From 85078a8c92ab7566b4dac8715d8285f83ecfde6a Mon Sep 17 00:00:00 2001 From: origin-release-container Date: Mon, 28 Oct 2024 17:52:55 +0000 Subject: [PATCH] update api validation on minimumKubeletVersion Signed-off-by: Peter Hunt --- .../MinimumKubeletVersion.yaml | 21 +++++++++++++++++++ config/v1/types_node.go | 10 ++++++--- ...operator_01_nodes-CustomNoUpgrade.crd.yaml | 11 ++++++++-- ...ator_01_nodes-DevPreviewNoUpgrade.crd.yaml | 11 ++++++++-- ...tor_01_nodes-TechPreviewNoUpgrade.crd.yaml | 11 ++++++++-- .../MinimumKubeletVersion.yaml | 11 ++++++++-- .../v1/zz_generated.swagger_doc_generated.go | 2 +- kubecontrolplane/v1/types.go | 4 +++- .../v1/zz_generated.swagger_doc_generated.go | 2 +- .../generated_openapi/zz_generated.openapi.go | 5 +++-- openapi/openapi.json | 7 ++++--- ...operator_01_nodes-CustomNoUpgrade.crd.yaml | 11 ++++++++-- ...ator_01_nodes-DevPreviewNoUpgrade.crd.yaml | 11 ++++++++-- ...tor_01_nodes-TechPreviewNoUpgrade.crd.yaml | 11 ++++++++-- 14 files changed, 103 insertions(+), 25 deletions(-) diff --git a/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml b/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml index 41ed1e8c072..314bac204f2 100644 --- a/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml +++ b/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml @@ -12,3 +12,24 @@ tests: apiVersion: config.openshift.io/v1 kind: Node spec: {} + - name: Should be able to create a minimumKubeletVersion + initial: | + apiVersion: config.openshift.io/v1 + kind: Node + spec: + minimumKubeletVersion: 1.30.0 + expected: | + apiVersion: config.openshift.io/v1 + kind: Node + spec: + minimumKubeletVersion: 1.30.0 + - name: Should be able to create a minimumKubeletVersion + initial: | + apiVersion: config.openshift.io/v1 + kind: Node + spec: + minimumKubeletVersion: bogus + expected: | + apiVersion: config.openshift.io/v1 + kind: Node + spec: {} 
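Review bot: The second added case reuses the name `Should be able to create a minimumKubeletVersion` even though it submits `minimumKubeletVersion: bogus`, and it asserts an `expected` object with `spec: {}` instead of a rejection. If the new validation is meant to refuse that value, name the case for it (for example `Should reject a malformed minimumKubeletVersion`) and assert the validation message, using the suite's `expectedError` key if it is available for this test. As written, it is unclear whether the case documents a rejection or a silent drop of the field. A further negative case with separators other than dots, such as `1x30y0` (a constructed value), would pin down what the pattern accepts.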
diff --git a/config/v1/types_node.go b/config/v1/types_node.go index 20b536a2bf2..2bd448a86cb 100644 --- a/config/v1/types_node.go +++ b/config/v1/types_node.go @@ -47,14 +47,18 @@ type NodeSpec struct { // +optional WorkerLatencyProfile WorkerLatencyProfileType `json:"workerLatencyProfile,omitempty"` - // MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. // Specifically, the apiserver will deny most authorization requests of kubelets that are older // than the specified version, only allowing the kubelet to get and update its node object, and perform // subjectaccessreviews. - // +kubebuilder:validation:Pattern=`^[0-9]*\.[0-9]*\.[0-9]*$` + // This means the kubelet won't be able to view API objects it's responsible for running, + // and will eventually be marked as NotReady. + // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty" + // +kubebuilder:validation:MaxLength:=8 // +openshift:enable:FeatureGate=MinimumKubeletVersion // +optional - MinimumKubeletVersion string `json:"minimumKubeletVersion,omitempty"` + MinimumKubeletVersion string `json:"minimumKubeletVersion"` } type NodeStatus struct { diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml index 121a47ac41a..a3ae641ff0d 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml 
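Review bot: The CEL rule in the new `XValidation` marker on `NodeSpec.MinimumKubeletVersion` is looser than the `Pattern` it replaces: the dots in `'^[0-9]*.[0-9]*.[0-9]*$'` are no longer escaped, so each one matches any character, and `*` lets every component be empty. Values such as `1x30y0` or `..` (constructed examples) therefore pass as a version. Since the field feeds an authorization decision for kubelets, it matters how the consumer treats a value it cannot parse, and that code is not visible here. Consider `self.matches('^[0-9]+[.][0-9]+[.][0-9]+$')`; the character class sidesteps the escaping layers of the marker string and the CEL literal. The message also misspells the field as `minmumKubeletVersion`, and the generated CRD hunks carry the same rule and message, so they need regenerating. The `NodeSpec` struct begins outside this hunk.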
@@ -55,12 +55,19 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means the kubelet won't be able to view API objects it's responsible for running, + and will eventually be marked as NotReady. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml index 3b6f33dffaa..cfa7cdff69e 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml 
@@ -55,12 +55,19 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means the kubelet won't be able to view API objects it's responsible for running, + and will eventually be marked as NotReady. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml index 3e92f0df978..d5ac756e0ae 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml 
@@ -55,12 +55,19 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means the kubelet won't be able to view API objects it's responsible for running, + and will eventually be marked as NotReady. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml b/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml index 2a9d9f372a9..28589c71680 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml 
@@ -55,12 +55,19 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means the kubelet won't be able to view API objects it's responsible for running, + and will eventually be marked as NotReady. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 2ce5ea99f67..0d85fbe57a9 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2090,7 +2090,7 @@ func (NodeList) SwaggerDoc() map[string]string { var map_NodeSpec = map[string]string{ "cgroupMode": "CgroupMode determines the cgroups version on the node", "workerLatencyProfile": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster", - "minimumKubeletVersion": "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means the kubelet won't be able to view API objects it's responsible for running, and will eventually be marked as NotReady. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\".", } func (NodeSpec) SwaggerDoc() map[string]string { diff --git a/kubecontrolplane/v1/types.go b/kubecontrolplane/v1/types.go index 31a0a8b7826..f7dc904c60b 100644 --- a/kubecontrolplane/v1/types.go +++ b/kubecontrolplane/v1/types.go 
@@ -63,10 +63,12 @@ type KubeAPIServerConfig struct { // TODO this needs to be removed. APIServerArguments map[string]Arguments `json:"apiServerArguments"` - // MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. // Specifically, the apiserver will deny most authorization requests of kubelets that are older // than the specified version, only allowing the kubelet to get and update its node object, and perform // subjectaccessreviews. + // This means the kubelet won't be able to view API objects it's responsible for running, + // and will eventually be marked as NotReady. // +openshift:enable:FeatureGate=MinimumKubeletVersion MinimumKubeletVersion string `json:"minimumKubeletVersion,omitempty"` } diff --git a/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go b/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go index 75264a69bff..3515b58683d 100644 --- a/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go +++ b/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go 
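Review bot: The comment on `KubeAPIServerConfig.MinimumKubeletVersion` still does not say what format the value takes or what an empty value means. The `NodeSpec` copy changed in this commit now documents and enforces an x.y.z form with a maximum length of 8. This struct carries no validation markers, so the comment is the only contract a reader of this type sees. Consider adding a line such as `// The value is expected in x.y.z form, as validated on nodes.config.openshift.io; an empty value means no minimum is enforced.` The empty-value semantics are inferred from the `omitempty` tag and should be confirmed against the consumer. The `KubeAPIServerConfig` struct begins outside this hunk.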
@@ -33,7 +33,7 @@ var map_KubeAPIServerConfig = map[string]string{ "projectConfig": "projectConfig feeds an admission plugin", "serviceAccountPublicKeyFiles": "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", "oauthConfig": "oauthConfig, if present start the /oauth endpoint in this process", - "minimumKubeletVersion": "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means the kubelet won't be able to view API objects it's responsible for running, and will eventually be marked as NotReady.", } func (KubeAPIServerConfig) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index ae21056c5d5..118909dbd8c 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -15554,7 +15554,8 @@ func schema_openshift_api_config_v1_NodeSpec(ref common.ReferenceCallback) commo }, "minimumKubeletVersion": { SchemaProps: spec.SchemaProps{ - Description: "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means the kubelet won't be able to view API objects it's responsible for running, and will eventually be marked as NotReady. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\".", + Default: "", Type: []string{"string"}, Format: "", }, 
@@ -26508,7 +26509,7 @@ func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.Ref }, "minimumKubeletVersion": { SchemaProps: spec.SchemaProps{ - Description: "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means the kubelet won't be able to view API objects it's responsible for running, and will eventually be marked as NotReady.", Type: []string{"string"}, Format: "", }, diff --git a/openapi/openapi.json b/openapi/openapi.json index 19ac8961af7..767e5853ecb 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -8271,8 +8271,9 @@ "type": "string" }, "minimumKubeletVersion": { - "description": "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", - "type": "string" + "description": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means the kubelet won't be able to view API objects it's responsible for running, and will eventually be marked as NotReady. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\".", + "type": "string", + "default": "" }, "workerLatencyProfile": { "description": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster", 
@@ -14791,7 +14792,7 @@ "$ref": "#/definitions/com.github.openshift.api.kubecontrolplane.v1.KubeletConnectionInfo" }, "minimumKubeletVersion": { - "description": "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + "description": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means the kubelet won't be able to view API objects it's responsible for running, and will eventually be marked as NotReady.", "type": "string" }, "oauthConfig": { diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml index 121a47ac41a..a3ae641ff0d 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml 
@@ -55,12 +55,19 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means the kubelet won't be able to view API objects it's responsible for running, + and will eventually be marked as NotReady. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml index 3b6f33dffaa..cfa7cdff69e 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml 
@@ -55,12 +55,19 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means the kubelet won't be able to view API objects it's responsible for running, + and will eventually be marked as NotReady. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml index 3e92f0df978..d5ac756e0ae 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml 
@@ -55,12 +55,19 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means the kubelet won't be able to view API objects it's responsible for running, + and will eventually be marked as NotReady. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating