From 3cbc2910ba7996278ad564d1dbb8f94218e03692 Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Fri, 16 Jan 2026 14:42:29 +0100
Subject: [PATCH 1/4] USHIFT-6487: Set aws machine name limit to 64
---
 scripts/aws/cf-gen.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/aws/cf-gen.yaml b/scripts/aws/cf-gen.yaml
index a7a58814ce..babea03205 100644
--- a/scripts/aws/cf-gen.yaml
+++ b/scripts/aws/cf-gen.yaml
@@ -32,8 +32,8 @@ Parameters:
 Description: Current RHEL AMI to use.
 Type: AWS::EC2::Image::Id
 Machinename:
- AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]{0,26})$
- MaxLength: 27
+ AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]*)$
+ MaxLength: 64
 MinLength: 1
 ConstraintDescription: Machinename
 Description: Machinename
From f14f28576069b6ced3be489673c7a7b76ac4d4a5 Mon Sep 17 00:00:00 2001
From: Jon Cope
Date: Mon, 19 Jan 2026 15:19:30 -0600
Subject: [PATCH 2/4] do not allow users to set Dev/TechPreview feature sets
---
 pkg/config/apiserver.go | 2 ++
 pkg/config/config_test.go | 31 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/pkg/config/apiserver.go b/pkg/config/apiserver.go
index f2151ebe8f..e8235988ff 100644
--- a/pkg/config/apiserver.go
+++ b/pkg/config/apiserver.go
@@ -153,6 +153,8 @@ type FeatureGates struct {
 CustomNoUpgrade CustomNoUpgrade `json:"customNoUpgrade"`
 }
+// ToApiserverArgs converts the FeatureGates struct to a list of feature-gates arguments for the kube-apiserver.
+// Validation checks should be performed before calling this function to ensure the FeatureGates struct is valid.
 func (fg FeatureGates) ToApiserverArgs() ([]string, error) {
 ret := sets.NewString()
 addFeatures := func(features []string, enabled bool) {
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 1f9defbb9d..7a5cd8cc53 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
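Review bot: A 64-character Machinename is one character longer than a DNS label may be (63), and the relaxed `AllowedPattern` still accepts a trailing hyphen. If this parameter ends up in a hostname or another length-limited resource name (the part of the template that consumes it is outside the hunk), the stack would fail later and less clearly than at parameter validation. Either use `MaxLength: 63` or add a comment naming the downstream limit that 64 comes from. The unchanged `ConstraintDescription: Machinename` tells the user nothing about the rule; `ConstraintDescription: Must start with a letter and contain only letters, digits and hyphens (max 64 characters)` would make a rejected value self-explanatory.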
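Review bot: The precondition in the new doc comment on ToApiserverArgs is stated but not enforced, and this comment is the commit's only change to apiserver.go even though the subject says Dev/TechPreview feature sets are no longer allowed. A caller that skips validation would still turn an unsupported feature set or a disabled required gate into kube-apiserver arguments. Since the function already returns an error, it could fail closed by starting with `if err := fg.validateFeatureGates(); err != nil { return nil, err }`, assuming the validateFeatureGates method seen in PATCH 4/4 exists at this commit. The function body continues outside the hunk.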
@@ -892,6 +892,37 @@ func TestValidate(t *testing.T) {
 }(),
 expectErr: true,
 },
+ {
+ name: "feature-gates-required-feature-gate-cannot-be-disabled",
+ config: func() *Config {
+ c := mkDefaultConfig()
+ c.ApiServer.FeatureGates.FeatureSet = "CustomNoUpgrade"
+ c.ApiServer.FeatureGates.CustomNoUpgrade.Enabled = []string{"feature1"}
+ c.ApiServer.FeatureGates.CustomNoUpgrade.Disabled = []string{"UserNamespacesSupport"}
+ return c
+ }(),
+ expectErr: true,
+ },
+ {
+ name: "feature-gates-required-feature-gate-cannot-be-explicitly-enabled",
+ config: func() *Config {
+ c := mkDefaultConfig()
+ c.ApiServer.FeatureGates.FeatureSet = "CustomNoUpgrade"
+ c.ApiServer.FeatureGates.CustomNoUpgrade.Enabled = []string{"UserNamespacesSupport"}
+ c.ApiServer.FeatureGates.CustomNoUpgrade.Disabled = []string{"feature2"}
+ return c
+ }(),
+ expectErr: true,
+ },
+ {
+ name: "feature-gates-preview-feature-sets-not-supported",
+ config: func() *Config {
+ c := mkDefaultConfig()
+ c.ApiServer.FeatureGates.FeatureSet = "TechPreviewNoUpgrade"
+ return c
+ }(),
+ expectErr: true,
+ },
 }
 for _, tt := range ttests {
 t.Run(tt.name, func(t *testing.T) {
From 0d058914a7054a7053051760bc52776767dd0d5d Mon Sep 17 00:00:00 2001
From: Jon Cope
Date: Fri, 23 Jan 2026 10:58:08 -0600
Subject: [PATCH 3/4] Apply suggestion from @agullon
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Alejandro Gullón
---
 pkg/config/config_test.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 7a5cd8cc53..8b565cd24e 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
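Review bot: The added case `feature-gates-required-feature-gate-cannot-be-explicitly-enabled` appears to duplicate, by name and by config, a case already in the table with `expectErr: false`; PATCH 4/4 later removes that older entry and only then adds the `enabledCustom` check against RequiredFeatureGates. If so, the two entries contradict each other and this commit and PATCH 3/4 cannot pass `go test` on their own, which hurts bisecting, so the validation change belongs in the same commit as the test that needs it. The same duplication seems to apply to `feature-gates-preview-feature-sets-not-supported` here and to the empty-lists case added in PATCH 3/4, whose older copies PATCH 4/4 deletes. The subject also names Dev preview, but only `TechPreviewNoUpgrade` is exercised; a sibling case with `c.ApiServer.FeatureGates.FeatureSet = "DevPreviewNoUpgrade"` would cover the other half.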
@@ -914,6 +914,17 @@ func TestValidate(t *testing.T) {
 }(),
 expectErr: true,
 },
+ {
+ name: "feature-gates-custom-no-upgrade-with-empty-enabled-and-disabled-lists",
+ config: func() *Config {
+ c := mkDefaultConfig()
+ c.ApiServer.FeatureGates.FeatureSet = "CustomNoUpgrade"
+ c.ApiServer.FeatureGates.CustomNoUpgrade.Enabled = []string{}
+ c.ApiServer.FeatureGates.CustomNoUpgrade.Disabled = []string{}
+ return c
+ }(),
+ expectErr: false,
+ },
 {
 name: "feature-gates-preview-feature-sets-not-supported",
 config: func() *Config {
From a76c7347a5710fd092159116dc1af437b929790c Mon Sep 17 00:00:00 2001
From: Jon Cope
Date: Mon, 23 Feb 2026 22:43:50 -0600
Subject: [PATCH 4/4] Add validation for required feature gates and empty FeatureSet - Prevent explicitly enabling required feature gates (e.g., UserNamespacesSupport) - Error when CustomNoUpgrade lists are set with empty FeatureSet - Add corresponding unit tests (cherry pick of PR #6082)
---
 pkg/config/apiserver.go | 6 +++--
 pkg/config/config_test.go | 49 ++++------------------------------------
 2 files changed, 8 insertions(+), 47 deletions(-)
diff --git a/pkg/config/apiserver.go b/pkg/config/apiserver.go
index e8235988ff..10c6be6f79 100644
--- a/pkg/config/apiserver.go
+++ b/pkg/config/apiserver.go
@@ -153,8 +153,6 @@ type FeatureGates struct {
 CustomNoUpgrade CustomNoUpgrade `json:"customNoUpgrade"`
 }
-// ToApiserverArgs converts the FeatureGates struct to a list of feature-gates arguments for the kube-apiserver.
-// Validation checks should be performed before calling this function to ensure the FeatureGates struct is valid.
 func (fg FeatureGates) ToApiserverArgs() ([]string, error) {
 ret := sets.NewString()
 addFeatures := func(features []string, enabled bool) {
@@ -187,6 +185,9 @@ func (fg *FeatureGates) validateFeatureGates() error {
 switch fg.FeatureSet {
 case "":
+ if len(fg.CustomNoUpgrade.Enabled) > 0 || len(fg.CustomNoUpgrade.Disabled) > 0 {
+ return fmt.Errorf("CustomNoUpgrade enabled/disabled lists must be empty when FeatureSet is empty")
+ }
 return nil
 case FeatureSetCustomNoUpgrade:
 // Valid - continue with validation
@@ -213,6 +214,7 @@ func (fg *FeatureGates) validateFeatureGates() error {
 msg string
 }{
 {disabledCustom, sets.New(RequiredFeatureGates...), "required feature gates cannot be disabled"},
+ {enabledCustom, sets.New(RequiredFeatureGates...), "required feature gates cannot be explicitly enabled"},
 {enabledCustom, disabledCustom, "feature gates cannot be both enabled and disabled"},
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 8b565cd24e..497fe49953 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -818,16 +818,6 @@ func TestValidate(t *testing.T) {
 }(),
 expectErr: true,
 },
- {
- name: "feature-gates-custom-no-upgrade-with-feature-set-empty",
- config: func() *Config {
- c := mkDefaultConfig()
- c.ApiServer.FeatureGates.FeatureSet = ""
- c.ApiServer.FeatureGates.CustomNoUpgrade.Enabled = []string{"feature1"}
- c.ApiServer.FeatureGates.CustomNoUpgrade.Disabled = []string{"feature2"}
- return c
- }(),
- },
 {
 name: "feature-gates-custom-no-upgrade-valid",
 config: func() *Config {
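Review bot: The new error in the `case "":` branch rejects a configuration that validated before this change; the test case this patch removes from config_test.go expected no error for exactly that input. An existing config with leftover customNoUpgrade lists and no feature set will therefore presumably stop validating after an upgrade, which deserves a release note. The message should tell the operator what to change, for example `return fmt.Errorf("customNoUpgrade enabled/disabled lists are only valid with FeatureSet %q", FeatureSetCustomNoUpgrade)`. validateFeatureGates starts and ends outside the hunk.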
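Review bot: `sets.New(RequiredFeatureGates...)` is now built twice in adjacent rows of the check table; a local such as `required := sets.New(RequiredFeatureGates...)` declared before the table would remove the repetition and keep the two rows visibly tied to the same set. Rejecting an explicit enable of a gate that is already required is not self-evident, and the commit message only says it is prevented, so a one-line comment on the new row stating the reason would help the next reader. The table and the loop that consumes it extend outside the hunk.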
@@ -840,15 +830,15 @@ func TestValidate(t *testing.T) {
 expectErr: false,
 },
 {
- name: "feature-gates-required-feature-gate-cannot-be-explicitly-enabled",
+ name: "feature-gates-custom-no-upgrade-with-feature-set-empty",
 config: func() *Config {
 c := mkDefaultConfig()
- c.ApiServer.FeatureGates.FeatureSet = "CustomNoUpgrade"
- c.ApiServer.FeatureGates.CustomNoUpgrade.Enabled = []string{"UserNamespacesSupport"}
+ c.ApiServer.FeatureGates.FeatureSet = ""
+ c.ApiServer.FeatureGates.CustomNoUpgrade.Enabled = []string{"feature1"}
 c.ApiServer.FeatureGates.CustomNoUpgrade.Disabled = []string{"feature2"}
 return c
 }(),
- expectErr: false,
+ expectErr: true,
 },
 {
 name: "feature-gates-custom-no-upgrade-enabled-and-disabled-have-same-feature-gate",
@@ -872,37 +862,6 @@ func TestValidate(t *testing.T) {
 }(),
 expectErr: true,
 },
- {
- name: "feature-gates-custom-no-upgrade-with-empty-enabled-and-disabled-lists",
- config: func() *Config {
- c := mkDefaultConfig()
- c.ApiServer.FeatureGates.FeatureSet = "CustomNoUpgrade"
- c.ApiServer.FeatureGates.CustomNoUpgrade.Enabled = []string{}
- c.ApiServer.FeatureGates.CustomNoUpgrade.Disabled = []string{}
- return c
- }(),
- expectErr: false,
- },
- {
- name: "feature-gates-preview-feature-sets-not-supported",
- config: func() *Config {
- c := mkDefaultConfig()
- c.ApiServer.FeatureGates.FeatureSet = "TechPreviewNoUpgrade"
- return c
- }(),
- expectErr: true,
- },
- {
- name: "feature-gates-required-feature-gate-cannot-be-disabled",
- config: func() *Config {
- c := mkDefaultConfig()
- c.ApiServer.FeatureGates.FeatureSet = "CustomNoUpgrade"
- c.ApiServer.FeatureGates.CustomNoUpgrade.Enabled = []string{"feature1"}
- c.ApiServer.FeatureGates.CustomNoUpgrade.Disabled = []string{"UserNamespacesSupport"}
- return c
- }(),
- expectErr: true,
- },
 {
 name: "feature-gates-required-feature-gate-cannot-be-explicitly-enabled",
 config: func() *Config {
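Review bot: The rewritten `feature-gates-custom-no-upgrade-with-feature-set-empty` case sets both Enabled and Disabled, so it passes as soon as either operand of the new `||` check fires, and `expectErr` only records that some error occurred. Two further cases with an empty FeatureSet, one setting only Enabled and one setting only Disabled, would pin both operands. The following hunk also deletes the only visible `feature-gates-required-feature-gate-cannot-be-disabled` case; confirm that another copy stays in the table, since that test guards against turning off a required gate such as UserNamespacesSupport. TestValidate extends beyond both hunks.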