openshift
diff --git a/‎machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml‎
Lines changed: 195 additions & 0 deletions b/‎machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml‎
Lines changed: 195 additions & 0 deletions
diff --git a/‎machineconfiguration/v1/types.go‎
Lines changed: 25 additions & 10 deletions b/‎machineconfiguration/v1/types.go‎
Lines changed: 25 additions & 10 deletions
diff --git a/‎machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml‎
Lines changed: 29 additions & 9 deletions b/‎machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml‎
Lines changed: 29 additions & 9 deletions
@@ -0,0 +1,195 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "KubeletConfig"
+crdName: kubeletconfigs.machineconfiguration.openshift.io
+tests:
+  onCreate:
+    # LogLevel Boundary Tests
+    - name: Should be able to set logLevel to 0 (minimum)
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 0
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 0
+    - name: Should be able to set logLevel to 10 (maximum)
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 10
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 10
+    - name: Should reject logLevel less than 0
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: -1
+      expectedError: "Invalid value"
+    - name: Should reject logLevel greater than 10
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 11
+      expectedError: "Invalid value"
+
+    # TLSSecurityProfile CEL Validation tests
+    - name: Should allow tlsSecurityProfile with Old type
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            type: Old
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            type: Old
+    - name: Should allow tlsSecurityProfile with Intermediate type
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            type: Intermediate
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            type: Intermediate
+    - name: Should reject tlsSecurityProfile with Modern type
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            type: Modern
+      expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
+    - name: Should reject tlsSecurityProfile with Custom type
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            type: Custom
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+      expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
+    - name: Should allow tlsSecurityProfile without type field for backward compatibility
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+
+  onUpdate:
+    # Ratcheting tests - ensure existing objects with previously valid values can be updated
+    - name: Should allow updating other fields with a previously valid Custom TLS profile persisted
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/tlsSecurityProfile/x-kubernetes-validations
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            type: Custom
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+      updated: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 5
+          tlsSecurityProfile:
+            type: Custom
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 5
+          tlsSecurityProfile:
+            type: Custom
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+    - name: Should allow updating other fields with a previously valid Modern TLS profile persisted
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/tlsSecurityProfile/x-kubernetes-validations
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            type: Modern
+      updated: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 3
+          tlsSecurityProfile:
+            type: Modern
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 3
+          tlsSecurityProfile:
+            type: Modern
+    - name: Should allow updating other fields with a previously valid logLevel outside current range
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/logLevel/maximum
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/logLevel/minimum
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 15
+      updated: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 15
+          autoSizingReserved: true
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          logLevel: 15
+          autoSizingReserved: true
@@ -737,27 +737,42 @@ type KubeletConfig struct {
 	Status KubeletConfigStatus `json:"status"`
 }
 
-// KubeletConfigSpec defines the desired state of KubeletConfig
+// KubeletConfigSpec configures the kubelet running on cluster nodes.
 type KubeletConfigSpec struct {
+	// autoSizingReserved controls whether system-reserved CPU and memory are automatically
+	// calculated based on each node's installed capacity. When enabled, prevents node failure
+	// from resource starvation of system components (kubelet, CRI-O) without manual configuration.
+	// When omitted, this means the user has no opinion and the platform is left to choose a reasonable default,
+	// which is subject to change over time. The current default is true for worker nodes and false for control plane nodes.
+	// When set to false, automatic resource reservation is disabled and manual settings must be configured.
 	// +optional
 	AutoSizingReserved *bool `json:"autoSizingReserved,omitempty"`
+	// logLevel sets the kubelet log verbosity, controlling the amount of detail in kubelet logs.
+	// Valid values range from 0 (minimal logging) to 10 (maximum verbosity with trace-level detail).
+	// Higher log levels may impact node performance. When omitted, the platform chooses a reasonable default,
+	// which is subject to change over time. The current default is 2 (standard informational logging).
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=10
 	// +optional
 	LogLevel *int32 `json:"logLevel,omitempty"`
 
