OSAC-1156: Add ImplementationStrategy field to SecurityGroup spec

[ori-amizur]

SecurityGroup now reads its implementation strategy from
spec.implementationStrategy (set by the fulfillment-service),
falling back to "network_policy" when unset. This follows the
PublicIPPool pattern and keeps the policy decision in the
fulfillment-service rather than hardcoding it in the operator.

Summary by CodeRabbit

• New Features

  • SecurityGroups now support a configurable implementationStrategy field to specify how security policies are enforced. When not explicitly set, network_policy is used as the default enforcement mechanism.

• Refactor

  • SecurityGroup strategy configuration is now resolved directly from the SecurityGroup specification instead of being read from parent VirtualNetwork configurations, reducing configuration dependencies.

[openshift-ci-robot]

@ori-amizur: This pull request references OSAC-1156 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

SecurityGroup now always uses the network_policy implementation strategy instead of inheriting from the parent VirtualNetwork. This decouples SecurityGroup enforcement from the VirtualNetwork's NetworkClass, matching the osac-aap extraction of NetworkPolicy logic into a standalone role.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Warning

Review limit reached

@ori-amizur, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 54 minutes and 44 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 2e409ed2-469b-4df1-8cf1-bb957e23931e

📥 Commits

Reviewing files that changed from the base of the PR and between 48e9720 and ea695f3.

📒 Files selected for processing (6)

• api/v1alpha1/securitygroup_types.go
• charts/operator-crds/templates/osac.openshift.io_securitygroups.yaml
• config/crd/bases/osac.openshift.io_securitygroups.yaml
• internal/controller/constants_common.go
• internal/controller/securitygroup_controller.go
• internal/controller/securitygroup_controller_test.go

Walkthrough

SecurityGroup now reads implementationStrategy directly from its own spec with a fallback to network_policy default, eliminating the parent VirtualNetwork lookup. The API contract, CRD schema, controller logic, and test coverage are updated cohesively.

Changes

SecurityGroup Implementation Strategy Resolution

Layer / File(s)	Summary
API Contract: ImplementationStrategy Field api/v1alpha1/securitygroup_types.go	SecurityGroupSpec gains an optional implementationStrategy string field with kubebuilder validation and omitempty JSON serialization.
Spec Validation and Default Strategy config/crd/bases/osac.openshift.io_securitygroups.yaml, internal/controller/constants_common.go	CRD schema validates spec.implementationStrategy as optional string; defaultSecurityGroupImplementationStrategy constant ("network_policy") provides fallback when spec field is unset.
Controller Strategy Resolution Logic internal/controller/securitygroup_controller.go	SecurityGroupReconciler.handleUpdate now derives implementationStrategy directly from sg.Spec.ImplementationStrategy, defaulting to the constant when unset. Removes prior parent VirtualNetwork lookup, requeue-on-missing behavior, and dependency on VirtualNetwork.Spec.ImplementationStrategy.
Test Coverage: Default and Spec-Based Resolution internal/controller/securitygroup_controller_test.go	New test confirms controller annotates SecurityGroup with default strategy when spec omits the field; existing tests updated to validate spec-provided strategy ("custom-backend") and annotation behavior against the resolved strategy (replacing prior hardcoded parent-derived value).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• osac-project/osac-operator#160: Overlaps directly on osacImplementationStrategyAnnotation setting in handleUpdate—MGMT-23402: SecurityGroup implementation-strategy annotation #160 propagates strategy from parent VirtualNetwork while this PR resolves it from SecurityGroup.spec with fallback.
• osac-project/osac-operator#209: Also modifies handleUpdate annotation/strategy logic; #209 addresses reconcile control-flow to prevent duplicate provisioning after the annotation is set.

Suggested labels

lgtm, approved

Suggested reviewers

• larsks
• tzvatot
• adriengentil
• eranco74
• danmanor

Risk Assessment & Security Notes

⚠️ Severity: Medium

• Dependency Simplification: Removes parent VirtualNetwork lookup, reducing object dependency graph but losing upstream validation that parent exists and has strategy defined.
• Default Strategy Exposure: All SecurityGroups with unset implementationStrategy now default to network_policy (standard Kubernetes behavior). Ensure this aligns with security posture—unintended SecurityGroups may auto-enforce if spec field is omitted.
• Backwards Compatibility: Existing SecurityGroups without the spec field will inherit the default on next reconcile. Verify no unexpected policy enforcement changes in production clusters.
• Test Coverage: Comprehensive test updates validate default resolution, spec override, and annotation idempotency, reducing implementation risk.

---

🛡️ From parent chains to self-reliance true,
SecurityGroups now choose their own way through,
Network policies flow with a sensible default,
No longer bound by VirtualNetwork's vault! 🔗✨

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Ai-Attribution	⚠️ Warning	AI tool (Claude Opus 4.6) was used but attributed via Co-Authored-By instead of required Assisted-by or Generated-by trailer per Red Hat guidelines.	Add Assisted-by: Claude noreply@anthropic.com trailer and replace Co-Authored-By with Assisted-by for proper Red Hat AI attribution compliance.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets	✅ Passed	No hardcoded secrets, API keys, tokens, passwords, credentials, or sensitive data patterns found in any modified files; only configuration strings like "network_policy" and field names present.
No-Weak-Crypto	✅ Passed	PR introduces no weak crypto algorithms, custom implementations, or non-constant-time secret comparisons. Changes only add configuration fields and string comparisons on non-sensitive values.
No-Injection-Vectors	✅ Passed	No injection vectors detected. The implementationStrategy field is safely used: K8s annotation (no execution), config hashing, and JSON serialization for AAP without shell/SQL/eval.
Container-Privileges	✅ Passed	PR makes no changes to container security configurations; check for privileged mode, host access, SYS_ADMIN, or allowPrivilegeEscalation is not applicable.
No-Sensitive-Data-In-Logs	✅ Passed	Logging statement records the implementationStrategy policy name (e.g., "network_policy"). No passwords, tokens, API keys, PII, session IDs, hostnames, or customer data is logged.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding an ImplementationStrategy field to the SecurityGroup spec, which is the primary focus across all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/controller/securitygroup_controller.go (1)

