Adding annotations to manifests for CVO to identify

[miyadav]

Manifests changes , annoations added for capability to be identified by CVO . ( linked PR )
WIP - OCPCLOUD-3368
/hold

Generated by - claude-opus-4-6(2.1.169)

Summary by CodeRabbit

• New Features
  • Added OpenShift capability annotations across Cluster API and compatibility-related resources, including namespaces, workloads, services, RBAC, webhooks, and network policies.
  • Updated several cloud credential entries to reflect Cluster API support.
• Bug Fixes
  • No functional behavior changes; existing access, networking, and service settings remain unchanged.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 96471ec8-70f9-44a9-b59e-1ea8b3efe32d

📥 Commits

Reviewing files that changed from the base of the PR and between c0ef9ff and 89817c1.

📒 Files selected for processing (44)

• manifests/0000_20_cluster-api-tls-config_role.yaml
• manifests/0000_20_crd-compatibility-checker_00_namespace.yaml
• manifests/0000_20_crd-compatibility-checker_02_service_account.yaml
• manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml
• manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml
• manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml
• manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml
• manifests/0000_20_crd-compatibility-checker_08_deployment.yaml
• manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml
• manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml
• manifests/0000_30_cluster-api-operator_00_namespace.yaml
• manifests/0000_30_cluster-api-operator_00_tombstones.yaml
• manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml
• manifests/0000_30_cluster-api-operator_01_metrics-service.yaml
• manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml
• manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml
• manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml
• manifests/0000_30_cluster-api-operator_03_clusterrole.yaml
• manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml
• manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml
• manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml
• manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml
• manifests/0000_30_cluster-api-operator_06_deployment.yaml
• manifests/0000_30_cluster-api-operator_07_clusterapi.yaml
• manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml
• manifests/0000_30_cluster-api_00_namespace.yaml
• manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml
• manifests/0000_30_cluster-api_01_credentials-request.yaml
• manifests/0000_30_cluster-api_02_service_account.yaml
• manifests/0000_30_cluster-api_02_webhook-service.yaml
• manifests/0000_30_cluster-api_03_rbac_roles.yaml
• manifests/0000_30_cluster-api_04_rbac_bindings.yaml
• manifests/0000_30_cluster-api_10_metrics-service.yaml
• manifests/0000_30_cluster-api_10_webhooks.yaml
• manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml
• manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml
• manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml
• manifests/0000_30_cluster-api_15_default-deny.yaml
• manifests/0000_30_cluster-api_16_allow-egress-operators.yaml
• manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml
• manifests/0000_30_cluster-api_17_deployment.yaml

✅ Files skipped from review due to trivial changes (31)

• manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml
• manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml
• manifests/0000_30_cluster-api-operator_07_clusterapi.yaml
• manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml
• manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml
• manifests/0000_30_cluster-api_02_service_account.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml
• manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml
• manifests/0000_30_cluster-api-operator_00_namespace.yaml
• manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml
• manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml
• manifests/0000_20_crd-compatibility-checker_00_namespace.yaml
• manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml
• manifests/0000_30_cluster-api_02_webhook-service.yaml
• manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml
• manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml
• manifests/0000_30_cluster-api_00_namespace.yaml
• manifests/0000_30_cluster-api-operator_06_deployment.yaml
• manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml
• manifests/0000_20_cluster-api-tls-config_role.yaml
• manifests/0000_30_cluster-api_10_webhooks.yaml
• manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml
• manifests/0000_30_cluster-api_10_metrics-service.yaml
• manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml
• manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml
• manifests/0000_30_cluster-api-operator_00_tombstones.yaml
• manifests/0000_30_cluster-api-operator_03_clusterrole.yaml
• manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml
• manifests/0000_20_crd-compatibility-checker_02_service_account.yaml
• manifests/0000_30_cluster-api-operator_01_metrics-service.yaml
• manifests/0000_30_cluster-api_16_allow-egress-operators.yaml

🚧 Files skipped from review as they are similar to previous changes (9)

• manifests/0000_30_cluster-api_17_deployment.yaml
• manifests/0000_20_crd-compatibility-checker_08_deployment.yaml
• manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml
• manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml
• manifests/0000_30_cluster-api_04_rbac_bindings.yaml
• manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml
• manifests/0000_30_cluster-api_03_rbac_roles.yaml
• manifests/0000_30_cluster-api_15_default-deny.yaml
• manifests/0000_30_cluster-api_01_credentials-request.yaml

---

Walkthrough

The PR adds capability.openshift.io/name annotations across CompatibilityRequirements and ClusterAPI manifests, including namespaces, RBAC, service accounts, services, deployments, webhook configurations, credentials requests, and network policies.

Changes

CompatibilityRequirements annotations

Layer / File(s)	Summary
Core workload and RBAC annotations manifests/0000_20_crd-compatibility-checker_00_namespace.yaml, manifests/0000_20_cluster-api-tls-config_role.yaml, manifests/0000_20_crd-compatibility-checker_02_service_account.yaml, manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml, manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml, manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml, manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml, manifests/0000_20_crd-compatibility-checker_08_deployment.yaml	capability.openshift.io/name: CompatibilityRequirements is added to the namespace, RBAC, service account, secret, services, and deployment manifests.
Network policy annotations manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml, manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml	capability.openshift.io/name: CompatibilityRequirements is added to both CompatibilityRequirements NetworkPolicy manifests.

ClusterAPI annotations

Layer / File(s)	Summary
Operator registration annotations manifests/0000_30_cluster-api-operator_00_namespace.yaml, manifests/0000_30_cluster-api-operator_00_tombstones.yaml, manifests/0000_30_cluster-api-operator_07_clusterapi.yaml, manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml	The operator namespace, tombstones ConfigMap, ClusterAPI resource, and ClusterOperator gain capability.openshift.io/name: ClusterAPI.
CredentialsRequest capability names manifests/0000_30_cluster-api_01_credentials-request.yaml	The AWS, Azure, GCP, OpenStack, IBM PowerVS, vSphere, and baremetal CredentialsRequest annotations are updated for ClusterAPI.
Operator monitoring and RBAC manifests/0000_30_cluster-api-operator_01_*, manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml, manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml, manifests/0000_30_cluster-api-operator_03_clusterrole.yaml, manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml	The operator ServiceAccount, metrics Service, ServiceMonitor, Prometheus RBAC, ClusterRole, and ClusterRoleBindings gain the ClusterAPI capability annotation.
Installer support and deployment wiring manifests/0000_30_cluster-api-operator_02_capi-installer-*, manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml, manifests/0000_30_cluster-api-operator_05_*, manifests/0000_30_cluster-api-operator_06_deployment.yaml	The capi-installer ServiceAccount, metrics Service, ServiceMonitor, ClusterRoleBinding, provider image ConfigMap, Deployment, and allow-egress NetworkPolicy gain the ClusterAPI capability annotation.
Runtime identity and API resources manifests/0000_30_cluster-api_00_*, manifests/0000_30_cluster-api_02_*, manifests/0000_30_cluster-api_03_rbac_roles.yaml, manifests/0000_30_cluster-api_04_rbac_bindings.yaml, manifests/0000_30_cluster-api_10_*, manifests/0000_30_cluster-api_17_deployment.yaml	The ClusterAPI namespace, tombstones, ServiceAccount, Secret, RBAC roles and bindings, services, webhook configuration, and deployment gain the ClusterAPI capability annotation.
Runtime network policies manifests/0000_30_cluster-api_11_*, manifests/0000_30_cluster-api_12_*, manifests/0000_30_cluster-api_13_*, manifests/0000_30_cluster-api_15_*, manifests/0000_30_cluster-api_16_*	The ClusterAPI NetworkPolicy manifests gain the ClusterAPI capability annotation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

