendor/**`
📒 Files selected for processing (271)
💤 Files with no reviewable changes (7)
- .github/workflows/pr-gh-workflow-approve.yaml
- .trivyignore
- bootstrap/kubeadm/config/webhook/manifests.yaml
- controllers/clustercache/cluster_accessor_test.go
- cmd/clusterctl/client/cluster/upgrader_test.go
- config/webhook/manifests.yaml
- bootstrap/util/suite_test.go
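The per-segment taint key check requested in the review above (prefix at most 253, name segment at most 63, overall 317), set against a length-only check, as an added Go example; it is not code from cluster-api or from the review. All function names and sample keys are constructed for illustration, and character-class rules are deliberately left out.

```go
package main

import (
	"fmt"
	"strings"
)

// Limits quoted in the review comment on the MachineTaint key schema.
const (
	maxKeyLen    = 317 // overall maxLength on the key
	maxPrefixLen = 253 // optional prefix before '/'
	maxNameLen   = 63  // name segment after the optional prefix
)

// lengthOnlyOK models a schema that bounds only the overall key length.
func lengthOnlyOK(key string) bool {
	return len(key) >= 1 && len(key) <= maxKeyLen
}

// segmentViolations checks a key of the form "(prefix/)?name" segment by
// segment and returns one message per violated limit. An empty result means
// the key passes. Keys are assumed to be ASCII, so len() counts characters.
func segmentViolations(key string) []string {
	var v []string
	prefix, name, hasPrefix := "", key, false
	if before, after, found := strings.Cut(key, "/"); found {
		prefix, name, hasPrefix = before, after, true
	}
	if hasPrefix && prefix == "" {
		v = append(v, "prefix is empty")
	}
	if len(prefix) > maxPrefixLen {
		v = append(v, fmt.Sprintf("prefix is %d characters, limit %d", len(prefix), maxPrefixLen))
	}
	if strings.Contains(name, "/") {
		v = append(v, "more than one '/' separator")
	}
	if name == "" {
		v = append(v, "name segment is empty")
	}
	if len(name) > maxNameLen {
		v = append(v, fmt.Sprintf("name segment is %d characters, limit %d", len(name), maxNameLen))
	}
	return v
}

// schemaGaps returns the keys that a length-only schema admits although the
// per-segment check rejects them.
func schemaGaps(keys []string) []string {
	var gaps []string
	for _, k := range keys {
		if lengthOnlyOK(k) && len(segmentViolations(k)) > 0 {
			gaps = append(gaps, k)
		}
	}
	return gaps
}

// sampleKeys returns constructed keys around the boundaries.
func sampleKeys() []string {
	return []string{
		"node-role.kubernetes.io/control-plane",                  // valid
		"example.com/" + strings.Repeat("a", 63),                 // name exactly at the limit
		"example.com/" + strings.Repeat("a", 64),                 // name one over, total well under 317
		strings.Repeat("b", 100),                                 // no prefix, name too long
		strings.Repeat("p", 253) + "/" + strings.Repeat("n", 63), // both segments at their limits (317)
		strings.Repeat("p", 254) + "/" + strings.Repeat("n", 62), // still 317 total, prefix one over
	}
}

func main() {
	for _, k := range schemaGaps(sampleKeys()) {
		fmt.Printf("admitted by maxLength alone (%d chars): %v\n", len(k), segmentViolations(k))
	}
}
```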
| // diskLayout specifies an ordered list of partitions, where each item defines the | ||
| // percentage of disk space and optional partition type for that partition. | ||
| // The sum of all partition percentages must not be greater than 100. | ||
| // +optional | ||
| // +kubebuilder:validation:MinItems=1 | ||
| // +kubebuilder:validation:MaxItems=100 | ||
| DiskLayout []PartitionSpec `json:"diskLayout,omitempty"` | ||
| } |
Enforce diskLayout total percentage limit in v1beta1 validation.
Partition.DiskLayout documents that total percentage must be <= 100, but KubeadmConfigSpec.Validate does not currently check this in v1beta1. Invalid specs can pass admission and fail later at bootstrap time.
🔧 Proposed fix
func (c *KubeadmConfigSpec) Validate(pathPrefix *field.Path) field.ErrorList {
var allErrs field.ErrorList
allErrs = append(allErrs, c.validateFiles(pathPrefix)...)
allErrs = append(allErrs, c.validateUsers(pathPrefix)...)
allErrs = append(allErrs, c.validateIgnition(pathPrefix)...)
+ allErrs = append(allErrs, c.validateDiskSetup(pathPrefix)...)
// Validate JoinConfiguration.
if c.JoinConfiguration != nil {
...
}
return allErrs
}
+
+func (c *KubeadmConfigSpec) validateDiskSetup(pathPrefix *field.Path) field.ErrorList {
+ var allErrs field.ErrorList
+ if c.DiskSetup == nil {
+ return allErrs
+ }
+ for i, partition := range c.DiskSetup.Partitions {
+ var total int32
+ for _, p := range partition.DiskLayout {
+ total += p.Percentage
+ }
+ if total > 100 {
+ allErrs = append(allErrs, field.Invalid(
+ pathPrefix.Child("diskSetup", "partitions").Index(i).Child("diskLayout"),
+ total,
+ "the sum of all partition percentages must not be greater than 100",
+ ))
+ }
+ }
+ return allErrs
+}
Also applies to: 809-826
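Review bot: calling validateDiskSetup unconditionally from Validate tightens admission for objects that are already stored, so if Validate also runs on update, an existing KubeadmConfig whose diskLayout sums above 100 starts failing on its next unrelated edit; state whether that is intended or limit the check to changed diskLayout values. The `total > 100` comparison is the boundary that matters here, so the change should come with table tests for sums of exactly 100 and of 101.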
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go` around lines 800 - 807,
KubeadmConfigSpec.Validate in v1beta1 does not enforce that the sum of
percentages in DiskLayout (slice of PartitionSpec) is <= 100; add validation
inside KubeadmConfigSpec.Validate to iterate over spec.DiskLayout, sum the
PartitionSpec percentage field (e.g., PartitionSpec.Percentage or the actual
field name used) and return a validation error (matching existing API validation
style) when the total > 100; ensure the check runs only when DiskLayout is
present/len>0 and include the same logic for any other similar fields mentioned
(lines 809-826) so invalid configs are rejected at admission time.
| for _, c := range in.Taints { | ||
| out.Spec.Taints = append(out.Spec.Taints, clusterv1.MachineTaint{ | ||
| Key: c.Key, | ||
| Value: c.Value, | ||
| Effect: c.Effect, | ||
| Propagation: clusterv1.MachineTaintPropagation(c.Propagation), | ||
| }) | ||
| } |
Overwrite taints instead of appending during conversion.
These helpers append into the destination slice without resetting it first. If out is reused, stale taints get retained and the converted object can accumulate duplicates. Build the slice from scratch, like the ReadinessGates conversion right above.
Proposed fix
- for _, c := range in.Taints {
- out.Spec.Taints = append(out.Spec.Taints, clusterv1.MachineTaint{
- Key: c.Key,
- Value: c.Value,
- Effect: c.Effect,
- Propagation: clusterv1.MachineTaintPropagation(c.Propagation),
- })
- }
+ if len(in.Taints) > 0 {
+ out.Spec.Taints = make([]clusterv1.MachineTaint, len(in.Taints))
+ for i := range in.Taints {
+ c := in.Taints[i]
+ out.Spec.Taints[i] = clusterv1.MachineTaint{
+ Key: c.Key,
+ Value: c.Value,
+ Effect: c.Effect,
+ Propagation: clusterv1.MachineTaintPropagation(c.Propagation),
+ }
+ }
+ } else {
+ out.Spec.Taints = nil
+ }
Apply the same overwrite pattern to the three reverse/template conversion blocks as well.
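Review bot: the replacement block is meant to be repeated at four sites (here plus 446-453, 464-471 and 482-489), so move the loop into one helper that takes the source taints and returns a freshly built slice, and call it from all four conversions so they cannot drift apart. In the `else` branch, `out.Spec.Taints = nil` also turns an empty but non-nil input into nil; confirm the round-trip conversion tests accept that.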
Also applies to: 446-453, 464-471, 482-489
🤖 Prompt for AI Agents
In `@api/controlplane/kubeadm/v1beta1/conversion.go` around lines 420 - 427, The
conversion currently appends taints into out.Spec.Taints which can retain stale
entries when `out` is reused; change the logic to build the slice from scratch
by resetting `out.Spec.Taints` (e.g., assign a new slice with len 0 or make with
proper length) before iterating over `in.Taints`, then append each
clusterv1.MachineTaint (Key, Value, Effect, Propagation) — follow the same
overwrite pattern used in the `ReadinessGates` conversion above; apply this
exact fix to the three other reverse/template conversion blocks that handle
taints as well (the similar append loops at the other noted locations).
| // value is the taint value corresponding to the taint key. | ||
| // It must be a valid label value of maximum size 63 characters. | ||
| // +optional | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=63 | ||
| // +kubebuilder:validation:Pattern=^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ | ||
| Value string `json:"value,omitempty"` |
🧩 Analysis chain
🌐 Web query:
Kubernetes core/v1 Taint API validation: is an empty string allowed for Taint.value, and does a valid label value permit the empty string?
💡 Result:
In Kubernetes core/v1, Taint.value:

1) Is an empty string allowed for Taint.value? Yes. The API validation only checks Taint.value with label-value validation when taint.Value is non-empty. If taint.Value == "" then the value validation is skipped, so an empty string is accepted by this validation path. [1]

2) Does a valid label value permit the empty string? No. A “valid label value” is a specific non-empty string pattern validated by Kubernetes’ label validation; there is no rule here that says a valid label value includes (or permits) the empty string. The empty string is accepted only because Kubernetes skips label-value validation when the taint value is empty. [1]

Notes/implications:
- When Taint.value is empty, Kubernetes will not enforce the label-value format for it (it passes validation). [1]
- When Taint.value is non-empty, Kubernetes enforces label-value validity via validation.IsValidLabelValue(taint.Value); invalid non-empty values are rejected. [1]
Allow MachineTaint.value: "" to match Kubernetes taint semantics.
MachineTaint is documented as corev1.Taint-compatible, but +kubebuilder:validation:MinLength=1 rejects an explicit empty string. Kubernetes accepts empty taint values by skipping label-value validation when taint.Value == "", so this change makes the CRD stricter without gain.
Proposed fix
// value is the taint value corresponding to the taint key.
// It must be a valid label value of maximum size 63 characters.
// +optional
- // +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=63
// +kubebuilder:validation:Pattern=^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
Value string `json:"value,omitempty"`
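Review bot: dropping the `MinLength=1` marker on the Go field is only half of the change, because the machinedeployments CRD excerpt quoted later in this thread still shows `minLength: 1` under `value`; regenerate the manifests in the same change so the Go type and the served schema agree. The description should also say who is affected: the Pattern already admits the empty string and the field is tagged `omitempty`, so typed Go clients never serialize an empty value and only clients sending raw YAML or JSON see a difference.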
🤖 Prompt for AI Agents
In `@api/core/v1beta1/common_types.go` around lines 376 - 382, The
MachineTaint.Value field currently has a +kubebuilder:validation:MinLength=1
which prohibits empty-string taint values; remove that MinLength tag on the
Value string field in api/core/v1beta1/common_types.go (the Value field on the
MachineTaint struct) so empty "" values are allowed while keeping the existing
MaxLength and Pattern annotations.
| ## :bug: Bug Fixes | ||
| - API: Fix v1beta1 ControlPlane contract to handle .status.initialized correctly (#13188) | ||
| - ClusterClass: Allow adding spec via ClusterClass JSON patches (#13226) | ||
| - Runtime SDK: Improve client cert/key rotation of the RuntimeSDK client (#13217) |
Fix double-space typo in bug-fix entry.
There is an extra space in `client  cert/key`; please change it to `client cert/key`.
🧰 Tools
🪛 LanguageTool
[grammar] ~16-~16: Ensure spelling is correct
Context: ...mprove client cert/key rotation of the RuntimeSDK client (#13217) - Testing: Fix webhook ...
(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
🤖 Prompt for AI Agents
In `@CHANGELOG/v1.12.2.md` at line 16, In the changelog entry replace the
double-space typo in the text "client  cert/key" with a single space so it reads
"client cert/key" (update the exact string in CHANGELOG/v1.12.2.md, locating the
line containing "Runtime SDK: Improve client  cert/key rotation of the
RuntimeSDK client (`#13217`)" and change "client  cert/key" → "client cert/key").
| - Machine/MachineSet/MachineDeployment: Fix UpToDate calculation for rolloutAfter (#13404) | ||
| - MachineSet: Use MachineSet template values in completeMoveMachine for in-place updates (#13059) | ||
| - Misc: Fix bug while setting status for deprecated fields (#13336) | ||
| - Runtime SDK: Improve client cert/key rotation of the RuntimeSDK client (#13213) |
Fix double-space typo in Runtime SDK bullet.
`client  cert/key` has an extra space; use `client cert/key`.
🤖 Prompt for AI Agents
In `@CHANGELOG/v1.13.0-beta.0.md` at line 81, There's a double-space typo in the
changelog bullet "Runtime SDK: Improve client  cert/key rotation of the
RuntimeSDK client (`#13213`)"; update that line (the bullet text) to "Runtime SDK:
Improve client cert/key rotation of the RuntimeSDK client (`#13213`)" by removing
the extra space between "client" and "cert/key".
| - Machine/MachineSet/MachineDeployment: Fix UpToDate calculation for rolloutAfter (#13404) | ||
| - MachineSet: Use MachineSet template values in completeMoveMachine for in-place updates (#13059) | ||
| - Misc: Fix bug while setting status for deprecated fields (#13336) | ||
| - Runtime SDK: Improve client cert/key rotation of the RuntimeSDK client (#13213) |
Fix double-space typo in Runtime SDK bullet.
`client  cert/key` should be `client cert/key`.
🤖 Prompt for AI Agents
In `@CHANGELOG/v1.13.0-beta.1.md` at line 148, Update the Runtime SDK bullet in
the changelog to fix the double-space typo: replace "client  cert/key" with
"client cert/key" in the Runtime SDK line ("Runtime SDK: Improve client
 cert/key rotation of the RuntimeSDK client (`#13213`)") so the entry reads
"Runtime SDK: Improve client cert/key rotation of the RuntimeSDK client
(`#13213`)".
| taints: | ||
| description: |- | ||
| taints are the node taints that Cluster API will manage. | ||
| This list is not necessarily complete: other Kubernetes components may add or remove other taints from nodes, | ||
| e.g. the node controller might add the node.kubernetes.io/not-ready taint. | ||
| Only those taints defined in this list will be added or removed by core Cluster API controllers. | ||
|
|
||
| There can be at most 64 taints. | ||
| A pod would have to tolerate all existing taints to run on the corresponding node. | ||
|
|
||
| NOTE: This list is implemented as a "map" type, meaning that individual elements can be managed by different owners. | ||
| items: | ||
| description: MachineTaint defines a taint equivalent to | ||
| corev1.Taint, but additionally having a propagation field. | ||
| properties: | ||
| effect: | ||
| description: effect is the effect for the taint. Valid | ||
| values are NoSchedule, PreferNoSchedule and NoExecute. | ||
| enum: | ||
| - NoSchedule | ||
| - PreferNoSchedule | ||
| - NoExecute | ||
| type: string | ||
| key: | ||
| description: |- | ||
| key is the taint key to be applied to a node. | ||
| Must be a valid qualified name of maximum size 63 characters | ||
| with an optional subdomain prefix of maximum size 253 characters, | ||
| separated by a `/`. | ||
| maxLength: 317 | ||
| minLength: 1 | ||
| pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/)?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$ | ||
| type: string | ||
| propagation: | ||
| description: |- | ||
| propagation defines how this taint should be propagated to nodes. | ||
| Valid values are 'Always' and 'OnInitialization'. | ||
| Always: The taint will be continuously reconciled. If it is not set for a node, it will be added during reconciliation. | ||
| OnInitialization: The taint will be added during node initialization. If it gets removed from the node later on it will not get added again. | ||
| enum: | ||
| - Always | ||
| - OnInitialization | ||
| type: string | ||
| value: | ||
| description: |- | ||
| value is the taint value corresponding to the taint key. | ||
| It must be a valid label value of maximum size 63 characters. | ||
| maxLength: 63 | ||
| minLength: 1 | ||
| pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ | ||
| type: string | ||
| required: | ||
| - effect | ||
| - key | ||
| - propagation | ||
| type: object | ||
| maxItems: 64 | ||
| minItems: 1 | ||
| type: array | ||
| x-kubernetes-list-map-keys: | ||
| - key | ||
| - effect | ||
| x-kubernetes-list-type: map |
Restore per-segment taint key validation.
maxLength: 317 plus the regex only cap the overall string length, so keys like prefix/<70-char-name> now pass CRD admission even though the segment after / must stay within 63 characters. That weakens the CRD contract and defers the failure until taints are reconciled onto Nodes. Please restore the split-length x-kubernetes-validations check in the shared taint schema so this CRD and the MachinePool copy stay aligned.
🤖 Prompt for AI Agents
In `@config/crd/bases/cluster.x-k8s.io_machinedeployments.yaml` around lines 551 -
613, The key property on MachineTaint currently only enforces overall length
(maxLength: 317) which allows a long name segment after '/'—restore the
per-segment validation by adding an x-kubernetes-validations rule on
properties.key (the MachineTaint schema) that enforces the segment after an
optional prefix slash is max 63 characters (and the optional prefix remains
within its 253 limit), i.e. add a validation regex/rule that checks "(optional
prefix/)?nameSegment" and requires nameSegment length <=63; apply the same
x-kubernetes-validations to the corresponding MachinePool/shared taint schema so
both CRDs stay aligned.
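The gap described in the comment above, as an added Go example that is not part of the pull request or of Cluster API. `keyPattern` and the 317 limit are copied from the schema quoted above; `segmentErrors`, `schemaGap` and the sample keys are hypothetical names and constructed inputs, and the example also covers the 253-character prefix limit from the field description.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Copied from the MachineTaint key schema quoted above.
// 317 = 253 (prefix) + 1 ("/") + 63 (name).
const keyMaxLength = 317

var keyPattern = regexp.MustCompile(`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/)?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`)

// passesSchema applies only what the CRD schema enforces for key:
// minLength, maxLength and pattern, all on the whole string.
func passesSchema(key string) bool {
	return len(key) >= 1 && len(key) <= keyMaxLength && keyPattern.MatchString(key)
}

// segmentErrors is a hypothetical helper that applies the per-segment limits
// from the field description: optional prefix <= 253, name <= 63 characters.
func segmentErrors(key string) []string {
	prefix, name, found := strings.Cut(key, "/")
	if !found {
		prefix, name = "", key
	}
	var errs []string
	if len(prefix) > 253 {
		errs = append(errs, fmt.Sprintf("prefix is %d characters, limit is 253", len(prefix)))
	}
	if len(name) > 63 {
		errs = append(errs, fmt.Sprintf("name is %d characters, limit is 63", len(name)))
	}
	return errs
}

// schemaGap returns the keys the schema admits but the per-segment limits reject.
func schemaGap(keys []string) []string {
	var gap []string
	for _, k := range keys {
		if passesSchema(k) && len(segmentErrors(k)) > 0 {
			gap = append(gap, k)
		}
	}
	return gap
}

// sampleKeys are constructed inputs, not taken from any cluster.
var sampleKeys = []string{
	"node-role.kubernetes.io/control-plane",  // valid under both checks
	"example.com/" + strings.Repeat("a", 70), // name segment too long
	strings.Repeat("b", 64),                  // no prefix, name too long
	strings.Repeat("c", 260) + "/x",          // prefix too long
}

func main() {
	for _, k := range schemaGap(sampleKeys) {
		fmt.Printf("admitted by schema, rejected per segment (%d chars): %v\n", len(k), segmentErrors(k))
	}
}
```

Three of the four constructed keys pass the schema-level checks and fail only once the string is split at `/`, which is the case the comment asks the CRD to reject at admission.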
| // ClusterFilter is a function that can be used to filter which clusters should be handled | ||
| // by the ClusterCache. If nil, all clusters will be handled. If set, only clusters for which | ||
| // the filter returns true will be handled. | ||
| ClusterFilter ClusterFilter | ||
|
|
Wire Options.ClusterFilter into clusterCache initialization.
Options.ClusterFilter is introduced on Line 63, but SetupWithManager does not assign it when constructing clusterCache, so cc.clusterFilter remains nil and the filter branch in Reconcile never activates.
🔧 Proposed fix
cc := &clusterCache{
client: mgr.GetClient(),
clusterAccessorConfig: buildClusterAccessorConfig(mgr.GetScheme(), options, controllerPodMetadata),
clusterAccessors: make(map[client.ObjectKey]*clusterAccessor),
cacheCtx: cacheCtx,
cacheCtxCancel: cacheCtxCancel,
+ clusterFilter: options.ClusterFilter,
}
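Review bot: the added `clusterFilter: options.ClusterFilter,` line comes without a test, and the bug it fixes fails open: with the field left nil every cluster is handled, including ones the operator meant to exclude. Add a case where the filter returns false and assert that Reconcile skips the cluster, plus a nil-filter case that pins the documented "If nil, all clusters will be handled" default.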
🤖 Prompt for AI Agents
In `@controllers/clustercache/cluster_cache.go` around lines 63 - 67, The cluster
filter Option (Options.ClusterFilter) is never wired into the clusterCache,
leaving cc.clusterFilter nil so the filter branch in Reconcile never runs;
update the SetupWithManager code that constructs clusterCache to pass
Options.ClusterFilter into the clusterCache initialization (set cc.clusterFilter
= opts.ClusterFilter or provide it as a constructor parameter) so
clusterCache.clusterFilter is populated and Reconcile can evaluate the filter.
Summary by CodeRabbit
New Features
Improvements
Removals
--disable-grouping flag from describe command.