Skip to content

feat: support AllNamespaces install mode for OLMv1#73

Open
karampok wants to merge 1 commit into
openshift:mainfrom
karampok:allns-install-mode
Open

feat: support AllNamespaces install mode for OLMv1#73
karampok wants to merge 1 commit into
openshift:mainfrom
karampok:allns-install-mode

Conversation

@karampok

@karampok karampok commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Enable AllNamespaces install mode for OLMv1 readiness (CNF-23024, parent CNF-22688)
  • CRs watched across all namespaces; DaemonSets created in operator namespace where operand SA and SCC binding exist
  • Finalizer-based cleanup for cross-namespace DaemonSet lifecycle
  • Cluster-wide interface uniqueness validation (was per-namespace)
  • Operand SCC RBAC converted from Role to ClusterRole

Details

Architecture

  • WATCH_NAMESPACE="" (set by OLM via olm.targetNamespaces annotation) enables all-namespace watch
  • New OPERATOR_NAMESPACE env (downward API) identifies where DaemonSets are created
  • DaemonSet naming: pf-status-relay-ds-{cr-namespace}-{cr-name} prevents collisions
  • Labels pfstatusrelay.openshift.io/monitor-name and monitor-namespace track ownership
  • Owns() replaced with Watches() + label mapper (owner refs don't work cross-namespace)

Backward compatibility

  • OwnNamespace mode still supported (non-empty WATCH_NAMESPACE scopes cache as before)
  • OPERATOR_NAMESPACE always set via downward API in both deployment methods

Test plan

  • make generate && make manifests -- no unexpected changes
  • make test -- all unit tests pass (controller + webhook)
  • Bundle validates with operator-sdk bundle validate
  • Deploy with operator-sdk run bundle in AllNamespaces mode
  • Create PFLACPMonitor CR in non-operator namespace, verify DaemonSet in operator namespace
  • Delete CR, verify DaemonSet cleanup via finalizer
  • Verify interface uniqueness across namespaces

Ref: CNF-23024

Assisted-By: Claude noreply@anthropic.com

Summary by CodeRabbit

  • New Features

    • Operator now supports cluster-wide installation (AllNamespaces); other namespace-scoped install modes marked unsupported.
    • Monitor resources are namespace-restricted: create/update outside the configured operator namespace are rejected.
  • Configuration

    • Operator scope is driven by OPERATOR_NAMESPACE (env var) sourced from deployment/CSV and used at startup.
  • Tests

    • Added unit and end-to-end tests validating the namespace-restriction behavior.

@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

This PR enforces that PFLACPMonitor resources must be created in the operator's namespace. It wires an OPERATOR_NAMESPACE env var into the operator bootstrap and manifests, passes that namespace into the PFLACPMonitor webhook, and rejects create/update requests for monitors in other namespaces; unit and e2e tests cover the behavior.

Changes

Namespace Enforcement for PFLACPMonitor

Layer / File(s) Summary
Operator bootstrap and config
cmd/main.go, config/manager/manager.yaml
Read mandatory OPERATOR_NAMESPACE via getOperatorNamespace(), configure cache.Options.DefaultNamespaces with it, and pass operatorNamespace into webhook setup; change manager manifest env var name to OPERATOR_NAMESPACE.
Webhook validation with namespace enforcement
api/v1alpha1/pflacpmonitor_webhook.go
Add OperatorNamespace to pflacpmonitorValidator, import fmt, and reject create/update requests when monitor.Namespace != OperatorNamespace returning a Forbidden error with a formatted message.
Webhook validation testing
api/v1alpha1/pflacpmonitor_webhook_test.go, e2e/webhook_test.go
Unit and e2e tests initialize the validator with OperatorNamespace: "default" and assert that creating or updating a monitor outside the operator namespace is forbidden and the error contains "operator namespace".
Deployment manifests and CSV updates
bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml, manifests/stable/pf-status-relay-operator.clusterserviceversion.yaml, config/manifests/bases/pf-status-relay-operator.clusterserviceversion.yaml, config/openshift/kustomization.yaml
Replace WATCH_NAMESPACE with OPERATOR_NAMESPACE sourced from metadata.namespace, update CSV installModes to enable AllNamespaces and mark single-namespace modes unsupported, and adjust kustomize patches for webhook service cert annotation.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm, verified-later

