feat: add CEL validation rules to MemberCluster taint API types

[Yetkin Timocin (ytimocin)]

Description of your changes

Adds CRD CEL validation for MemberCluster taints in both API versions (v1 and v1beta1), replacing the webhook-based taint validation with declarative CRD-level validation.

What changed

• API type updates:
  • Added CEL rules on MemberClusterSpec.Taints and Taint in:
    • apis/cluster/v1/membercluster_types.go
    • apis/cluster/v1beta1/membercluster_types.go
  • Rules cover:
    • taint key name segment format and max length
    • taint key prefix DNS-subdomain format and max length
    • taint value label-value format and max length
    • taint uniqueness by (key, value, effect)
  • Added MaxLength, MinLength, and MaxItems constraints to bound CEL cost
• Regenerated CRD schema:
  • config/crd/bases/cluster.kubernetes-fleet.io_memberclusters.yaml
• Removed webhook taint validation:
  • pkg/webhook/membercluster/membercluster_validating_webhook.go — CREATE/UPDATE now returns Allowed since CEL handles validation before the webhook is reached. DELETE path (ServiceExport check) is unchanged.
  • pkg/utils/validator/membercluster.go — Deleted (dead code)
  • pkg/utils/validator/membercluster_test.go — Deleted (dead code)
• Added integration validation coverage:
  • test/apis/cluster/v1/api_validation_integration_test.go
  • test/apis/cluster/v1beta1/api_validation_integration_test.go
  • Comprehensive valid/invalid taint CEL cases for both versions.
• Updated e2e assertion:
  • test/e2e/webhook_test.go
  • Adjusted expected error message to match CEL validation output.

Why

• Enforces invalid taints earlier at CRD admission time (schema validation runs before webhooks).
• Removes runtime dependency on the webhook for taint validation — if the webhook is unavailable, taint validation still works.
• Simplifies webhook code by removing redundant validation logic.

Breaking change note

Error responses for invalid taints have changed:

• Before: Webhook returned 403 Forbidden with messages from k8s.io/apimachinery/pkg/util/validation (e.g., "name part must consist of...")
• After: CRD validation returns 422 Unprocessable Entity with CEL rule messages (e.g., "taint key name segment must consist of...")

If external tooling parses taint validation error messages or status codes, it will need to be updated.

How has this code been tested

• make reviewable passes clean
• Integration tests:
  • go test ./test/apis/cluster/v1 -run TestAPIs -count=1 -- -ginkgo.focus="MemberCluster taint CEL validation" -ginkgo.v
  • go test ./test/apis/cluster/v1beta1 -run TestAPIs -count=1 -- -ginkgo.focus="MemberCluster taint CEL validation" -ginkgo.v

Special notes for your reviewer

• CEL validation runs at schema validation time, before validating webhooks. Invalid taints are rejected before reaching the webhook.
• The webhook DELETE path is preserved — it performs cross-object validation (checking InternalServiceExport resources) that cannot be expressed in CEL.
• Estimated total CEL cost is ~4.4M out of the 10M per-object budget (~56% headroom).

I have:

• Run make reviewable to ensure this PR is ready for review.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Adds CRD-level CEL validations for MemberCluster taints (v1 + v1beta1) so invalid taints are rejected at schema validation time, aligning with existing webhook validation for defense-in-depth.

Changes:

• Added CEL rules and length constraints to MemberClusterSpec.Taints / Taint in both API versions (format, prefix/name/value limits, and uniqueness by (key,value,effect)).
• Regenerated the MemberCluster CRD schema to include the new validations.
• Expanded validation coverage via API integration tests (v1 + v1beta1), updated validator unit tests, and adjusted an e2e assertion to match CEL error output.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
apis/cluster/v1/membercluster_types.go	Adds CEL validations + length constraints for taints in v1 API types.
apis/cluster/v1beta1/membercluster_types.go	Adds the same CEL validations + constraints for v1beta1 API types.
config/crd/bases/cluster.kubernetes-fleet.io_memberclusters.yaml	CRD schema regeneration to include taint CEL validations and max/min length constraints.
test/apis/cluster/v1/api_validation_integration_test.go	Adds integration coverage for valid/invalid taint CEL cases (v1).
test/apis/cluster/v1beta1/api_validation_integration_test.go	Adds integration coverage for valid/invalid taint CEL cases (v1beta1).
pkg/utils/validator/membercluster_test.go	Adds a unit test covering “same key+effect, different value” as valid (uniqueness is by key+value+effect).
test/e2e/webhook_test.go	Updates expected error text to match CEL/CRD validation output.

