From 87bdf1fe27b53b508a38a8187b62012002fd8f74 Mon Sep 17 00:00:00 2001
From: Qi Wang
Date: Thu, 6 Nov 2025 16:04:58 -0500
Subject: [PATCH] Implement upgrade blocking for conflicting ClusterImagePolicy named "openshift" Added logic to check if the resource is customer-created and update the cluster operator status Upgradeable=False accordingly. This prevents upgrades when a conflicting policy is detected. This check needs to be backported to 4.20.z as we plan to GA `openshift` ClusterImagePolicy in 4.21.
Signed-off-by: Qi Wang
---
 pkg/operator/status.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/pkg/operator/status.go b/pkg/operator/status.go
index e9d24f68d6..22dc25f63c 100644
--- a/pkg/operator/status.go
+++ b/pkg/operator/status.go
@@ -280,6 +280,16 @@ func (optr *Operator) syncUpgradeableStatus(co *configv1.ClusterOperator) error
 coStatusCondition.Reason = "ClusterOnCgroupV1"
 coStatusCondition.Message = "Cluster is using deprecated cgroup v1 and is not upgradable. Please update the `CgroupMode` in the `nodes.config.openshift.io` object to 'v2'. Once upgraded, the cluster cannot be changed back to cgroup v1"
 }
+
+ // Check for ClusterImagePolicy named "openshift" which conflicts with the cluster default ClusterImagePolicy object
+ if _, err = optr.configClient.ConfigV1().ClusterImagePolicies().Get(context.TODO(), "openshift", metav1.GetOptions{}); err == nil {
+ coStatusCondition.Status = configv1.ConditionFalse
+ coStatusCondition.Reason = "ConflictingClusterImagePolicy"
+ coStatusCondition.Message = "ClusterImagePolicy resource named 'openshift' conflicts with the cluster default ClusterImagePolicy object and blocks upgrades. Please delete the 'openshift' ClusterImagePolicy resource and reapply it with a different name if needed"
+ } else if !apierrors.IsNotFound(err) {
+ return err
+ }
+
 var degraded, interrupted bool
 for _, pool := range pools {
 interrupted = isPoolStatusConditionTrue(pool, mcfgv1.MachineConfigPoolBuildInterrupted)
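Review bot: The added `ClusterImagePolicies().Get(context.TODO(), "openshift", ...)` branch treats any object with that name as a conflict, while the commit message says it checks whether the resource is customer-created; nothing in the hunk inspects ownership, labels or annotations. On a release where the platform itself ships an `openshift` ClusterImagePolicy, this branch would presumably set Upgradeable=False for the cluster's own signature-verification policy as well. If the check is meant only for releases that do not ship that object, a comment such as `// Any "openshift" ClusterImagePolicy on this release is user-created; the platform-owned object is only planned for 4.21.` would make the assumption explicit. The call also assigns to the outer `err`, leaving a NotFound error in it on the normal path; `if _, err := optr.configClient.ConfigV1().ClusterImagePolicies().Get(...); err == nil {` keeps it scoped to the check. syncUpgradeableStatus starts and ends outside the hunk, so whether later code reads `err` is not visible here.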