Skip to content

OCPBUGS-65484: Add all managed resources to ClusterOperator relatedObjects#283

Draft
RadekManak wants to merge 2 commits into
openshift:mainfrom
RadekManak:add-clusterrole-relatedobjects
Draft

OCPBUGS-65484: Add all managed resources to ClusterOperator relatedObjects#283
RadekManak wants to merge 2 commits into
openshift:mainfrom
RadekManak:add-clusterrole-relatedobjects

Conversation

@RadekManak

@RadekManak RadekManak commented Nov 12, 2025

Copy link
Copy Markdown
Contributor

Adds all resources managed by the machine-approver operator to the ClusterOperator's relatedObjects list, ensuring oc adm inspect and must-gather collect the complete set of resources needed for debugging.

Resources added

  • ServiceAccounts
  • Roles and RoleBindings (operator namespace and openshift-config-managed)
  • ConfigMaps
  • Services, Deployments
  • ServiceMonitors and PrometheusRules

Both the static manifest YAML and the Go source are kept in sync.

Summary by CodeRabbit

  • Improvements
    • Enhanced cluster operator status reporting with expanded tracking of related cluster resources, RBAC components, and configuration-managed elements across all relevant namespaces for better visibility into resource relationships.

@openshift-ci-robot openshift-ci-robot added jira/severity-low Referenced Jira bug's severity is low for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Nov 12, 2025
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@RadekManak: This pull request references Jira Issue OCPBUGS-65484, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sunzhaohua2

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This adds the system:openshift:controller:machine-approver ClusterRole to the ClusterOperator's relatedObjects to ensure it's collected by oc adm inspect and must-gather for debugging purposes.

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Nov 12, 2025

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign radekmanak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Comment thread status.go
},
{
Group: "rbac.authorization.k8s.io",
Resource: "clusterroles",

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is a ClusterRole all you need? I'd expect you'd also need a ClusterRoleBinding that attaches that role to a ServiceAccount? And maybe other things?

@RadekManak RadekManak marked this pull request as draft November 12, 2025 17:36
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 12, 2025
@openshift-bot

Copy link
Copy Markdown
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci Bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 13, 2026
@openshift-bot

Copy link
Copy Markdown
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci Bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 28, 2026
@coderabbitai

coderabbitai Bot commented Mar 28, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2e0f670a-bb9f-46ec-83e0-913569e04c54

📥 Commits

Reviewing files that changed from the base of the PR and between 077692a and b02fadd.

📒 Files selected for processing (2)
  • manifests/05-clusteroperator.yaml
  • status.go

Walkthrough

The PR expands the ClusterOperator's status.relatedObjects list in both manifest and code to include comprehensive RBAC resources (clusterroles, clusterrolebindings, serviceaccounts, roles, rolebindings) and monitoring resources across multiple namespaces.

Changes

ClusterOperator RelatedObjects Expansion

Layer / File(s) Summary
Manifest Declaration
manifests/05-clusteroperator.yaml
Status.relatedObjects expanded from minimal entries to a comprehensive list of RBAC and monitoring resources across machine-approver and openshift-config-managed namespaces.
Code Definition
status.go
RelatedObjects list expanded to mirror the manifest, adding clusterroles, clusterrolebindings, serviceaccounts, roles, rolebindings, and monitoring resources.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Test Structure And Quality ⚠️ Warning Tests violate requirements: (1) Single responsibility - test checks versions, conditions, relatedObjects together; (2) Assertion messages - all 15 Expect() calls lack meaningful failure messages. Split monolithic test into focused tests per behavior. Add meaningful messages to assertions.
Microshift Test Compatibility ⚠️ Warning Ginkgo tests in status_test.go use unavailable ClusterOperator API without MicroShift protection mechanisms. Add [apigroup:config.openshift.io] tag or guard with exutil.IsMicroShiftCluster() check with g.Skip()
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: expanding ClusterOperator relatedObjects to include all managed resources, which aligns with both the file changes and PR objectives.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All Ginkgo test names are stable and deterministic with no dynamic values like pod names, timestamps, UUIDs, node/namespace names, IP addresses, or fmt.Sprintf calls.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The added Ginkgo tests test ClusterOperator status controller using envtest. Tests do not assume multi-node clusters, pod scheduling across nodes, or multiple replicas. Compatible with SNO.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only metadata in ClusterOperator status and relatedObjects list. No deployment scheduling constraints introduced or changed.
Ote Binary Stdout Contract ✅ Passed PR only modifies a module-level data structure (relatedObjects) and manifest file. No process-level code, stdout writes, or logging configuration changes. Existing klog setup is compliant.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests. Changes are limited to manifest files and source code (status.go) that expands relatedObjects list. The check is not applicable.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci

openshift-ci Bot commented Apr 20, 2026

Copy link
Copy Markdown
Contributor

@RadekManak: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-hypershift-aks 9707b28 link true /test e2e-hypershift-aks
ci/prow/e2e-aws-techpreview-post-install 9707b28 link true /test e2e-aws-techpreview-post-install

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@damdo

damdo commented May 1, 2026

Copy link
Copy Markdown
Member

/remove-lifecycle rotten

@openshift-ci openshift-ci Bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label May 1, 2026
Add serviceaccounts, roles, rolebindings, configmaps, services,
deployments, servicemonitors, and prometheusrules to the relatedObjects
list so that oc adm inspect and must-gather collect the full set of
resources managed by the operator.
@RadekManak RadekManak force-pushed the add-clusterrole-relatedobjects branch from 9707b28 to b02fadd Compare May 6, 2026 13:47
@RadekManak RadekManak changed the title OCPBUGS-65484: Add ClusterRole to ClusterOperator relatedObjects OCPBUGS-65484: Add all managed resources to ClusterOperator relatedObjects May 6, 2026
@openshift-ci-robot openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels May 6, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@RadekManak: This pull request references Jira Issue OCPBUGS-65484, which is invalid:

  • expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.21.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Adds all resources managed by the machine-approver operator to the ClusterOperator's relatedObjects list, ensuring oc adm inspect and must-gather collect the complete set of resources needed for debugging.

Resources added

  • ServiceAccounts
  • Roles and RoleBindings (operator namespace and openshift-config-managed)
  • ConfigMaps
  • Services, Deployments
  • ServiceMonitors and PrometheusRules

Both the static manifest YAML and the Go source are kept in sync.

Summary by CodeRabbit

  • Improvements
  • Enhanced cluster operator status reporting with expanded tracking of related cluster resources, RBAC components, and configuration-managed elements across all relevant namespaces for better visibility into resource relationships.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-low Referenced Jira bug's severity is low for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants