taint propagation: implement validation unit tests

chrischdi · chrischdi · commit 7a05fb425cf6 · 2025-11-03T14:45:20.000+01:00
diff --git a/internal/webhooks/machine_test.go b/internal/webhooks/machine_test.go
@@ -20,11 +20,15 @@ import (
 	"testing"
 
 	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/ptr"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
+	"sigs.k8s.io/cluster-api/feature"
 	"sigs.k8s.io/cluster-api/internal/webhooks/util"
+	"sigs.k8s.io/cluster-api/util/test/builder"
 )
 
 func TestMachineDefault(t *testing.T) {
@@ -225,3 +229,119 @@ func TestMachineVersionValidation(t *testing.T) {
 		})
 	}
 }
+
+func TestMachineTaintValidation(t *testing.T) {
+	m := builder.Machine("default", "machine1").
+		WithBootstrapTemplate(builder.BootstrapTemplate("default", "bootstrap-template").Build())
+	webhook := &Machine{}
+
+	tests := []struct {
+		name           string
+		machine        *clusterv1.Machine
+		featureEnabled bool
+		expectErr      bool
+	}{
+		{
+			name:           "should allow empty taints with feature gate disabled",
+			featureEnabled: false,
+			machine:        m.DeepCopy().Build(),
+			expectErr:      false,
+		},
+		{
+			name:           "should allow empty taints with feature gate enabled",
+			featureEnabled: true,
+			machine:        m.DeepCopy().Build(),
+			expectErr:      false,
+		},
+		{
+			name:           "should block taint key node.cluster.x-k8s.io/uninitialized",
+			featureEnabled: true,
+			machine: m.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cluster.x-k8s.io/uninitialized", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint key node.cluster.x-k8s.io/outdated-revision",
+			featureEnabled: true,
+			machine: m.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cluster.x-k8s.io/outdated-revision", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint with key prefix node.kubernetes.io/, which is not `out-of-service`",
+			featureEnabled: true,
+			machine: m.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.kubernetes.io/some-taint", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should allow taint node.kubernetes.io/out-of-service",
+			featureEnabled: true,
+			machine: m.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.kubernetes.io/out-of-service", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: false,
+		},
+		{
+			name:           "should block taint with keyprefix node.cloudprovider.kubernetes.io/",
+			featureEnabled: true,
+			machine: m.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cloudprovider.kubernetes.io/some-taint", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint key node-role.kubernetes.io/master",
+			featureEnabled: true,
+			machine: m.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node-role.kubernetes.io/master", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should allow taint key node-role.kubernetes.io/control-plane for control-plane nodes",
+			featureEnabled: true,
+			machine: m.DeepCopy().
+				WithLabels(map[string]string{clusterv1.MachineControlPlaneLabel: "true"}).
+				WithTaints(clusterv1.MachineTaint{
+					Key: "node-role.kubernetes.io/control-plane", Effect: corev1.TaintEffectNoSchedule,
+				}).Build(),
+			expectErr: false,
+		},
+		{
+			name:           "should block taint key node-role.kubernetes.io/control-plane for worker nodes",
+			featureEnabled: true,
+			machine: m.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node-role.kubernetes.io/control-plane", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+	}
+	for i := range tests {
+		tt := tests[i]
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			utilfeature.SetFeatureGateDuringTest(t, feature.Gates, feature.MachineTaintPropagation, tt.featureEnabled)
+
+			warnings, err := webhook.ValidateCreate(ctx, tt.machine)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+			g.Expect(warnings).To(BeEmpty())
+
+			warnings, err = webhook.ValidateUpdate(ctx, tt.machine, tt.machine)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+			g.Expect(warnings).To(BeEmpty())
+		})
+	}
+}
diff --git a/internal/webhooks/machinedeployment_test.go b/internal/webhooks/machinedeployment_test.go
@@ -23,14 +23,18 @@ import (
 
 	. "github.com/onsi/gomega"
 	admissionv1 "k8s.io/api/admission/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	utilfeature "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
+	"sigs.k8s.io/cluster-api/feature"
 	"sigs.k8s.io/cluster-api/internal/webhooks/util"
+	"sigs.k8s.io/cluster-api/util/test/builder"
 )
 