Suggested reviewers

  • SchSeba
🚥 Pre-merge checks | ✅ 15 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: enabling AllNamespaces install mode support for OLMv1, which is the primary objective of this pull request.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Operator Image Source ✅ Passed The controller correctly reads DaemonSet image from PF_STATUS_RELAY_IMAGE env var via getDaemonSetImage() function; no hardcoded images found in controller/API code.
Stable And Deterministic Test Names ✅ Passed All Ginkgo test names in pflacpmonitor_webhook_test.go and e2e/webhook_test.go are stable and deterministic, containing only static descriptive strings with no dynamic content, timestamps, UUIDs, v...
Test Structure And Quality ✅ Passed All test quality requirements are met: tests have single responsibility, proper setup/cleanup via BeforeEach/suite AfterEach, meaningful assertion messages, and follow codebase patterns. Webhook va...
Microshift Test Compatibility ✅ Passed The new webhook_test.go e2e tests use only standard K8s APIs (apierrors, metav1) and a custom CRD (PFLACPMonitor). No MicroShift-unavailable OpenShift APIs or resources are referenced.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The new e2e test added in e2e/webhook_test.go (lines 46-58) tests webhook validation logic that rejects PFLACPMonitor CRs created outside the operator namespace. It makes no multi-node assumptions...
Topology-Aware Scheduling Compatibility ✅ Passed PR introduces AllNamespaces install mode and scheduling-neutral changes; no pod affinity, topology constraints, control-plane selectors, or problematic replica configs that would break SNO, TNF, TN...
Ote Binary Stdout Contract ✅ Passed No process-level stdout writes detected. All logging uses ctrl.SetLogger(zap) to stderr, test suites write to GinkgoWriter, and webhook code uses logf logger. PR changes maintain OTE Binary Stdout...
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The new e2e test in webhook_test.go (lines 46-58) creates a PFLACPMonitor in the default namespace and checks for a Forbidden error. It contains no IPv4 assumptions, hardcoded IPs, or external conn...
No-Weak-Crypto ✅ Passed No weak cryptographic algorithms, custom crypto implementations, or insecure secret/token comparisons found in the PR code.
Container-Privileges ✅ Passed All containers have restrictive security contexts with allowPrivilegeEscalation=false, readOnlyRootFilesystem=true, and no privileged/hostPID/hostNetwork/hostIPC flags. Pods run non-root.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data exposure detected. Logging limited to standard Kubernetes metadata (CR names, namespaces) and generic error messages. No passwords, tokens, API keys, PII, or credentials are logged.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from SchSeba and zeeke June 10, 2026 10:40
@openshift-ci

openshift-ci Bot commented Jun 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: karampok

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 10, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
api/v1alpha1/pflacpmonitor_webhook_test.go (1)

73-96: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Add cross-namespace conflict test to validate the primary feature.

All existing tests create monitors in the same namespace ("default"), but the primary purpose of this PR change is to enable cluster-wide interface uniqueness validation across different namespaces. The test suite should include at least one test that:

  1. Creates a monitor with interfaces ["eth0"] in namespace "ns1"
  2. Attempts to create a monitor with interfaces ["eth0"] in namespace "ns2" (different namespace, overlapping interfaces)
  3. Verifies the validation correctly detects the conflict and includes both namespace and name in the error message

Without cross-namespace test coverage, the core behavior change (line 11 in validate.go requiring both Name and Namespace match) is not verified.

