OCPBUGS-56698: Skip tests modifying cluster/network.config when it is not permitted

[kyrtapz]

In HyperShift a ValidatingAdmissionPolicy blocks the tests from modifying cluster config resources. Skip the tests that modify cluster/network.config.openshift.io if the admin client is not allowed to do so.

Note that the ValidatingAdmissionPolicy failures return an Invalid(422) and not Forbidden(403) error:

I0527 19:02:21.445832 2048333 request.go:1154] Request Body: {"spec":{"networkType": ""}}
I0527 19:02:21.445873 2048333 round_trippers.go:463] PATCH https://api.wveww-wjddj-6em.auu6.p3.openshiftapps.com:443/apis/config.openshift.io/v1/networks/cluster?dryRun=All&fieldManager=kubectl-patch
I0527 19:02:21.445878 2048333 round_trippers.go:469] Request Headers:
I0527 19:02:21.445886 2048333 round_trippers.go:473]     Accept: application/json
I0527 19:02:21.445892 2048333 round_trippers.go:473]     Content-Type: application/merge-patch+json
I0527 19:02:21.445897 2048333 round_trippers.go:473]     User-Agent: oc/v4.2.0 (linux/amd64) kubernetes/5559085
I0527 19:02:21.445902 2048333 round_trippers.go:473]     Authorization: Bearer <masked>
I0527 19:02:21.577807 2048333 round_trippers.go:574] Response Status: 422 Unprocessable Entity in 131 milliseconds
I0527 19:02:21.577830 2048333 round_trippers.go:577] Response Headers:
I0527 19:02:21.577836 2048333 round_trippers.go:580]     Cache-Control: no-cache, private
I0527 19:02:21.577841 2048333 round_trippers.go:580]     Content-Type: application/json
I0527 19:02:21.577847 2048333 round_trippers.go:580]     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I0527 19:02:21.577852 2048333 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 6e3b2d16-aa1b-42a1-bf05-eb06efacf90c
I0527 19:02:21.577857 2048333 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: 488a1e74-530c-4ca1-8d71-31360b7f84da
I0527 19:02:21.577863 2048333 round_trippers.go:580]     Content-Length: 702
I0527 19:02:21.577868 2048333 round_trippers.go:580]     Date: Tue, 27 May 2025 17:02:21 GMT
I0527 19:02:21.577874 2048333 round_trippers.go:580]     Audit-Id: 0a1efc9d-4405-4c9a-bc6f-8563fd714f77
I0527 19:02:21.577903 2048333 request.go:1154] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"networks.config.openshift.io \"cluster\" is forbidden: ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object.","reason":"Invalid","details":{"name":"cluster","group":"config.openshift.io","kind":"networks","causes":[{"message":"ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object."}]},"code":422}
The networks "cluster" is invalid: : ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kyrtapz
Once this PR has been reviewed and has the lgtm label, please assign danwinship for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• test/extended/networking/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kyrtapz]

/payload periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-ovn-conformance-serial

[openshift-ci]

@kyrtapz: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[kyrtapz]

/payload-job periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-ovn-conformance-serial

[openshift-ci]

@kyrtapz: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-ovn-conformance-serial

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/315e32c0-3b1e-11f0-9f02-b490c9446465-0

[openshift-ci-robot]

@kyrtapz: This pull request references Jira Issue OCPBUGS-56698, which is invalid:

• expected the bug to target the "4.20.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

In HyperShift a ValidatingAdmissionPolicy blocks the tests from modifying cluster config resources. Skip the tests that modify cluster/network.config.openshift.io if the admin client is not allowed to do so.

Note that the ValidatingAdmissionPolicy failures return an Invalid(422) and not Forbidden(403) error:

