AUTOSCALE-558: Expose KubeletConfig on OpenShiftEC2Nodeclass as structured fields + preserveunknown/overflow

[jkyros]

What this PR does / why we need it:

• Exposes spec.Kubelet on OpenShiftEC2NodeClass as a set of structured fields (the ones Karpenter needs for scheduling/bin packing) + preserves unknown
• Reconciles the structured fields to Karpenter's ec2nodeclass so it can use them
• Preserves the unstructured fields and sends them on to ignition so they make it to the node

Which issue(s) this PR fixes:

Fixes
AUTOSCALE-558

Special notes for your reviewer:

• CEL expressions can't see inside the unstructured 😞
• This tries to give us the approximate behavior we wanted from our sync discussion
• The API Guidelines for OpenShift APIs want the bools to be enums, but that's going to be a weird corner if the karpenter-specific bools are enums and the rest arent. I left them as bools and marked them out of the linter, I will adjust it however you want

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

  • NodeClass now accepts detailed kubelet configuration and maps selected fields to provisioned nodes; per-NodeClass kubelet ConfigMaps, a cluster taint ConfigMap, finalizers, and NodePool config reference selection are reconciled. Added helpers to generate Karpenter taint manifests and label/name helpers. Added privileged checker Pod manifest for node kubelet validation.

• Tests

  • New unit and e2e tests covering JSON marshal/unmarshal, unknown-field preservation, mapping to upstream config, ConfigMap lifecycle, finalizers, manifest validation, and runtime kubelet checks.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@jkyros: This pull request references AUTOSCALE-558 which is a valid jira issue.

Details

In response to this:

What this PR does / why we need it:

• Exposes spec.Kubelet on OpenShiftEC2NodeClass as a set of structured fields (the ones Karpenter needs for scheduling/bin packing) + preserves unknown
• Reconciles the structured fields to Karpenter's ec2nodeclass so it can use them
• Preserves the unstructured fields and sends them on to ignition so they make it to the node

Which issue(s) this PR fixes:

Fixes
AUTOSCALE-558

Special notes for your reviewer:

• CEL expressions can't see inside the unstructured 😞
• This tries to give us the approximate behavior we wanted from our sync discussion
• The API Guidelines for OpenShift APIs want the bools to be enums, but that's going to be a weird corner if the karpenter-specific bools are enums and the rest arent. I left them as bools and marked them out of the linter, I will adjust it however you want

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Introduces structured kubelet configuration: a new KubeletConfiguration API type with custom JSON marshal/unmarshal, IsZero semantics, and an optional kubelet field on OpenshiftEC2NodeClassSpec. Adds helpers/constants to generate a Karpenter taint KubeletConfig manifest. Controllers now reconcile a global Karpenter taint ConfigMap and per-NodeClass kubelet ConfigMaps (create/update/delete and finalizer lifecycle). Reconciliation copies selected kubelet fields into upstream EC2NodeClass Kubelet. Extensive unit and e2e tests validate JSON overflow preservation, ConfigMap lifecycle, manifest contents, and node-level kubelet propagation. Lint exclusions updated for kubelet fields.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant OSE2NC as OpenshiftEC2NodeClass
    participant KarpIgnition as KarpenterIgnitionController
    participant KubeletCM as Kubelet ConfigMap\n(Management Cluster)
    participant EC2NC as EC2NodeClass\n(Karpenter)
    participant NP as NodePool\n(Karpenter)
    participant Node as Provisioned Node

    User->>OSE2NC: Create/Update with spec.kubelet
    OSE2NC->>KarpIgnition: Notify controller of change

    alt spec.kubelet is set
        KarpIgnition->>KarpIgnition: Add kubeletConfigFinalizer
        KarpIgnition->>KarpIgnition: Merge user kubelet config + base taints
        KarpIgnition->>KubeletCM: Create/Update per-NodeClass ConfigMap (data["config"]=KubeletConfig YAML)
    else spec.kubelet is unset
        KarpIgnition->>KubeletCM: Delete per-NodeClass ConfigMap
        KarpIgnition->>KarpIgnition: Remove kubeletConfigFinalizer if present
    end

    User->>NP: Create NodePool referencing OpenshiftEC2NodeClass
    NP->>EC2NC: Populate EC2NodeClass.Kubelet via KarpenterKubeletConfiguration()
    NP->>Node: Provision node referencing Kubelet ConfigMap
    Node->>KubeletCM: Read and apply kubelet config

Loading

sequenceDiagram
    actor Operator
    participant KarController as KarpenterController
    participant MgrCM as Management ConfigMap\n(karpenter taint)
    participant Support as support/karpenter helpers

    Operator->>KarController: Reconcile loop
    KarController->>Support: KarpenterTaintConfigManifest()
    Support-->>KarController: YAML manifest
    KarController->>MgrCM: Create/Update global taint ConfigMap (data["config"]=manifest)
    MgrCM-->>KarController: Created/Updated or Error

