Skip to content

Validate OS not windows for PodLevelResources in API server #132627

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Validate OS not windows for PodLevelResources in API server #132627

wants to merge 1 commit into from

Conversation

annasong20
Copy link

Reject Pod with PodLevelResources in spec if Pod targets Windows OS.

What type of PR is this?

/kind bug

What this PR does / why we need it:

Adds check to API server to reject Pod with PodLevelResources if Pod targets Windows OS.

Which issue(s) this PR is related to:

Addresses API server portion of #132582.
PodLevelResources KEP that documents this behavior: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2837-pod-level-resource-spec/README.md#future-kep-consideration-in-135-support-for-windows.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Added validation in the API server to reject Pods with `PodLevelResources` that target the Windows OS in the `Pod.spec.os.name` field. `PodLevelResources` are not yet supported on Windows.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [Usage]: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#example-2

@annasong20
Check OS for PodLevelResources in API server
081b345 
Reject Pod with PodLevelResources in spec if Pod targets Windows OS.
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 30, 2025
@k8s-ci-robot k8s-ci-robot requested review from pwittrock and sttts June 30, 2025 16:42
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: annasong20
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added sig/apps Categorizes an issue or PR as relevant to SIG Apps. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 30, 2025
@github-project-automation github-project-automation bot moved this to Needs Triage in SIG Apps Jun 30, 2025
@annasong20
Copy link
Author

/sig node

@k8s-ci-robot k8s-ci-robot added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Jun 30, 2025
@annasong20
Copy link
Author

/assign @ndixita

annasong20
annasong20 commented Jun 30, 2025
View reviewed changes
pkg/apis/core/validation/validation.go
if spec.OS != nil && spec.OS.Name == core.Windows {
// Do not include more detailed errors on the resources field value
// if the resources field cannot be set on the target OS.
return field.ErrorList{
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LMK if I should append the error instead.

pkg/apis/core/validation/validation_test.go
podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("100m", "200Mi", "", "")}),
podtest.SetContainers(podtest.MakeContainer("container")),
podtest.SetOS(core.Linux),
),
}
for k, v := range successCases {
t.Run(k, func(t *testing.T) {
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StrictIPCIDRValidation, true)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI I found it interesting that I didn't need to enable the PodLevelResources feature gate in this test.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed. That’s because only StrictIPCIDRValidation checks the FeatureGate directly inside the validation code.

kubernetes/pkg/apis/core/validation/validation.go

Line 8863 in b3341bd

return validation.IsValidIPForLegacyField(fldPath, value, utilfeature.DefaultFeatureGate.Enabled(features.StrictIPCIDRValidation), validOldIPs)

For other features, the FeatureGate is checked when creating PodValidationOptions, which is then passed to the validation logic. So if we can pass PodValidationOptions directly in unit tests, we don’t need to use featuregatetesting.SetFeatureGateDuringTest.

kubernetes/pkg/api/pod/util.go

Line 422 in 081b345

PodLevelResourcesEnabled: utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources),

@ndixita
Copy link
Contributor

ndixita commented Jun 30, 2025

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 30, 2025
@ndixita
Copy link
Contributor

ndixita commented Jun 30, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jun 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@toVersus toVersus toVersus left review comments

@pwittrock pwittrock Awaiting requested review from pwittrock

@sttts sttts Awaiting requested review from sttts

Assignees

@ndixita ndixita

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Apps
Status: Needs Triage
SIG Node: code and documentation PRs
Status: Triage
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@annasong20 @k8s-ci-robot @ndixita @toVersus