-	// machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to.
-	// A nil selector will result in no pools being selected.
+	// machineConfigPoolSelector selects which pools the KubeletConfig should apply to.
+	// A nil selector results in no pools being selected, meaning this kubelet configuration
+	// will not be applied to any nodes in the cluster.
 	// +optional
 	MachineConfigPoolSelector *metav1.LabelSelector `json:"machineConfigPoolSelector,omitempty"`
-	// kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by
-	// OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from
-	// upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes
-	// for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable.
+	// kubeletConfig contains upstream Kubernetes kubelet configuration fields.
+	// Values are validated by the kubelet itself. Invalid values may render nodes unusable.
+	// Refer to OpenShift documentation for the Kubernetes version corresponding to your
+	// OpenShift release to find valid kubelet configuration options.
 	// +optional
 	KubeletConfig *runtime.RawExtension `json:"kubeletConfig,omitempty"`
 
-	// If unset, the default is based on the apiservers.config.openshift.io/cluster resource.
-	// Note that only Old and Intermediate profiles are currently supported, and
-	// the maximum available minTLSVersion is VersionTLS12.
+	// tlsSecurityProfile configures TLS settings for the kubelet.
+	// When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster.
+	// When specified, the type field can be set to either "Old" or "Intermediate", or omitted for backward compatibility.
+	// Modern and Custom TLS profiles are not supported for kubelet; maximum minTLSVersion is VersionTLS12.
+	// +kubebuilder:validation:XValidation:rule="!has(self.type) || self.type == 'Old' || self.type == 'Intermediate'",message="only Old and Intermediate TLS profiles are supported for kubelet"
 	// +optional
 	TLSSecurityProfile *configv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
 }
 
@@ -47,22 +47,37 @@ spec:
             description: spec contains the desired kubelet configuration.
             properties:
               autoSizingReserved:
+                description: |-
+                  autoSizingReserved controls whether system-reserved CPU and memory are automatically
+                  calculated based on each node's installed capacity. When enabled, prevents node failure
+                  from resource starvation of system components (kubelet, CRI-O) without manual configuration.
+                  When omitted, this means the user has no opinion and the platform is left to choose a reasonable default,
+                  which is subject to change over time. The current default is true for worker nodes and false for control plane nodes.
+                  When set to false, automatic resource reservation is disabled and manual settings must be configured.
                 type: boolean
               kubeletConfig:
                 description: |-
-                  kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by
-                  OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from
-                  upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes
-                  for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable.
+                  kubeletConfig contains upstream Kubernetes kubelet configuration fields.
+                  Values are validated by the kubelet itself. Invalid values may render nodes unusable.
+                  Refer to OpenShift documentation for the Kubernetes version corresponding to your
+                  OpenShift release to find valid kubelet configuration options.
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
               logLevel:
+                description: |-
+                  logLevel sets the kubelet log verbosity, controlling the amount of detail in kubelet logs.
+                  Valid values range from 0 (minimal logging) to 10 (maximum verbosity with trace-level detail).
+                  Higher log levels may impact node performance. When omitted, the platform chooses a reasonable default,
+                  which is subject to change over time. The current default is 2 (standard informational logging).
                 format: int32
+                maximum: 10
+                minimum: 0
                 type: integer
               machineConfigPoolSelector:
                 description: |-
-                  machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to.
-                  A nil selector will result in no pools being selected.
+                  machineConfigPoolSelector selects which pools the KubeletConfig should apply to.
+                  A nil selector results in no pools being selected, meaning this kubelet configuration
+                  will not be applied to any nodes in the cluster.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
@@ -109,9 +124,10 @@ spec:
                 x-kubernetes-map-type: atomic
               tlsSecurityProfile:
                 description: |-
-                  If unset, the default is based on the apiservers.config.openshift.io/cluster resource.
-                  Note that only Old and Intermediate profiles are currently supported, and
-                  the maximum available minTLSVersion is VersionTLS12.
+                  tlsSecurityProfile configures TLS settings for the kubelet.
+                  When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster.
+                  When specified, the type field can be set to either "Old" or "Intermediate", or omitted for backward compatibility.
+                  Modern and Custom TLS profiles are not supported for kubelet; maximum minTLSVersion is VersionTLS12.
                 properties:
                   custom:
                     description: |-
@@ -240,6 +256,10 @@ spec:
                     - Custom
                     type: string
                 type: object
+                x-kubernetes-validations:
+                - message: only Old and Intermediate TLS profiles are supported for
+                    kubelet
+                  rule: '!has(self.type) || self.type == ''Old'' || self.type == ''Intermediate'''
             type: object
           status:
             description: status contains observed information about the kubelet configuration.