Skip to content

[NRR] add CEL validation for taint key format against Kubernetes qualified name rule#155

Merged
k8s-ci-robot merged 2 commits intokubernetes-sigs:mainfrom
Priyankasaggu11929:validate-taint-key-format
Mar 15, 2026
Merged

[NRR] add CEL validation for taint key format against Kubernetes qualified name rule#155
k8s-ci-robot merged 2 commits intokubernetes-sigs:mainfrom
Priyankasaggu11929:validate-taint-key-format

Conversation

@Priyankasaggu11929
Copy link
Member

@Priyankasaggu11929 Priyankasaggu11929 commented Mar 7, 2026
edited
Loading

/kind feature
/kind design

This PR is adding CEL validation (x-kubernetes-validation) to the NRR (node readiness rule) CRD to make sure that the taint keys in NodeReadinessRule object follow the Kubernetes qualified name format defined here -
https://github.com/kubernetes/kubernetes/blob/dfbe79674a33c47c1f0fd7b75882314f6db5e136/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube.go#L24-L72

Related Issue

It was flagged while locally testing the security-agent-readiness.md guide.

The suggested node taint in the doc ( readiness.k8s.io/falco.org/security-agent-ready=pending:NoSchedule) is not a valid taint format and thus fails at admission time with the following error:

❯ kubectl taint nodes security-agent-demo-worker readiness.k8s.io/falco.org/security-agent-ready=pending:NoSchedule
error: invalid taint spec: readiness.k8s.io/falco.org/security-agent-ready=pending:NoSchedule, a qualified name must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
See 'kubectl taint -h' for help and examples

But the same taint ( readiness.k8s.io/falco.org/security-agent-ready=pending:NoSchedule) defined in the NRR object goes through admission without error, which should not be the case.
The taints defined in the NRR object should match the taint format/validation per the Kubernetes qualified name format.

Testing

Relevant truncated output of the newly added e2e tests:

❯ make test-e2e 
No kind clusters found.
Creating Kind cluster 'nrr-test-e2e'...
Creating cluster "nrr-test-e2e" ...
...
Will run 13 of 13 specs
------------------------------
...
...
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with multiple slashes
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:53
  STEP: installing CRDs for validation tests @ 03/08/26 03:08:14.856
  running: "make install"
• [3.527 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with name starting with dash
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:79
• [0.157 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with name ending with dash
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:105
• [0.156 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with name longer than 63 characters
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:131
• [0.155 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should accept valid taint keys
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:158
  running: "kubectl apply -f -"
  running: "kubectl apply -f -"
  running: "kubectl apply -f -"
  running: "kubectl apply -f -"
  running: "kubectl apply -f -"
  running: "kubectl apply -f -"
  running: "kubectl delete nodereadinessrule --all"
• [0.699 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject empty name part
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:199
• [0.159 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with special characters in name
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:225
  STEP: uninstalling CRDs after validation tests @ 03/08/26 03:08:19.863
  running: "make uninstall"
• [1.469 seconds]
------------------------------
[AfterSuite] 
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/e2e_suite_test.go:90
  Uninstalling CertManager...
  running: "kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml"
  running: "kubectl delete lease cert-manager-cainjector-leader-election -n kube-system --ignore-not-found --force --grace-period=0"
  running: "kubectl delete lease cert-manager-controller -n kube-system --ignore-not-found --force --grace-period=0"
[AfterSuite] PASSED [13.306 seconds]
------------------------------

Ran 13 of 13 Specs in 176.633 seconds
SUCCESS! -- 13 Passed | 0 Failed | 0 Pending | 0 Skipped
--- PASS: TestE2E (176.63s)
PASS
ok  	sigs.k8s.io/node-readiness-controller/test/e2e	176.641s
make cleanup-test-e2e
make[1]: Entering directory '/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller'
Deleting cluster "nrr-test-e2e" ...
Deleted nodes: ["nrr-test-e2e-control-plane"]

Checklist

  • make test passes
  • make lint passes
  • make test-e2e passes
  • make verify-all passes

Does this PR introduce a user-facing change?

Add CEL validation to enforce Kubernetes qualified name format for taint keys in NodeReadinessRule, preventing invalid configurations at admission time

@Priyankasaggu11929
add CEL validation for taint key format to match k8s qualified name r…
3fbaae4 
…ules

exactly one '/' separator (prefix/name format), 1-63 character, alphanumeric, '-', '_', '.', must start/end with alphanumeric

ref: git.k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube.go#L24-L72
@Priyankasaggu11929
add e2e tests for taint key validation in the NRR CRD
d0e8b0e
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Mar 7, 2026

@Priyankasaggu11929: The label(s) kind/design cannot be applied, because the repository doesn't have them.