92-92: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Drop obsolete virtualnetworks RBAC permission from SecurityGroup controller.

handleUpdate now resolves strategy from SecurityGroup.spec, so this controller no longer needs virtualnetworks read access. Keeping it broadens permissions unnecessarily.

Suggested change

-// +kubebuilder:rbac:groups=osac.openshift.io,resources=virtualnetworks,verbs=get;list;watch

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/securitygroup_controller.go` at line 92, Remove the
obsolete RBAC rule granting read access to virtualnetworks from the
SecurityGroup controller by deleting the kubebuilder comment line "//
+kubebuilder:rbac:groups=osac.openshift.io,resources=virtualnetworks,verbs=get;list;watch"
in internal/controller/securitygroup_controller.go; this controller now resolves
strategy from SecurityGroup.spec in handleUpdate, so ensure only necessary RBAC
annotations remain and run codegen/manifest regeneration if applicable.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/v1alpha1/securitygroup_types.go`:
- Around line 79-83: spec.implementationStrategy is free-form and must be
constrained before reaching provisioning; update the CRD field in
securitygroup_types.go (ImplementationStrategy) to add a kubebuilder validation
allow-list or strict pattern (e.g. +kubebuilder:validation:Enum=<comma-separated
allowed tokens> or
+kubebuilder:validation:Pattern="^network_policy$|^other_allowed$") that
includes at least "network_policy" and any other controller-supported strategy
names, so invalid tokens are rejected at schema validation time.

---

Outside diff comments:
In `@internal/controller/securitygroup_controller.go`:
- Line 92: Remove the obsolete RBAC rule granting read access to virtualnetworks
from the SecurityGroup controller by deleting the kubebuilder comment line "//
+kubebuilder:rbac:groups=osac.openshift.io,resources=virtualnetworks,verbs=get;list;watch"
in internal/controller/securitygroup_controller.go; this controller now resolves
strategy from SecurityGroup.spec in handleUpdate, so ensure only necessary RBAC
annotations remain and run codegen/manifest regeneration if applicable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 907f69b1-e2b6-48f5-9c83-41733a870464

📥 Commits

Reviewing files that changed from the base of the PR and between b192e02 and 48e9720.

📒 Files selected for processing (5)

• api/v1alpha1/securitygroup_types.go
• config/crd/bases/osac.openshift.io_securitygroups.yaml
• internal/controller/constants_common.go
• internal/controller/securitygroup_controller.go
• internal/controller/securitygroup_controller_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Constrain implementationStrategy with an allow-list/pattern before it reaches provisioning paths.

spec.implementationStrategy is currently free-form. Since this value is propagated to controller annotations and consumed downstream, add schema-level validation (enum or strict pattern) to prevent unsafe/unexpected strategy tokens.

Suggested change

 	// ImplementationStrategy determines the backend used to enforce security rules.
 	// Set by the fulfillment-service; defaults to network_policy when empty.
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([a-z0-9_-]*[a-z0-9])?$`
 	ImplementationStrategy string `json:"implementationStrategy,omitempty"`

As per coding guidelines, “Validate at trust boundaries with allow-lists, not deny-lists.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// ImplementationStrategy determines the backend used to enforce security rules.
	// Set by the fulfillment-service; defaults to network_policy when empty.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	ImplementationStrategy string `json:"implementationStrategy,omitempty"`
	// ImplementationStrategy determines the backend used to enforce security rules.
	// Set by the fulfillment-service; defaults to network_policy when empty.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Pattern=`^[a-z0-9]([a-z0-9_-]*[a-z0-9])?$`
	ImplementationStrategy string `json:"implementationStrategy,omitempty"`

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/securitygroup_types.go` around lines 79 - 83,
spec.implementationStrategy is free-form and must be constrained before reaching
provisioning; update the CRD field in securitygroup_types.go
(ImplementationStrategy) to add a kubebuilder validation allow-list or strict
pattern (e.g. +kubebuilder:validation:Enum=<comma-separated allowed tokens> or
+kubebuilder:validation:Pattern="^network_policy$|^other_allowed$") that
includes at least "network_policy" and any other controller-supported strategy
names, so invalid tokens are rejected at schema validation time.

Source: Coding guidelines

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danmanor, ori-amizur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danmanor]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ori-amizur]

/override /ci/prow/e2e-vmaas

[openshift-ci]

@ori-amizur: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• /ci/prow/e2e-vmaas

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/e2e-vmaas
• ci/prow/images
• pull-ci-osac-project-osac-operator-main-e2e-vmaas
• pull-ci-osac-project-osac-operator-main-images
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override /ci/prow/e2e-vmaas

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ori-amizur]

/override ci/prow/e2e-vmaas

[openshift-ci]

@ori-amizur: Overrode contexts on behalf of ori-amizur: ci/prow/e2e-vmaas

Details

In response to this:

/override ci/prow/e2e-vmaas

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.