jira/valid-reference

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title matches the main change: adding annotations to manifests so CVO can identify them.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only changes YAML manifests; my diff checks found no Go/Ginkgo test files or test titles to audit.
Test Structure And Quality	✅ Passed	Only YAML manifests were changed; no Ginkgo test code or test fixtures were added or modified, so the test-quality check is not applicable.
Microshift Test Compatibility	✅ Passed	Diff vs origin/main touches only manifests; no Ginkgo test files or MicroShift-unsupported APIs/features were added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only adds capability annotations to 38 YAML manifests; no new Ginkgo tests or node-topology logic were added, so SNO compatibility is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PASS: The PR only adds capability annotations to manifests; no new affinity, spread, nodeSelector, replica, or PDB changes were introduced.
Ote Binary Stdout Contract	✅ Passed	Diff vs main touches only YAML manifests adding annotations; no process-level code or stdout-writing entrypoints changed.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo/e2e tests were added or modified; the PR only updates Kubernetes manifests with capability annotations.
No-Weak-Crypto	✅ Passed	PASS: The PR only adds capability annotations to Kubernetes manifests; no weak crypto algorithms, custom crypto, or secret comparisons were introduced.
Container-Privileges	✅ Passed	The PR only adds capability annotations; the touched manifests contain no privileged, hostPID/Network/IPC, allowPrivilegeEscalation, SYS_ADMIN, or root security settings.
No-Sensitive-Data-In-Logs	✅ Passed	The PR only adds capability annotations to YAML manifests; no log statements or sensitive data exposures were introduced.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign nrb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

manifests/0000_20_crd-compatibility-checker_08_deployment.yaml (1)

38-87: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add explicit securityContext to the container spec.

The container lacks explicit securityContext settings. While the pod template annotation references restricted-v3 SCC, the coding guidelines require explicit security settings in the manifest itself.

As per coding guidelines, Kubernetes manifests should include:

• runAsNonRoot: true
• readOnlyRootFilesystem: true
• allowPrivilegeEscalation: false
• Drop ALL capabilities and add only required ones

🔒 Proposed securityContext addition

       - name: compatibility-requirements-controllers
         image: registry.ci.openshift.org/openshift:cluster-capi-operator
         command:
         - ./crd-compatibility-checker
         args:
           - --diagnostics-address=:8443
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
         env:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/0000_20_crd-compatibility-checker_08_deployment.yaml` around lines
38 - 87, Add an explicit securityContext to the container spec for the container
named compatibility-requirements-controllers: set runAsNonRoot: true,
readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, and configure
capabilities to drop ["ALL"] (and only add any specific capabilities if truly
required). Update the container block that contains
ports/volumeMounts/readinessProbe/livenessProbe to include this securityContext
so the manifest no longer relies solely on the pod SCC annotation.

Source: Coding guidelines

🧹 Nitpick comments (1)

manifests/0000_20_crd-compatibility-checker_08_deployment.yaml (1)

76-79: ⚡ Quick win

Consider adding resource limits to complement requests.

The container defines resource requests but no limits. As per coding guidelines, resource limits (cpu, memory) should be set on every container to prevent resource exhaustion and ensure predictable scheduling behavior.

📊 Proposed resource limits addition

         resources:
           requests:
             cpu: 10m
             memory: 50Mi
+          limits:
+            cpu: 100m
+            memory: 200Mi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/0000_20_crd-compatibility-checker_08_deployment.yaml` around lines
76 - 79, The container resource spec currently only sets requests (cpu: 10m,
memory: 50Mi) in the resources block; add corresponding resource limits to
prevent resource exhaustion. Update the same resources section for the container
in manifests/0000_20_crd-compatibility-checker_08_deployment.yaml by adding
limits.cpu and limits.memory (e.g., cpu: "100m" and memory: "128Mi" or values
appropriate for the app) alongside the existing requests so both requests and
limits are defined for the container.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@manifests/0000_20_crd-compatibility-checker_08_deployment.yaml`:
- Around line 38-87: Add an explicit securityContext to the container spec for
the container named compatibility-requirements-controllers: set runAsNonRoot:
true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, and
configure capabilities to drop ["ALL"] (and only add any specific capabilities
if truly required). Update the container block that contains
ports/volumeMounts/readinessProbe/livenessProbe to include this securityContext
so the manifest no longer relies solely on the pod SCC annotation.