🧪 Suggested cross-namespace test
Context("with cross-namespace conflicts", func() {
	BeforeEach(func() {
		// Create a monitor in namespace "namespace-a"
		monitorInNsA := &PFLACPMonitor{
			ObjectMeta: metav1.ObjectMeta{Name: "monitor-a", Namespace: "namespace-a"},
			Spec: PFLACPMonitorSpec{
				Interfaces: []string{"eth0"},
			},
		}
		err := validator.Client.Create(ctx, monitorInNsA)
		Expect(err).NotTo(HaveOccurred())
	})

	It("should reject a monitor in a different namespace with conflicting interfaces", func() {
		monitorInNsB := &PFLACPMonitor{
			ObjectMeta: metav1.ObjectMeta{Name: "monitor-b", Namespace: "namespace-b"},
			Spec: PFLACPMonitorSpec{
				Interfaces: []string{"eth0"}, // Conflicts with monitor-a
			},
		}
		_, err := validator.ValidateCreate(ctx, monitorInNsB)
		Expect(err).To(HaveOccurred())
		Expect(err.Error()).To(ContainSubstring("interfaces [eth0] conflict with the ones from PFLACPMonitor namespace-a/monitor-a"))
	})
})

As per coding guidelines, Ginkgo test code should be reviewed for quality including single responsibility and consistency with codebase patterns.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/pflacpmonitor_webhook_test.go` around lines 73 - 96, The test
suite lacks coverage for cross-namespace interface conflicts; add a Ginkgo
Context that uses the validator.Client to create a PFLACPMonitor in one
namespace (e.g., PFLACPMonitor with Name "monitor-a", Namespace "namespace-a",
Spec.Interfaces ["eth0"]), then attempt to ValidateCreate a second PFLACPMonitor
in a different namespace (e.g., Name "monitor-b", Namespace "namespace-b",
Spec.Interfaces ["eth0"]) and assert ValidateCreate returns an error whose
message contains the conflicting monitor's namespace/name (e.g.,
"namespace-a/monitor-a"); target the ValidateCreate flow and PFLACPMonitor
objects so the test verifies cluster-wide uniqueness behavior.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/v1alpha1/pflacpmonitor_webhook.go`:
- Line 84: The change that removed the namespace filter on
v.Client.List(ctxTimeout, monitorList) is intentional to enable cluster-wide
uniqueness checks across namespaces; ensure the List call remains
namespace-agnostic (no Namespace option passed), verify that monitorList (the
PFLACPMonitor list object) and ctxTimeout (the context with timeout) are
properly constructed and used, and add a short code comment near v.Client.List
mentioning this is deliberate for cross-namespace validation and that webhook
latency should be monitored (and the 60s timeout reviewed) in large clusters.

---

Outside diff comments:
In `@api/v1alpha1/pflacpmonitor_webhook_test.go`:
- Around line 73-96: The test suite lacks coverage for cross-namespace interface
conflicts; add a Ginkgo Context that uses the validator.Client to create a
PFLACPMonitor in one namespace (e.g., PFLACPMonitor with Name "monitor-a",
Namespace "namespace-a", Spec.Interfaces ["eth0"]), then attempt to
ValidateCreate a second PFLACPMonitor in a different namespace (e.g., Name
"monitor-b", Namespace "namespace-b", Spec.Interfaces ["eth0"]) and assert
ValidateCreate returns an error whose message contains the conflicting monitor's
namespace/name (e.g., "namespace-a/monitor-a"); target the ValidateCreate flow
and PFLACPMonitor objects so the test verifies cluster-wide uniqueness behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: a5791f83-f230-4cb5-8fd0-b16939523a18

📥 Commits

Reviewing files that changed from the base of the PR and between fdc4ea6 and 4a1cfd9.

📒 Files selected for processing (17)
  • api/v1alpha1/pflacpmonitor_webhook.go
  • api/v1alpha1/pflacpmonitor_webhook_test.go
  • api/v1alpha1/validate.go
  • bundle/manifests/pf-status-relay-operator-pf-status-relay_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundle/manifests/pf-status-relay-operator-pf-status-relay_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
  • bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml
  • cmd/main.go
  • config/manager/manager.yaml
  • config/manifests/bases/pf-status-relay-operator.clusterserviceversion.yaml
  • config/rbac/operand/role.yaml
  • config/rbac/operand/role_binding.yaml
  • internal/controller/pflacpmonitor_controller.go
  • internal/controller/pflacpmonitor_controller_test.go
  • internal/controller/suite_test.go
  • manifests/stable/pf-status-relay-operator-pf-status-relay_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • manifests/stable/pf-status-relay-operator-pf-status-relay_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
  • manifests/stable/pf-status-relay-operator.clusterserviceversion.yaml

Comment thread api/v1alpha1/pflacpmonitor_webhook.go Outdated

monitorList := &PFLACPMonitorList{}
err := v.Client.List(ctxTimeout, monitorList, client.InNamespace(monitor.Namespace))
err := v.Client.List(ctxTimeout, monitorList)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Cluster-wide list enables cross-namespace validation.

The removal of the namespace filter correctly enables cluster-wide interface uniqueness checking, which is the intended behavior for AllNamespaces install mode.

Operational note: In clusters with a large number of PFLACPMonitor resources across many namespaces, this cluster-wide list during webhook admission may introduce latency. Consider monitoring webhook response times after deployment and verifying that the 60-second timeout (line 33) is sufficient for your largest clusters.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/pflacpmonitor_webhook.go` at line 84, The change that removed
the namespace filter on v.Client.List(ctxTimeout, monitorList) is intentional to
enable cluster-wide uniqueness checks across namespaces; ensure the List call
remains namespace-agnostic (no Namespace option passed), verify that monitorList
(the PFLACPMonitor list object) and ctxTimeout (the context with timeout) are
properly constructed and used, and add a short code comment near v.Client.List
mentioning this is deliberate for cross-namespace validation and that webhook
latency should be monitored (and the 60s timeout reviewed) in large clusters.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/controller/pflacpmonitor_controller.go`:
- Around line 158-160: The daemonSetName function currently returns a name based
only on namePrefix and pfMonitor.Name which causes DaemonSet name collisions
when two PFLACPMonitor resources share the same name in different namespaces;
update daemonSetName (used by the reconciler) to incorporate the monitor's
namespace (e.g., include pfMonitor.Namespace) into the generated DaemonSet name
so each (namespace,name) pair maps to a unique DaemonSet, and/or add a
validation path in the reconciler to reject duplicate monitor names across
namespaces until the CRD is cluster-scoped.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 884d351e-908b-4e89-a99c-4d60dbe3126a

📥 Commits

Reviewing files that changed from the base of the PR and between 4a1cfd9 and d74d6ca.

📒 Files selected for processing (3)
  • internal/controller/pflacpmonitor_controller.go
  • internal/controller/pflacpmonitor_controller_test.go
  • internal/controller/suite_test.go

Comment on lines +158 to +160
func (r *PFLACPMonitorReconciler) daemonSetName(pfMonitor *pfstatusrelayv1alpha1.PFLACPMonitor) string {
return fmt.Sprintf("%s-ds-%s", namePrefix, pfMonitor.Name)
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Name collision when monitors share names across namespaces.

In AllNamespaces mode, two PFLACPMonitor resources with the same name in different namespaces will generate identical DaemonSet names (e.g., "pf-status-relay-ds-foo") in r.OperatorNamespace. The second monitor's reconciliation will overwrite the first's DaemonSet spec, causing configuration thrashing and operand misconfiguration (wrong interfaces, polling intervals, node selectors).

The commit message mentions removing the namespace prefix "to avoid upgrade issues and prepare for cluster-scoped CRD migration," but until the CRD becomes cluster-scoped, this creates a critical collision window.

