CAPI MachineSet VAP

theobarberbany · theobarberbany · commit aa3e93b00476 · 2026-01-09T15:06:04.000Z
diff --git a/manifests/0000_30_cluster-api_09_admission-policies.yaml b/manifests/0000_30_cluster-api_09_admission-policies.yaml
@@ -277,7 +277,7 @@ data:
               variables.newLabels[?k].orValue(null) == variables.oldLabels[?k].orValue(null) ||
               variables.newLabels[?k].orValue(null) == variables.paramLabels[k]
             )
-          message: "Cannot modify a Cluster API controlled label except to match the Cluster API mirrored machine. This is because status.authoritativeAPI is set to Cluster API."
+          message: "Cannot modify a Cluster API controlled label except to match the Cluster API mirrored MachineSet. This is because status.authoritativeAPI is set to Cluster API."
     ---
     apiVersion: admissionregistration.k8s.io/v1
     kind: ValidatingAdmissionPolicyBinding
@@ -391,6 +391,113 @@ data:
           message: "Setting the 'machine-template-hash' label is forbidden.'"
     ---
     apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: cluster-api-machine-set-vap
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-cluster-api
+      paramRef:
+        namespace: openshift-machine-api
+        # We 'Allow' here as we don't want to block CAPI Machine functionality
+        # when no MAPI machine (param) exists. This might happen when a user
+        # wants to not use MAPI, or is migrating.
+        parameterNotFoundAction: Allow
+        selector: {}
+      policyName: cluster-api-machine-set-vap
+      validationActions: [Deny]
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: cluster-api-machine-set-vap
+    spec:
+      failurePolicy: Fail
+    
+      paramKind:
+        apiVersion: machine.openshift.io/v1beta1
+        kind: MachineSet
+    
+      matchConstraints:
+        resourceRules:
+        - apiGroups:   ["cluster.x-k8s.io"]
+          apiVersions: ["v1beta2"]
+          operations:  ["UPDATE"]
+          resources:   ["machinesets"]
+    
+      # Requests must satisfy every matchCondition to reach the validations
+      matchConditions:
+        - name: check-only-non-service-account-requests
+          expression: >-
+            !(request.userInfo.username in [
+                "system:serviceaccount:openshift-machine-api:machine-api-controllers",
+                "system:serviceaccount:openshift-cluster-api:cluster-capi-operator"
+            ])
+        - name: check-param-match
+          expression: 'object.metadata.name == params.metadata.name'
+        - name: check-authoritativeAPI-machineapi
+          expression: "params.?status.?authoritativeAPI.orValue(\"\") == \"MachineAPI\""
+      variables:
+        # label maps
+        - name: newLabels
+          expression: "object.metadata.?labels.orValue({})"
+        - name: oldLabels
+          expression: "oldObject.metadata.?labels.orValue({})"
+        - name: paramLabels
+          expression: "params.metadata.?labels.orValue({})"
+    
+        # annotation maps
+        - name: newAnn
+          expression: "object.metadata.?annotations.orValue({})"
+        - name: oldAnn
+          expression: "oldObject.metadata.?annotations.orValue({})"
+    
+      # All validations must evaluate to TRUE
+      validations:
+        # Only spec.authoritativeAPI may change
+        - expression: "object.spec == oldObject.spec"
+          message:  "Changing .spec is not allowed. This is because status.authoritativeAPI is set to Machine API."
+    
+        # Guard machine.openshift.io/* and kubernetes.io/*  and cluster.x-k8s.io/* labels
+        - expression: >
+            !(
+              variables.newLabels.exists(k,
+                  (k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io') || k.contains('cluster.x-k8s.io/')) &&
+                  (variables.oldLabels[?k].orValue(null) != variables.newLabels[k])
+              ) ||
+              variables.oldLabels.exists(k,
+                  (k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io') || k.contains('cluster.x-k8s.io/')) &&
+                  !(k in variables.newLabels)
+              )
+            )
+          message: "Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label. This is because status.authoritativeAPI is set to Machine API."
