OCPBUGS-10431: allow worker pools to set staticPodPath by relaxing validation to only block control plane pools

[harche]

- What I did
Relaxed the staticPodPath validation to be pool-aware instead of a blanket ban. Worker and custom pools are now allowed to set staticPodPath (e.g. to "") via a KubeletConfig CR, while control plane pools (master, arbiter) remain blocked.

Fixes: https://issues.redhat.com/browse/OCPBUGS-10431

- How to verify it

1. Deploy a cluster with this change
2. Create a KubeletConfig CR targeting worker pools with staticPodPath: "" — it should be accepted
3. Create a KubeletConfig CR targeting master pool with staticPodPath: "" — the controller should reject it with an error condition
4. Verify existing worker and control plane kubelet configs remain unchanged without a KubeletConfig CR override

- Description for the changelog

Allow worker pools to set staticPodPath via KubeletConfig CR to resolve DISA STIG V-242397 compliance finding.

[openshift-ci-robot]

@harche: This pull request references Jira Issue OCPBUGS-10431, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

- What I did
Removed staticPodPath from the worker node kubelet configuration template.

Fixes: https://issues.redhat.com/browse/OCPBUGS-10431

- How to verify it

1. Deploy a cluster with this change
2. SSH into a worker node and verify /etc/kubernetes/kubelet.conf does not contain staticPodPath
3. SSH into a control plane node and verify staticPodPath: /etc/kubernetes/manifests is still present

- Description for the changelog

Remove staticPodPath from worker kubelet config to resolve DISA STIG V-242397 compliance finding.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[harche]

/jira refresh

[openshift-ci-robot]

@harche: This pull request references Jira Issue OCPBUGS-10431, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[harche]

/jira refresh

[openshift-ci-robot]

@harche: This pull request references Jira Issue OCPBUGS-10431, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (schoudha@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[harche]

/retest-required

[harche]

/retest

[harche]

/cc @haircommander

[haircommander]

I think a better alternative would be to relax the validation to allow the worker pool to set its static pod path to "" but not control plane. Is this something you want to try @harche ?

[openshift-ci-robot]

@harche: An error was encountered searching for bug OCPBUGS-10431 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

No response returned: Get "https://issues.redhat.com/rest/api/2/issue/OCPBUGS-10431": GET https://issues.redhat.com/rest/api/2/issue/OCPBUGS-10431 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

- What I did
Removed staticPodPath from the worker node kubelet configuration template.

Fixes: https://issues.redhat.com/browse/OCPBUGS-10431

- How to verify it

1. Deploy a cluster with this change
2. SSH into a worker node and verify /etc/kubernetes/kubelet.conf does not contain staticPodPath
3. SSH into a control plane node and verify staticPodPath: /etc/kubernetes/manifests is still present

- Description for the changelog

Remove staticPodPath from worker kubelet config to resolve DISA STIG V-242397 compliance finding.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b28005b4-19dd-42d3-8c93-ec4670a41b27

📥 Commits

Reviewing files that changed from the base of the PR and between 489498b and cb8c576.

📒 Files selected for processing (4)

• pkg/controller/kubelet-config/helpers.go
• pkg/controller/kubelet-config/kubelet_config_bootstrap.go
• pkg/controller/kubelet-config/kubelet_config_controller.go
• pkg/controller/kubelet-config/kubelet_config_controller_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/controller/kubelet-config/helpers.go
• pkg/controller/kubelet-config/kubelet_config_controller_test.go
• pkg/controller/kubelet-config/kubelet_config_controller.go

---

Walkthrough

Adds pool-aware validation that rejects non-empty Kubelet StaticPodPath per-pool during bootstrap and sync; introduces a helper to enforce this and updates tests accordingly.

Changes

Cohort / File(s)	Summary
Core Validation Logic pkg/controller/kubelet-config/helpers.go	Added validateStaticPodPathForPool(cfg *mcfgv1.KubeletConfig, poolName string) error which decodes the KubeletConfig and enforces that StaticPodPath must be empty for control-plane (Master/Arbiter) and other pools.
Workflow Integration pkg/controller/kubelet-config/kubelet_config_bootstrap.go, pkg/controller/kubelet-config/kubelet_config_controller.go	Call validateStaticPodPathForPool() in RunKubeletBootstrap and syncKubeletConfig per-pool, returning errors/status updates early when validation fails.
Tests pkg/controller/kubelet-config/kubelet_config_controller_test.go	Removed the previous denylist test case for StaticPodPath; added TestStaticPodPathPoolValidation to assert validation behavior across Master, Arbiter, Worker, and custom pools.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can customize the high-level summary generated by CodeRabbit.