🔒 Recommended fix: include namespace in DaemonSet name
 func (r *PFLACPMonitorReconciler) daemonSetName(pfMonitor *pfstatusrelayv1alpha1.PFLACPMonitor) string {
-	return fmt.Sprintf("%s-ds-%s", namePrefix, pfMonitor.Name)
+	return fmt.Sprintf("%s-ds-%s-%s", namePrefix, pfMonitor.Namespace, pfMonitor.Name)
 }

Alternatively, if maintaining the original name is required for upgrade compatibility, add cluster-wide validation to reject monitors with duplicate names across namespaces.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
func (r *PFLACPMonitorReconciler) daemonSetName(pfMonitor *pfstatusrelayv1alpha1.PFLACPMonitor) string {
return fmt.Sprintf("%s-ds-%s", namePrefix, pfMonitor.Name)
}
func (r *PFLACPMonitorReconciler) daemonSetName(pfMonitor *pfstatusrelayv1alpha1.PFLACPMonitor) string {
return fmt.Sprintf("%s-ds-%s-%s", namePrefix, pfMonitor.Namespace, pfMonitor.Name)
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/pflacpmonitor_controller.go` around lines 158 - 160, The
daemonSetName function currently returns a name based only on namePrefix and
pfMonitor.Name which causes DaemonSet name collisions when two PFLACPMonitor
resources share the same name in different namespaces; update daemonSetName
(used by the reconciler) to incorporate the monitor's namespace (e.g., include
pfMonitor.Namespace) into the generated DaemonSet name so each (namespace,name)
pair maps to a unique DaemonSet, and/or add a validation path in the reconciler
to reject duplicate monitor names across namespaces until the CRD is
cluster-scoped.

@karampok karampok mentioned this pull request Jun 10, 2026
Comment thread config/rbac/operand/role_binding.yaml Outdated
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
kind: ClusterRoleBinding

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this change? The pf-status-relay svcacc only use securitycontextconstraints, and Role should be enough. right?

@karampok karampok force-pushed the allns-install-mode branch 2 times, most recently from 9cc002b to 6784b6a Compare June 11, 2026 09:16

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
cmd/main.go (1)

164-169: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make namespace enforcement non-optional at runtime.

Line 164 keeps webhook registration optional. In this PR, namespace policy is enforced in the webhook validator; if ENABLE_WEBHOOKS=false, out-of-namespace PFLACPMonitor objects can be admitted but never reconciled (cache is still scoped to operatorNamespace).

Proposed fix
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
-		if err = (&pfstatusrelayv1alpha1.PFLACPMonitor{}).SetupWebhookWithManager(mgr, operatorNamespace); err != nil {
-			setupLog.Error(err, "unable to create webhook", "webhook", "PFLACPMonitor")
-			os.Exit(1)
-		}
-	}
+	if os.Getenv("ENABLE_WEBHOOKS") == "false" {
+		setupLog.Error(fmt.Errorf("ENABLE_WEBHOOKS=false"), "namespace enforcement requires webhooks enabled")
+		os.Exit(1)
+	}
+	if err = (&pfstatusrelayv1alpha1.PFLACPMonitor{}).SetupWebhookWithManager(mgr, operatorNamespace); err != nil {
+		setupLog.Error(err, "unable to create webhook", "webhook", "PFLACPMonitor")
+		os.Exit(1)
+	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/main.go` around lines 164 - 169, The webhook registration is currently
gated by the ENABLE_WEBHOOKS env which allows namespace enforcement to be
bypassed; remove that conditional so
(&pfstatusrelayv1alpha1.PFLACPMonitor{}).SetupWebhookWithManager(mgr,
operatorNamespace) is always invoked (and keep the existing error handling),
ensuring the webhook validator enforcing operatorNamespace is always registered
regardless of ENABLE_WEBHOOKS.
♻️ Duplicate comments (1)
api/v1alpha1/pflacpmonitor_webhook.go (1)

97-97: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Interface uniqueness check is still namespace-scoped.

Line 97 uses client.InNamespace(monitor.Namespace), so duplicate interfaces across namespaces are not detected. That contradicts the cluster-wide uniqueness behavior described for AllNamespaces mode.