[Copilot]

This assertion uses MatchRegexp with a literal string that contains regex metacharacters (notably the unescaped "."), which can make the test pass for unintended messages. Consider using ContainSubstring for this check, or wrapping the expected message with regexp.QuoteMeta() before passing it to MatchRegexp to ensure the regex matches the literal text.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

[Copilot]

The webhook now short-circuits CREATE/UPDATE, but the validating webhook is still configured (in pkg/webhook/webhook.go) with FailurePolicy=Fail and Operations={Create,Update,Delete} for MemberCluster. That means webhook unavailability will still block MemberCluster CREATE/UPDATE even though taint validation moved to CEL, which undermines the stated goal of removing the webhook dependency for taint validation. Consider updating the webhook configuration to only target DELETE (or set FailurePolicy=Ignore for CREATE/UPDATE) now that only DELETE performs cross-object validation.

[Copilot]

This spec is a valid (allowed) case but is placed under the "invalid cases" Context, which makes the test suite harder to understand/maintain. Move this It block into the "valid cases" Context (or rename/split the Contexts to match the actual expectations).

[Copilot]

This spec is a valid (allowed) case but is placed under the "invalid cases" Context, which makes the test suite harder to understand/maintain. Move this It block into the "valid cases" Context (or rename/split the Contexts to match the actual expectations).

Suggested change

	It("should allow creating MemberCluster with taints having same key and effect but different values", func() {
	mc := &clusterv1beta1.MemberCluster{
	ObjectMeta: metav1.ObjectMeta{
	Name: "mc-taint-same-key-effect",
	},
	Spec: clusterv1beta1.MemberClusterSpec{
	Identity: rbacv1.Subject{
	Name: "fleet-member-agent-cluster-1",
	Kind: "ServiceAccount",
	Namespace: "fleet-system",
	APIGroup: "",
	},
	Taints: []clusterv1beta1.Taint{
	{Key: "key1", Value: "value1", Effect: "NoSchedule"},
	{Key: "key1", Value: "value2", Effect: "NoSchedule"},
	},
	},
	}
	By("expecting success of CREATE with same key+effect but different values")
	Expect(hubClient.Create(ctx, mc)).Should(Succeed())
	Expect(hubClient.Delete(ctx, mc)).Should(Succeed())
	Context("Test MemberCluster API validation - valid taint cases", func() {
	It("should allow creating MemberCluster with taints having same key and effect but different values", func() {
	mc := &clusterv1beta1.MemberCluster{
	ObjectMeta: metav1.ObjectMeta{
	Name: "mc-taint-same-key-effect",
	},
	Spec: clusterv1beta1.MemberClusterSpec{
	Identity: rbacv1.Subject{
	Name: "fleet-member-agent-cluster-1",
	Kind: "ServiceAccount",
	Namespace: "fleet-system",
	APIGroup: "",
	},
	Taints: []clusterv1beta1.Taint{
	{Key: "key1", Value: "value1", Effect: "NoSchedule"},
	{Key: "key1", Value: "value2", Effect: "NoSchedule"},
	},
	},
	}
	By("expecting success of CREATE with same key+effect but different values")
	Expect(hubClient.Create(ctx, mc)).Should(Succeed())
	Expect(hubClient.Delete(ctx, mc)).Should(Succeed())
	})

[Arvind Thirumurugan (Arvindthiru)]

The CEL validation for name and label seem too complex ? Currently we depend on validation functions provided by k8s which guarantee that we are following established conventions once this CEL validation is merged we would also need to maintain consistency between our validation and k8s (very unlikely but still something to keep in mind)