+    
+        # Guard machine.openshift.io/* and cluster.x-k8s.io/* and clusters.x-k8s.io/* annotations
+        - expression: >
+            !(
+              variables.newAnn.exists(k,
+                  (k.startsWith('machine.openshift.io') || k.contains('cluster.x-k8s.io') || k.contains('clusters.x-k8s.io')) &&
+                  (variables.oldAnn[?k].orValue(null) != variables.newAnn[k])
+              ) ||
+              variables.oldAnn.exists(k,
+                  (k.startsWith('machine.openshift.io') || k.contains('cluster.x-k8s.io') || k.contains('clusters.x-k8s.io')) &&
+                  !(k in variables.newAnn)
+              )
+            )
+          message: "Cannot add, modify or delete any machine.openshift.io/* or cluster.x-k8s.io or clusters.x-k8s.io annotation. This is because status.authoritativeAPI is set to Machine API."
+    
+        # Param-controlled labels (labels on the MAPI machine) may change only to match the value on the MAPI Machine
+        - expression: >
+            variables.paramLabels.all(
+              k,
+              variables.newLabels[?k].orValue(null) == variables.oldLabels[?k].orValue(null) ||
+              variables.newLabels[?k].orValue(null) == variables.paramLabels[k]
+            )
+          message: "Cannot modify a Machine API controlled label except to match the Machine API mirrored MachineSet. This is because status.authoritativeAPI is set to Machine API."
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
     kind: ValidatingAdmissionPolicy
     metadata:
       name: openshift-cluster-api-prevent-setting-of-capi-fields-unsupported-by-mapi
diff --git a/pkg/controllers/machinesetsync/machineset_vap_test.go b/pkg/controllers/machinesetsync/machineset_vap_test.go
@@ -418,7 +418,7 @@ var _ = Describe("MachineSet VAP Tests", func() {
 
 			Eventually(k.Get(capiSentinelMachineSet)).Should(Succeed())
 
-			admissiontestutils.VerifySentinelValidation(k, sentinelMachineSet, 2*timeout)
+			admissiontestutils.VerifySentinelValidation(k, sentinelMachineSet, timeout)
 
 			By("Creating a shared machineset pair to be used across the tests")
 			mapiMachineSetBuilder = machinev1resourcebuilder.MachineSet().
@@ -586,7 +586,7 @@ var _ = Describe("MachineSet VAP Tests", func() {
 				It("rejects changing a label to differ from the param machine", func() {
 					Eventually(k.Update(mapiMachineSet, func() {
 						mapiMachineSet.Labels["capi-param-controlled-label"] = "foo"
-					}), timeout).Should(MatchError(ContainSubstring("Cannot modify a Cluster API controlled label except to match the Cluster API mirrored machine")))
+					}), timeout).Should(MatchError(ContainSubstring("Cannot modify a Cluster API controlled label except to match the Cluster API mirrored MachineSet")))
 				})
 			})
 
@@ -746,4 +746,239 @@ var _ = Describe("MachineSet VAP Tests", func() {
 			})
 		})
 	})
+
+	Context("Prevent changes to non-authoritative CAPI MachineSets except from sync controller", func() {
+		var mapiMachineSetBuilder machinev1resourcebuilder.MachineSetBuilder
+		var mapiMachineSet *mapiv1beta1.MachineSet
+
+		const (
+			vapName        string = "cluster-api-machine-set-vap"
+			testLabelValue string = "test-value"
+		)
+
+		BeforeEach(func() {
+			By("Waiting for VAP to be ready")
+			machineSetVap = &admissionregistrationv1.ValidatingAdmissionPolicy{}
+			Eventually(k8sClient.Get(ctx, client.ObjectKey{Name: vapName}, machineSetVap), timeout).Should(Succeed())
+
+			Eventually(k.Update(machineSetVap, func() {
+				admissiontestutils.AddSentinelValidation(machineSetVap)
+			})).Should(Succeed())
+
+			Eventually(k.Object(machineSetVap), timeout).Should(
+				HaveField("Status.ObservedGeneration", BeNumerically(">=", 2)),
+			)
+
+			By("Updating the VAP binding")
+			policyBinding = &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}
+			Eventually(k8sClient.Get(ctx, client.ObjectKey{
+				Name: vapName}, policyBinding), timeout).Should(Succeed())
+
+			Eventually(k.Update(policyBinding, func() {
+				// paramNamespace=mapiNamespace (MAPI resources are params)
+				// targetNamespace=capiNamespace (CAPI resources are validated)
+				admissiontestutils.UpdateVAPBindingNamespaces(policyBinding, mapiNamespace.GetName(), capiNamespace.GetName())
+			}), timeout).Should(Succeed())
+
+			// Wait until the binding shows the patched values
+			Eventually(k.Object(policyBinding), timeout).Should(
+				SatisfyAll(
+					HaveField("Spec.MatchResources.NamespaceSelector.MatchLabels",
+						HaveKeyWithValue("kubernetes.io/metadata.name",
+							capiNamespace.GetName())),
+				),
+			)
+
+			By("Creating throwaway MachineSet pair for sentinel validation")
+			sentinelMachineSet := machinev1resourcebuilder.MachineSet().
