
Conversation

@theobarberbany
Contributor

@theobarberbany theobarberbany commented Jan 7, 2026

Summary by CodeRabbit

  • New Features
    • Expanded admission validations covering additional cluster labels/annotations (including cluster.x-k8s.io/*) and new policy bindings to enforce MAPI/CAPI consistency and migration safeguards.
    • Added warnings and clearer validation messages for authoritative-source and synchronization scenarios.
  • Tests
    • Added extensive tests for creation/update restrictions, label/annotation protection, authoritative-source behavior, and machineset/machine synchronization semantics.


@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 7, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2026
@openshift-ci-robot

openshift-ci-robot commented Jan 7, 2026

@theobarberbany: This pull request references OCPCLOUD-3262 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.22." or "openshift-4.22.", but it targets "openshift-4.21" instead.


In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Contributor

openshift-ci bot commented Jan 7, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai bot commented Jan 7, 2026

📝 Walkthrough

Walkthrough

Adds many new ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding resources guarding labels/annotations and authoritativeAPI transitions, extends admission error messaging, and adds extensive VAP-focused unit tests plus minor test message and constant refactors across Machine/MachineSet sync controllers.

Changes

Cohort / File(s) Summary
Admission policy manifests
manifests/0000_30_cluster-api_09_admission-policies.yaml
Added numerous ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding entries enforcing authoritativeAPI semantics, blocking/protecting label and annotation namespaces (including cluster.x-k8s.io/*), preventing unsupported CAPI fields for MAPI, and adding sync/creation/update guard rules (many new named policies and bindings).
MachineSet VAP unit tests
pkg/controllers/machinesetsync/machineset_vap_test.go
Added large test contexts exercising non-authoritative MachineSet protections for both MAPI and CAPI: creation/update scenarios for spec, metadata.labels, metadata.annotations, status.authoritativeAPI, param-controlled label/annotation synchronization, and sync-controller-only mutation behavior.
MachineSet sync controller tests (messages)
pkg/controllers/machinesetsync/machineset_sync_controller_test.go
Minor expectation text edits swapping synchronization message direction (phrasing changes in test assertions).
Machine sync controller tests (constants)
pkg/controllers/machinesync/machine_sync_controller_test.go
Replaced repeated inline assertion substrings with new constants (errMsgProtectedLabels, errMsgProtectedAnnotations) used across tests to centralize protected-label/annotation messages.

Sequence Diagram(s)

sequenceDiagram
  actor User
  participant API_Server
  participant VAP as ValidatingAdmissionPolicy
  participant SyncController
  participant MAPI
  participant CAPI

  User->>API_Server: create/update Machine or MachineSet
  API_Server->>VAP: evaluate applicable policies/bindings
  VAP-->>API_Server: allow / deny / warn (with message)
  alt allowed
    API_Server->>MAPI: persist MAPI resource (if applicable)
    API_Server->>CAPI: persist CAPI resource (if applicable)
    MAPI->>SyncController: event/reconcile
    CAPI->>SyncController: event/reconcile
    SyncController->>MAPI: perform sync mutations (if authoritative)
    SyncController->>CAPI: perform sync mutations (if authoritative)
  else denied
    API_Server-->>User: rejection response (policy error)
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐇
New policies bound, hopping through the glen,
Labels guarded, annotations penned,
MAPI and CAPI leap in line,
Syncs and checks make order fine,
I nibble a carrot and celebrate again 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically references the main change: adding ValidatingAdmissionPolicies for MAPI and CAPI MachineSets, matching the substantial additions documented in the changeset.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping the docstring coverage check.


📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between a70db0b and 020eb93.

📒 Files selected for processing (2)
  • manifests/0000_30_cluster-api_09_admission-policies.yaml
  • pkg/controllers/machinesync/machine_sync_controller_test.go
🔇 Additional comments (4)
pkg/controllers/machinesync/machine_sync_controller_test.go (1)

1051-1054: LGTM! Good refactoring to centralize error message strings.

The introduction of errMsgProtectedLabels and errMsgProtectedAnnotations constants consolidates error message strings used in test assertions throughout the file. This improves maintainability by providing a single source of truth for these messages and ensures consistency with the updated ValidatingAdmissionPolicy error messages in the manifest file.

manifests/0000_30_cluster-api_09_admission-policies.yaml (3)

130-131: LGTM! Improved error message clarity.

The updated error messages now explicitly list all blocked prefixes (machine.openshift.io/*, kubernetes.io/*, cluster.x-k8s.io/* for labels and machine.openshift.io/*, cluster.x-k8s.io/*, clusters.x-k8s.io/* for annotations), making the validation failures more informative and actionable for users. This aligns with the constants introduced in the test file and maintains consistency across all VAPs.

Also applies to: 144-144, 257-258, 271-271, 378-378, 489-489


161-281: LGTM! Well-structured MachineSet VAP for MAPI.

The new machine-api-machine-set-vap policy correctly extends admission controls to MachineSet resources, mirroring the existing Machine policy structure. Key aspects:

  • Appropriate spec fields validated for MachineSet (deletePolicy, minReadySeconds, replicas, selector, template)
  • Consistent label/annotation guards protecting machine.openshift.io/*, kubernetes.io/*, and cluster.x-k8s.io/* prefixes
  • Param-controlled label validation ensures changes match the CAPI MachineSet mirror
  • parameterNotFoundAction: Allow prevents blocking MAPI functionality when no CAPI MachineSet exists

394-499: LGTM! Well-structured MachineSet VAP for CAPI.

The new cluster-api-machine-set-vap policy correctly extends admission controls to CAPI MachineSet resources when MAPI is authoritative. Key aspects:

  • Entire .spec locked when status.authoritativeAPI=MachineAPI on the param (MAPI MachineSet)
  • Consistent label/annotation guards protecting machine.openshift.io/*, kubernetes.io/*, and cluster.x-k8s.io/* prefixes
  • Param-controlled label validation ensures changes match the MAPI MachineSet mirror
  • parameterNotFoundAction: Allow prevents blocking CAPI functionality when no MAPI MachineSet exists
  • Error messages correctly reference "MachineSet" instead of "Machine"

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 8, 2026
@theobarberbany theobarberbany marked this pull request as ready for review January 9, 2026 14:03
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 9, 2026
@theobarberbany theobarberbany marked this pull request as draft January 9, 2026 14:03
@openshift-ci openshift-ci bot requested review from damdo and mdbooth January 9, 2026 14:03
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 9, 2026
@openshift-ci-robot

openshift-ci-robot commented Jan 9, 2026

@theobarberbany: This pull request references OCPCLOUD-3262 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.22." or "openshift-4.22.", but it targets "openshift-4.21" instead.


In response to this:

Summary by CodeRabbit

  • New Features
  • Added comprehensive validation controls for machine resource management to prevent invalid configurations and unsupported field combinations
  • Enforced stricter consistency requirements between different machine management systems during resource creation and updates
  • Introduced protective constraints on critical machine resource attributes


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @manifests/0000_30_cluster-api_09_admission-policies.yaml:
- Around line 245-271: The error messages are missing protected prefixes
referenced by the validation expressions; update the message for the label guard
(the rule guarding variables.newLabels/oldLabels in the expression that checks
startsWith('machine.openshift.io'), startsWith('kubernetes.io') and
contains('cluster.x-k8s.io/')) to include "cluster.x-k8s.io/*" alongside
"machine.openshift.io/*" and "kubernetes.io/*", and update the annotation guard
message (the rule using variables.newAnn/oldAnn that checks
startsWith('machine.openshift.io') and
contains('cluster.x-k8s.io'/'clusters.x-k8s.io')) to mention both
"cluster.x-k8s.io/*" and "clusters.x-k8s.io/*" in addition to
"machine.openshift.io/*"; mirror the wording used in the
cluster-api-machine-set-vap policy messages for consistency.
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 2d56218 and b944df0.

📒 Files selected for processing (4)
  • manifests/0000_30_cluster-api_09_admission-policies.yaml
  • pkg/controllers/machinesetsync/machineset_vap_test.go
  • pkg/controllers/machinesync/__debug_bin2952830453
  • pkg/controllers/machinesync/__debug_bin4126191047
🧰 Additional context used
🧬 Code graph analysis (1)
pkg/controllers/machinesetsync/machineset_vap_test.go (2)
pkg/conversion/mapi2capi/interface.go (1)
  • MachineSet (29-31)
pkg/admissionpolicy/testutils/util.go (3)
  • AddSentinelValidation (185-190)
  • UpdateVAPBindingNamespaces (216-239)
  • VerifySentinelValidation (193-197)
🪛 Gitleaks (8.30.0)
pkg/controllers/machinesetsync/machineset_vap_test.go

[high] 428-428: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 440-440: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 681-681: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 693-693: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (9)
pkg/controllers/machinesetsync/machineset_vap_test.go (6)

50-50: LGTM!

Good refactoring to extract capiMachineSetBuilder as a reusable builder variable. This improves readability and allows the builder to be configured differently across test contexts.

Also applies to: 102-108


427-435: Static analysis false positive: cluster name mistaken for API key.

Gitleaks flags ci-op-gs2k97d6-c9e33-2smph as a "Generic API Key", but this is an OpenShift CI-generated cluster identifier used in test fixtures. This is a false positive and can be safely ignored.

The test setup for creating MAPI and CAPI MachineSet pairs with appropriate labels and annotations looks correct for validating the policy behavior.

Also applies to: 439-448


451-468: LGTM!

Correct test logic: when status.AuthoritativeAPI is MachineAPI, spec changes should be permitted since MAPI is the source of truth.


470-600: LGTM!

Comprehensive test coverage for the ClusterAPI-authoritative scenario:

  • Correctly verifies spec fields (except authoritativeAPI) are locked
  • Validates protection of machine.openshift.io/* labels and annotations
  • Tests the param-controlled label synchronization logic

603-706: LGTM!

Good parallel test structure for CAPI MachineSet validation. The setup correctly:

  • Configures the VAP binding with MAPI as param source and CAPI as target
  • Sets status.AuthoritativeAPI on the MAPI MachineSet (as the param)
  • Includes cluster.x-k8s.io/cluster-name label in CAPI MachineSet fixtures for testing CAPI-specific label protection

The cluster identifiers flagged by Gitleaks (lines 681, 693) are the same false positives noted earlier.


707-835: LGTM!

Thorough test coverage for CAPI MachineSet behavior when Machine API is authoritative:

  • Verifies spec changes are blocked on the CAPI side
  • Tests cluster.x-k8s.io/* label protections (lines 762-772)
  • Validates param-controlled label synchronization from MAPI to CAPI
manifests/0000_30_cluster-api_09_admission-policies.yaml (3)

161-177: LGTM!

The binding configuration is correct:

  • parameterNotFoundAction: Allow ensures MAPI functionality isn't blocked when no CAPI MachineSet exists
  • Namespace targeting and param references are appropriate

394-410: LGTM!

Correct binding configuration with appropriate namespace targeting and param source inversion from the MAPI binding.


412-499: LGTM!

The CAPI MachineSet policy is well-structured:

  • Correctly checks authoritativeAPI from the MAPI param (line 441)
  • Uses simpler object.spec == oldObject.spec comparison (line 460) since CAPI MachineSets don't have an authoritativeAPI field to exclude
  • Error messages are complete and accurate

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 9, 2026
@theobarberbany theobarberbany marked this pull request as ready for review January 9, 2026 15:10
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 9, 2026
@theobarberbany theobarberbany marked this pull request as draft January 9, 2026 15:10
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 9, 2026
@openshift-ci openshift-ci bot requested a review from racheljpg January 9, 2026 15:12
Locally seeing regular flake where we reconcile fast enough that we
don't get the intermediary 'sync'd MAPI to CAPI' before we update to the
stable state of 'sync'd CAPI to MAPI' we expect to see given the
AuthoritativeAPI
@theobarberbany theobarberbany marked this pull request as ready for review January 9, 2026 15:37
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 9, 2026
@openshift-ci openshift-ci bot requested a review from nrb January 9, 2026 15:38
@openshift-ci-robot

openshift-ci-robot commented Jan 9, 2026

@theobarberbany: This pull request references OCPCLOUD-3262 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.22." or "openshift-4.22.", but it targets "openshift-4.21" instead.


In response to this:

Summary by CodeRabbit

  • New Features
  • Added comprehensive admission validations to prevent unsupported or conflicting machine/machineset configurations and enforce authoritative-source constraints.
  • Strengthened label/annotation protections and param-driven label synchronization rules across machine management systems.
  • Tests
  • Added extensive tests covering creation/update restrictions and authoritative-source behaviors for machines and machinesets.
  • Updated synchronization test expectations to reflect direction semantics.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/controllers/machinesetsync/machineset_sync_controller_test.go (1)

1171-1179: Use the shared constant for the sync-direction message instead of hardcoding.

The constants messageSuccessfullySynchronizedCAPItoMAPI and messageSuccessfullySynchronizedMAPItoCAPI already exist in machineset_sync_controller.go and are accessible from the test file in the same package. Replace the hardcoded string "Successfully synchronized CAPI MachineSet to MAPI" at line 1177 with the constant messageSuccessfullySynchronizedCAPItoMAPI. This improves maintainability and prevents inconsistencies if the message ever needs to be updated.

🤖 Fix all issues with AI agents
In @pkg/controllers/machinesetsync/machineset_vap_test.go:
- Around line 351-604: Tests embed a gitleaks-flagged hard-coded cluster id
string ("ci-op-gs2k97d6-c9e33-2smph") used as a label value in the
mapiMachineSet/mapiMachineSetBuilder and capiMachineSet builders; replace these
literal cluster-id label values with a clearly non-secret placeholder (e.g.
"ci-cluster-placeholder" or similar) wherever they appear (including the other
occurrences noted in the review), updating references in mapiMachineSetBuilder,
capiMachineSetBuilder, and the Label checks that assert
"capi-param-controlled-label" so the tests still assert matching behaviour but
no longer contain a secret-looking string.
🧹 Nitpick comments (2)
manifests/0000_30_cluster-api_09_admission-policies.yaml (2)

159-281: machine-api-machine-set-vap: policy structure matches intent; consider whether /status updates should also be covered.

Right now this only matches resources: ["machinesets"] with operations: ["UPDATE"]. If you also want to prevent privileged users from mutating status.authoritativeAPI (or other status fields) directly, you likely also want machinesets/status in resources.


393-499: cluster-api-machine-set-vap: good symmetry with MAPI-side policy; verify CEL optional-field features on target OCP/K8s.

This policy relies on CEL optional-field helpers like params.?status.?authoritativeAPI.orValue("") and map defaulting. Please confirm these CEL features are supported/enabled for the target branch payload (PR bot notes branch expects 4.22.*).

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between b944df0 and a70db0b.

📒 Files selected for processing (3)
  • manifests/0000_30_cluster-api_09_admission-policies.yaml
  • pkg/controllers/machinesetsync/machineset_sync_controller_test.go
  • pkg/controllers/machinesetsync/machineset_vap_test.go
🧰 Additional context used
🪛 Gitleaks (8.30.0)
pkg/controllers/machinesetsync/machineset_vap_test.go

[high] 431-431: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 443-443: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 832-832: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 844-844: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (1)
pkg/controllers/machinesetsync/machineset_vap_test.go (1)

50-110: Builder hoist to outer scope is clean and reduces shadowing.
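To make the policy shape discussed in the reviews above concrete (the .spec lock while Cluster API is authoritative, protected-prefix label and annotation guards whose messages name every blocked prefix, optional-field defaulting in the params.?status.?authoritativeAPI.orValue("") style, and a binding with parameterNotFoundAction: Allow), here is an added, simplified MAPI MachineSet VAP and binding written for this thread; it is not the project's manifest. The resource names, namespaces, the ClusterAPI enum literal, the name-based pairing through matchConditions and the sync-controller service-account placeholder are assumptions.

```yaml
# Added illustration, not the project's manifest. Names, namespaces, the
# 'ClusterAPI' enum literal and the service-account placeholder are assumptions.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: example-machine-api-machine-set-vap
spec:
  failurePolicy: Fail
  paramKind:
    apiVersion: cluster.x-k8s.io/v1beta1
    kind: MachineSet
  matchConstraints:
    resourceRules:
    - apiGroups: ["machine.openshift.io"]
      apiVersions: ["v1beta1"]
      operations: ["UPDATE"]
      resources: ["machinesets"]  # add "machinesets/status" to guard direct status writes too
  matchConditions:
  # params is in scope here: evaluate only against the CAPI MachineSet of the same name.
  - name: paired-capi-machineset
    expression: "params.metadata.name == object.metadata.name"
  # The sync controller is the one writer allowed to touch protected keys.
  - name: not-sync-controller
    expression: "request.userInfo.username != 'system:serviceaccount:openshift-cluster-api:SYNC-CONTROLLER-SA-PLACEHOLDER'"
  variables:
  - {name: capiAuthoritative, expression: "object.?status.?authoritativeAPI.orValue('') == 'ClusterAPI'"}
  - {name: newLabels, expression: "object.metadata.?labels.orValue({})"}
  - {name: oldLabels, expression: "oldObject.metadata.?labels.orValue({})"}
  - {name: paramLabels, expression: "params.metadata.?labels.orValue({})"}
  - {name: newAnn, expression: "object.metadata.?annotations.orValue({})"}
  - {name: oldAnn, expression: "oldObject.metadata.?annotations.orValue({})"}
  validations:
  # Spec lock: while CAPI is authoritative, every spec field except authoritativeAPI must be unchanged.
  - expression: >-
      !variables.capiAuthoritative ||
      (object.spec.?replicas.orValue(-1) == oldObject.spec.?replicas.orValue(-1) &&
       object.spec.?minReadySeconds.orValue(-1) == oldObject.spec.?minReadySeconds.orValue(-1) &&
       object.spec.?deletePolicy.orValue('') == oldObject.spec.?deletePolicy.orValue('') &&
       object.spec.?selector.orValue({}) == oldObject.spec.?selector.orValue({}) &&
       object.spec.?template.orValue({}) == oldObject.spec.?template.orValue({}))
    message: >-
      You may only modify spec.authoritativeAPI. Any other change inside .spec
      is not allowed. This is because status.authoritativeAPI is set to Cluster API.
  # Label guard: a protected key may be added or changed only to the value the
  # paired CAPI MachineSet carries, and removed only if that mirror lacks it too.
  - expression: >-
      variables.newLabels.all(k,
        !(k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io') || k.contains('cluster.x-k8s.io/')) ||
        (k in variables.oldLabels && variables.oldLabels[k] == variables.newLabels[k]) ||
        (k in variables.paramLabels && variables.paramLabels[k] == variables.newLabels[k])) &&
      variables.oldLabels.all(k,
        !(k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io') || k.contains('cluster.x-k8s.io/')) ||
        k in variables.newLabels || !(k in variables.paramLabels))
    message: >-
      Labels under machine.openshift.io/*, kubernetes.io/* and cluster.x-k8s.io/*
      are managed by the sync controller and may not be changed here.
  # Annotation guard: protected annotations are never user-writable.
  - expression: >-
      variables.newAnn.all(k,
        !(k.startsWith('machine.openshift.io') || k.contains('cluster.x-k8s.io') || k.contains('clusters.x-k8s.io')) ||
        (k in variables.oldAnn && variables.oldAnn[k] == variables.newAnn[k])) &&
      variables.oldAnn.all(k,
        !(k.startsWith('machine.openshift.io') || k.contains('cluster.x-k8s.io') || k.contains('clusters.x-k8s.io')) ||
        k in variables.newAnn)
    message: >-
      Annotations under machine.openshift.io/*, cluster.x-k8s.io/* and clusters.x-k8s.io/*
      are managed by the sync controller and may not be changed here.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: example-machine-api-machine-set-vap
spec:
  policyName: example-machine-api-machine-set-vap
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: openshift-machine-api
  paramRef:
    # Select every CAPI MachineSet in the CAPI namespace; the matchCondition above
    # narrows evaluation to the same-named one. Allow keeps a mirror-less MAPI MachineSet usable.
    namespace: openshift-cluster-api
    selector: {}
    parameterNotFoundAction: Allow
```

Because the optional-field syntax (?.) and orValue() require the CEL optional-types library the API server enables for admission policies, the same compatibility question raised for the target branch applies to this sketch.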

Updates the protected labels and annotations messages for the CAPI and
MAPI machine vaps to include all blocked prefixes.
@openshift-ci-robot

openshift-ci-robot commented Jan 9, 2026

@theobarberbany: This pull request references OCPCLOUD-3262 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.22." or "openshift-4.22.", but it targets "openshift-4.21" instead.


In response to this:

Summary by CodeRabbit

  • New Features
  • Expanded admission validations covering additional cluster labels/annotations (including cluster.x-k8s.io/*) and new policy bindings to enforce MAPI/CAPI consistency and migration safeguards.
  • Added warnings and clearer validation messages for authoritative-source and synchronization scenarios.
  • Tests
  • Added extensive tests for creation/update restrictions, label/annotation protection, authoritative-source behavior, and machineset/machine synchronization semantics.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@theobarberbany
Contributor Author

/jira-refresh

Member

@damdo damdo left a comment


Thanks Theo, looks reasonable to me!

/approve
/lgtm

Still it may be worth having a second pair of eyes to check such a long PR

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 14, 2026
@damdo
Member

damdo commented Jan 14, 2026

/assign @RadekManak @nrb

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 14, 2026
@openshift-ci-robot

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

@openshift-ci
Contributor

openshift-ci bot commented Jan 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 14, 2026
@theobarberbany
Contributor Author

Ty dam! This is mostly a re-do of the existing Machine CAPI & MAPI VAPs; the logic is the same (apart from where the spec differs on machinesets, and without the machine-template-hash bit, as it's not present on CAPI MachineSets, only machines :)

@damdo
Member

damdo commented Jan 14, 2026

/test e2e-aws-capi-techpreview

@damdo
Member

damdo commented Jan 14, 2026

/test regression-clusterinfra-aws-ipi-techpreview-capi

@theobarberbany
Contributor Author

ah @damdo we've got some bad e2es we'll need to fix up - I'll look at those tomorrow

@openshift-ci
Contributor

openshift-ci bot commented Jan 14, 2026

@theobarberbany: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/e2e-aws-capi-techpreview | 020eb93 | link | true | /test e2e-aws-capi-techpreview
ci/prow/e2e-metal3-capi-techpreview | 020eb93 | link | false | /test e2e-metal3-capi-techpreview

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@damdo
Member

damdo commented Jan 15, 2026

@theobarberbany ack, ty

@sunzhaohua2
Contributor

ah @damdo we've got some bad e2es we'll need to fix up - I'll look at those tomorrow

Message: "machinesets.machine.openshift.io \"ms-authoritativeapi-capi\" is forbidden: ValidatingAdmissionPolicy 'machine-api-machine-set-vap' with binding 'machine-api-machine-set-vap' denied request: You may only modify spec.authoritativeAPI. Any other change inside .spec is not allowed. This is because status.authoritativeAPI is set to Cluster API.",

In e2e we also changed spec.template.spec.authoritativeAPI, is this also not allowed to change?

@miyadav
Copy link
Member

miyadav commented Jan 19, 2026

ah @damdo we've got some bad e2es we'll need to fix up - I'll look at those tomorrow

Message: "machinesets.machine.openshift.io \"ms-authoritativeapi-capi\" is forbidden: ValidatingAdmissionPolicy 'machine-api-machine-set-vap' with binding 'machine-api-machine-set-vap' denied request: You may only modify spec.authoritativeAPI. Any other change inside .spec is not allowed. This is because status.authoritativeAPI is set to Cluster API.",

In e2e we also changed spec.template.spec.authoritativeAPI, is this also not allowed to change?

@sunzhaohua2 this VAP blocks when we are modifying machineset.c; I think you are referring to modifications of machineset.m, which should be allowed. I tried it manually and it works. (When the machineset authoritativeAPI is mapi, you can change .spec.template.spec.authoritative to capi from mapi and vice versa, not when the machineset authoritativeAPI is capi.)

@sunzhaohua2
Contributor

Added one case https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-87094
All tested as expected; only one question here.
