[WIP] OCPCLOUD-3557: split capi-controllers and machine-api-migration#622
[WIP] OCPCLOUD-3557: split capi-controllers and machine-api-migration#622stefanonardo wants to merge 1 commit into
Conversation
Separate the two binaries into independent Deployments with dedicated ServiceAccounts and least-privilege RBAC. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
@stefanonardo: This pull request references OCPCLOUD-3557 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughThis PR separates the machine-api-migration functionality from capi-controllers into its own ServiceAccount, RBAC roles/bindings, Deployment, metrics Service, and ServiceMonitor. capi-controllers RBAC is narrowed accordingly, its Deployment loses the migration container, ports are renamed, and the NetworkPolicy/metrics-service/ServiceMonitor configurations are updated. Documentation reflects the new split. Changesmachine-api-migration separation
Estimated code review effort: 4 (Complex) | ~50 minutes Sequence Diagram(s)sequenceDiagram
participant Prometheus
participant MachineAPIMigrationSvc as machine-api-migration-metrics Service
participant MachineAPIMigrationPod as machine-api-migration Deployment
participant K8sAPI as Kubernetes API Server
MachineAPIMigrationPod->>K8sAPI: Authenticate via machine-api-migration ServiceAccount
K8sAPI-->>MachineAPIMigrationPod: Authorize using Role/ClusterRole bindings
Prometheus->>MachineAPIMigrationSvc: Scrape metrics (HTTPS, bearer token, TLS)
MachineAPIMigrationSvc->>MachineAPIMigrationPod: Route to diagnostics port
MachineAPIMigrationPod-->>Prometheus: Return metrics
Possibly related PRs
🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
/test e2e-aws-capi-techpreview |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/rbac.md`:
- Around line 41-43: The RBAC summary for the `machine-api-migration` Role in
`openshift-cluster-api` is mislabeled as “(read)” even though the manifest
grants both read and write verbs. Update the description in `docs/rbac.md` to
reflect the actual permissions from
`0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml`, using the
`machine-api-migration` Role entry and its Machine/MachineSet permissions as the
reference point.
In `@manifests/0000_30_cluster-api_17_machine-api-migration-deployment.yaml`:
- Around line 26-69: The machine-api-migration Deployment container spec is
missing required hardening and health settings. Update the machine-api-migration
pod/container spec to add an explicit securityContext with
readOnlyRootFilesystem, allowPrivilegeEscalation disabled, and capabilities
dropping all, and set automountServiceAccountToken to false if the controller
does not need the token. Also add resource limits alongside the existing
requests, and define livenessProbe and readinessProbe for the healthz endpoint
exposed by the machine-api-migration container on port 9440.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: af553a64-1e21-4c5f-92f4-9de4822110af
📒 Files selected for processing (12)
docs/rbac.mdmanifests/0000_30_cluster-api_02_machine-api-migration-service-account.yamlmanifests/0000_30_cluster-api_03_machine-api-migration-rbac-roles.yamlmanifests/0000_30_cluster-api_03_rbac_roles.yamlmanifests/0000_30_cluster-api_04_machine-api-migration-rbac-bindings.yamlmanifests/0000_30_cluster-api_10_capi-controllers-servicemonitor.yamlmanifests/0000_30_cluster-api_10_machine-api-migration-metrics-service.yamlmanifests/0000_30_cluster-api_10_machine-api-migration-servicemonitor.yamlmanifests/0000_30_cluster-api_10_metrics-service.yamlmanifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yamlmanifests/0000_30_cluster-api_17_deployment.yamlmanifests/0000_30_cluster-api_17_machine-api-migration-deployment.yaml
💤 Files with no reviewable changes (1)
- manifests/0000_30_cluster-api_10_capi-controllers-servicemonitor.yaml
| | `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | ClusterRole `openshift-machine-api-migration` | cluster-wide | Cluster-scoped resources: infrastructures, featuregates, clusterversions, CRDs | | ||
| | `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | Role `machine-api-migration` | `openshift-cluster-api` | CAPI Cluster (read), Machine/MachineSet + infra cluster (read)/machine/machinetemplate resources, secrets, pod self-read, events, leases | | ||
| | `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | Role `machine-api-migration` | `openshift-machine-api` | MAPI machines, machinesets, controlplanemachinesets, secrets, events | |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
"(read)" label inconsistent with actual RBAC verbs.
Line 42 describes the machine-api-migration Role in openshift-cluster-api as granting Machine/MachineSet access with "(read)" only. The referenced manifest (0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml) grants get, list, watch, create, update, patch on cluster.x-k8s.io machines/machinesets — i.e., full read/write, not read-only.
📝 Suggested fix
-| `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | Role `machine-api-migration` | `openshift-cluster-api` | CAPI Cluster (read), Machine/MachineSet + infra cluster (read)/machine/machinetemplate resources, secrets, pod self-read, events, leases |
+| `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | Role `machine-api-migration` | `openshift-cluster-api` | CAPI Cluster (read), Machine/MachineSet (read/write) + infra cluster/machine/machinetemplate resources, secrets, pod self-read, events, leases |📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| | `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | ClusterRole `openshift-machine-api-migration` | cluster-wide | Cluster-scoped resources: infrastructures, featuregates, clusterversions, CRDs | | |
| | `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | Role `machine-api-migration` | `openshift-cluster-api` | CAPI Cluster (read), Machine/MachineSet + infra cluster (read)/machine/machinetemplate resources, secrets, pod self-read, events, leases | | |
| | `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | Role `machine-api-migration` | `openshift-machine-api` | MAPI machines, machinesets, controlplanemachinesets, secrets, events | | |
| | `0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml` | Role `machine-api-migration` | `openshift-cluster-api` | CAPI Cluster (read), Machine/MachineSet (read/write) + infra cluster/machine/machinetemplate resources, secrets, pod self-read, events, leases | |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/rbac.md` around lines 41 - 43, The RBAC summary for the
`machine-api-migration` Role in `openshift-cluster-api` is mislabeled as
“(read)” even though the manifest grants both read and write verbs. Update the
description in `docs/rbac.md` to reflect the actual permissions from
`0000_30_cluster-api_03_machine-api-migration-rbac-roles.yaml`, using the
`machine-api-migration` Role entry and its Machine/MachineSet permissions as the
reference point.