+				WithNamespace(mapiNamespace.Name).
+				WithName("sentinel-machineset").
+				WithAuthoritativeAPI(mapiv1beta1.MachineAuthorityMachineAPI).
+				Build()
+			Eventually(k8sClient.Create(ctx, sentinelMachineSet), timeout).Should(Succeed())
+
+			Eventually(k.UpdateStatus(sentinelMachineSet, func() {
+				sentinelMachineSet.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityMachineAPI
+			})).Should(Succeed())
+
+			Eventually(k.Object(sentinelMachineSet), timeout).Should(
+				HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMachineAPI)))
+
+			capiSentinelMachineSet := clusterv1resourcebuilder.MachineSet().
+				WithName("sentinel-machineset").
+				WithNamespace(capiNamespace.Name).
+				WithTemplate(clusterv1.MachineTemplateSpec{
+					Spec: clusterv1.MachineSpec{
+						ProviderID: "force-having-a-spec",
+					},
+				}).
+				Build()
+			Eventually(k8sClient.Create(ctx, capiSentinelMachineSet)).Should(Succeed())
+
+			Eventually(k.Get(capiSentinelMachineSet)).Should(Succeed())
+
+			admissiontestutils.VerifySentinelValidation(k, capiSentinelMachineSet, timeout)
+
+			By("Creating a shared machineset pair to be used across the tests")
+			mapiMachineSetBuilder = machinev1resourcebuilder.MachineSet().
+				WithNamespace(mapiNamespace.Name).
+				WithName(capiMachineSet.Name).
+				WithProviderSpecBuilder(machinev1resourcebuilder.AWSProviderSpec().WithLoadBalancers(nil)).
+				WithLabels(map[string]string{
+					"machine.openshift.io/cluster-api-cluster": "ci-op-gs2k97d6-c9e33-2smph",
+					"mapi-param-controlled-label":              "param-controlled-key",
+				}).WithAnnotations(map[string]string{
+				"capacity.cluster-autoscaler.kubernetes.io/labels": "kubernetes.io/arch=amd64",
+				"machine.openshift.io/GPU":                         "0",
+				"machine.openshift.io/memoryMb":                    "16384",
+				"machine.openshift.io/vCPU":                        "4",
+			})
+			mapiMachineSet = mapiMachineSetBuilder.Build()
+			Eventually(k8sClient.Create(ctx, mapiMachineSet), timeout).Should(Succeed())
+
+			capiMachineSet = capiMachineSetBuilder.WithLabels(map[string]string{
+				"machine.openshift.io/cluster-api-cluster": "ci-op-gs2k97d6-c9e33-2smph",
+				"cluster.x-k8s.io/cluster-name":            "ci-op-gs2k97d6-c9e33-2smph",
+
+				"capi-param-controlled-label": "param-controlled-key",
+			}).WithAnnotations(map[string]string{
+				"capacity.cluster-autoscaler.kubernetes.io/labels": "kubernetes.io/arch=amd64",
+				"machine.openshift.io/GPU":                         "0",
+				"machine.openshift.io/memoryMb":                    "16384",
+				"machine.openshift.io/vCPU":                        "4",
+			}).Build()
+
+			Eventually(k8sClient.Create(ctx, capiMachineSet), timeout).Should(Succeed())
+
+		})
+		Context("with status.authoritativeAPI: Machine API (on MAPI MachineSet)", func() {
+			BeforeEach(func() {
+				By("Setting the MAPI MachineSet AuthoritativeAPI to Machine API")
+				Eventually(k.UpdateStatus(mapiMachineSet, func() {
+					mapiMachineSet.Status.AuthoritativeAPI = mapiv1beta1.MachineAuthorityMachineAPI
+				})).Should(Succeed())
+
+				Eventually(k.Object(mapiMachineSet), timeout).Should(
+					HaveField("Status.AuthoritativeAPI", Equal(mapiv1beta1.MachineAuthorityMachineAPI)))
+			})
+
+			It("updating the spec should be prevented", func() {
+				Eventually(k.Update(capiMachineSet, func() {
+					replicas := int32(5)
+					capiMachineSet.Spec.Replicas = &replicas
+				}), timeout).Should(MatchError(ContainSubstring("Changing .spec is not allowed")))
+			})
+
+			It("updating the spec.AuthoritativeAPI (on the MAPI MachineSet) should be allowed", func() {
+				Eventually(k.Update(mapiMachineSet, func() {
+					mapiMachineSet.Spec.AuthoritativeAPI = mapiv1beta1.MachineAuthorityClusterAPI
+				}), timeout).Should(Succeed())
+			})
+
+			Context("when trying to update metadata.labels", func() {
+				It("rejects modification of the protected machine.openshift.io label", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Labels["machine.openshift.io/cluster-api-cluster"] = "different-cluster"
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label")))
+				})
+
+				It("rejects deletion of the protected machine.openshift.io label", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						delete(capiMachineSet.Labels, "machine.openshift.io/cluster-api-cluster")
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label")))