Suggested fix
-	err := v.Client.List(ctxTimeout, monitorList, client.InNamespace(monitor.Namespace))
+	err := v.Client.List(ctxTimeout, monitorList)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/pflacpmonitor_webhook.go` at line 97, The list call that checks
for duplicate Interfaces is incorrectly limited to a single namespace: change
the v.Client.List invocation that currently passes
client.InNamespace(monitor.Namespace) so it performs a cluster-wide list when
running in AllNamespaces mode (i.e., remove the client.InNamespace(...) option
and call v.Client.List(ctxTimeout, monitorList) or otherwise omit the namespace
option). Update the code around v.Client.List, the client.InNamespace usage, and
any conditional that detects AllNamespaces so duplicate-interface checks use a
cluster-scoped list instead of monitor.Namespace.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/v1alpha1/pflacpmonitor_webhook.go`:
- Around line 72-78: The namespace check currently rejects all namespaced
objects when v.OperatorNamespace is empty; change the conditional to only
enforce the namespace when v.OperatorNamespace is non-empty (e.g., if
v.OperatorNamespace != "" && monitor.Namespace != v.OperatorNamespace) so the
validator becomes a no-op when OperatorNamespace is unset; update the block that
returns apierrors.NewForbidden (using monitor.Namespace, v.OperatorNamespace,
GroupVersion.Group and resource "pflacpmonitors") accordingly.

---

Outside diff comments:
In `@cmd/main.go`:
- Around line 164-169: The webhook registration is currently gated by the
ENABLE_WEBHOOKS env which allows namespace enforcement to be bypassed; remove
that conditional so
(&pfstatusrelayv1alpha1.PFLACPMonitor{}).SetupWebhookWithManager(mgr,
operatorNamespace) is always invoked (and keep the existing error handling),
ensuring the webhook validator enforcing operatorNamespace is always registered
regardless of ENABLE_WEBHOOKS.

---

Duplicate comments:
In `@api/v1alpha1/pflacpmonitor_webhook.go`:
- Line 97: The list call that checks for duplicate Interfaces is incorrectly
limited to a single namespace: change the v.Client.List invocation that
currently passes client.InNamespace(monitor.Namespace) so it performs a
cluster-wide list when running in AllNamespaces mode (i.e., remove the
client.InNamespace(...) option and call v.Client.List(ctxTimeout, monitorList)
or otherwise omit the namespace option). Update the code around v.Client.List,
the client.InNamespace usage, and any conditional that detects AllNamespaces so
duplicate-interface checks use a cluster-scoped list instead of
monitor.Namespace.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 4608a187-7b29-47a7-b951-e517cf085119

📥 Commits

Reviewing files that changed from the base of the PR and between d74d6ca and 6784b6a.

📒 Files selected for processing (8)
  • api/v1alpha1/pflacpmonitor_webhook.go
  • api/v1alpha1/pflacpmonitor_webhook_test.go
  • bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml
  • cmd/main.go
  • config/manager/manager.yaml
  • config/manifests/bases/pf-status-relay-operator.clusterserviceversion.yaml
  • e2e/webhook_test.go
  • manifests/stable/pf-status-relay-operator.clusterserviceversion.yaml

Comment on lines +72 to +78
if monitor.Namespace != v.OperatorNamespace {
return nil, apierrors.NewForbidden(
schema.GroupResource{Group: GroupVersion.Group, Resource: "pflacpmonitors"},
monitor.Name,
fmt.Errorf("PFLACPMonitor resources must be created in the operator namespace %q, got %q", v.OperatorNamespace, monitor.Namespace),
)
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard namespace enforcement when OperatorNamespace is unset.

Line 72 currently blocks all namespaced objects when OperatorNamespace == "". That breaks the no-restriction validator path exercised by the new tests and makes behavior brittle for any direct validator wiring.