Configure the reviews.high_level_summary_instructions setting to provide custom instructions for generating the high-level summary.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: harche
Once this PR has been reviewed and has the lgtm label, please assign rishabhsaini for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@harche: An error was encountered searching for bug OCPBUGS-10431 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

No response returned: Get "https://issues.redhat.com/rest/api/2/issue/OCPBUGS-10431": GET https://issues.redhat.com/rest/api/2/issue/OCPBUGS-10431 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

- What I did
Relaxed the staticPodPath validation to be pool-aware instead of a blanket ban. Worker and custom pools are now allowed to set staticPodPath (e.g. to "") via a KubeletConfig CR, while control plane pools (master, arbiter) remain blocked.

Fixes: https://issues.redhat.com/browse/OCPBUGS-10431

- How to verify it

1. Deploy a cluster with this change
2. Create a KubeletConfig CR targeting worker pools with staticPodPath: "" — it should be accepted
3. Create a KubeletConfig CR targeting master pool with staticPodPath: "" — the controller should reject it with an error condition
4. Verify existing worker and control plane kubelet configs remain unchanged without a KubeletConfig CR override

- Description for the changelog

Allow worker pools to set staticPodPath via KubeletConfig CR to resolve DISA STIG V-242397 compliance finding.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/controller/kubelet-config/helpers.go`:
- Around line 393-406: The validation currently only rejects non-empty
kcDecoded.StaticPodPath for control-plane pools; update
validateStaticPodPathForPool so any non-empty StaticPodPath is rejected
(workers/custom pools may only set it to the empty string to disable static
pods). Specifically, in validateStaticPodPathForPool, after DecodeKubeletConfig
and checking kcDecoded.StaticPodPath, return an error whenever
kcDecoded.StaticPodPath != "" (include poolName and kcDecoded.StaticPodPath in
the message) instead of restricting the check to
ctrlcommon.MachineConfigPoolMaster/Arbiter.

In `@pkg/controller/kubelet-config/kubelet_config_controller.go`:
- Around line 600-605: The current for-loop validates each mcp pool inside the
same loop that later mutates MachineConfigs, which can cause partial updates if
a later pool fails; change the logic to perform a two-phase approach: first
iterate over mcpPools and call validateStaticPodPathForPool(cfg, role) for every
pool and short-circuit by returning ctrl.syncStatusOnly(cfg, err) on the first
validation error, and only if all validations pass proceed to the existing
apply/mutation loop that updates MachineConfigs; ensure you reference the same
cfg, mcpPools, validateStaticPodPathForPool, and ctrl.syncStatusOnly symbols so
that validation is fully separated from mutation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5d85d52c-1731-4652-b443-c22182afe04d

📥 Commits

Reviewing files that changed from the base of the PR and between 74fef05 and 489498b.

📒 Files selected for processing (4)

• pkg/controller/kubelet-config/helpers.go
• pkg/controller/kubelet-config/kubelet_config_bootstrap.go
• pkg/controller/kubelet-config/kubelet_config_controller.go
• pkg/controller/kubelet-config/kubelet_config_controller_test.go

[openshift-ci-robot]

@harche: An error was encountered searching for bug OCPBUGS-10431 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

No response returned: Get "https://issues.redhat.com/rest/api/2/issue/OCPBUGS-10431": GET https://issues.redhat.com/rest/api/2/issue/OCPBUGS-10431 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

- What I did
Relaxed the staticPodPath validation to be pool-aware instead of a blanket ban. Worker and custom pools are now allowed to set staticPodPath (e.g. to "") via a KubeletConfig CR, while control plane pools (master, arbiter) remain blocked.

Fixes: https://issues.redhat.com/browse/OCPBUGS-10431

- How to verify it

1. Deploy a cluster with this change
2. Create a KubeletConfig CR targeting worker pools with staticPodPath: "" — it should be accepted
3. Create a KubeletConfig CR targeting master pool with staticPodPath: "" — the controller should reject it with an error condition
4. Verify existing worker and control plane kubelet configs remain unchanged without a KubeletConfig CR override

- Description for the changelog

Allow worker pools to set staticPodPath via KubeletConfig CR to resolve DISA STIG V-242397 compliance finding.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[harche]

/retest-required

[haircommander]

couldn't this error be covered by the above error case? why do we need different errors for different pool names (especially when we embed pool name in error)

[haircommander]

why not closer to where we get the mcpPools (587 or so)?

[openshift-ci]

@harche: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.