+				})
+
+				It("rejects setting of the protected machine.openshift.io label to the empty string ''", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Labels["machine.openshift.io/cluster-api-cluster"] = ""
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label")))
+				})
+
+				It("rejects adding a new machine.openshift.io label", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Labels["machine.openshift.io/foo"] = testLabelValue
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label")))
+				})
+
+				It("rejects adding a new machine.openshift.io label with an empty string value", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Labels["machine.openshift.io/foo"] = ""
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label")))
+				})
+
+				It("rejects modification of the protected cluster.x-k8s.io label", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Labels["cluster.x-k8s.io/cluster-name"] = "different-cluster"
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label")))
+				})
+
+				It("rejects deletion of the protected cluster.x-k8s.io label", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						delete(capiMachineSet.Labels, "cluster.x-k8s.io/cluster-name")
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label")))
+				})
+
+				It("allows modification of a non-protected label", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Labels["test"] = "val"
+					}), timeout).Should(Succeed(), "expected success when modifying unrelated labels")
+				})
+			})
+
+			Context("when trying to update metadata.Annotations", func() {
+				It("rejects modification of a protected machine.openshift.io annotation", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Annotations["machine.openshift.io/vCPU"] = "8"
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/* or cluster.x-k8s.io or clusters.x-k8s.io annotation")))
+				})
+
+				It("rejects deletion of a protected machine.openshift.io annotation", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						delete(capiMachineSet.Annotations, "machine.openshift.io/vCPU")
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/* or cluster.x-k8s.io or clusters.x-k8s.io annotation")))
+				})
+
+				It("rejects modification of a protected machine.openshift.io annotation to the empty string ''", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Annotations["machine.openshift.io/vCPU"] = ""
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/* or cluster.x-k8s.io or clusters.x-k8s.io annotation")))
+				})
+
+				It("rejects adding a new protected machine.openshift.io annotation", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Annotations["machine.openshift.io/foo"] = testLabelValue
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/* or cluster.x-k8s.io or clusters.x-k8s.io annotation")))
+				})
+
+				It("rejects adding a new protected machine.openshift.io annotation with an empty string value", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Annotations["machine.openshift.io/foo"] = ""
+					}), timeout).Should(MatchError(ContainSubstring("Cannot add, modify or delete any machine.openshift.io/* or cluster.x-k8s.io or clusters.x-k8s.io annotation")))
+				})
+
+				It("allows modification of a non-protected annotation", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Annotations["bar"] = "baz"
+					}), timeout).Should(Succeed(), "expected success when modifying unrelated annotations")
+				})
+			})
+
+			Context("when trying to update Machine API owned metadata.labels", func() {
+				It("allows changing a metadata label to match the param MachineSet", func() {
+					Eventually(k.Object(mapiMachineSet), timeout).Should(
+						HaveField("Labels", HaveKeyWithValue("mapi-param-controlled-label", "param-controlled-key")))
+
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Labels["mapi-param-controlled-label"] = "param-controlled-key"
+					}), timeout).Should(Succeed(), "expected success when updating label to match MAPI MachineSet")
+				})
+
+				It("rejects changing a label to differ from the param MachineSet", func() {
+					Eventually(k.Update(capiMachineSet, func() {
+						capiMachineSet.Labels["mapi-param-controlled-label"] = testLabelValue
+					}), timeout).Should(MatchError(ContainSubstring("Cannot modify a Machine API controlled label except to match the Machine API mirrored MachineSet")))
+				})
+			})
+		})
+	})
 })
