- Bug
- Resolution: Unresolved
- Normal
- None
- premerge, 4.16.0
- Quality / Stability / Reliability
- False
- 1
- Moderate
Description of problem:
When we enable ValidatingAdmissionPolicy and ManagedBootImages featuregates via CustomNoUpgrade in the cluster FeatureGate resource, the created ValidatingAdmissionPolicy fails, reporting this error:
apiVersion: v1
items:
- apiVersion: admissionregistration.k8s.io/v1beta1
  kind: ValidatingAdmissionPolicy
  metadata:
    creationTimestamp: "2024-04-16T08:51:09Z"
    generation: 1
    name: managed-bootimages-platform-check
    resourceVersion: "84813"
    uid: 081d1234-757b-4ec5-9cc4-6a7075c6b399
  spec:
    failurePolicy: Fail
    matchConstraints:
      matchPolicy: Equivalent
      namespaceSelector: {}
      objectSelector: {}
      resourceRules:
      - apiGroups:
        - operator.openshift.io
        apiVersions:
        - v1
        operations:
        - CREATE
        - UPDATE
        resources:
        - machineconfigurations
        scope: '*'
    paramKind:
      apiVersion: config.openshift.io/v1
      kind: Infrastructure
    validations:
    - expression: '!has(object.spec.managedBootImages) || (has(object.spec.managedBootImages)
        && params.status.platformStatus.type in [''GCP''])'
      message: 'This feature is only supported on these platforms: GCP'
  status:
    observedGeneration: 1
    typeChecking:
      expressionWarnings:
      - fieldRef: spec.validations[0].expression
        warning: |
          operator.openshift.io/v1, Kind=MachineConfiguration: ERROR: <input>:1:5: undefined field 'managedBootImages'
           | !has(object.spec.managedBootImages) || (has(object.spec.managedBootImages) && params.status.platformStatus.type in ['GCP'])
           | ....^
          ERROR: <input>:1:44: undefined field 'managedBootImages'
           | !has(object.spec.managedBootImages) || (has(object.spec.managedBootImages) && params.status.platformStatus.type in ['GCP'])
           | ...........................................^
kind: List
metadata:
  resourceVersion: ""
Version-Release number of selected component (if applicable):
pre-merge: https://github.com/openshift/machine-config-operator/pull/4285
How reproducible:
Always
Steps to Reproduce:
1. Enable ValidatingAdmissionPolicy and ManagedBootImages featuregates via CustomNoUpgrade
apiVersion: config.openshift.io/v1
kind: FeatureGate
metadata:
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
  creationTimestamp: "2024-04-16T06:38:07Z"
  generation: 3
  name: cluster
  resourceVersion: "72432"
  uid: af8fb180-60e6-493c-a533-a775b42761ba
spec:
  customNoUpgrade:
    disabled:
    - AlertingRules
    - AutomatedEtcdBackup
    - CSIDriverSharedResource
    - ClusterAPIInstall
    - DNSNameResolver
    - DynamicResourceAllocation
    - EventedPLEG
    - Example
    - ExternalOIDC
    - ExternalRouteCertificate
    - GCPClusterHostedDNS
    - GCPLabelsTags
    - GatewayAPI
    - HardwareSpeed
    - ImagePolicy
    - InsightsConfig
    - InsightsConfigAPI
    - InsightsOnDemandDataGather
    - InstallAlternateInfrastructureAWS
    - MachineAPIOperatorDisableMachineHealthCheckController
    - MachineAPIProviderOpenStack
    - MachineConfigNodes
    - MaxUnavailableStatefulSet
    - MetricsCollectionProfiles
    - MetricsServer
    - MixedCPUsAllocation
    - NetworkDiagnosticsConfig
    - NewOLM
    - NodeDisruptionPolicy
    - NodeSwap
    - OnClusterBuild
    - PinnedImages
    - PlatformOperators
    - RouteExternalCertificate
    - ServiceAccountTokenNodeBinding
    - ServiceAccountTokenNodeBindingValidation
    - ServiceAccountTokenPodNodeInfo
    - SignatureStores
    - SigstoreImageVerification
    - TranslateStreamCloseWebsocketRequests
    - UpgradeStatus
    - VSphereDriverConfiguration
    - VolumeGroupSnapshot
    enabled:
    - ManagedBootImages
    - AdminNetworkPolicy
    - AlibabaPlatform
    - AzureWorkloadIdentity
    - BareMetalLoadBalancer
    - BuildCSIVolumes
    - CloudDualStackNodeIPs
    - DisableKubeletCloudCredentialProviders
    - ExternalCloudProvider
    - ExternalCloudProviderAzure
    - ExternalCloudProviderExternal
    - ExternalCloudProviderGCP
    - KMSv1
    - NetworkLiveMigration
    - OpenShiftPodSecurityAdmission
    - PrivateHostedZoneAWS
    - VSphereControlPlaneMachineSet
    - VSphereStaticIPs
    - ValidatingAdmissionPolicy
  featureSet: CustomNoUpgrade
Actual results:
The created ValidatingAdmissionPolicy reports this error:
status:
  observedGeneration: 1
  typeChecking:
    expressionWarnings:
    - fieldRef: spec.validations[0].expression
      warning: |
        operator.openshift.io/v1, Kind=MachineConfiguration: ERROR: <input>:1:5: undefined field 'managedBootImages'
         | !has(object.spec.managedBootImages) || (has(object.spec.managedBootImages) && params.status.platformStatus.type in ['GCP'])
         | ....^
        ERROR: <input>:1:44: undefined field 'managedBootImages'
         | !has(object.spec.managedBootImages) || (has(object.spec.managedBootImages) && params.status.platformStatus.type in ['GCP'])
         | ...........................................^
Expected results:
No error should happen
Additional info:
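One way to check a cluster for the condition reported above, as an added example (not part of the original report or of the machine-config-operator code): it takes a ValidatingAdmissionPolicy list in the JSON shape returned by `oc get validatingadmissionpolicy -o json` and reports every validation expression that carries type-checking warnings, together with the policy's failurePolicy. The sample input is constructed from the policy in this report; `example-clean-policy` is a hypothetical name.

```python
import json
import re

UNDEFINED_FIELD = re.compile(r"undefined field '([^']+)'")
FIELD_REF = re.compile(r"spec\.validations\[(\d+)\]\.expression")

def audit_policies(policy_list):
    """Return one finding per validation expression with type-checking warnings."""
    findings = []
    for item in policy_list.get("items", []):
        spec = item.get("spec") or {}
        validations = spec.get("validations") or []
        type_checking = (item.get("status") or {}).get("typeChecking") or {}
        for w in type_checking.get("expressionWarnings") or []:
            m = FIELD_REF.fullmatch(w.get("fieldRef", ""))
            idx = int(m.group(1)) if m else -1
            expr = validations[idx].get("expression") if 0 <= idx < len(validations) else None
            findings.append({
                "policy": item["metadata"]["name"],
                # The API defaults failurePolicy to Fail when it is unset.
                "failurePolicy": spec.get("failurePolicy", "Fail"),
                "fieldRef": w.get("fieldRef"),
                "expression": expr,
                "undefined_fields": sorted(set(UNDEFINED_FIELD.findall(w.get("warning", "")))),
            })
    return findings

EXPR = ("!has(object.spec.managedBootImages) || (has(object.spec.managedBootImages)"
        " && params.status.platformStatus.type in ['GCP'])")
# Constructed sample input: the policy from this report, trimmed, plus a
# hypothetical policy ("example-clean-policy") that type-checks cleanly.
SAMPLE = {
    "items": [
        {"metadata": {"name": "managed-bootimages-platform-check"},
         "spec": {"failurePolicy": "Fail", "validations": [{"expression": EXPR}]},
         "status": {"typeChecking": {"expressionWarnings": [{
             "fieldRef": "spec.validations[0].expression",
             "warning": "operator.openshift.io/v1, Kind=MachineConfiguration: "
                        "ERROR: <input>:1:5: undefined field 'managedBootImages'\n"
                        "ERROR: <input>:1:44: undefined field 'managedBootImages'\n"}]}}},
        {"metadata": {"name": "example-clean-policy"},
         "spec": {"validations": [{"expression": "true"}]},
         "status": {"typeChecking": {}}},
    ]
}

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE):
        print(json.dumps(finding, indent=2))
```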