kubefleet-dev
diff --git a/‎apis/cluster/v1/membercluster_types.go‎
Lines changed: 10 additions & 0 deletions b/‎apis/cluster/v1/membercluster_types.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎apis/cluster/v1beta1/membercluster_types.go‎
Lines changed: 10 additions & 0 deletions b/‎apis/cluster/v1beta1/membercluster_types.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎config/crd/bases/cluster.kubernetes-fleet.io_memberclusters.yaml‎
Lines changed: 58 additions & 2 deletions b/‎config/crd/bases/cluster.kubernetes-fleet.io_memberclusters.yaml‎
Lines changed: 58 additions & 2 deletions
diff --git a/‎pkg/utils/validator/membercluster_test.go‎
Lines changed: 15 additions & 0 deletions b/‎pkg/utils/validator/membercluster_test.go‎
Lines changed: 15 additions & 0 deletions
@@ -71,6 +71,7 @@ type MemberClusterSpec struct {
 	//
 	// This field is beta-level and is for the taints and tolerations feature.
 	// +kubebuilder:validation:MaxItems=100
+	// +kubebuilder:validation:XValidation:rule="self.all(t, self.filter(u, u.key == t.key && (has(u.value) ? u.value : '') == (has(t.value) ? t.value : '') && u.effect == t.effect).size() == 1)",message="taints must be unique"
 	// +optional
 	Taints []Taint `json:"taints,omitempty"`
 }
@@ -136,12 +137,21 @@ type MemberClusterStatus struct {
 
 // Taint attached to MemberCluster has the "effect" on
 // any ClusterResourcePlacement that does not tolerate the Taint.
+// +kubebuilder:validation:XValidation:rule="(self.key.contains('/') ? self.key.substring(self.key.indexOf('/') + 1) : self.key).matches('^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$')",message="taint key name segment must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+// +kubebuilder:validation:XValidation:rule="!self.key.contains('/') || self.key.substring(0, self.key.indexOf('/')).split('.').all(label, label.matches('^[a-z0-9]([a-z0-9-]*[a-z0-9])?$') && label.size() <= 63)",message="taint key prefix must be a lowercase DNS subdomain"
+// +kubebuilder:validation:XValidation:rule="(self.key.contains('/') ? self.key.size() - self.key.indexOf('/') - 1 : self.key.size()) <= 63",message="taint key name segment must be 63 characters or less"
+// +kubebuilder:validation:XValidation:rule="!self.key.contains('/') || self.key.indexOf('/') <= 253",message="taint key prefix must be 253 characters or less"
+// +kubebuilder:validation:XValidation:rule="!has(self.value) || size(self.value) == 0 || self.value.matches('^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$')",message="taint value must be a valid label value"
 type Taint struct {
 	// The taint key to be applied to a MemberCluster.
+	// MaxLength is 253 (prefix) + 1 (slash) + 63 (name segment) = 317.
+	// +kubebuilder:validation:MaxLength=317
+	// +kubebuilder:validation:MinLength=1
 	// +required
 	Key string `json:"key"`
 
 	// The taint value corresponding to the taint key.
+	// +kubebuilder:validation:MaxLength=63
 	// +optional
 	Value string `json:"value,omitempty"`
 
 
@@ -72,6 +72,7 @@ type MemberClusterSpec struct {
 	//
 	// This field is beta-level and is for the taints and tolerations feature.
 	// +kubebuilder:validation:MaxItems=100
+	// +kubebuilder:validation:XValidation:rule="self.all(t, self.filter(u, u.key == t.key && (has(u.value) ? u.value : '') == (has(t.value) ? t.value : '') && u.effect == t.effect).size() == 1)",message="taints must be unique"
 	// +optional
 	Taints []Taint `json:"taints,omitempty"`
 
@@ -156,12 +157,21 @@ type MemberClusterStatus struct {
 
 // Taint attached to MemberCluster has the "effect" on
 // any ClusterResourcePlacement that does not tolerate the Taint.
+// +kubebuilder:validation:XValidation:rule="(self.key.contains('/') ? self.key.substring(self.key.indexOf('/') + 1) : self.key).matches('^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$')",message="taint key name segment must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+// +kubebuilder:validation:XValidation:rule="!self.key.contains('/') || self.key.substring(0, self.key.indexOf('/')).split('.').all(label, label.matches('^[a-z0-9]([a-z0-9-]*[a-z0-9])?$') && label.size() <= 63)",message="taint key prefix must be a lowercase DNS subdomain"
+// +kubebuilder:validation:XValidation:rule="(self.key.contains('/') ? self.key.size() - self.key.indexOf('/') - 1 : self.key.size()) <= 63",message="taint key name segment must be 63 characters or less"
+// +kubebuilder:validation:XValidation:rule="!self.key.contains('/') || self.key.indexOf('/') <= 253",message="taint key prefix must be 253 characters or less"
+// +kubebuilder:validation:XValidation:rule="!has(self.value) || size(self.value) == 0 || self.value.matches('^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$')",message="taint value must be a valid label value"
 type Taint struct {
 	// The taint key to be applied to a MemberCluster.
+	// MaxLength is 253 (prefix) + 1 (slash) + 63 (name segment) = 317.
+	// +kubebuilder:validation:MaxLength=317
+	// +kubebuilder:validation:MinLength=1
 	// +required
 	Key string `json:"key"`
 
