OCPNODE-4383: WIP: 4.22: require admin ack from 4.21 to 4.22 if runc is present

[haircommander]

assisted by Claude

[openshift-ci-robot]

@haircommander: This pull request references OCPNODE-4383 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

assisted by Claude

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (3)

• WIP
• do-not-merge
• work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: d50f6539-b685-4c41-97ae-eae3e226e9da

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

A new blocked-edge rule configuration file is added for version 4.22.0 that detects deprecated runc container runtime usage and recommends migration to crun before upgrading, with PromQL-based matching rules.

Changes

Cohort / File(s)	Summary
Blocked-Edge Rule Configuration blocked-edges/4.22.0-RuncDeprecatedUpgradeRecommendation.yaml	Adds a new rule scoped to upgrades to version 4.22.0 that warns users about deprecated runc container runtime and recommends migrating to crun. Includes PromQL expressions to detect runc usage via MachineConfigDaemon state and ContainerRuntimeConfig resources.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: haircommander
Once this PR has been reviewed and has the lgtm label, please assign dustman9000 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[haircommander]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[haircommander]

btw: engineering is still discussing whether to take this approach, hence the WIP, but I wanted to put it together so we can work through any issues with the recommendation in parallel

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@blocked-edges/4.22.0-RuncDeprecatedUpgradeRecommendation.yaml`:
- Line 3: The metadata uses OCPNODE-4382 in the URL and another location but the
change should reference OCPNODE-4383; update the string
"https://redhat.atlassian.net/browse/OCPNODE-4382" and any other occurrences of
"OCPNODE-4382" in this file to "OCPNODE-4383" so the Jira ID is consistent
(check both the url line and the second occurrence noted in the comment).
- Line 2: The rule currently uses a broad source regex "from: .*" which applies
the risk to all upgrade sources; update the "from:" value in
blocked-edges/4.22.0-RuncDeprecatedUpgradeRecommendation.yaml to narrowly match
only 4.21 patch versions (for example use a regex like ^4\.21\.\d+$) so the gate
applies only to 4.21→4.22 upgrades and does not affect other upgrade paths.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a138e7cb-939c-41ce-82f5-635732be1bd5

📥 Commits

Reviewing files that changed from the base of the PR and between aab60e4 and 246aa4c.

📒 Files selected for processing (1)

• blocked-edges/4.22.0-RuncDeprecatedUpgradeRecommendation.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Restrict source-version scope to 4.21.x upgrades

from: .* on Line 2 applies this risk to all upgrade sources, but this PR is scoped to 4.21 → 4.22. Please narrow the regex to 4.21.z so unrelated upgrade paths don’t get admin-ack gated.

Proposed change

-from: .*
+from: ^4\.21\..*$

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	from: .*
	from: ^4\.21\..*$

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@blocked-edges/4.22.0-RuncDeprecatedUpgradeRecommendation.yaml` at line 2, The
rule currently uses a broad source regex "from: .*" which applies the risk to
all upgrade sources; update the "from:" value in
blocked-edges/4.22.0-RuncDeprecatedUpgradeRecommendation.yaml to narrowly match
only 4.21 patch versions (for example use a regex like ^4\.21\.\d+$) so the gate
applies only to 4.21→4.22 upgrades and does not affect other upgrade paths.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Use the PR’s Jira ID consistently in metadata

Lines 3 and 6 point to OCPNODE-4382, while this change is tracked as OCPNODE-4383. Keeping these aligned is important for risk provenance and lifecycle tooling.

Also applies to: 6-6

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@blocked-edges/4.22.0-RuncDeprecatedUpgradeRecommendation.yaml` at line 3, The
metadata uses OCPNODE-4382 in the URL and another location but the change should
reference OCPNODE-4383; update the string
"https://redhat.atlassian.net/browse/OCPNODE-4382" and any other occurrences of
"OCPNODE-4382" in this file to "OCPNODE-4383" so the Jira ID is consistent
(check both the url line and the second occurrence noted in the comment).

[openshift-ci]

@haircommander: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[haircommander]

/close
in favor of openshift/machine-config-operator#5874

[openshift-ci]

@haircommander: Closed this PR.

Details

In response to this:

/close
in favor of openshift/machine-config-operator#5874

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.