WIP: debug rebase + patch #2687
The fast-delete pod status tests currently require the intentionally failing "fail" container to report exit code 1. In CI, some runtimes occasionally report exit code 2 with reason=Error even though the tested invariant still holds: the container failed and the blocked workload container never started.
The latest dims/test-k8s failure on master showed exactly that state: the pod remained Failed, Initialized=False, the blocked container reported started=false, and only the failing init container drifted from exit 1 to exit 2. This matches kubernetes/kubernetes issue 135713 and the related pending-container history in PR 131605.
Accept exit code 2 in this verifier so the test continues to assert the behavior it is meant to cover instead of a lower-layer exit-code detail.
Fixes issue 135713
Tested:
- hack/verify-gofmt.sh
- hack/verify-test-code.sh
- hack/verify-typecheck.sh ./test/e2e/node/...
- go test ./test/e2e/node -run TestNonExistent -count=1
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Replace plain bool with sync/atomic.Bool for the useStreaming field in remoteRuntimeService and remoteImageService to eliminate a data race when multiple goroutines concurrently read/write the field during Unimplemented fallback. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
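The fallback pattern this commit message describes, as an added example that is not the project's code: `runtimeClient`, `errUnimplemented` and the pod names are hypothetical stand-ins for `remoteRuntimeService`, a gRPC Unimplemented status and real runtime output. Concurrent callers read and clear the flag through `atomic.Bool`, so the one-way switch to the unary path has no unsynchronized access.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
)

// errUnimplemented stands in for a gRPC Unimplemented status (assumption).
var errUnimplemented = errors.New("unimplemented")

// runtimeClient is a hypothetical stand-in for remoteRuntimeService.
type runtimeClient struct {
	useStreaming atomic.Bool // read and written by concurrent callers
	streamCalls  atomic.Int64
	unaryCalls   atomic.Int64
}

func newRuntimeClient() *runtimeClient {
	c := &runtimeClient{}
	c.useStreaming.Store(true)
	return c
}

// listStreaming models a runtime that does not implement the streaming RPC.
func (c *runtimeClient) listStreaming() ([]string, error) {
	c.streamCalls.Add(1)
	return nil, errUnimplemented
}

// listUnary models the older unary RPC, which always works here.
func (c *runtimeClient) listUnary() ([]string, error) {
	c.unaryCalls.Add(1)
	return []string{"pod-a", "pod-b"}, nil // constructed sample data
}

// ListPods tries the streaming RPC while the flag is set and switches to
// the unary RPC for good once the runtime answers Unimplemented.
func (c *runtimeClient) ListPods() ([]string, error) {
	if c.useStreaming.Load() {
		pods, err := c.listStreaming()
		if err == nil {
			return pods, nil
		}
		if !errors.Is(err, errUnimplemented) {
			return nil, err
		}
		// Several goroutines may reach this line at once; with a plain
		// bool this write would race with the Load above.
		c.useStreaming.Store(false)
	}
	return c.listUnary()
}

// runConcurrent calls ListPods from n goroutines and returns how many
// calls succeeded with the expected two pods.
func runConcurrent(c *runtimeClient, n int) int {
	var wg sync.WaitGroup
	var ok atomic.Int64
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if pods, err := c.ListPods(); err == nil && len(pods) == 2 {
				ok.Add(1)
			}
		}()
	}
	wg.Wait()
	return int(ok.Load())
}

func main() {
	c := newRuntimeClient()
	ok := runConcurrent(c, 64)
	fmt.Printf("ok=%d streaming=%v streamCalls=%d unaryCalls=%d\n",
		ok, c.useStreaming.Load(), c.streamCalls.Load(), c.unaryCalls.Load())
}
```

Building the same code with a plain `bool` field and running it under `go run -race` is the quickest way to see the report the commit is fixing.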
…logquery-lock-defualt [FeatureGate] Promote NodeLogQuery to GA in v1.36 and lock default to `true`
…-flake Set WithSerial on HPA tests that conflict api registration
…able-tolerance-e2e-deterministic-cpu-load fix: [sig-autoscaling] flaky HPAConfigurableTolerance e2e should scale up but should not scale down
…-pod-status-exit-2 test/e2e/node: tolerate exit code 2 in pod status flake
gRPC defaults to the DNS resolver for bare targets passed to NewClient. For CRI socket endpoints, GetAddressAndDialer returns a socket path plus a custom dialer, but handing the bare path to grpc.NewClient still lets gRPC resolve the target first. That breaks unix socket clients with errors like "name resolver error: produced zero addresses" before the custom dialer ever sees the raw path.
Use the passthrough resolver for socket-style addresses so the runtime and image clients hand the original endpoint directly to the custom dialer. Add a regression test for unix sockets, Windows named pipes, and TCP addresses.
Precedent:
https://github.com/etcd-io/etcd/blob/v3.3.27/clientv3/client.go#L266-L270
https://github.com/grpc/grpc-go/blob/v1.72.2/dialoptions.go#L448-L451
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
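The target handling this commit message describes, as an added standard-library example that is neither the Kubernetes nor the grpc-go code: `pickResolver` is a simplified model of how grpc.NewClient chooses a resolver scheme, `passthroughTarget` is a hypothetical helper, and the sample addresses are constructed. It shows a bare socket path, a named pipe path and a TCP address all falling to the default DNS resolver, and the same addresses reaching the dialer unchanged once prefixed with `passthrough:///`.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// knownSchemes is the subset of resolver schemes this model knows about.
// Assumption: only "dns" and "passthrough" matter for the cases shown.
var knownSchemes = map[string]bool{"dns": true, "passthrough": true}

// pickResolver models the scheme selection for a NewClient target:
// the target is parsed as a URL; if that fails or the scheme has no
// resolver, the default scheme "dns" is used and the whole target
// string becomes the name to resolve. Otherwise the endpoint is the
// URL path (or opaque part) with one leading slash removed.
func pickResolver(target string) (scheme, endpoint string) {
	u, err := url.Parse(target)
	if err != nil || !knownSchemes[u.Scheme] {
		return "dns", target
	}
	ep := u.Path
	if ep == "" {
		ep = u.Opaque
	}
	return u.Scheme, strings.TrimPrefix(ep, "/")
}

// passthroughTarget wraps a raw dialer address so that no name
// resolution is attempted and the address reaches the custom dialer
// exactly as given.
func passthroughTarget(addr string) string {
	return "passthrough:///" + addr
}

func main() {
	// Constructed sample addresses of the three kinds the commit's
	// regression test names: unix socket, Windows named pipe, TCP.
	addrs := []string{
		"/run/containerd/containerd.sock",
		"//./pipe/containerd-containerd",
		"127.0.0.1:10010",
	}
	for _, a := range addrs {
		s1, e1 := pickResolver(a)
		s2, e2 := pickResolver(passthroughTarget(a))
		fmt.Printf("bare %-34q -> %s resolves %q\n", a, s1, e1)
		fmt.Printf("     %-34q -> %s hands dialer %q\n", passthroughTarget(a), s2, e2)
	}
}
```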
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
…nt-unix-socket-dialing cri-client: use passthrough resolver for socket endpoints
KEP-5729: DRA: ResourceClaim Support for Workloads
…v1alpha2 Add workload aware preemption
…g-fixes [InPlacePodLevelResourcesVerticalScaling] Plr ippr kubelet bug fixes
[InPlacePodLevelResourcesVerticalScaling] Ippr flaky test
[PodLevelResources] Graduate InPlacePodLevelResourcesVerticalScaling feature to beta
cri-client: use atomic.Bool for useStreaming to fix data race
Fix restartable init container startup race
Fix user namespace test cleanup race
This reverts commit 4a69899.
Co-authored-by: Omar Sayed <omarsayed@google.com>
…rces is set to false
…er_manager_linux_test.go Squash into: UPSTREAM: <carry>: disable load balancing on created cgroups when managed is enabled
…s in flagz_test.go and statusz_test.go
Squash into: UPSTREAM: <carry>: apiserver: add system_client=kube-{apiserver,cm,s} to apiserver_request_total
…acheGC is enabled Squash into UPSTREAM: <carry>: create termination events
Squash into: UPSTREAM: <carry>: add management support to kubelet
Signed-off-by: jubittajohn <jujohn@redhat.com>
… driver when not enabled The upstream csi-hostpath-plugin.yaml manifest now includes a csi-snapshot-metadata sidecar container and volume (added in k/k#130918). Upstream PR k/k#137057 added conditional stripping of these when CapSnapshotMetadata is not enabled, but only for the upstream hostpathCSIDriver. The OpenShift-specific groupSnapshotHostpathCSIDriver was never updated, causing the driver pod to fail with "secret csi-snapshot-metadata-server-certs not found" and all csi-hostpath-groupsnapshot tests to fail in techpreview jobs. Signed-off-by: jubittajohn <jujohn@redhat.com>
Signed-off-by: Sai Ramesh Vanka <svanka@redhat.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
Walkthrough
This PR updates Kubernetes OpenAPI v3 specifications and API discovery metadata to support sharded list/watch operations via a new
Changes
ShardedListAndWatch Feature Implementation
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
/test e2e-aws-ovn-techpreview-serial-1of2
Actionable comments posted: 10
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json (1)
224-281: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift
Preserve the legacy PodCertificateRequestSpec shape in the published schema.
Lines 225 and 240 describe pkixPublicKey + proofOfPossession as a deprecated path that is still valid when stubPKCS10Request is not set, but Lines 273-281 make stubPKCS10Request unconditionally required. That removes the legacy request shape from the v1beta1 contract and will cause generated clients/validators to reject requests the field descriptions still imply are accepted. Either model both accepted shapes explicitly or keep the legacy pair valid until the version changes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json` around lines 224 - 281, The published OpenAPI for PodCertificateRequestSpec currently makes stubPKCS10Request unconditionally required which breaks the legacy shape (pkixPublicKey + proofOfPossession); update the schema for PodCertificateRequestSpec to explicitly model both accepted shapes instead of a single required list — replace the flat "required" array with an anyOf (or oneOf) that has two object schemas: one schema requiring stubPKCS10Request plus the common required fields (signerName, podName, podUID, serviceAccountName, serviceAccountUID, nodeName, nodeUID) and a second schema requiring pkixPublicKey and proofOfPossession plus the same common required fields; ensure field descriptions for pkixPublicKey and proofOfPossession remain unchanged and reference the same property names so generated clients/validators accept both legacy and CSR-based requests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.gitignore:
- Around line 110-113: Update the .gitignore TODO so it references the existing
open PR instead of a generic TODO: mention the WIP PR title “UPSTREAM: <carry>:
add AGENTS.md for AI code contributions” and clarify that AGENTS.md and
AGENTS.override.md are intentionally ignored until that PR merges, then remove
these entries; edit the AGENTS.md and AGENTS.override.md lines/comments in
.gitignore to include the PR reference and a removal note so future reviewers
know why these files are excluded and when to delete the rules.
In `@api/openapi-spec/README.md`:
- Around line 59-60: The README text incorrectly uses the extension name
x-kubernetes-list-maps-keys; update that string to the correct extension
x-kubernetes-list-map-keys wherever it appears in the new docs section (the
sentence describing Operations and Definitions and the sentence referencing
x-kubernetes-list-type = map) so the documentation consistently references
x-kubernetes-list-map-keys and avoids confusion for consumers.
In
`@api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json`:
- Around line 1332-1340: The OpenAPI parameter "shardSelector" is incorrectly
documented for the deletecollection routes (parameter name "shardSelector" in
the query schema) as "restricts the list of returned objects" even though
deletecollection returns Status and the selector would affect which objects are
deleted; update the spec to either remove the "shardSelector" parameter from the
deletecollection operations or regenerate the API spec from the authoritative
source that documents delete semantics correctly so that "shardSelector" is
absent (or has a correct description) for the deletecollection routes; look for
the parameter object with "name": "shardSelector" and remove it (or correct its
description and semantics) in the deletecollection operation definitions.
- Around line 769-775: The OpenAPI exposes ListMeta.shardInfo but watch
endpoints still return a plain WatchEvent with no shard metadata, breaking the
sharded list/watch contract; either include shardInfo in the watch stream (e.g.,
extend the WatchEvent schema so the object for BOOKMARK events is a ListMeta
that includes shardInfo, or add shardInfo to the WatchEvent object schema) or
remove/disable advertising shardSelector on all watch routes referenced in this
spec (the WatchEvent schema, the BOOKMARK/bookmark path handling, and the
ListMeta.shardInfo usage). Update the OpenAPI components/schemas for WatchEvent
and any bookmark event object to reference
io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta including shardInfo, or remove
shardSelector from the watch operation parameter definitions to keep them
consistent.
In `@api/openapi-spec/v3/apis__apps__v1_openapi.json`:
- Around line 6447-6454: The shardSelector query parameter's schema incorrectly
includes "uniqueItems" on a type: "string" schema; remove the "uniqueItems":
true property from the shardSelector schema so it emits a plain string schema
for every shardSelector occurrence (look for the "shardSelector" parameter
definition and its "schema" object in the OpenAPI emitter/templating code or the
generated fragment and delete the uniqueItems key).
In `@api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json`:
- Line 135: Update the description text for TokenReviewStatus.audiences to
consistently use the plural field name "status.audiences" (not
"status.audience"); edit the description string that currently references
"status.audience" so it reads "status.audiences" and ensure any surrounding text
still makes grammatical sense with the plural form; locate the description
associated with TokenReviewStatus.audiences (references to spec.audiences and
status.audiences in the same sentence) and perform the single-word fix.
In `@api/openapi-spec/v3/apis__authorization.k8s.io__v1_openapi.json`:
- Line 68: Replace the inaccurate phrase "standard list metadata" with "standard
object's metadata" in the OpenAPI description for metadata properties;
specifically update the JSON schema descriptions that contain the exact string
"metadata is the standard list metadata. More info: ..." so each "metadata"
property (the ObjectMeta references) uses "metadata is the standard object's
metadata. More info: ..." instead, ensuring all occurrences mentioned in the
review (the metadata description at the top-level and the other schema entries)
are updated to maintain consistency.
In `@api/openapi-spec/v3/apis__autoscaling__v1_openapi.json`:
- Around line 68-70: The OpenAPI contract erroneously marks
HorizontalPodAutoscaler.spec as required and adds a non-upstream shardSelector
parameter to the collection delete operation; remove "spec" from the required
array of the HorizontalPodAutoscaler schema and delete the shardSelector
parameter entry from the
deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler operation so the
spec matches upstream autoscaling/v1 (look for the "required": ["spec"] array
and the operation named
deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler and remove the
shardSelector parameter).
In `@api/openapi-spec/v3/apis__batch__v1_openapi.json`:
- Around line 2982-2998: The PodSchedulingGroup schema currently allows an empty
object despite the comment “Exactly one field must be specified”; update the
schema generation so PodSchedulingGroup enforces that podGroupName is required
(or emit an explicit oneOf/required constraint) so {} is invalid for consumers
and generators—modify the source that emits the PodSchedulingGroup definition
(the symbol PodSchedulingGroup and its podGroupName property, and the usage at
PodSpec.schedulingGroup) to include podGroupName in the required array (or
convert the x-kubernetes-unions into an explicit oneOf with required) and regen
the OpenAPI output so the published spec reflects a non-empty object.
In `@api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json`:
- Around line 239-240: The proofOfPosssession description is incorrect and has
typos: update the text for the "proofOfPossession" field to state that the proof
is constructed by signing the ASCII bytes of the pod's UID with the private key
corresponding to pkixPublicKey (not with pkixPublicKey itself), fix "contructed"
to "constructed", remove the duplicated "the the" before the ED25519 spec, and
keep the existing note about deprecation/StubPKCS10Request and
PodCertificateRequest validation intact (refer to symbols proofOfPossession,
pkixPublicKey, StubPKCS10Request, and PodCertificateRequest to locate the
string).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 1f810d74-8d84-4c9e-a84b-6340a285b092
⛔ Files ignored due to path filters (26)
📒 Files selected for processing (274)
💤 Files with no reviewable changes (1)
- api/discovery/apis__scheduling.k8s.io__v1alpha1.json
| # Local agent override file | ||
| AGENTS.override.md | ||
| # TODO: remove once there is a merged AGENTS.md | ||
| AGENTS.md |
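Review bot: The two new ignore patterns, `AGENTS.override.md` and `AGENTS.md`, have no leading slash, so git applies them in every directory of the tree and not only at the repository root. If only the top-level files are meant, anchor them as `/AGENTS.override.md` and `/AGENTS.md`, and give the TODO a reference to the change it is waiting for so the rule is removed when that lands.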
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if AGENTS.md exists and search for related issues/PRs
# Check if AGENTS.md or AGENTS.override.md exist
if [ -f "AGENTS.md" ]; then
  echo "AGENTS.md exists in the repository"
  ls -la AGENTS.md
else
  echo "AGENTS.md does not exist"
fi
if [ -f "AGENTS.override.md" ]; then
  echo "AGENTS.override.md exists locally"
  ls -la AGENTS.override.md
else
  echo "AGENTS.override.md does not exist"
fi
# Search for references to AGENTS in recent commits
echo "=== Recent commits mentioning AGENTS ==="
git log --oneline --all -20 --grep="AGENTS"
# Search for open issues/PRs mentioning AGENTS
echo "=== Open issues/PRs mentioning AGENTS ==="
gh issue list --search "AGENTS" --state open --limit 5
gh pr list --search "AGENTS" --state open --limit 5
Repository: openshift/kubernetes
Length of output: 909
Link the .gitignore AGENTS.md TODO to the existing PR
AGENTS.md (and AGENTS.override.md) does not exist in this repo, so the current temporary ignore rules in .gitignore are still applicable. An open WIP PR titled “UPSTREAM: <carry>: add AGENTS.md for AI code contributions” is already present; update the .gitignore TODO to reference that PR, and remove these entries once AGENTS.md lands.
| Operations and Definitions may have `x-kubernetes-list-maps-keys` if they | ||
| are associated with a [kubernetes resource](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources). `x-kubernetes-list-type` = `map` specifies field names inside each list element to serve as unique keys for the list-as-map. |
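Review bot: The second sentence of the added text makes `x-kubernetes-list-type` = `map` the thing that "specifies field names inside each list element", while the first sentence introduces a different extension, so a reader cannot tell which extension actually carries the key names. Reword so the key-bearing extension is the subject of that sentence and `x-kubernetes-list-type` = `map` is stated as the condition under which it applies.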
Fix extension name typo in the new docs section.
Line 59 says x-kubernetes-list-maps-keys, but the extension is x-kubernetes-list-map-keys. Please align the name to avoid confusion for consumers.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/README.md` around lines 59 - 60, The README text incorrectly
uses the extension name x-kubernetes-list-maps-keys; update that string to the
correct extension x-kubernetes-list-map-keys wherever it appears in the new docs
section (the sentence describing Operations and Definitions and the sentence
referencing x-kubernetes-list-type = map) so the documentation consistently
references x-kubernetes-list-map-keys and avoids confusion for consumers.
| "shardInfo": { | ||
| "allOf": [ | ||
| { | ||
| "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ShardInfo" | ||
| } | ||
| ], | ||
| "description": "shardInfo is set when the list is a filtered subset of the full collection, as selected by a shard selector on the request. It echoes back the selector so clients can verify which shard they received and merge sharded responses. Clients should not cache sharded list responses as a full representation of the collection.\n\nThis is an alpha field and requires enabling the ShardedListAndWatch feature gate." |
Expose shard identity on watch responses, or keep shardSelector off watch routes.
ListMeta.shardInfo now exists so clients can verify which shard they received, but every watch route added here still returns a plain WatchEvent with no equivalent echo of the applied selector. That makes the watch half of this new sharded list/watch contract unverifiable once a client switches from the initial list to a watch. Either surface shard metadata on the watch stream/bookmark path as well, or don't advertise shardSelector on watch endpoints yet.
Also applies to: 994-1006, 1126-1158, 3194-3202, 3374-3382, 3544-3552, 3724-3732
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json`
around lines 769 - 775, The OpenAPI exposes ListMeta.shardInfo but watch
endpoints still return a plain WatchEvent with no shard metadata, breaking the
sharded list/watch contract; either include shardInfo in the watch stream (e.g.,
extend the WatchEvent schema so the object for BOOKMARK events is a ListMeta
that includes shardInfo, or add shardInfo to the WatchEvent object schema) or
remove/disable advertising shardSelector on all watch routes referenced in this
spec (the WatchEvent schema, the BOOKMARK/bookmark path handling, and the
ListMeta.shardInfo usage). Update the OpenAPI components/schemas for WatchEvent
and any bookmark event object to reference
io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta including shardInfo, or remove
shardSelector from the watch operation parameter definitions to keep them
consistent.
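The client-side check that shardInfo is meant to enable, as an added Go example (not code from this PR or from Kubernetes): it validates shardRange bounds, confirms that a set of shards covers [0x0, 0x10000000000000000) with no gap or overlap before sharded responses are merged, and tests whether a key hashes into a range. Hashing the raw bytes of the UID string with 64-bit FNV-1a is an assumption, and the names ShardRange, NewShardRange, Contains and CheckPartition are hypothetical.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"math/big"
	"sort"
	"strings"
)

// hashSpaceEnd is 2^64, the exclusive upper bound of the full range. It does
// not fit in a uint64, so bounds are kept as big.Int values.
var hashSpaceEnd = new(big.Int).Lsh(big.NewInt(1), 64)

// ShardRange is one [Start, End) interval of the 64-bit hash space.
type ShardRange struct{ Start, End *big.Int }

// parseBound accepts "0x" followed by 1 to 17 hex digits with a value <= 2^64.
func parseBound(s string) (*big.Int, error) {
	if !strings.HasPrefix(s, "0x") || len(s) < 3 || len(s) > 19 {
		return nil, fmt.Errorf("bound %q: want 0x-prefixed hex", s)
	}
	for _, c := range s[2:] {
		if !strings.ContainsRune("0123456789abcdefABCDEF", c) {
			return nil, fmt.Errorf("bound %q: non-hex digit %q", s, c)
		}
	}
	v, _ := new(big.Int).SetString(s[2:], 16)
	if v.Cmp(hashSpaceEnd) > 0 {
		return nil, fmt.Errorf("bound %q exceeds 2^64", s)
	}
	return v, nil
}

// NewShardRange validates one (hexStart, hexEnd) pair of a shardRange() call.
func NewShardRange(hexStart, hexEnd string) (ShardRange, error) {
	start, err := parseBound(hexStart)
	if err != nil {
		return ShardRange{}, err
	}
	end, err := parseBound(hexEnd)
	if err != nil {
		return ShardRange{}, err
	}
	if start.Cmp(end) >= 0 {
		return ShardRange{}, fmt.Errorf("empty range [%s, %s)", hexStart, hexEnd)
	}
	return ShardRange{Start: start, End: end}, nil
}

// Contains reports whether key hashes into the range.
// Assumption: the hash input is the raw bytes of the key string.
func (r ShardRange) Contains(key string) bool {
	h := fnv.New64a()
	h.Write([]byte(key))
	v := new(big.Int).SetUint64(h.Sum64())
	return v.Cmp(r.Start) >= 0 && v.Cmp(r.End) < 0
}

// CheckPartition returns nil only if the ranges cover [0, 2^64) exactly once.
func CheckPartition(ranges []ShardRange) error {
	sorted := append([]ShardRange(nil), ranges...) // leave the caller's slice untouched
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Start.Cmp(sorted[j].Start) < 0 })
	cursor := new(big.Int) // next hash value that still needs an owner
	for _, r := range sorted {
		switch r.Start.Cmp(cursor) {
		case 1:
			return fmt.Errorf("gap: [0x%x, 0x%x) is not covered", cursor, r.Start)
		case -1:
			return fmt.Errorf("overlap: range starting at 0x%x begins before 0x%x", r.Start, cursor)
		}
		cursor = r.End
	}
	if cursor.Cmp(hashSpaceEnd) != 0 {
		return fmt.Errorf("gap: [0x%x, 0x%x) is not covered", cursor, hashSpaceEnd)
	}
	return nil
}

func main() {
	// The 2-shard split from the parameter description.
	a, _ := NewShardRange("0x0000000000000000", "0x8000000000000000")
	b, _ := NewShardRange("0x8000000000000000", "0x10000000000000000")
	fmt.Println("both shards:", CheckPartition([]ShardRange{a, b}))
	fmt.Println("one shard only:", CheckPartition([]ShardRange{a}))
	uid := "11111111-2222-3333-4444-555555555555" // constructed UID
	fmt.Println("uid in shard 0:", a.Contains(uid), "in shard 1:", b.Contains(uid))
}
```

A merge step that runs CheckPartition over the selectors echoed in each response's shardInfo can refuse to treat the union as the full collection when a shard is missing or counted twice.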
| { | ||
| "description": "shardSelector restricts the list of returned objects using a CEL-based shard selector expression. The format uses the shardRange() function combined with || (logical OR) to specify one or more hash ranges:\n\n shardRange(object.metadata.uid, '0x0', '0x8000000000000000')\n shardRange(object.metadata.uid, '0x0', '0x8000000000000000') || shardRange(object.metadata.uid, '0x8000000000000000', '0x10000000000000000')\n\nField paths use CEL-style object-rooted syntax (e.g. \"object.metadata.uid\"), NOT the fieldSelector format (\"metadata.uid\"). Currently supported paths:\n - object.metadata.uid\n - object.metadata.namespace\n\nhexStart and hexEnd are single-quoted CEL string literals with a '0x' prefix, defining the inclusive lower and exclusive upper bounds over the 64-bit FNV-1a hash space. The full range is [0x0, 0x10000000000000000), where the exclusive upper bound equals 2^64.\n\nExamples:\n 2-shard split:\n shard 0: shardRange(object.metadata.uid, '0x0000000000000000', '0x8000000000000000')\n shard 1: shardRange(object.metadata.uid, '0x8000000000000000', '0x10000000000000000')\n 4-shard split:\n shard 0: shardRange(object.metadata.uid, '0x0000000000000000', '0x4000000000000000')\n shard 1: shardRange(object.metadata.uid, '0x4000000000000000', '0x8000000000000000')\n shard 2: shardRange(object.metadata.uid, '0x8000000000000000', '0xc000000000000000')\n shard 3: shardRange(object.metadata.uid, '0xc000000000000000', '0x10000000000000000')\n\nThis is an alpha field and requires enabling the ShardedListAndWatch feature gate.", | ||
| "in": "query", | ||
| "name": "shardSelector", | ||
| "schema": { | ||
| "type": "string", | ||
| "uniqueItems": true | ||
| } | ||
| }, |
Fix the shardSelector contract on deletecollection.
On both deletecollection routes, the new parameter description says it "restricts the list of returned objects", but these operations return Status; if supported at all, this selector changes which objects are deleted. Please either remove shardSelector from deletecollection or regenerate from a source that documents delete semantics correctly.
Also applies to: 2249-2257
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json`
around lines 1332 - 1340, The OpenAPI parameter "shardSelector" is incorrectly
documented for the deletecollection routes (parameter name "shardSelector" in
the query schema) as "restricts the list of returned objects" even though
deletecollection returns Status and the selector would affect which objects are
deleted; update the spec to either remove the "shardSelector" parameter from the
deletecollection operations or regenerate the API spec from the authoritative
source that documents delete semantics correctly so that "shardSelector" is
absent (or has a correct description) for the deletecollection routes; look for
the parameter object with "name": "shardSelector" and remove it (or correct its
description and semantics) in the deletecollection operation definitions.
| { | ||
| "description": "shardSelector restricts the list of returned objects using a CEL-based shard selector expression. The format uses the shardRange() function combined with || (logical OR) to specify one or more hash ranges:\n\n shardRange(object.metadata.uid, '0x0', '0x8000000000000000')\n shardRange(object.metadata.uid, '0x0', '0x8000000000000000') || shardRange(object.metadata.uid, '0x8000000000000000', '0x10000000000000000')\n\nField paths use CEL-style object-rooted syntax (e.g. \"object.metadata.uid\"), NOT the fieldSelector format (\"metadata.uid\"). Currently supported paths:\n - object.metadata.uid\n - object.metadata.namespace\n\nhexStart and hexEnd are single-quoted CEL string literals with a '0x' prefix, defining the inclusive lower and exclusive upper bounds over the 64-bit FNV-1a hash space. The full range is [0x0, 0x10000000000000000), where the exclusive upper bound equals 2^64.\n\nExamples:\n 2-shard split:\n shard 0: shardRange(object.metadata.uid, '0x0000000000000000', '0x8000000000000000')\n shard 1: shardRange(object.metadata.uid, '0x8000000000000000', '0x10000000000000000')\n 4-shard split:\n shard 0: shardRange(object.metadata.uid, '0x0000000000000000', '0x4000000000000000')\n shard 1: shardRange(object.metadata.uid, '0x4000000000000000', '0x8000000000000000')\n shard 2: shardRange(object.metadata.uid, '0x8000000000000000', '0xc000000000000000')\n shard 3: shardRange(object.metadata.uid, '0xc000000000000000', '0x10000000000000000')\n\nThis is an alpha field and requires enabling the ShardedListAndWatch feature gate.", | ||
| "in": "query", | ||
| "name": "shardSelector", | ||
| "schema": { | ||
| "type": "string", | ||
| "uniqueItems": true | ||
| } |
🧩 Analysis chain
🌐 Web query:
In OpenAPI 3.x / JSON Schema, does `uniqueItems` have any effect or validity on a schema whose `type` is `string`?
💡 Result:
In OpenAPI 3.x and JSON Schema, the uniqueItems keyword is designed exclusively to apply to array instances [1][2][3]. It has no validation effect or validity when the type is set to string [1]. Because JSON Schema is a constraint-driven language, a schema that specifies uniqueItems: true for a type other than array will simply consider non-array instances (such as strings) to be automatically valid [2][4]. The keyword is ignored for these types rather than causing a validation error [2][4]. Technical linting rules and best practices for OpenAPI specifically warn against using uniqueItems on schemas where the type is not explicitly set to array, as it is semantically inapplicable and typically indicates a design error [1].
Citations:
- 1: https://docs.apimatic.io/rulesets/openapi-v3-standards-linting/schema-unique-items-only-for-arrays/
- 2: https://www.learnjsonschema.com/2020-12/validation/uniqueitems/
- 3: https://json-schema.org/understanding-json-schema/reference/array
- 4: https://www.learnjsonschema.com/draft7/validation/uniqueitems/
Remove uniqueItems from the shardSelector string schema
uniqueItems is array-only; using it on a type: "string" schema is semantically inapplicable and can trigger OpenAPI/JSON-schema validator or generator warnings. Ensure the generator emits only a plain string schema for every shardSelector occurrence.
Suggested emitted schema
"schema": {
- "type": "string",
- "uniqueItems": true
+ "type": "string"
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__apps__v1_openapi.json` around lines 6447 - 6454,
The shardSelector query parameter's schema incorrectly includes "uniqueItems" on
a type: "string" schema; remove the "uniqueItems": true property from the
shardSelector schema so it emits a plain string schema for every shardSelector
occurrence (look for the "shardSelector" parameter definition and its "schema"
object in the OpenAPI emitter/templating code or the generated fragment and
delete the uniqueItems key).
| "properties": { | ||
| "audiences": { | ||
| "description": "Audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is \"true\", the token is valid against the audience of the Kubernetes API server.", | ||
| "description": "audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is \"true\", the token is valid against the audience of the Kubernetes API server.", |
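Review bot: the singular "status.audience" near the end of the description appears in both the removed and the added line, so this change carries the mismatch with the audiences field forward instead of introducing it; the only difference between the two lines is the leading "Audiences" becoming "audiences". Because this sentence tells TokenReview clients which field to check before trusting an audience-scoped token, correct the wording in the source comment this spec is generated from so the fix survives the next regeneration.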
Fix field name mismatch in TokenReviewStatus.audiences description.
The description says status.audience field, but this schema field is audiences. This can confuse generated docs/clients.
Suggested patch
- "description": "audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is \"true\", the token is valid against the audience of the Kubernetes API server.",
+ "description": "audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audiences field where status.authenticated is \"true\", the token is valid against the audience of the Kubernetes API server.",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json` at line
135, Update the description text for TokenReviewStatus.audiences to consistently
use the plural field name "status.audiences" (not "status.audience"); edit the
description string that currently references "status.audience" so it reads
"status.audiences" and ensure any surrounding text still makes grammatical sense
with the plural form; locate the description associated with
TokenReviewStatus.audiences (references to spec.audiences and status.audiences
in the same sentence) and perform the single-word fix.
| ], | ||
| "default": {}, | ||
| "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" | ||
| "description": "metadata is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" |
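Review bot: "standard list metadata" is present in both the removed and the added description, so the added line only prefixes "metadata is the" to wording that was already there. The hunk does not show the $ref for this property, so check the referenced type before changing "list" to "object's", and make the correction in the source comment so every occurrence picks it up on regeneration.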
Use “standard object's metadata” instead of “standard list metadata”.
These metadata properties are ObjectMeta references, so “list metadata” is inaccurate and inconsistent with object schemas.
Suggested patch
- "description": "metadata is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+ "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
Also applies to: 255-255, 328-328, 389-389
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__authorization.k8s.io__v1_openapi.json` at line 68,
Replace the inaccurate phrase "standard list metadata" with "standard object's
metadata" in the OpenAPI description for metadata properties; specifically
update the JSON schema descriptions that contain the exact string "metadata is
the standard list metadata. More info: ..." so each "metadata" property (the
ObjectMeta references) uses "metadata is the standard object's metadata. More
info: ..." instead, ensuring all occurrences mentioned in the review (the
metadata description at the top-level and the other schema entries) are updated
to maintain consistency.
| "required": [ | ||
| "spec" | ||
| ], |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify if spec is required in upstream Kubernetes autoscaling/v1 API
# Check the generated OpenAPI spec in the upstream kubernetes/kubernetes repo
# to confirm this change matches upstream behavior
rg -A 5 '"io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"' --type json
Repository: openshift/kubernetes
Length of output: 50377
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Candidate upstream OpenAPI sources in this repo
FILES=(
  "staging/src/k8s.io/kubectl/testdata/openapi/v3/apis/autoscaling/v1.json"
  "api/openapi-spec/v3/apis__autoscaling__v1_openapi.json"
)
# Pass the file list as arguments ahead of the heredoc so sys.argv receives it
python3 - "${FILES[@]}" <<'PY'
import json, sys
files = sys.argv[1:]
for path in files:
    try:
        with open(path, 'r', encoding='utf-8') as f:
            data = json.load(f)
    except FileNotFoundError:
        print(f"[missing] {path}")
        continue
    # OpenAPI v3 testdata structure: components.schemas["io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"]
    comps = data.get("components", {}).get("schemas", {})
    schema = comps.get("io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler")
    print(f"\n== {path} ==")
    if not schema:
        print("schema: not found in components.schemas")
        continue
    required = schema.get("required")
    print("required:", required)
    # Also print spec property schema/default (if present)
    props = schema.get("properties", {})
    spec_prop = props.get("spec")
    if spec_prop:
        print("spec property keys:", sorted(spec_prop.keys()))
        if "default" in spec_prop:
            print("spec default:", spec_prop["default"])
    else:
        print("spec property: not found")
PY
Repository: openshift/kubernetes
Length of output: 253
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import json
paths = [
    "staging/src/k8s.io/kubectl/testdata/openapi/v3/apis/autoscaling/v1.json",
    "api/openapi-spec/v3/apis__autoscaling__v1_openapi.json",
]
for p in paths:
    with open(p, "r", encoding="utf-8") as f:
        data = json.load(f)
    schema = data.get("components", {}).get("schemas", {}).get("io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler")
    print(f"\n== {p} ==")
    if not schema:
        print("HorizontalPodAutoscaler schema not found")
        continue
    print("required:", schema.get("required"))
    spec_prop = (schema.get("properties", {}) or {}).get("spec", {})
    if spec_prop:
        print("spec default:", spec_prop.get("default"))
        print("spec type:", spec_prop.get("type"))
    else:
        print("spec property not found")
PY
echo "---- shardSelector on deleteCollection (HorizontalPodAutoscaler v1) ----"
rg -n --context 6 '"deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler"' api/openapi-spec/v3/apis__autoscaling__v1_openapi.json || true
rg -n --context 6 '"deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler"' staging/src/k8s.io/kubectl/testdata/openapi/v3/apis/autoscaling/v1.json || true
# Also show whether shardSelector appears anywhere near that delete operation in both files
rg -n --context 10 'deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler|shardSelector' api/openapi-spec/v3/apis__autoscaling__v1_openapi.json | head -n 120 || true
rg -n --context 10 'deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler|shardSelector' staging/src/k8s.io/kubectl/testdata/openapi/v3/apis/autoscaling/v1.json | head -n 120 || true
Repository: openshift/kubernetes
Length of output: 50377
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import json
files = [
    ("our", "api/openapi-spec/v3/apis__autoscaling__v1_openapi.json"),
    ("upstream", "staging/src/k8s.io/kubectl/testdata/openapi/v3/apis/autoscaling/v1.json"),
]
def get_required_spec(schema_obj):
    req = schema_obj.get("required")
    return req
def find_schema(data):
    return data.get("components", {}).get("schemas", {}).get("io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler")
def find_delete_op(data):
    paths = data.get("paths", {})
    target_ops = []
    for path, ops in paths.items():
        if not isinstance(ops, dict):
            continue
        for method, op in ops.items():
            if isinstance(op, dict) and op.get("operationId") == "deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler":
                target_ops.append((path, method, op))
    return target_ops
for label, path in files:
    with open(path, "r", encoding="utf-8") as f:
        data = json.load(f)
    schema = find_schema(data)
    req = get_required_spec(schema) if schema else None
    spec_prop = (schema.get("properties", {}).get("spec") if schema else None)
    spec_default = spec_prop.get("default") if isinstance(spec_prop, dict) else None
    print(f"\n== {label}: {path} ==")
    print("HorizontalPodAutoscaler.required:", req)
    print("HorizontalPodAutoscaler.spec.default:", spec_default)
    ops = find_delete_op(data)
    print("deleteCollection ops found:", len(ops))
    for op_path, method, op in ops[:3]:
        params = op.get("parameters", []) if isinstance(op, dict) else []
        param_names = []
        for p in params:
            if isinstance(p, dict) and "name" in p:
                param_names.append(p["name"])
        print(f"- {op_path} [{method}] shardSelector in parameters:", "shardSelector" in param_names)
        if "shardSelector" in param_names:
            idx = param_names.index("shardSelector")
            # Print the corresponding parameter block minimally
            shard_param = params[idx]
            print(" shardSelector schema/type:", (shard_param.get("schema", {}) if isinstance(shard_param, dict) else None))
PY
Repository: openshift/kubernetes
Length of output: 742
Fix OpenAPI contract drift (breaking spec required + invalid shardSelector on deleteCollection)
- `api/openapi-spec/v3/apis__autoscaling__v1_openapi.json` marks `HorizontalPodAutoscaler.spec` as required (`required: ["spec"]`, lines 68-70), but upstream autoscaling/v1 OpenAPI does not include `spec` in `required`. This makes existing HPA clients more likely to fail validation.
- `shardSelector` is added to the `deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler` operation parameters in this spec, but it is absent from upstream autoscaling/v1 OpenAPI, so the deleteCollection API contract appears inconsistent.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__autoscaling__v1_openapi.json` around lines 68 - 70,
The OpenAPI contract erroneously marks HorizontalPodAutoscaler.spec as required
and adds a non-upstream shardSelector parameter to the collection delete
operation; remove "spec" from the required array of the HorizontalPodAutoscaler
schema and delete the shardSelector parameter entry from the
deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler operation so the
spec matches upstream autoscaling/v1 (look for the "required": ["spec"] array
and the operation named
deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler and remove the
shardSelector parameter).
| "io.k8s.api.core.v1.PodSchedulingGroup": { | ||
| "description": "PodSchedulingGroup identifies the runtime scheduling group instance that a Pod belongs to. The scheduler uses this information to apply workload-aware scheduling semantics. Exactly one field must be specified.", | ||
| "properties": { | ||
| "podGroupName": { | ||
| "description": "PodGroupName specifies the name of the standalone PodGroup object that represents the runtime instance of this group. Must be a DNS subdomain.", | ||
| "type": "string" | ||
| } | ||
| }, | ||
| "type": "object", | ||
| "x-kubernetes-unions": [ | ||
| { | ||
| "fields-to-discriminateBy": { | ||
| "podGroupName": "PodGroupName" | ||
| } | ||
| } | ||
| ] | ||
| }, |
Make PodSchedulingGroup non-empty in the published schema.
Line 2983 says exactly one field must be specified, but this schema makes podGroupName optional, so {} is still valid for generic OpenAPI consumers and any generated client-side validation. Please fix the source markers so the generated spec emits a required member or equivalent one-of constraint for PodSpec.schedulingGroup.
Also applies to: 3351-3358
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__batch__v1_openapi.json` around lines 2982 - 2998,
The PodSchedulingGroup schema currently allows an empty object despite the
comment “Exactly one field must be specified”; update the schema generation so
PodSchedulingGroup enforces that podGroupName is required (or emit an explicit
oneOf/required constraint) so {} is invalid for consumers and generators—modify
the source that emits the PodSchedulingGroup definition (the symbol
PodSchedulingGroup and its podGroupName property, and the usage at
PodSpec.schedulingGroup) to include podGroupName in the required array (or
convert the x-kubernetes-unions into an explicit oneOf with required) and regen
the OpenAPI output so the published spec reflects a non-empty object.
| "proofOfPossession": { | ||
| "description": "proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.\n\nIt is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.\n\nkube-apiserver validates the proof of possession during creation of the PodCertificateRequest.\n\nIf the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).\n\nIf the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)\n\nIf the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).", | ||
| "description": "A proof that the requesting kubelet holds the private key corresponding to pkixPublicKey.\n\nIt is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.\n\nkube-apiserver validates the proof of possession during creation of the PodCertificateRequest.\n\nIf the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).\n\nIf the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)\n\nIf the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).\n\nDeprecated: This field is replaced by StubPKCS10Request. If StubPKCS10Request is set, this field must be empty.", |
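Review bot: the Deprecated sentence on the second description line says this field must be empty when StubPKCS10Request is set, while the same text still says kube-apiserver validates the proof of possession at creation; the description should state what proves key possession in that case and whether a request with both fields empty is rejected. The RSA and ECDSA paragraphs also do not name the hash applied to the pod UID before signing, which client authors need in order to produce a proof the server accepts.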
Fix the proof-of-possession description.
Line 240 says the signature is created using pkixPublicKey, but signing must be done with the corresponding private key. This text is also carrying the contructed typo and the the duplication, so the generated API docs currently give client authors incorrect crypto guidance.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json` around
lines 239 - 240, The proofOfPossession description is incorrect and has typos:
update the text for the "proofOfPossession" field to state that the proof is
constructed by signing the ASCII bytes of the pod's UID with the private key
corresponding to pkixPublicKey (not with pkixPublicKey itself), fix "contructed"
to "constructed", remove the duplicated "the the" before the ED25519 spec, and
keep the existing note about deprecation/StubPKCS10Request and
PodCertificateRequest validation intact (refer to symbols proofOfPossession,
pkixPublicKey, StubPKCS10Request, and PodCertificateRequest to locate the
string).
|
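The sign-with-the-private-key, verify-with-the-public-key flow that the review comment above describes, as an added Go example (not code from this PR or from kube-apiserver). It covers only the ED25519 case via crypto/ed25519.Sign; the function names and pod UIDs are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
)

// signPoP (requester): sign the pod UID's ASCII bytes with the PRIVATE key.
func signPoP(priv ed25519.PrivateKey, podUID string) (pkixPub, proof []byte, err error) {
	if pkixPub, err = x509.MarshalPKIXPublicKey(priv.Public()); err != nil {
		return nil, nil, err
	}
	return pkixPub, ed25519.Sign(priv, []byte(podUID)), nil
}

// verifyPoP (validator): check the proof using only the PUBLIC key in pkixPub.
func verifyPoP(pkixPub, proof []byte, podUID string) error {
	pub, err := x509.ParsePKIXPublicKey(pkixPub)
	if err != nil {
		return fmt.Errorf("parsing pkixPublicKey: %w", err)
	}
	edPub, ok := pub.(ed25519.PublicKey)
	if !ok {
		return errors.New("this example handles ED25519 keys only")
	}
	if !ed25519.Verify(edPub, []byte(podUID), proof) {
		return errors.New("proof does not match this key and pod UID")
	}
	return nil
}

// demo verifies a proof for its own (constructed) pod UID and for a different one.
func demo() (sameUID, otherUID error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err
	}
	pkixPub, proof, err := signPoP(priv, "11111111-2222-3333-4444-555555555555")
	if err != nil {
		return err, err
	}
	return verifyPoP(pkixPub, proof, "11111111-2222-3333-4444-555555555555"),
		verifyPoP(pkixPub, proof, "99999999-2222-3333-4444-555555555555")
}

func main() { fmt.Println(demo()) }
```

The second result is an error because the proof is bound to the pod UID that was signed, so it cannot be reused for a request naming a different pod.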
/retest |
… pods Exclude non-admitted pods from allocation capacity calculations. Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
7fd3e6b to
83bd6c7
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: haircommander |
|
/test e2e-aws-ovn-techpreview-serial-1of2 |
|
/test k8s-e2e-gcp-serial |
|
@haircommander: The following tests failed, say