---

Nitpick comments:
In `@manifests/0000_20_crd-compatibility-checker_08_deployment.yaml`:
- Around line 76-79: The container resource spec currently only sets requests
(cpu: 10m, memory: 50Mi) in the resources block; add corresponding resource
limits to prevent resource exhaustion. Update the same resources section for the
container in manifests/0000_20_crd-compatibility-checker_08_deployment.yaml by
adding limits.cpu and limits.memory (e.g., cpu: "100m" and memory: "128Mi" or
values appropriate for the app) alongside the existing requests so both requests
and limits are defined for the container.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 75630441-0604-4f2c-9c0c-02f159d02830

📥 Commits

Reviewing files that changed from the base of the PR and between 05c113e and 623adff.

📒 Files selected for processing (35)

• manifests/0000_20_cluster-api-tls-config_role.yaml
• manifests/0000_20_crd-compatibility-checker_00_namespace.yaml
• manifests/0000_20_crd-compatibility-checker_02_service_account.yaml
• manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml
• manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml
• manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml
• manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml
• manifests/0000_20_crd-compatibility-checker_08_deployment.yaml
• manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml
• manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml
• manifests/0000_30_cluster-api-installer_00_namespace.yaml
• manifests/0000_30_cluster-api-installer_00_tombstones.yaml
• manifests/0000_30_cluster-api-installer_01_metrics-service.yaml
• manifests/0000_30_cluster-api-installer_01_serviceaccount.yaml
• manifests/0000_30_cluster-api-installer_02_clusterrole.yaml
• manifests/0000_30_cluster-api-installer_03_clusterrolebinding.yaml
• manifests/0000_30_cluster-api-installer_05_deployment.yaml
• manifests/0000_30_cluster-api-installer_06_clusterapi.yaml
• manifests/0000_30_cluster-api_00_namespace.yaml
• manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml
• manifests/0000_30_cluster-api_01_credentials-request.yaml
• manifests/0000_30_cluster-api_02_service_account.yaml
• manifests/0000_30_cluster-api_02_webhook-service.yaml
• manifests/0000_30_cluster-api_03_rbac_roles.yaml
• manifests/0000_30_cluster-api_04_rbac_bindings.yaml
• manifests/0000_30_cluster-api_10_metrics-service.yaml
• manifests/0000_30_cluster-api_10_webhooks.yaml
• manifests/0000_30_cluster-api_11_deployment.yaml
• manifests/0000_30_cluster-api_12_clusteroperator.yaml
• manifests/0000_30_cluster-api_13_allow-ingress-to-metrics-controllers.yaml
• manifests/0000_30_cluster-api_14_allow-ingress-to-metrics-operators.yaml
• manifests/0000_30_cluster-api_15_allow-egress-controllers.yaml
• manifests/0000_30_cluster-api_16_allow-egress-operators.yaml
• manifests/0000_30_cluster-api_17_default-deny.yaml
• manifests/0000_30_cluster-api_18_allow-ingress-to-webhook.yaml

[stefanonardo]

Suggested change

	capability.openshift.io/name: ClusterAPI
	capability.openshift.io/name: CompatibilityRequirements

This ClusterRole is also used by the CompatibilityRequirements operator (see system:openshift:compatibility-requirements-read-tls-configuration)

[miyadav]

/unhold

[mdbooth]

This file looks like a rebase error? We shouldn't be adding this.

[miyadav]

yeah rebased and pushed again , seems like the rebase miss resulted in annotations not being added as well which is also done.

[openshift-ci]

@miyadav: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.