OCPBUGS-74525: OCPBUGS-74526: Remove UserNamespacesPodSecurityStandards and UserNamespacesSupport

[bitoku]

UserNamespacesPodSecurityStandards dropped in 1.35 kubernetes/kubernetes@e8bd3f6

UserNamespacesSupport enabled by default in 1.33 kubernetes/kubernetes@96c2b81

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@bitoku: This pull request references Jira Issue OCPBUGS-74525, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lyman9966

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 805bb9d5-663c-43e0-9abf-fe8b65caa775

📥 Commits

Reviewing files that changed from the base of the PR and between 55d3f7b and b6544bf.

⛔ Files ignored due to path filters (3)

• security/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**

📒 Files selected for processing (13)

• features.md
• features/features.go
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
• security/v1/generated.proto
• security/v1/tests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml
• security/v1/types.go

💤 Files with no reviewable changes (13)

• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• features.md
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• security/v1/types.go
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
• security/v1/tests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml
• security/v1/generated.proto
• features/features.go

---

📝 Walkthrough

Walkthrough

This pull request removes two feature gates: UserNamespacesSupport and UserNamespacesPodSecurityStandards. The removals update feature gate registrations in features.go, the features.md table, multiple FeatureGate manifests for Hypershift and SelfManagedHA profiles, and remove related feature-gate annotations in proto/types files. The test YAML for UserNamespacesPodSecurityStandards is deleted. Remaining feature entries, fields, and manifest structures are otherwise unchanged.

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly describes the main change: removing two specific feature gates (UserNamespacesPodSecurityStandards and UserNamespacesSupport).
Description check	✅ Passed	The description is directly related to the changeset, providing context about why the feature gates are being removed with references to upstream Kubernetes changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR contains no modifications to Ginkgo test files or test declarations, only deletion of a YAML test configuration file and changes to feature gate definitions.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code; custom check for Ginkgo quality standards is not applicable.
Microshift Test Compatibility	✅ Passed	This PR only removes existing feature gates and deletes a test configuration file without adding any new Ginkgo e2e tests, making this check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests are being added; PR only removes feature gates and test files, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request only removes feature gate references without introducing new scheduling constraints or deployment logic.
Ote Binary Stdout Contract	✅ Passed	PR removes feature gate definitions with zero new code additions; modified files are API type definitions containing no process-level code or stdout writes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR removes feature gates and test configuration files, not adding new Ginkgo e2e tests. The custom check does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hello @bitoku! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@bitoku: This pull request references Jira Issue OCPBUGS-74525, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lyman9966

Details

In response to this:

UserNamespacesPodSecurityStandards dropped in 1.35 kubernetes/kubernetes@e8bd3f6

UserNamespacesSupport enabled by default in 1.33 kubernetes/kubernetes@96c2b81

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bitoku]

/test all

[qodo-code-review]

PR-Agent: could not fine a component named all in a supported language in this PR.

[bitoku]

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

[openshift-ci]

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/c6667530-1e26-11f1-9894-8d3e157c037f-0

[bitoku]

/retest

[bitoku]

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

[openshift-ci]

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4eb8e340-1ef0-11f1-9273-49c828a7ffdd-0

[bitoku]

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

[openshift-ci]

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/437605e0-2129-11f1-8035-7e0764c49893-0

[everettraven]

Assuming we get clean CI signal, this LGTM.

/pipeline run

[everettraven]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[bitoku]

/retest

[bitoku]

/payload-job periodic-ci-openshift-microshift-release-4.22-periodics-e2e-aws-ovn-ocp-conformance

[openshift-ci]

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-microshift-release-4.22-periodics-e2e-aws-ovn-ocp-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/3ba7cc50-23a3-11f1-867c-8820cbf18d3c-0

[bitoku]

/payload-job periodic-ci-openshift-microshift-release-4.22-periodics-e2e-aws-ovn-ocp-conformance

[openshift-ci]

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-microshift-release-4.22-periodics-e2e-aws-ovn-ocp-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5e3dd390-23bc-11f1-9219-58006376d688-0

[bitoku]

/payload-job periodic-ci-openshift-microshift-release-4.22-periodics-e2e-aws-ovn-ocp-conformance

[openshift-ci]

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-microshift-release-4.22-periodics-e2e-aws-ovn-ocp-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/921c9b30-23bf-11f1-9ea6-3630f034002a-0

[everettraven]

@bitoku Looks like this is hung up on merge conflicts and needing the verified label. If you get the merge conflicts resolved I can help with the necessary labels.

[bitoku]

@everettraven Thank you. I'm thinking now that we are close to code freeze, and this one is not a release blocker so I'll delay it to 4.23.

[JoelSpeed]

Could we get this rebased please?

[JoelSpeed]

/lgtm
/retest
/pipeline auto

[openshift-merge-bot]

Pipeline controller notification

The pipeline-auto label has been added to this PR. Second-stage tests will be triggered automatically when all first-stage tests pass.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven, JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed,everettraven]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[JoelSpeed]

/retest-required
/verified by E2E

[openshift-ci-robot]

@JoelSpeed: This PR has been marked as verified by E2E.

Details

In response to this:

/retest-required
/verified by E2E

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 34e6087 and 2 for PR HEAD b6544bf in total

[JoelSpeed]

/retest

[openshift-ci]

@bitoku: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure	b6544bf	link	true	/test e2e-azure

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[JoelSpeed]

/retest