Loading

🚥 Pre-merge checks | ✅ 7 | ❌ 5

❌ Failed checks (5 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 23.08% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test code manually patches finalizers instead of calling Reconcile(), verifying state mutation but not controller logic execution.	Refactor finalizer tests to call r.Reconcile() directly instead of manually manipulating finalizers to verify the controller's own logic is exercised.
Microshift Test Compatibility	⚠️ Warning	The e2e test TestKarpenter uses MicroShift-unavailable APIs (Karpenter NodePool, AWS EC2NodeClass) and features with no protection mechanisms to prevent execution on MicroShift clusters.	Add [Skipped:MicroShift] label to test name or wrap with exutil.IsMicroShiftCluster() check that calls g.Skip() to prevent execution on MicroShift.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	The testKubeletPropagation e2e test lacks SNO protection and will fail on Single Node OpenShift clusters.	Add [Skipped:SingleReplicaTopology] label to test or use exutil.IsSingleNode() check with g.Skip().
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	Pod manifest specifies 'image: alpine' without registry prefix, requiring external pull from Docker Hub in disconnected environments; test lacks IP family detection for IPv6-only clusters.	Use image from internal registry, add IP family detection with GetIPAddressFamily(), or add [Skipped:Disconnected] tag for disconnected cluster scenarios.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly summarizes the main change: exposing KubeletConfig on OpenShiftEC2NodeClass as structured fields with overflow preservation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test function names referenced in the PR (TestReconcileTaintConfigMap, TestCreateInMemoryNodePool, TestReconcileKubeletConfigMap, TestReconcileDeletedNodeClass) are stable, deterministic, and contain no dynamic values like timestamps, UUIDs, or generated identifiers.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces karpenter integration without topology-aware scheduling constraints. Changes include kubelet config API types, controller reconciliation logic, and e2e tests with no affinity rules or control-plane node assumptions.
Ote Binary Stdout Contract	✅ Passed	Module-level variable initializer contains panic(err) in IIFE, but panic writes to stderr, not stdout. Embedded YAML is valid, so panic condition should never execute. Code does not emit non-JSON content to stdout.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 78.13953% with 47 lines in your changes missing coverage. Please review.
✅ Project coverage is 37.65%. Comparing base (bded456) to head (194f1a3).
⚠️ Report is 46 commits behind head on main.

Files with missing lines	Patch %	Lines
.../karpenterignition/karpenterignition_controller.go	73.60%	22 Missing and 11 partials ⚠️
...ator/controllers/karpenter/karpenter_controller.go	66.66%	5 Missing and 1 partial ⚠️
support/karpenter/karpenter.go	80.76%	4 Missing and 1 partial ⚠️
...r-operator/controllers/nodeclass/karpenter_util.go	95.23%	1 Missing and 1 partial ⚠️
...trollers/hostedcluster/hostedcluster_controller.go	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8192      +/-   ##
==========================================
+ Coverage   37.53%   37.65%   +0.11%     
==========================================
  Files         751      751              
  Lines       92026    92206     +180     
==========================================
+ Hits        34544    34717     +173     
+ Misses      54841    54834       -7     
- Partials     2641     2655      +14     

Files with missing lines	Coverage Δ
...ft-operator/controllers/hostedcluster/karpenter.go	75.49% <100.00%> (+12.16%)	⬆️
.../controllers/nodeclass/ec2_nodeclass_controller.go	53.72% <100.00%> (+0.08%)	⬆️
...trollers/hostedcluster/hostedcluster_controller.go	43.23% <0.00%> (ø)
...r-operator/controllers/nodeclass/karpenter_util.go	85.71% <95.23%> (+3.36%)	⬆️
support/karpenter/karpenter.go	74.50% <80.76%> (+6.50%)	⬆️
...ator/controllers/karpenter/karpenter_controller.go	28.77% <66.66%> (+2.00%)	⬆️
.../karpenterignition/karpenterignition_controller.go	64.94% <73.60%> (+2.27%)	⬆️

... and 2 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	32.80% <80.76%> (+0.04%)	⬆️
cpo-hostedcontrolplane	36.78% <ø> (+0.01%)	⬆️
cpo-other	37.84% <ø> (+0.08%)	⬆️
hypershift-operator	47.99% <66.66%> (+0.05%)	⬆️
other	28.70% <77.95%> (+0.92%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jkyros]

/test e2e-aws-autonode

[jkyros]

Heyyy that is super cool, I don't have to have my claude watch and root cause test failures anymore
/test e2e-aws-autonode

[jkyros]

KubeletConfig passed, teardown failure. One more time
/test e2e-aws-autonode

[enxebre]

this will need test coverage once d448ab4 merges

[jkyros]

I can either come back afterwards and add it, or we can wait for that to merge and then do this one, and I can add it here. I'll set a test up based on your branch in the mean time.

[jkyros]

Added envtest test coverage for KubeletConfiguration

[jkyros]

/test e2e-aws-autonode

[maxcao13]

tests are just taking too long i think 😂

We can see TestKarpenter hitting the 2 hour mark which is when it stops.

[openshift-ci-robot]

@jkyros: This pull request references AUTOSCALE-558 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead.

