
fix: stop emitting false-positive deprecated-API warnings for RBAC rules#496

Open
SebTardif wants to merge 2 commits into operator-framework:master from SebTardif:fix/rbac-deprecated-api-false-positive

Conversation

@SebTardif

Problem

The deprecatedGroupResource map in getRemovedAPIsOn1_25From() flags RBAC PolicyRules that reference API groups where a beta version was removed in Kubernetes v1.25. However, RBAC PolicyRule objects only specify apiGroups and resources; they do not carry a version field. This means the validator cannot distinguish between a rule granting access to batch/v1 CronJob (stable) and batch/v1beta1 CronJob (removed).

This produces false-positive warnings for every operator that has RBAC rules for common resources like CronJobs, HPAs, Events, PDBs, EndpointSlices, or RuntimeClasses, even when the operator exclusively uses stable API versions.

Impact: This warning appears on the community-operators-prod CI pipeline for every operator that needs RBAC access to these resources (see community-operators-prod#9875 for an example). As noted in the original issue, the misleading warning has led developers to incorrectly modify their RBAC rules.

Fix

Remove entries from deprecatedGroupResource where the resource still exists under a stable API version in the same group:

Removed entry                          Stable version
batch/cronjobs                         batch/v1 (stable since v1.21)
discovery.k8s.io/endpointslices        discovery.k8s.io/v1 (stable since v1.21)
events.k8s.io/events                   events.k8s.io/v1 (stable since v1.19)
autoscaling/horizontalpodautoscalers   autoscaling/v2 (stable since v1.23)
policy/poddisruptionbudgets            policy/v1 (stable since v1.21)
node.k8s.io/runtimeclasses             node.k8s.io/v1 (stable since v1.20)

Keep policy/podsecuritypolicies since PodSecurityPolicy was entirely removed in v1.25 with no stable replacement in the same API group.

The deprecatedGvk check (for actual versioned manifests in the bundle) is unaffected and continues to correctly flag deprecated objects like autoscaling/v2beta1 HorizontalPodAutoscaler or policy/v1beta1 PodDisruptionBudget when they appear as bundle manifests.

Testing

  • Updated Test_GetRemovedAPIsOn1_25From to expect warnings only for podsecuritypolicies
  • Full test suite passes: go test ./...

Fixes #378
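The distinction the PR draws, and why the pre-fix map misfires, is easiest to see by running the two checks side by side. The program below is an added example written for this page, not code from operator-framework/api: the type names (PolicyRule, GVK), the function names (rbacWarnings, manifestWarnings), the contents of the removed sets and the sample bundle are all assumptions made for illustration. It runs the same constructed RBAC rules against the pre-fix group/resource set and the post-fix set, and runs a versioned manifest list against a removed-GVK set, which is the check that does have enough information to be precise.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule keeps only the RBAC fields relevant to the check. There is no
// version field: a rule for batch/cronjobs covers v1 and v1beta1 alike, so
// the rule alone cannot tell a validator which one the operator uses.
type PolicyRule struct {
	APIGroups []string
	Resources []string
}

// GVK is a fully versioned kind as it appears in a bundle manifest.
type GVK struct {
	Group, Version, Kind string
}

// removedGroupResource is the post-fix set: group/resource pairs with no
// serving version left in Kubernetes 1.25. Assumed to mirror the PR text.
var removedGroupResource = map[string][]string{
	"policy": {"podsecuritypolicies"},
}

// preFixGroupResource is the pre-fix set, kept only to reproduce the false
// positive the PR describes (contents assumed from the PR's table).
var preFixGroupResource = map[string][]string{
	"batch":            {"cronjobs"},
	"discovery.k8s.io": {"endpointslices"},
	"events.k8s.io":    {"events"},
	"autoscaling":      {"horizontalpodautoscalers"},
	"policy":           {"poddisruptionbudgets", "podsecuritypolicies"},
	"node.k8s.io":      {"runtimeclasses"},
}

// removedGVK is an assumed subset of versioned kinds removed in 1.25.
var removedGVK = map[GVK]bool{
	{"autoscaling", "v2beta1", "HorizontalPodAutoscaler"}: true,
	{"policy", "v1beta1", "PodDisruptionBudget"}:          true,
	{"policy", "v1beta1", "PodSecurityPolicy"}:            true,
	{"batch", "v1beta1", "CronJob"}:                       true,
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// rbacWarnings returns one sorted warning per (rule, group, resource) that
// grants access to a pair listed in removed. Wildcards ("*") are not
// expanded: they say nothing about which concrete resource the operator
// uses, so this example leaves them alone (a choice for this example only).
func rbacWarnings(rules []PolicyRule, removed map[string][]string) []string {
	var out []string
	for _, rule := range rules {
		for _, group := range rule.APIGroups {
			for _, resource := range removed[group] {
				if contains(rule.Resources, resource) {
					out = append(out, fmt.Sprintf(
						"rbac rule grants access to %s/%s, which has no serving version in 1.25",
						group, resource))
				}
			}
		}
	}
	sort.Strings(out)
	return out
}

// manifestWarnings flags bundle objects whose exact group/version/kind was
// removed. The version is known here, so there is no ambiguity to resolve.
func manifestWarnings(objs []GVK, removed map[GVK]bool) []string {
	var out []string
	for _, o := range objs {
		if removed[o] {
			out = append(out, fmt.Sprintf(
				"bundle manifest %s/%s %s was removed in 1.25", o.Group, o.Version, o.Kind))
		}
	}
	sort.Strings(out)
	return out
}

// sampleRules is a constructed rule set for an operator that uses only the
// stable CronJob and PDB APIs but still ships a PodSecurityPolicy rule.
var sampleRules = []PolicyRule{
	{APIGroups: []string{"batch"}, Resources: []string{"cronjobs", "jobs"}},
	{APIGroups: []string{"policy"}, Resources: []string{"poddisruptionbudgets", "podsecuritypolicies"}},
	{APIGroups: []string{"*"}, Resources: []string{"*"}},
}

// sampleManifests is a constructed bundle: one stable HPA, one removed HPA.
var sampleManifests = []GVK{
	{"autoscaling", "v2", "HorizontalPodAutoscaler"},
	{"autoscaling", "v2beta1", "HorizontalPodAutoscaler"},
}

func main() {
	fmt.Println("before fix:", rbacWarnings(sampleRules, preFixGroupResource))
	fmt.Println("after fix: ", rbacWarnings(sampleRules, removedGroupResource))
	fmt.Println("manifests: ", manifestWarnings(sampleManifests, removedGVK))
}
```

With the pre-fix set the sample operator gets three RBAC warnings although it only uses batch/v1 and policy/v1 objects; with the post-fix set only the PodSecurityPolicy rule is reported, and the versioned manifest check still catches the autoscaling/v2beta1 HPA while passing the v2 one.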

RBAC PolicyRules only specify apiGroups and resources, not versions.
The deprecatedGroupResource map was flagging any RBAC rule that
referenced a group+resource combination where a beta version had been
removed, even when a stable version still exists in the same group.

This produced false-positive warnings for operators that use stable
APIs like batch/v1 CronJob, autoscaling/v2 HPA, events.k8s.io/v1
Event, policy/v1 PDB, discovery.k8s.io/v1 EndpointSlice, and
node.k8s.io/v1 RuntimeClass.

Remove these entries from the deprecatedGroupResource map since RBAC
rules for them are valid. Keep only PodSecurityPolicy, which was
entirely removed in v1.25 with no stable replacement in the policy
group.

The deprecatedGvk check (for actual versioned manifests in the bundle)
is unaffected and continues to correctly flag deprecated objects.

Fixes operator-framework#378

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Copilot AI review requested due to automatic review settings June 2, 2026 00:04
@openshift-ci openshift-ci Bot requested review from kevinrizza and perdasilva June 2, 2026 00:04

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR refines Kubernetes v1.25 “removed API” validation to avoid emitting RBAC deprecation warnings for resources that still exist under stable versions, and keeps RBAC warnings focused on resources truly removed from the API surface.

Changes:

  • Limit RBAC warnings in v1.25 checks to policy/podsecuritypolicies (fully removed), excluding resources that still exist in stable versions.
  • Update unit test expectations to match the reduced RBAC warning set.
  • Add clarifying comments explaining why RBAC rules cannot be version-disambiguated.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                                         Description
pkg/validation/internal/removed_apis.go      Narrows the "deprecated" RBAC group/resource set to only PodSecurityPolicy and documents the rationale.
pkg/validation/internal/removed_apis_test.go Updates expected RBAC warnings to only include PodSecurityPolicy and adds explanatory test comments.


@codecov

codecov Bot commented Jun 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 22.07%. Comparing base (755d5d1) to head (fde72cb).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #496      +/-   ##
==========================================
- Coverage   22.13%   22.07%   -0.06%     
==========================================
  Files          60       60              
  Lines        7869     7863       -6     
==========================================
- Hits         1742     1736       -6     
  Misses       5969     5969              
  Partials      158      158              


Rename identifiers to match actual semantics: this map tracks
resources entirely removed from their API group, not merely
deprecated. Renames deprecatedGroupResource -> removedGroupResource
and warnIfDeprecated -> warnIfRemoved.

Suggested-by: Copilot
Requested-by: perdasilva
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
@perdasilva
Contributor

/approve

@openshift-ci

openshift-ci Bot commented Jun 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: perdasilva


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 3, 2026

Development

Successfully merging this pull request may close these issues.

Validation code incorrectly issues warning for deprecated apis referenced in RBAC

3 participants