Fix core API group detection in crdNameFromGVK#180
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @nirdothan. Thanks for your PR. I'm waiting for a openshift-virtualization member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
❌ Generated Files Verification Failed One or more generated files in this PR are out of sync:
Please regenerate the files locally and commit the changes. |
|
/cc @tiraboschi |
nirdothan
force-pushed
the
fix-core-api-group-detection
branch
from
219a290 to
b354934
Compare
|
❌ Generated Files Verification Failed One or more generated files in this PR are out of sync:
Please regenerate the files locally and commit the changes. |
nirdothan
force-pushed
the
fix-core-api-group-detection
branch
from
b354934 to
88fa1de
Compare
|
❌ Generated Files Verification Failed One or more generated files in this PR are out of sync:
Please regenerate the files locally and commit the changes. |
nirdothan
force-pushed
the
fix-core-api-group-detection
branch
from
88fa1de to
e4c5a8a
Compare
|
❌ Generated Files Verification Failed One or more generated files in this PR are out of sync:
Please regenerate the files locally and commit the changes. |
1 similar comment
|
❌ Generated Files Verification Failed One or more generated files in this PR are out of sync:
Please regenerate the files locally and commit the changes. |
nirdothan
force-pushed
the
fix-core-api-group-detection
branch
from
fa133a3 to
a6217ea
Compare
|
❌ Generated Files Verification Failed One or more generated files in this PR are out of sync:
Please regenerate the files locally and commit the changes. |
The crdNameFromGVK function was incorrectly treating built-in Kubernetes API groups (apps, rbac.authorization.k8s.io, etc.) as CRDs, causing assets using these APIs to be skipped with "CRD not installed" errors. Now correctly identifies built-in API groups and returns empty RequiredCRD for them, allowing Deployment, ClusterRole, ClusterRoleBinding, and other core resources to be deployed. This fixes deployment of network-resources-injector which uses: - apps/v1 (Deployment) - rbac.authorization.k8s.io/v1 (ClusterRole, ClusterRoleBinding) Signed-off-by: Nir Dothan <ndothan@redhat.com> Assisted by: Claude Sonnet 4.5 <noreply@anthropic.com>
nirdothan
force-pushed
the
fix-core-api-group-detection
branch
from
a6217ea to
ab7da58
Compare
|
❌ Generated Files Verification Failed One or more generated files in this PR are out of sync:
Please regenerate the files locally and commit the changes. |
nirdothan
force-pushed
the
fix-core-api-group-detection
branch
from
ab7da58 to
7b9ad47
Compare
When virt-platform-autopilot creates ClusterRoles for managed components, it must hold all permissions those ClusterRoles grant (Kubernetes privilege escalation prevention). Adds static RBAC rules for: - Workload resources (pods, daemonsets, replicasets, statefulsets, replicationcontrollers, network-attachment-definitions) - Webhook registration (mutatingwebhookconfigurations, validatingwebhookconfigurations) - Configmap read access - Secrets and services delete permission These permissions allow the operator to create ClusterRoles that grant these same permissions to managed components. Updates ClusterRole templates to use explicit verbs (create, delete, get, list, patch, update, watch) instead of wildcards, matching what the operator can grant. Signed-off-by: Nir Dothan <ndothan@redhat.com> Assisted by: Claude Sonnet 4.5 <noreply@anthropic.com> tests: Add comprehensive unit tests for RBAC generation Adds tests for: - StaticRules: Verify static infrastructure rules - parseGVK: Test GVK parsing logic - pluralize: Test resource name pluralization - generateDynamicRules: Test dynamic rule generation with various scenarios - AllRules: Integration test with test filesystem Also fixes trailing whitespace in registry_test.go
IsManagedCRD is used by the CRD event handler to filter which CRD
install/removal events should trigger reconciliation. An empty string
is not a valid CRD name, so it should always return false.
The bug was exposed when assets with core API types (apiVersion: v1)
were added - these have empty RequiredCRD fields, causing IsManagedCRD("")
to incorrectly return true by matching the empty fields.
Signed-off-by: Nir Dothan <ndothan@redhat.com>
Assisted by: Claude Sonnet 4.5 <noreply@anthropic.com>
make update-crds make generate-rbac Signed-off-by: Nir Dothan <ndothan@redhat.com>
nirdothan
force-pushed
the
fix-core-api-group-detection
branch
from
7b9ad47 to
e397d58
Compare
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
1 participant
Summary
Fixes a bug where built-in Kubernetes API groups (apps, rbac.authorization.k8s.io, etc.) were incorrectly treated as CRDs, causing assets using these APIs to be skipped with "CRD not installed" errors.
Problem
The
crdNameFromGVKfunction inpkg/assets/registry.gowas treating ALL apiVersions containing/as CRDs. This caused core Kubernetes resources to be incorrectly flagged:Solution
Updated
crdNameFromGVKto recognize built-in Kubernetes API groups and return emptyRequiredCRDfor them, allowing the reconciler to skip CRD checks for these resources.Built-in API groups now recognized:
apps(Deployment, StatefulSet, DaemonSet, ReplicaSet)batch(Job, CronJob)rbac.authorization.k8s.io(ClusterRole, ClusterRoleBinding, Role, RoleBinding)networking.k8s.io,policy,autoscaling,admissionregistration.k8s.io, etc.Impact
This enables virt-platform-autopilot to deploy resources using built-in Kubernetes API groups, not just
v1resources and actual CRDs.Test Plan
Tested with network-resources-injector deployment which uses:
apps/v1(Deployment)rbac.authorization.k8s.io/v1(ClusterRole, ClusterRoleBinding)Before fix: Resources skipped with "CRD not installed"
After fix: Resources deployed successfully
🤖 Generated with Claude Code