Suggested fix
-	if monitor.Namespace != v.OperatorNamespace {
+	if v.OperatorNamespace != "" && monitor.Namespace != v.OperatorNamespace {
 		return nil, apierrors.NewForbidden(
 			schema.GroupResource{Group: GroupVersion.Group, Resource: "pflacpmonitors"},
 			monitor.Name,
 			fmt.Errorf("PFLACPMonitor resources must be created in the operator namespace %q, got %q", v.OperatorNamespace, monitor.Namespace),
 		)
 	}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if monitor.Namespace != v.OperatorNamespace {
return nil, apierrors.NewForbidden(
schema.GroupResource{Group: GroupVersion.Group, Resource: "pflacpmonitors"},
monitor.Name,
fmt.Errorf("PFLACPMonitor resources must be created in the operator namespace %q, got %q", v.OperatorNamespace, monitor.Namespace),
)
}
if v.OperatorNamespace != "" && monitor.Namespace != v.OperatorNamespace {
return nil, apierrors.NewForbidden(
schema.GroupResource{Group: GroupVersion.Group, Resource: "pflacpmonitors"},
monitor.Name,
fmt.Errorf("PFLACPMonitor resources must be created in the operator namespace %q, got %q", v.OperatorNamespace, monitor.Namespace),
)
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/pflacpmonitor_webhook.go` around lines 72 - 78, The namespace
check currently rejects all namespaced objects when v.OperatorNamespace is
empty; change the conditional to only enforce the namespace when
v.OperatorNamespace is non-empty (e.g., if v.OperatorNamespace != "" &&
monitor.Namespace != v.OperatorNamespace) so the validator becomes a no-op when
OperatorNamespace is unset; update the block that returns apierrors.NewForbidden
(using monitor.Namespace, v.OperatorNamespace, GroupVersion.Group and resource
"pflacpmonitors") accordingly.

@karampok karampok force-pushed the allns-install-mode branch from 6784b6a to 3c1bd08 Compare June 11, 2026 12:55

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
api/v1alpha1/pflacpmonitor_webhook.go (1)

97-97: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider clarifying namespace-scoped list behavior.

Since line 72 enforces that all PFLACPMonitor resources must be in the operator namespace, the client.InNamespace(monitor.Namespace) filter at line 97 effectively performs a cluster-wide uniqueness check (all monitors are in the same namespace). Consider adding a comment explaining this, or removing the filter entirely for clarity.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/pflacpmonitor_webhook.go` at line 97, The List call using
v.Client.List(ctxTimeout, monitorList, client.InNamespace(monitor.Namespace))
gives the impression of a namespace-scoped uniqueness check but earlier
validation requires all PFLACPMonitor resources to live in the operator
namespace, so this filter is redundant and confusing; remove the
client.InNamespace(monitor.Namespace) argument from the v.Client.List call (or
if you prefer to keep it, add a single-line comment next to the v.Client.List
invocation explaining that all PFLACPMonitor objects are validated to exist in
the operator namespace so the namespace filter is effectively
global/cluster-wide) to make the intent clear (referencing v.Client.List,
monitor.Namespace and the PFLACPMonitor validation logic).
♻️ Duplicate comments (1)
api/v1alpha1/pflacpmonitor_webhook.go (1)

72-78: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Guard namespace enforcement when OperatorNamespace is unset.

While cmd/main.go ensures OPERATOR_NAMESPACE is set in production, adding a guard improves defensive programming and prevents issues if the validator is ever constructed directly in tests or other contexts.