I0527 19:02:21.445832 2048333 request.go:1154] Request Body: {"spec":{"networkType": ""}}
I0527 19:02:21.445873 2048333 round_trippers.go:463] PATCH https://api.wveww-wjddj-6em.auu6.p3.openshiftapps.com:443/apis/config.openshift.io/v1/networks/cluster?dryRun=All&fieldManager=kubectl-patch
I0527 19:02:21.445878 2048333 round_trippers.go:469] Request Headers:
I0527 19:02:21.445886 2048333 round_trippers.go:473]     Accept: application/json
I0527 19:02:21.445892 2048333 round_trippers.go:473]     Content-Type: application/merge-patch+json
I0527 19:02:21.445897 2048333 round_trippers.go:473]     User-Agent: oc/v4.2.0 (linux/amd64) kubernetes/5559085
I0527 19:02:21.445902 2048333 round_trippers.go:473]     Authorization: Bearer <masked>
I0527 19:02:21.577807 2048333 round_trippers.go:574] Response Status: 422 Unprocessable Entity in 131 milliseconds
I0527 19:02:21.577830 2048333 round_trippers.go:577] Response Headers:
I0527 19:02:21.577836 2048333 round_trippers.go:580]     Cache-Control: no-cache, private
I0527 19:02:21.577841 2048333 round_trippers.go:580]     Content-Type: application/json
I0527 19:02:21.577847 2048333 round_trippers.go:580]     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I0527 19:02:21.577852 2048333 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 6e3b2d16-aa1b-42a1-bf05-eb06efacf90c
I0527 19:02:21.577857 2048333 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: 488a1e74-530c-4ca1-8d71-31360b7f84da
I0527 19:02:21.577863 2048333 round_trippers.go:580]     Content-Length: 702
I0527 19:02:21.577868 2048333 round_trippers.go:580]     Date: Tue, 27 May 2025 17:02:21 GMT
I0527 19:02:21.577874 2048333 round_trippers.go:580]     Audit-Id: 0a1efc9d-4405-4c9a-bc6f-8563fd714f77
I0527 19:02:21.577903 2048333 request.go:1154] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"networks.config.openshift.io \"cluster\" is forbidden: ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object.","reason":"Invalid","details":{"name":"cluster","group":"config.openshift.io","kind":"networks","causes":[{"message":"ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object."}]},"code":422}
The networks "cluster" is invalid: : ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[kyrtapz]

/jira refresh

[openshift-ci-robot]

@kyrtapz: This pull request references Jira Issue OCPBUGS-56698, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.0) matches configured target version for branch (4.20.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[kyrtapz]

/payload-job periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-ovn-conformance-serial

[openshift-ci]

@kyrtapz: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-ovn-conformance-serial

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/1e0f2040-3b22-11f0-88db-f268c092b6d1-0

[openshift-ci]

@kyrtapz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-serial-publicnet-1of2	a655bd4	link	false	/test e2e-aws-ovn-serial-publicnet-1of2
ci/prow/e2e-aws-disruptive	a655bd4	link	false	/test e2e-aws-disruptive
ci/prow/e2e-openstack-serial	a655bd4	link	false	/test e2e-openstack-serial
ci/prow/okd-scos-e2e-aws-ovn	a655bd4	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-gcp-disruptive	a655bd4	link	false	/test e2e-gcp-disruptive
ci/prow/e2e-azure	a655bd4	link	false	/test e2e-azure
ci/prow/e2e-azure-ovn-etcd-scaling	a655bd4	link	false	/test e2e-azure-ovn-etcd-scaling
ci/prow/e2e-gcp-ovn-etcd-scaling	a655bd4	link	false	/test e2e-gcp-ovn-etcd-scaling
ci/prow/e2e-vsphere-ovn-etcd-scaling	a655bd4	link	false	/test e2e-vsphere-ovn-etcd-scaling
ci/prow/e2e-aws-ovn-single-node-serial	a655bd4	link	false	/test e2e-aws-ovn-single-node-serial
ci/prow/e2e-azure-ovn-upgrade	a655bd4	link	false	/test e2e-azure-ovn-upgrade
ci/prow/e2e-aws-ovn-single-node-upgrade	a655bd4	link	false	/test e2e-aws-ovn-single-node-upgrade
ci/prow/e2e-aws-ovn-etcd-scaling	a655bd4	link	false	/test e2e-aws-ovn-etcd-scaling
ci/prow/okd-e2e-gcp	a655bd4	link	false	/test okd-e2e-gcp
ci/prow/e2e-gcp-fips-serial-1of2	a655bd4	link	false	/test e2e-gcp-fips-serial-1of2
ci/prow/e2e-gcp-fips-serial-2of2	a655bd4	link	false	/test e2e-gcp-fips-serial-2of2
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6	a655bd4	link	false	/test e2e-vsphere-ovn-dualstack-primaryv6
ci/prow/4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	a655bd4	link	false	/test 4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kyrtapz]

Tests were skipped on hypershift:
https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-29859-periodics-e2e-aws-ovn-conformance-serial/1927420868317679616

They were not skipped on other platforms:
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/29859/pull-ci-openshift-origin-main-e2e-aws-ovn-serial-1of2/1927421159410765824
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/29859/pull-ci-openshift-origin-main-e2e-metal-ipi-serial-1of2/1927424194207813632