Uploaded image for project: 'Operator Ecosystem'
  1. Operator Ecosystem
  2. OPECO-2567

bundle validate logic for checking k8s 1.25 removed APIs in bundle

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • None
    • None
    • None
    • OSDK Sprint 226

      Goal

      Operator authors/pipelines can run bundle validate command to check Operator's CSV includes any k8s APIs removed in 1.25.

      Why is this important?

      k8s 1.25 will stop serving several deprecated API versions. There's a need from the pipeline side to run "k8s 1.25/OCP 4.12 API deprecation test" to provide some feedback to the Operator authors if identified their Operator version/bundle still includes any of those removed APIs.

      Problems

      However, all of these APIs cannot be directly installed by the OLM in the bundle. This means this cannot be identified simply by checking if the bundle manifests included any of these API's YAML manifests.

      1. One potential approach is to check the RBAC permissions of the Operator in the bundle. However, the `rules` of the permission do not include API version
      --> can only tell the Operator does use these k8s APIs
      --> cannot tell the exact API version from the permission

      e.g. Couchbase Community Operator (v2.3.0): "cronjob" is listed in the permission resources
      --> but cannot tell the exact API version.

      2. Another way to check if an Operator is still using the deprecated APIs is to check:

      • {{"spec.customresourcedefinitions.owned[].resources[].kind" }}and
      • "spec.customresourcedefinitions.owned[].resources[].version"

      these two self-proclaimed fields by the Operator authors in the CSV YAML.

      to see if any of the "kind/version" are the secondary resources of the provided custom resources.

      e.g.

      1. Couchbase Community Operator (v2.3.0): CrobJob in "batch/v1beta1"
      2. Couchbase Certified Operator (v2.3.2-1): CrobJob in "batch/v1beta1"

      Proposed check:

      k8s 1.25 removed APIs validate command checks the CSV in the bundle and will:

      • raise "WARNING" if identified removed APIs as the "resources" listed in the "permissions/clusterPermissions" stanza
        • include the k8s 1.25 removed API upstream URL in the messages.
      • raise "ERROR" if identified removed APIs as the "kind/version" listed in the "spec.customresourcedefinitions.owned[].resources" stanza

      Acceptance Criteria

      • Operator authors/pipelines can use Operator SDK to validate Operator bundle(s) statically to:
        • get warning/error message if their Operator bundle may include removed APIs in k8s 1.25
        • see the k8s doc for 1.25 removed APIs.
      • Community pipeline team enable this validation checks for bundles.
      • Red Hat pipeline team to enable this validation checks for bundles.

            rh-ee-bpalmer Bryce Palmer
            rhn-coreos-tunwu Tony Wu
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: