
CMP-3930: Include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy

Open xiaojiey opened this issue 1 month ago • 6 comments

This PR means to include the required selectors to machineconfig to pass the ValidatingAdmissionPolicy. Without this PR, for the make e2e-serial, you will get the below error:

creating Machine Config Pool e2e-invalid: machineconfigpools.machineconfiguration.openshift.io "e2e-invalid" is forbidden: ValidatingAdmissionPolicy 
'custom-machine-config-pool-selector' with binding 'custom-machine-config-pool-selector-binding' denied request: expression '( has(object.spec.machineConfigSelector.matchLabels) && ( 
(object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "master") || (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "worker") 
|| (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "arbiter") ) ) || ( has(object.spec.machineConfigSelector.matchExpressions) && ( 
(object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == "machineconfiguration.openshift.io/role" && e.operator == "In" && "worker" in e.values) ) || 
(object.spec.machineConfigSelector.matchExpressions.exists( e, e.key == "machineconfiguration.openshift.io/role" && e.operator == "NotIn" && !("worker" in e.values)) ) ) )' resulted in error: no such key: 
machineConfigSelector... retrying after 351.247769ms

xiaojiey avatar Nov 12 '25 04:11 xiaojiey
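
The check that the CEL expression in the error above performs, written out in Go as an added example (not code from this PR or from the compliance-operator repository). `Requirement`, `Selector` and `PolicyAllows` are hypothetical stand-ins for the Kubernetes label-selector types and the policy evaluation; a pool created without `machineConfigSelector` is modelled as a nil selector.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
)

const roleKey = "machineconfiguration.openshift.io/role"

// Requirement and Selector are minimal stand-ins for the Kubernetes
// LabelSelector types (constructed for this example).
type Requirement struct {
	Key, Operator string
	Values        []string
}

type Selector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}

// PolicyAllows mirrors the expression from the error message. A nil selector
// reproduces the "no such key" failure. A missing role label is treated as a
// non-match, which simplifies CEL's error semantics (assumption).
func PolicyAllows(sel *Selector) (bool, error) {
	if sel == nil {
		return false, errors.New("no such key: machineConfigSelector")
	}
	switch sel.MatchLabels[roleKey] {
	case "master", "worker", "arbiter":
		return true, nil
	}
	for _, e := range sel.MatchExpressions {
		hasWorker := slices.Contains(e.Values, "worker")
		if e.Key == roleKey && ((e.Operator == "In" && hasWorker) ||
			(e.Operator == "NotIn" && !hasWorker)) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	_, err := PolicyAllows(nil) // pool created without selectors
	fmt.Println("no selector:", err)
	ok, _ := PolicyAllows(&Selector{MatchLabels: map[string]string{roleKey: "worker"}})
	fmt.Println("worker role label:", ok)
}
```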

:robot: To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:960-eb093931238b7aaf6d4a39deb2326c298eeef881

github-actions[bot] avatar Nov 12 '25 04:11 github-actions[bot]

/retest-required

xiaojiey avatar Nov 12 '25 07:11 xiaojiey

@xiaojiey: This pull request references CMP-3930 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Nov 12 '25 07:11 openshift-ci-robot

/test e2e-aws-serial

xiaojiey avatar Nov 24 '25 09:11 xiaojiey

:robot: To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:960-5ad04b70337f58cfb96024b8fe35b949e60bc8e7

github-actions[bot] avatar Dec 03 '25 02:12 github-actions[bot]

/test e2e-aws-serial

xiaojiey avatar Dec 03 '25 08:12 xiaojiey

Cluster provisioning failed.

/test e2e-aws-serial

rhmdnd avatar Dec 04 '25 21:12 rhmdnd

Looks like this worked as expected on a 4.17 cluster in CI:

2025/12/03 03:18:36 e2e Machine Config Pool has not updated... retrying
2025/12/03 03:18:46 successfully created Machine Config Pool e2e
2025/12/03 03:18:46 ValidatingAdmissionPolicy 'custom-machine-config-pool-selector' not found, creating MachineConfigPool e2e-invalid without selectors (legacy mode)
=== RUN   TestProfileVersion
=== PAUSE TestProfileVersion
=== RUN   TestProfileModification

rhmdnd avatar Dec 04 '25 21:12 rhmdnd

The profile bundle problem is affecting these test results, but we're chasing that down in a separate PR.

https://github.com/ComplianceAsCode/compliance-operator/pull/1019

rhmdnd avatar Dec 08 '25 17:12 rhmdnd

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd, xiaojiey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [rhmdnd,xiaojiey]

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

openshift-ci[bot] avatar Dec 08 '25 17:12 openshift-ci[bot]

/test e2e-aws-serial

xiaojiey avatar Dec 09 '25 01:12 xiaojiey

New changes are detected. LGTM label has been removed.

openshift-ci[bot] avatar Dec 09 '25 08:12 openshift-ci[bot]

/retest-required

xiaojiey avatar Dec 09 '25 08:12 xiaojiey

:robot: To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:960-a1c0b1dd2e7c757df27fa1d5371a46f1b2c5b145

github-actions[bot] avatar Dec 09 '25 08:12 github-actions[bot]

@xiaojiey: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-rosa | a1c0b1dd2e7c757df27fa1d5371a46f1b2c5b145 | link | true | /test e2e-rosa |
| ci/prow/e2e-aws-serial | a1c0b1dd2e7c757df27fa1d5371a46f1b2c5b145 | link | true | /test e2e-aws-serial |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Dec 09 '25 11:12 openshift-ci[bot]