Details

In response to this:

/kind feature
/kind design

This PR is adding CEL validation (x-kubernetes-validation) to the NRR (node readiness rule) CRD to make sure that the taint keys in NodeReadinessRule object follow the Kubernetes qualified name format defined here -
https://github.com/kubernetes/kubernetes/blob/dfbe79674a33c47c1f0fd7b75882314f6db5e136/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube.go#L24-L72

Related Issue

It was flagged while locally testing the security-agent-readiness.md guide.

The suggested node taint in the doc ( readiness.k8s.io/falco.org/security-agent-ready=pending:NoSchedule) is not a valid taint format and thus fails at admission time with the following error:

❯ kubectl taint nodes security-agent-demo-worker readiness.k8s.io/falco.org/security-agent-ready=pending:NoSchedule
error: invalid taint spec: readiness.k8s.io/falco.org/security-agent-ready=pending:NoSchedule, a qualified name must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
See 'kubectl taint -h' for help and examples

But the same taint ( readiness.k8s.io/falco.org/security-agent-ready=pending:NoSchedule) defined in the NRR object goes through admission without error, which should not be the case.
The taints defined in the NRR object should match the taint format/validation per the Kubernetes qualified name format.

Testing

Relevant truncated output of the newly added e2e tests:

❯ make test-e2e 
No kind clusters found.
Creating Kind cluster 'nrr-test-e2e'...
Creating cluster "nrr-test-e2e" ...
...
Will run 13 of 13 specs
------------------------------
...
...
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with multiple slashes
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:53
 STEP: installing CRDs for validation tests @ 03/08/26 03:08:14.856
 running: "make install"
• [3.527 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with name starting with dash
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:79
• [0.157 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with name ending with dash
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:105
• [0.156 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with name longer than 63 characters
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:131
• [0.155 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should accept valid taint keys
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:158
 running: "kubectl apply -f -"
 running: "kubectl apply -f -"
 running: "kubectl apply -f -"
 running: "kubectl apply -f -"
 running: "kubectl apply -f -"
 running: "kubectl apply -f -"
 running: "kubectl delete nodereadinessrule --all"
• [0.699 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject empty name part
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:199
• [0.159 seconds]
------------------------------
NodeReadinessRule Taint Key Validation When creating a NodeReadinessRule should reject taint keys with special characters in name
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/taint_validation_test.go:225
 STEP: uninstalling CRDs after validation tests @ 03/08/26 03:08:19.863
 running: "make uninstall"
• [1.469 seconds]
------------------------------
[AfterSuite] 
/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller/test/e2e/e2e_suite_test.go:90
 Uninstalling CertManager...
 running: "kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml"
 running: "kubectl delete lease cert-manager-cainjector-leader-election -n kube-system --ignore-not-found --force --grace-period=0"
 running: "kubectl delete lease cert-manager-controller -n kube-system --ignore-not-found --force --grace-period=0"
[AfterSuite] PASSED [13.306 seconds]
------------------------------

Ran 13 of 13 Specs in 176.633 seconds
SUCCESS! -- 13 Passed | 0 Failed | 0 Pending | 0 Skipped
--- PASS: TestE2E (176.63s)
PASS
ok  	sigs.k8s.io/node-readiness-controller/test/e2e	176.641s
make cleanup-test-e2e
make[1]: Entering directory '/home/psaggu/work-upstream/kceu-2026-nrc/node-readiness-controller'
Deleting cluster "nrr-test-e2e" ...
Deleted nodes: ["nrr-test-e2e-control-plane"]

Checklist

  • make test passes
  • make lint passes
  • make test-e2e passes
  • make verify-all passes

Does this PR introduce a user-facing change?

Add CEL validation to enforce Kubernetes qualified name format for taint keys in NodeReadinessRule, preventing invalid configurations at admission time

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 7, 2026
@netlify
Copy link

netlify bot commented Mar 7, 2026
edited
Loading

Deploy Preview for node-readiness-controller canceled.

Name Link
🔨 Latest commit d0e8b0e
🔍 Latest deploy log https://app.netlify.com/projects/node-readiness-controller/deploys/69ac9fdee1a987000882ebee

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 7, 2026
@Priyankasaggu11929 Priyankasaggu11929 mentioned this pull request Mar 7, 2026
Open
4 tasks
@ajaysundark
Copy link
Contributor

ajaysundark commented Mar 15, 2026

/lgtm
/approve

Thanks for catching this!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 15, 2026
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Mar 15, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ajaysundark, Priyankasaggu11929

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 15, 2026
@k8s-ci-robot k8s-ci-robot merged commit fb6b1f2 into kubernetes-sigs:main Mar 15, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ajaysundark ajaysundark Awaiting requested review from ajaysundark

@haircommander haircommander Awaiting requested review from haircommander

Assignees

@ajaysundark ajaysundark

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Priyankasaggu11929 @k8s-ci-robot @ajaysundark