 func TestMachineDeploymentDefault(t *testing.T) {
@@ -838,3 +842,109 @@ func TestMachineDeploymentTemplateMetadataValidation(t *testing.T) {
 		})
 	}
 }
+
+func TestMachineDeploymentTaintValidation(t *testing.T) {
+	md := builder.MachineDeployment("default", "md").
+		WithBootstrapTemplate(builder.BootstrapTemplate("default", "bootstrap-template").Build())
+	webhook := &MachineDeployment{}
+
+	tests := []struct {
+		name              string
+		machineDeployment *clusterv1.MachineDeployment
+		featureEnabled    bool
+		expectErr         bool
+	}{
+		{
+			name:              "should allow empty taints with feature gate disabled",
+			featureEnabled:    false,
+			machineDeployment: md.DeepCopy().Build(),
+			expectErr:         false,
+		},
+		{
+			name:              "should allow empty taints with feature gate enabled",
+			featureEnabled:    true,
+			machineDeployment: md.DeepCopy().Build(),
+			expectErr:         false,
+		},
+		{
+			name:           "should block taint key node.cluster.x-k8s.io/uninitialized",
+			featureEnabled: true,
+			machineDeployment: md.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cluster.x-k8s.io/uninitialized", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint key node.cluster.x-k8s.io/outdated-revision",
+			featureEnabled: true,
+			machineDeployment: md.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cluster.x-k8s.io/outdated-revision", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint with key prefix node.kubernetes.io/, which is not `out-of-service`",
+			featureEnabled: true,
+			machineDeployment: md.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.kubernetes.io/some-taint", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should allow taint node.kubernetes.io/out-of-service",
+			featureEnabled: true,
+			machineDeployment: md.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.kubernetes.io/out-of-service", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: false,
+		},
+		{
+			name:           "should block taint with key prefix node.cloudprovider.kubernetes.io/",
+			featureEnabled: true,
+			machineDeployment: md.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cloudprovider.kubernetes.io/some-taint", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint key node-role.kubernetes.io/master",
+			featureEnabled: true,
+			machineDeployment: md.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node-role.kubernetes.io/master", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint key node-role.kubernetes.io/control-plane for worker nodes",
+			featureEnabled: true,
+			machineDeployment: md.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node-role.kubernetes.io/control-plane", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+	}
+	for i := range tests {
+		tt := tests[i]
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			utilfeature.SetFeatureGateDuringTest(t, feature.Gates, feature.MachineTaintPropagation, tt.featureEnabled)
+
+			warnings, err := webhook.ValidateCreate(ctx, tt.machineDeployment)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+			g.Expect(warnings).To(BeEmpty())
+
+			warnings, err = webhook.ValidateUpdate(ctx, tt.machineDeployment, tt.machineDeployment)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+			g.Expect(warnings).To(BeEmpty())
+		})
+	}
+}
diff --git a/internal/webhooks/machineset_test.go b/internal/webhooks/machineset_test.go
@@ -22,13 +22,17 @@ import (
 	"testing"
 
 	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	utilfeature "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
+	"sigs.k8s.io/cluster-api/feature"
 	"sigs.k8s.io/cluster-api/internal/webhooks/util"
+	"sigs.k8s.io/cluster-api/util/test/builder"
 )
 
 func TestMachineSetDefault(t *testing.T) {
@@ -742,3 +746,109 @@ func TestMachineSetMachineNamingValidation(t *testing.T) {
 		})
 	}
 }
+
+func TestMachineSetTaintValidation(t *testing.T) {
+	ms := builder.MachineSet("default", "machineset1").
+		WithBootstrapTemplate(builder.BootstrapTemplate("default", "bootstrap-template").Build())
+	webhook := &MachineSet{}
+
+	tests := []struct {
+		name           string
+		machineSet     *clusterv1.MachineSet
+		featureEnabled bool
+		expectErr      bool
+	}{
+		{
+			name:           "should allow empty taints with feature gate disabled",
+			featureEnabled: false,
+			machineSet:     ms.DeepCopy().Build(),
+			expectErr:      false,
+		},
+		{
+			name:           "should allow empty taints with feature gate enabled",
+			featureEnabled: true,
+			machineSet:     ms.DeepCopy().Build(),
+			expectErr:      false,
+		},
+		{
+			name:           "should block taint key node.cluster.x-k8s.io/uninitialized",
+			featureEnabled: true,
+			machineSet: ms.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cluster.x-k8s.io/uninitialized", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint key node.cluster.x-k8s.io/outdated-revision",
+			featureEnabled: true,
+			machineSet: ms.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cluster.x-k8s.io/outdated-revision", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint with key prefix node.kubernetes.io/, which is not `out-of-service`",
+			featureEnabled: true,
+			machineSet: ms.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.kubernetes.io/some-taint", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should allow taint node.kubernetes.io/out-of-service",
+			featureEnabled: true,
+			machineSet: ms.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.kubernetes.io/out-of-service", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: false,
+		},
+		{
+			name:           "should block taint with keyprefix node.cloudprovider.kubernetes.io/",
+			featureEnabled: true,
+			machineSet: ms.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node.cloudprovider.kubernetes.io/some-taint", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint key node-role.kubernetes.io/master",
+			featureEnabled: true,
+			machineSet: ms.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node-role.kubernetes.io/master", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+		{
+			name:           "should block taint key node-role.kubernetes.io/control-plane for worker nodes",
+			featureEnabled: true,
+			machineSet: ms.DeepCopy().WithTaints(clusterv1.MachineTaint{
+				Key: "node-role.kubernetes.io/control-plane", Effect: corev1.TaintEffectNoSchedule,
+			}).Build(),
+			expectErr: true,
+		},
+	}
+	for i := range tests {
+		tt := tests[i]
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			utilfeature.SetFeatureGateDuringTest(t, feature.Gates, feature.MachineTaintPropagation, tt.featureEnabled)
+
+			warnings, err := webhook.ValidateCreate(ctx, tt.machineSet)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+			g.Expect(warnings).To(BeEmpty())
+
+			warnings, err = webhook.ValidateUpdate(ctx, tt.machineSet, tt.machineSet)
+			if tt.expectErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+			g.Expect(warnings).To(BeEmpty())
+		})
+	}
+}
diff --git a/util/test/builder/builders.go b/util/test/builder/builders.go