 	// The taint value corresponding to the taint key.
+	// +kubebuilder:validation:MaxLength=63
 	// +optional
 	Value string `json:"value,omitempty"`
 
 
@@ -128,17 +128,45 @@ spec:
                       - NoSchedule
                       type: string
                     key:
-                      description: The taint key to be applied to a MemberCluster.
+                      description: |-
+                        The taint key to be applied to a MemberCluster.
+                        MaxLength is 253 (prefix) + 1 (slash) + 63 (name segment) = 317.
+                      maxLength: 317
+                      minLength: 1
                       type: string
                     value:
                       description: The taint value corresponding to the taint key.
+                      maxLength: 63
                       type: string
                   required:
                   - effect
                   - key
                   type: object
+                  x-kubernetes-validations:
+                  - message: taint key name segment must consist of alphanumeric characters,
+                      '-', '_' or '.', and must start and end with an alphanumeric
+                      character
+                    rule: '(self.key.contains(''/'') ? self.key.substring(self.key.indexOf(''/'')
+                      + 1) : self.key).matches(''^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'')'
+                  - message: taint key prefix must be a lowercase DNS subdomain
+                    rule: '!self.key.contains(''/'') || self.key.substring(0, self.key.indexOf(''/'')).split(''.'').all(label,
+                      label.matches(''^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'') && label.size()
+                      <= 63)'
+                  - message: taint key name segment must be 63 characters or less
+                    rule: '(self.key.contains(''/'') ? self.key.size() - self.key.indexOf(''/'')
+                      - 1 : self.key.size()) <= 63'
+                  - message: taint key prefix must be 253 characters or less
+                    rule: '!self.key.contains(''/'') || self.key.indexOf(''/'') <=
+                      253'
+                  - message: taint value must be a valid label value
+                    rule: '!has(self.value) || size(self.value) == 0 || self.value.matches(''^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$'')'
                 maxItems: 100
                 type: array
+                x-kubernetes-validations:
+                - message: taints must be unique
+                  rule: 'self.all(t, self.filter(u, u.key == t.key && (has(u.value)
+                    ? u.value : '''') == (has(t.value) ? t.value : '''') && u.effect
+                    == t.effect).size() == 1)'
             required:
             - identity
             type: object
@@ -500,17 +528,45 @@ spec:
                       - NoSchedule
                       type: string
                     key:
-                      description: The taint key to be applied to a MemberCluster.
+                      description: |-
+                        The taint key to be applied to a MemberCluster.
+                        MaxLength is 253 (prefix) + 1 (slash) + 63 (name segment) = 317.
+                      maxLength: 317
+                      minLength: 1
                       type: string
                     value:
                       description: The taint value corresponding to the taint key.
+                      maxLength: 63
                       type: string
                   required:
                   - effect
                   - key
                   type: object
+                  x-kubernetes-validations:
+                  - message: taint key name segment must consist of alphanumeric characters,
+                      '-', '_' or '.', and must start and end with an alphanumeric
+                      character
+                    rule: '(self.key.contains(''/'') ? self.key.substring(self.key.indexOf(''/'')
+                      + 1) : self.key).matches(''^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'')'
+                  - message: taint key prefix must be a lowercase DNS subdomain
+                    rule: '!self.key.contains(''/'') || self.key.substring(0, self.key.indexOf(''/'')).split(''.'').all(label,
+                      label.matches(''^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'') && label.size()
+                      <= 63)'
+                  - message: taint key name segment must be 63 characters or less
+                    rule: '(self.key.contains(''/'') ? self.key.size() - self.key.indexOf(''/'')
+                      - 1 : self.key.size()) <= 63'
+                  - message: taint key prefix must be 253 characters or less
+                    rule: '!self.key.contains(''/'') || self.key.indexOf(''/'') <=
+                      253'
+                  - message: taint value must be a valid label value
+                    rule: '!has(self.value) || size(self.value) == 0 || self.value.matches(''^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$'')'
                 maxItems: 100
                 type: array
+                x-kubernetes-validations:
+                - message: taints must be unique
+                  rule: 'self.all(t, self.filter(u, u.key == t.key && (has(u.value)
+                    ? u.value : '''') == (has(t.value) ? t.value : '''') && u.effect
+                    == t.effect).size() == 1)'
             required:
             - identity
             type: object
 
@@ -66,6 +66,21 @@ func TestValidateTaints(t *testing.T) {
 			wantErr:    true,
 			wantErrMsg: "taints must be unique",
 		},
+		"valid taints, same key and effect with different values": {
+			taints: []clusterv1beta1.Taint{
+				{
+					Key:    "key1",
+					Value:  "value1",
+					Effect: "NoSchedule",
+				},
+				{
+					Key:    "key1",
+					Value:  "value2",
+					Effect: "NoSchedule",
+				},
+			},
+			wantErr: false,
+		},
 		"valid taints": {
 			taints: []clusterv1beta1.Taint{
 				{