Details

In response to this:

What this PR does / why we need it:

• Exposes spec.Kubelet on OpenShiftEC2NodeClass as a set of structured fields (the ones Karpenter needs for scheduling/bin packing) + preserves unknown
• Reconciles the structured fields to Karpenter's ec2nodeclass so it can use them
• Preserves the unstructured fields and sends them on to ignition so they make it to the node

Which issue(s) this PR fixes:

Fixes
AUTOSCALE-558

Special notes for your reviewer:

• CEL expressions can't see inside the unstructured 😞
• This tries to give us the approximate behavior we wanted from our sync discussion
• The API Guidelines for OpenShift APIs want the bools to be enums, but that's going to be a weird corner if the karpenter-specific bools are enums and the rest arent. I left them as bools and marked them out of the linter, I will adjust it however you want

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

Release Notes

• New Features

• Added kubelet configuration field to NodeClass specifications with support for image garbage collection thresholds, eviction policies, and resource reservation settings that are applied to provisioned nodes.

• Tests

• Added comprehensive tests for kubelet configuration lifecycle management, YAML serialization, and end-to-end validation of kubelet settings on nodes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jkyros]

Rebased, fixed review feedback issues, and swapped out that map[string]json.RawMessage with a runtime.rawExtension so we're out of the business of maintaining that bespoke DeepCopy function.

Now that we're parallel, let's see what we get
/test e2e-aws-autonode

[enxebre]

nit: it be nice to populate Expected: for these cases

[jkyros]

Thanks, populated expected for these

[enxebre]

nit: may be mention overflow fields bypass all CRD validation, invalid values will manifest as node bootstrap failures (kubelet crash loop), not admission errors.

[jkyros]

Updated language to mention the kubelet crash loop

[enxebre]

what happens with overflow fields set in existing configs, if upstream Karpenter introduce support for it, and we want to promote it but karpenter upstream choose to differ from upstream kubelet on how the semantic is exposed?

[JoelSpeed]

I think we actually want to match kubelet. Users today will set kubelet fields which end up in our overflow, and we want to maintain compatibility with those. If Karpenter decide to change the field, that would break our upgrades if we made the field structured and kept them aligned to karpenter, so we would have to align to kubelet, then translate to karpenter (so that it can then translate back to kubelet)

[jkyros]

I agree. Match kubelet. I changed that one weird EvictionSoftGracePeriod Karpenter time.Duration back to a string (so we're matching upstream Kube not Karpenter, it will serialize the same) and updated the AGENTS, etc language to match this.

[enxebre]

do we need to validate that evictionHard and EvictionSoft doesn't clash any values?

[jkyros]

Added as much CEL as we can to validate this.

They can be either quantities or percentages (yay!) and that makes it difficult to compare since CEL doesn't know node capacity. But we can can compare percentages to percentages and values to values so I added what ended up being kind of a gnarly expression that compares them if it can and fails open if they are mix/match quantity/percentage.

EDIT: Nope. Too gnarly. quantity() and compareTo() are too expensive. And apparently...I can't put max lengths on the map key strings to help without type aliasing them so I have somewhere to attach. Yuck. (unless we want to hack on the CRD like adjust-cel.sh does or something? I don't think we do )

I'm going to turn into Joel here with the "ugh, this API sucks" 😛

Yeah I think (because contents can be either type) we either have to hack on the CRD or type alias it to pass budget and still validate.

[jkyros]

Added separate type definition for the strings so we can limit their length to 64 inside the map, CEL budget is okay now.

[JoelSpeed]

On each of the maps, could we add a maximum limit too? Seems like the realistic user case is ~4/5 entries in each map, what if we limited to 32 to give plenty of buffer but bring estimated CEL costs down?

[JoelSpeed]

Is it karpenter, or kubelet that we must match?

[enxebre]

relates to #8192 (comment)

[jkyros]

Matching Kubelet, adjusted accordingly.

[jkyros]

envtest...cancelled itself? hmmm
/retest

[jkyros]

/test e2e-aws-autonode

[jkyros]

/retest-required

[jkyros]

I wonder if I can...
/test e2e-aks
/test e2e-aks-4-22
/test e2e-aws
/test e2e-aws-4-22
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[jkyros]

Infra

�[31mERRO�[0m[2026-05-12T00:57:31Z] Some steps failed:                           
�[31mERRO�[0m[2026-05-12T00:57:31Z] 
  * could not run steps: step [release:n3minor] failed: failed to get CLI image: unable to extract the 'cli' image from the release image, pod produced no output 
�[36mINFO�[0m[2026-05-12T00:57:31Z] Reporting job state 'failed' with reason 'executing_graph:step_failed:importing_release' 

/test e2e-aws

[jkyros]

/test e2e-aks-4-22

[JoelSpeed]

/approve

For api

[enxebre]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enxebre, jkyros, JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [enxebre]
• api/OWNERS [JoelSpeed,enxebre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[JoelSpeed]

/lgtm

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[jkyros]

/verified by e2e-tests

[openshift-ci-robot]

@jkyros: This PR has been marked as verified by e2e-tests.

Details

In response to this:

/verified by e2e-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@jkyros: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.