| spec: | ||
| serviceAccountName: machine-api-migration | ||
| containers: | ||
| - name: machine-api-migration | ||
| image: registry.ci.openshift.org/openshift:cluster-capi-operator | ||
| command: | ||
| - /machine-api-migration | ||
| args: | ||
| - --diagnostics-address=:8443 | ||
| env: | ||
| - name: RELEASE_VERSION | ||
| value: "0.0.1-snapshot" | ||
| ports: | ||
| - containerPort: 8443 | ||
| name: diagnostics | ||
| protocol: TCP | ||
| - containerPort: 9440 | ||
| name: healthz | ||
| protocol: TCP | ||
| resources: | ||
| requests: | ||
| cpu: 10m | ||
| memory: 50Mi | ||
| terminationMessagePolicy: FallbackToLogsOnError | ||
| volumeMounts: | ||
| - name: metrics-cert | ||
| mountPath: /tmp/k8s-metrics-server/serving-certs | ||
| readOnly: true | ||
| nodeSelector: | ||
| node-role.kubernetes.io/control-plane: "" | ||
| priorityClassName: system-cluster-critical | ||
| restartPolicy: Always | ||
| tolerations: | ||
| - key: "node-role.kubernetes.io/master" | ||
| operator: "Exists" | ||
| effect: "NoSchedule" | ||
| - key: "node-role.kubernetes.io/control-plane" | ||
| operator: "Exists" | ||
| effect: "NoSchedule" | ||
| volumes: | ||
| - name: metrics-cert | ||
| secret: | ||
| defaultMode: 420 | ||
| secretName: machine-api-migration-metrics-tls |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Add explicit securityContext, resource limits, and probes to the container spec.
This new Deployment lacks:
- Pod/container
securityContext(readOnlyRootFilesystem: true,allowPrivilegeEscalation: false,capabilities.drop: ["ALL"]). Noterestricted-v2SCC (referenced via theopenshift.io/required-scc: restricted-v2annotation) already drops all capabilities and disallows privilege escalation by default, but it does not enforcereadOnlyRootFilesystem, so this must be set explicitly. resources.limits(onlyrequestsare set).livenessProbe/readinessProbe, despite exposing ahealthzport on 9440.automountServiceAccountToken: false(unless the controller genuinely needs the projected SA token via the pod itself rather than client libraries).
Static analysis flags the missing root-fs/security-context settings (Checkov CKV_K8S_20/CKV_K8S_23, Trivy KSV-0014/KSV-0118).
As per path instructions: "securityContext: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false", "Drop ALL capabilities, add only what is required", "Resource limits (cpu, memory) on every container", "Liveness + readiness probes defined", "automountServiceAccountToken: false unless needed".
🛡️ Proposed fix
spec:
serviceAccountName: machine-api-migration
+ automountServiceAccountToken: false
containers:
- name: machine-api-migration
image: registry.ci.openshift.org/openshift:cluster-capi-operator
command:
- /machine-api-migration
args:
- --diagnostics-address=:8443
env:
- name: RELEASE_VERSION
value: "0.0.1-snapshot"
ports:
- containerPort: 8443
name: diagnostics
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
resources:
requests:
cpu: 10m
memory: 50Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
terminationMessagePolicy: FallbackToLogsOnError🧰 Tools
🪛 Checkov (3.3.2)
[medium] 2-69: Containers should not run with allowPrivilegeEscalation
(CKV_K8S_20)
[medium] 2-69: Minimize the admission of root containers
(CKV_K8S_23)
🪛 Trivy (0.69.3)
[error] 29-53: Root file system is not read-only
Container 'machine-api-migration' of Deployment 'machine-api-migration' should set 'securityContext.readOnlyRootFilesystem' to true
Rule: KSV-0014
(IaC/Kubernetes)
[error] 29-53: Default security context configured
container machine-api-migration in openshift-cluster-api namespace is using the default security context
Rule: KSV-0118
(IaC/Kubernetes)
[error] 26-69: Default security context configured
deployment machine-api-migration in openshift-cluster-api namespace is using the default security context, which allows root privileges
Rule: KSV-0118
(IaC/Kubernetes)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@manifests/0000_30_cluster-api_17_machine-api-migration-deployment.yaml`
around lines 26 - 69, The machine-api-migration Deployment container spec is
missing required hardening and health settings. Update the machine-api-migration
pod/container spec to add an explicit securityContext with
readOnlyRootFilesystem, allowPrivilegeEscalation disabled, and capabilities
dropping all, and set automountServiceAccountToken to false if the controller
does not need the token. Also add resource limits alongside the existing
requests, and define livenessProbe and readinessProbe for the healthz endpoint
exposed by the machine-api-migration container on port 9440.
Sources: Path instructions, Linters/SAST tools
|
/retest |
|
@stefanonardo: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Summary
capi-controllersDeployment (two containers sharing one SA) into two independent Deployments with dedicated ServiceAccounts and least-privilege RBAC:8443(matching all other binaries)Test plan
make buildpassesmake lintpasses (0 issues)make unitpasses (pre-existing crdcompatibility failures excluded)audit2rbacon CI job audit logs to confirm zero 403s for both SAs🤖 Generated with Claude Code
Summary by CodeRabbit