QiWang19 (Member) commented Nov 6, 2025

- What I did

Added logic to check if the resource openshift is customer-created and update the cluster operator status Upgradeable=False accordingly. The openshift CIP is cluster-managed, reserved for release payload verification. This prevents upgrades when a conflicting policy is detected.

This check needs to be backported to 4.20.z as we plan to GA openshift ClusterImagePolicy (openshift/cluster-update-keys#85) in 4.21.

- How to verify it

  1. Launch a cluster with this patch: 4.21.0-0.nightly-2025-11-05-234508, openshift/machine-config-operator#5395 (gcp)
  2. Apply a ClusterImagePolicy named openshift:

```shell
oc create -f clusterimgpolicycr.yaml
```

```yaml
# clusterimgpolicycr.yaml
apiVersion: config.openshift.io/v1
kind: ClusterImagePolicy
metadata:
  name: openshift
spec:
  scopes:
  - "example.com/test"
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFVW9GVW9ZQVJlS1hHeTU5eGU1U1FPazJhSjhvKwoyL1l6NVk4R2NOM3pGRTZWaUl2a0duSGhNbEFoWGFYL2JvME05UjYyczAvNnErK1Q3dXdORnVPZzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
    signedIdentity:
      matchPolicy: RemapIdentity
      remapIdentity:
        prefix: example.com
        signedPrefix: mirror.com
```

```
$ oc get clusterimagepolicy
NAME        AGE
openshift   3m11s
```

  3. Check that the upgrade status has Upgradeable=False:

```
$ oc adm upgrade
Cluster version is 4.21.0-0-2025-11-07-142257-test-ci-ln-6zj1wdt-latest

Upgradeable=False

  Reason: ConflictingClusterImagePolicy
  Message: Cluster operator machine-config should not be upgraded between minor versions: ClusterImagePolicy resource named 'openshift' conflicts with the cluster default ClusterImagePolicy object and blocks upgrades. Please delete the 'openshift' ClusterImagePolicy resource and reapply it with a different name if needed

warning: Cannot display available updates:
  Reason: NoChannel
  Message: The update channel has not been configured.
```

```
$ oc describe co

Name:         machine-config
Namespace:    
Labels:       <none>
Annotations:  exclude.release.openshift.io/internal-openshift-hosted: true
              include.release.openshift.io/self-managed-high-availability: true
              include.release.openshift.io/single-node-developer: true
API Version:  config.openshift.io/v1
Kind:         ClusterOperator
Metadata:
  Creation Timestamp:  2025-11-07T14:38:17Z
  Generation:          1
  Owner References:
    API Version:     config.openshift.io/v1
    Controller:      true
    Kind:            ClusterVersion
    Name:            version
    UID:             ca29e303-4d5f-4199-b400-5af02af7c412
  Resource Version:  36347
  UID:               b83c6e38-f19f-452a-a5cb-711c91b056ae
Spec:
Status:
  Conditions:
    ...
    Last Transition Time:  2025-11-07T15:20:35Z
    Message:               ClusterImagePolicy resource named 'openshift' conflicts with the cluster default ClusterImagePolicy object and blocks upgrades. Please delete the 'openshift' ClusterImagePolicy resource and reapply it with a different name if needed
    Reason:                ConflictingClusterImagePolicy
    Status:                False
    Type:                  Upgradeable
    ...
```

- Description for the changelog

Implement upgrade blocking for conflicting ClusterImagePolicy named "openshift"


Added logic to check if the resource is customer-created and update the cluster operator status Upgradeable=False  accordingly. This prevents upgrades when a conflicting policy is detected.

This check needs to be backported to 4.20.z as we plan to GA `openshift` ClusterImagePolicy in 4.21.
Signed-off-by: Qi Wang <[email protected]>
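As an added illustration of the guard the description above says this PR implements (example code written for this page, not the PR's change or the machine-config-operator's real types), the sketch below takes a set of ClusterImagePolicy objects and produces the Upgradeable condition with the Reason and Message shown in the verification output. It assumes, since the PR does not show the operator's criterion, that the reserved `openshift` object counts as cluster-managed only when its spec matches what the operator itself renders (`ManagedSpec()`, a constructed placeholder); `ImagePolicySpec`, `Condition` and `UpgradeableCondition` are names invented here.

```go
package main

import (
	"fmt"
	"reflect"
)

// Minimal stand-ins for config.openshift.io/v1 ClusterImagePolicy fields and a
// ClusterOperator status condition; the real types live in openshift/api.
type ImagePolicySpec struct {
	Scopes     []string
	PolicyType string // rootOfTrust.policyType, e.g. "PublicKey"
	KeyData    string // rootOfTrust.publicKey.keyData (base64)
}

type ClusterImagePolicy struct {
	Name string
	Spec ImagePolicySpec
}

type Condition struct {
	Type, Status, Reason, Message string
}
const ReservedName = "openshift" // name reserved for release payload verification

// ManagedSpec is a constructed stand-in for the spec the operator renders for the
// reserved policy; the real scopes and key are not shown in the PR.
func ManagedSpec() ImagePolicySpec {
	return ImagePolicySpec{
		Scopes:     []string{"example.com/release-payload-placeholder"},
		PolicyType: "PublicKey",
		KeyData:    "PLACEHOLDER-RELEASE-KEY",
	}
}

// isCustomerCreated assumes (not stated in the PR) that the reserved name is cluster-managed
// only when its spec equals ManagedSpec(); any other spec under that name is customer-created.
func isCustomerCreated(p ClusterImagePolicy) bool {
	return p.Name == ReservedName && !reflect.DeepEqual(p.Spec, ManagedSpec())
}

// UpgradeableCondition returns the Upgradeable condition the machine-config
// ClusterOperator would report for the given set of policies.
func UpgradeableCondition(policies []ClusterImagePolicy) Condition {
	for _, p := range policies {
		if isCustomerCreated(p) {
			return Condition{
				Type:    "Upgradeable",
				Status:  "False",
				Reason:  "ConflictingClusterImagePolicy",
				Message: fmt.Sprintf("ClusterImagePolicy resource named '%s' conflicts with the cluster default ClusterImagePolicy object and blocks upgrades. Please delete the '%s' ClusterImagePolicy resource and reapply it with a different name if needed", p.Name, p.Name),
			}
		}
	}
	return Condition{Type: "Upgradeable", Status: "True"} // no conflict; reason left empty here
}

func main() {
	// Constructed input: the customer policy from the PR's verification step (key shortened).
	customer := ClusterImagePolicy{Name: "openshift", Spec: ImagePolicySpec{
		Scopes: []string{"example.com/test"}, PolicyType: "PublicKey", KeyData: "CUSTOMER-TEST-KEY"}}
	c := UpgradeableCondition([]ClusterImagePolicy{customer})
	fmt.Printf("%s=%s Reason=%s\n%s\n", c.Type, c.Status, c.Reason, c.Message)
}
```

Renaming the customer policy to anything other than `openshift`, as the condition message asks, clears the block while the managed policy stays in place.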
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 6, 2025
openshift-ci bot (Contributor) commented Nov 6, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci bot (Contributor) commented Nov 6, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: QiWang19
Once this PR has been reviewed and has the lgtm label, please assign rishabhsaini for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

QiWang19 (Member, Author) commented Nov 6, 2025

/test all

@QiWang19 QiWang19 changed the title Implement upgrade blocking for conflicting ClusterImagePolicy named "openshift" OCPNODE-3769: Implement upgrade blocking for conflicting ClusterImagePolicy named "openshift" Nov 6, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 6, 2025
openshift-ci-robot (Contributor) commented Nov 6, 2025

@QiWang19: This pull request references OCPNODE-3769 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot (Contributor) commented Nov 7, 2025

@QiWang19: This pull request references OCPNODE-3769 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.


@QiWang19 QiWang19 marked this pull request as ready for review November 7, 2025 01:02
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 7, 2025
openshift-ci bot (Contributor) commented Nov 7, 2025

@QiWang19: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/bootstrap-unit | daaf4bc | link | false | /test bootstrap-unit |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


QiWang19 (Member, Author) commented Nov 7, 2025

/verified by @QiWang19

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 7, 2025
openshift-ci-robot (Contributor) commented

@QiWang19: This PR has been marked as verified by @QiWang19.




@QiWang19 QiWang19 closed this Nov 7, 2025
QiWang19 (Member, Author) commented Nov 7, 2025

Close this PR, only need this guard in 4.20: #5397
