Bug
Resolution: Unresolved
Quality / Stability / Reliability
Workloads - Train 37 - 2
Description of problem:
The MulticlusterRoleAssignment resource allows invalid characters for k8s object names. These fields all translate to k8s object names:
- spec.roleAssignments[*].clusterRole
- spec.roleAssignments[*].clusterSelection.placements[*].name
- spec.roleAssignments[*].targetNamespaces
All of these translate to k8s object names, which means that they should follow those naming restrictions. We should block invalid names at the CRD level to provide quick feedback.
Version-Release number of selected component (if applicable): 2.16
How reproducible: always
Steps to Reproduce:
1. Create CRD like this:
    apiVersion: rbac.open-cluster-management.io/v1beta1
    kind: MulticlusterRoleAssignment
    metadata:
      name: test
      namespace: open-cluster-management-global-set
    spec:
      roleAssignments:
      - clusterRole: acm-vm-cluster-migration:view
        clusterSelection:
          placements:
          - name: clusters-sno-1-c96x2
            namespace: open-cluster-management-global-set
          type: placements
        name: 28535ba0eda
        targetNamespaces:
        - defaultAA
      subject:
        kind: User
        name: mattshort
2. The invalid namespace name defaultAA is allowed, and the error reported does not point towards the specific issue:
    status:
      appliedClusters:
      - sno-1-c96x2
      conditions:
      - lastTransitionTime: "2026-03-05T01:46:21Z"
        message: 1 out of 1 ClusterPermission(s) applied successfully
        observedGeneration: 1
        reason: Applied
        status: "True"
        type: Applied
      - lastTransitionTime: "2026-03-05T01:46:21Z"
        message: 1 out of 1 role assignment(s) pending
        observedGeneration: 1
        reason: AssignmentsPending
        status: "False"
        type: Ready
      roleAssignments:
      - createdAt: "2026-03-05T01:46:21Z"
        message: 'Pending on 1 cluster(s): sno-1-c96x2 is unavailable'
        name: 28535ba0eda
        reason: Processing
        status: Pending
Actual results:
Invalid spec fields are allowed, and the error does not point to the actual issue (invalid namespace name).
Expected results:
Invalid characters should get blocked at the CRD level.
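
A sketch of the per-field name checks this report asks for, with each rejection carrying the field path so the message points at the offending value. This is an added example, not code from the project: the RoleAssignment type and ValidateNames function are hypothetical, and it assumes the standard Kubernetes rules (DNS-1123 label for namespaces, DNS-1123 subdomain for placement names, path-segment rule for ClusterRole names, which permits the colon used in the report).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Kubernetes naming rules, written out with the standard library only.
var (
	dns1123Label     = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
)

// RoleAssignment is a hypothetical, trimmed-down mirror of one spec.roleAssignments entry.
type RoleAssignment struct {
	ClusterRole      string
	PlacementNames   []string
	TargetNamespaces []string
}

// ValidateNames returns one message per invalid value, each prefixed with its field path.
func ValidateNames(ras []RoleAssignment) []string {
	var errs []string
	for i, ra := range ras {
		base := fmt.Sprintf("spec.roleAssignments[%d]", i)
		// ClusterRole names are path-segment names: colons are fine, "/" and "%" are not.
		if r := ra.ClusterRole; r == "" || r == "." || r == ".." || strings.ContainsAny(r, "/%") {
			errs = append(errs, fmt.Sprintf("%s.clusterRole: %q is not a valid ClusterRole name", base, r))
		}
		for j, p := range ra.PlacementNames {
			if len(p) > 253 || !dns1123Subdomain.MatchString(p) {
				errs = append(errs, fmt.Sprintf("%s.clusterSelection.placements[%d].name: %q is not a DNS-1123 subdomain", base, j, p))
			}
		}
		for j, ns := range ra.TargetNamespaces {
			if len(ns) > 63 || !dns1123Label.MatchString(ns) {
				errs = append(errs, fmt.Sprintf("%s.targetNamespaces[%d]: %q is not a DNS-1123 label", base, j, ns))
			}
		}
	}
	return errs
}

func main() {
	// Input constructed from the manifest in the report above.
	for _, e := range ValidateNames([]RoleAssignment{{
		ClusterRole: "acm-vm-cluster-migration:view", PlacementNames: []string{"clusters-sno-1-c96x2"},
		TargetNamespaces: []string{"defaultAA"}}}) {
		fmt.Println(e)
	}
}
```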