🛡️ Suggested defensive guard
 func (v *pflacpmonitorValidator) validate(ctx context.Context, monitor *PFLACPMonitor) (admission.Warnings, error) {
-	if monitor.Namespace != v.OperatorNamespace {
+	if v.OperatorNamespace != "" && monitor.Namespace != v.OperatorNamespace {
 		return nil, apierrors.NewForbidden(
 			schema.GroupResource{Group: GroupVersion.Group, Resource: "pflacpmonitors"},
 			monitor.Name,
 			fmt.Errorf("PFLACPMonitor resources must be created in the operator namespace %q, got %q", v.OperatorNamespace, monitor.Namespace),
 		)
 	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/pflacpmonitor_webhook.go` around lines 72 - 78, The namespace
check should guard for an unset operator namespace to avoid silent misvalidation
when the validator is constructed outside main; before comparing
monitor.Namespace to v.OperatorNamespace in the pflacpmonitor webhook validation
(the block referencing v.OperatorNamespace), add an early check for an empty
v.OperatorNamespace and return a clear API error (e.g.,
apierrors.NewInternalError or apierrors.NewBadRequest with a message like
"operator namespace not configured on validator") so callers get a deterministic
error instead of an incorrect allow/deny; ensure you reference
v.OperatorNamespace and use the same apierrors package used elsewhere in this
file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@api/v1alpha1/pflacpmonitor_webhook.go`:
- Line 97: The List call using v.Client.List(ctxTimeout, monitorList,
client.InNamespace(monitor.Namespace)) gives the impression of a
namespace-scoped uniqueness check but earlier validation requires all
PFLACPMonitor resources to live in the operator namespace, so this filter is
redundant and confusing; remove the client.InNamespace(monitor.Namespace)
argument from the v.Client.List call (or if you prefer to keep it, add a
single-line comment next to the v.Client.List invocation explaining that all
PFLACPMonitor objects are validated to exist in the operator namespace so the
namespace filter is effectively global/cluster-wide) to make the intent clear
(referencing v.Client.List, monitor.Namespace and the PFLACPMonitor validation
logic).

---

Duplicate comments:
In `@api/v1alpha1/pflacpmonitor_webhook.go`:
- Around line 72-78: The namespace check should guard for an unset operator
namespace to avoid silent misvalidation when the validator is constructed
outside main; before comparing monitor.Namespace to v.OperatorNamespace in the
pflacpmonitor webhook validation (the block referencing v.OperatorNamespace),
add an early check for an empty v.OperatorNamespace and return a clear API error
(e.g., apierrors.NewInternalError or apierrors.NewBadRequest with a message like
"operator namespace not configured on validator") so callers get a deterministic
error instead of an incorrect allow/deny; ensure you reference
v.OperatorNamespace and use the same apierrors package used elsewhere in this
file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 14171852-7694-4b6a-ad79-0e5ff76b29ca

📥 Commits

Reviewing files that changed from the base of the PR and between 6784b6a and 3c1bd08.

📒 Files selected for processing (9)
  • api/v1alpha1/pflacpmonitor_webhook.go
  • api/v1alpha1/pflacpmonitor_webhook_test.go
  • bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml
  • cmd/main.go
  • config/manager/manager.yaml
  • config/manifests/bases/pf-status-relay-operator.clusterserviceversion.yaml
  • config/openshift/kustomization.yaml
  • e2e/webhook_test.go
  • manifests/stable/pf-status-relay-operator.clusterserviceversion.yaml
💤 Files with no reviewable changes (1)
  • config/openshift/kustomization.yaml

@karampok

Copy link
Copy Markdown
Contributor Author

openshift/release#80415

@karampok karampok force-pushed the allns-install-mode branch 2 times, most recently from dc5e7f6 to 3ee20af Compare June 15, 2026 08:41
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 17, 2026
Switch install mode from OwnNamespace to AllNamespaces. Replace
WATCH_NAMESPACE with OPERATOR_NAMESPACE to always scope cache
to operator namespace regardless of OLM install mode.

Restrict CR creation to operator namespace via validating webhook.
Includes unit and e2e tests.

Assisted-By: Claude <noreply@anthropic.com>
@karampok karampok force-pushed the allns-install-mode branch from 3ee20af to 7d4fa82 Compare June 24, 2026 12:14
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 24, 2026
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown

@karampok: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-validation 7d4fa82 link true /test e2e-validation

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants