kubernetes-sigs
diff --git a/‎api/v1alpha1/nodereadinessrule_types.go‎
Lines changed: 4 additions & 0 deletions b/‎api/v1alpha1/nodereadinessrule_types.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎config/crd/bases/readiness.node.x-k8s.io_nodereadinessrules.yaml‎
Lines changed: 10 additions & 0 deletions b/‎config/crd/bases/readiness.node.x-k8s.io_nodereadinessrules.yaml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎docs/book/src/user-guide/concepts.md‎
Lines changed: 11 additions & 0 deletions b/‎docs/book/src/user-guide/concepts.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎internal/controller/node_controller.go‎
Lines changed: 1 addition & 5 deletions b/‎internal/controller/node_controller.go‎
Lines changed: 1 addition & 5 deletions
diff --git a/‎internal/controller/node_controller_test.go‎
Lines changed: 10 additions & 10 deletions b/‎internal/controller/node_controller_test.go‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎internal/controller/nodereadinessrule_controller.go‎
Lines changed: 1 addition & 0 deletions b/‎internal/controller/nodereadinessrule_controller.go‎
Lines changed: 1 addition & 0 deletions
@@ -74,6 +74,10 @@ type NodeReadinessRuleSpec struct {
 	// when combined with continuous enforcement mode. Prefer NoSchedule for most use cases.
 	//
 	// +required
+	// +kubebuilder:validation:XValidation:rule="self.key.startsWith('readiness.k8s.io/')",message="taint key must start with 'readiness.k8s.io/'"
+	// +kubebuilder:validation:XValidation:rule="self.key.size() <= 253",message="taint key length must be at most 253 characters"
+	// +kubebuilder:validation:XValidation:rule="!has(self.value) || self.value.size() <= 63",message="taint value length must be at most 63 characters"
+	// +kubebuilder:validation:XValidation:rule="self.effect in ['NoSchedule', 'PreferNoSchedule', 'NoExecute']",message="taint effect must be one of 'NoSchedule', 'PreferNoSchedule', 'NoExecute'"
 	Taint corev1.Taint `json:"taint,omitempty,omitzero"`
 
 	// nodeSelector limits the scope of this rule to a specific subset of Nodes.
 
@@ -183,6 +183,16 @@ spec:
                 - effect
                 - key
                 type: object
+                x-kubernetes-validations:
+                - message: taint key must start with 'readiness.k8s.io/'
+                  rule: self.key.startsWith('readiness.k8s.io/')
+                - message: taint key length must be at most 253 characters
+                  rule: self.key.size() <= 253
+                - message: taint value length must be at most 63 characters
+                  rule: '!has(self.value) || self.value.size() <= 63'
+                - message: taint effect must be one of 'NoSchedule', 'PreferNoSchedule',
+                    'NoExecute'
+                  rule: self.effect in ['NoSchedule', 'PreferNoSchedule', 'NoExecute']
             required:
             - conditions
             - enforcementMode
 
@@ -13,6 +13,17 @@ A rule specifies:
 
 When a rule is created, the controller continuously watches all matching nodes. If a node does not satisfy the required conditions, the controller ensures the configured taint is present, preventing the scheduler from assigning new pods to that node.
 
+### Readiness Domain and Taint Keys
+
+Node Readiness Controller uses the `readiness.k8s.io` domain for taints and annotations that it owns. All `spec.taint.key` values in `NodeReadinessRule` must start with the `readiness.k8s.io/` prefix; this is enforced by the CRD schema.
+
+Typical taint keys look like:
+- `readiness.k8s.io/cni.example.net/network-not-ready`
+- `readiness.k8s.io/csi.vendor.com/storage-driver-not-ready`
+- `readiness.k8s.io/<dns.subdomain>/<component-name>`
+
+The segment after `readiness.k8s.io/` should describe the dependency or subsystem whose readiness is being guarded (for example, a CNI plugin, storage backend, or security agent). Treat this domain as reserved for the controller and closely related components, and avoid reusing it for unrelated taints.
+
 ## Enforcement Modes
 
 The controller supports two distinct modes of enforcement, configured via `spec.enforcementMode`, to handle different operational needs.
 
@@ -244,11 +244,7 @@ func (r *RuleReadinessController) hasTaintBySpec(node *corev1.Node, taintSpec co
 // addTaintBySpec adds a taint to a node.
 func (r *RuleReadinessController) addTaintBySpec(ctx context.Context, node *corev1.Node, taintSpec corev1.Taint) error {
 	patch := client.StrategicMergeFrom(node.DeepCopy())
-	node.Spec.Taints = append(node.Spec.Taints, corev1.Taint{
-		Key:    taintSpec.Key,
-		Value:  taintSpec.Value,
-		Effect: taintSpec.Effect,
-	})
+	node.Spec.Taints = append(node.Spec.Taints, taintSpec)
 	return r.Patch(ctx, node, patch)
 }
 
 
@@ -36,7 +36,7 @@ var _ = Describe("Node Controller", func() {
 	const (
 		nodeName      = "node-controller-test-node"
 		ruleName      = "node-controller-test-rule"
-		taintKey      = "test-taint"
+		taintKey      = "readiness.k8s.io/test-taint"
 		conditionType = "TestCondition"
 	)
 
@@ -66,19 +66,19 @@ var _ = Describe("Node Controller", func() {
 
 		It("should correctly compare node taints", func() {
 			taint1 := []corev1.Taint{
-				{Key: "key1", Effect: corev1.TaintEffectNoSchedule, Value: "value1"},
-				{Key: "key2", Effect: corev1.TaintEffectNoExecute, Value: "value2"},
+				{Key: "readiness.k8s.io/key1", Effect: corev1.TaintEffectNoSchedule, Value: "value1"},
+				{Key: "readiness.k8s.io/key2", Effect: corev1.TaintEffectNoExecute, Value: "value2"},
 			}
 			taint2 := []corev1.Taint{
-				{Key: "key1", Effect: corev1.TaintEffectNoSchedule, Value: "value1"},
-				{Key: "key2", Effect: corev1.TaintEffectNoExecute, Value: "value2"},
+				{Key: "readiness.k8s.io/key1", Effect: corev1.TaintEffectNoSchedule, Value: "value1"},
+				{Key: "readiness.k8s.io/key2", Effect: corev1.TaintEffectNoExecute, Value: "value2"},
 			}
 			taint3 := []corev1.Taint{
-				{Key: "key1", Effect: corev1.TaintEffectNoSchedule, Value: "different"},
-				{Key: "key2", Effect: corev1.TaintEffectNoExecute, Value: "value2"},
+				{Key: "readiness.k8s.io/key1", Effect: corev1.TaintEffectNoSchedule, Value: "different"},
+				{Key: "readiness.k8s.io/key2", Effect: corev1.TaintEffectNoExecute, Value: "value2"},
 			}
 			taint4 := []corev1.Taint{
-				{Key: "key1", Effect: corev1.TaintEffectNoSchedule, Value: "value1"},
+				{Key: "readiness.k8s.io/key1", Effect: corev1.TaintEffectNoSchedule, Value: "value1"},
 			}
 
 			Expect(taintsEqual(taint1, taint2)).To(BeTrue(), "identical taints should be equal")
@@ -547,7 +547,7 @@ var _ = Describe("Node Controller", func() {
 				},
 				Spec: corev1.NodeSpec{
 					Taints: []corev1.Taint{
-						{Key: "status-test-taint", Effect: corev1.TaintEffectNoSchedule, Value: "pending"},
+						{Key: "readiness.k8s.io/status-test-taint", Effect: corev1.TaintEffectNoSchedule, Value: "pending"},
 					},
 				},
 				Status: corev1.NodeStatus{
@@ -566,7 +566,7 @@ var _ = Describe("Node Controller", func() {
 						{Type: "StatusTestCondition", RequiredStatus: corev1.ConditionTrue},
 					},
 					Taint: corev1.Taint{
-						Key:    "status-test-taint",
+						Key:    "readiness.k8s.io/status-test-taint",
 						Effect: corev1.TaintEffectNoSchedule,
 						Value:  "pending",
 					},
 
@@ -563,6 +563,7 @@ func (r *RuleReadinessController) processDryRun(ctx context.Context, rule *readi
 	}
 
 	// Update rule status with dry run results
+	rule.Status.ObservedGeneration = rule.Generation
 	rule.Status.DryRunResults = readinessv1alpha1.DryRunResults{
 		AffectedNodes:   &affectedNodes,
 		TaintsToAdd:     &taintsToAdd,
Original file line number	Diff line number	Diff line change
`@@ -563,6 +563,7 @@ func (r RuleReadinessController) processDryRun(ctx context.Context, rule readi`
`563`	`563`	`}`
`564`	`564`
`565`	`565`	`// Update rule status with dry run results`
	`566`	`+ rule.Status.ObservedGeneration = rule.Generation`
`566`	`567`	`rule.Status.DryRunResults = readinessv1alpha1.DryRunResults{`
`567`	`568`	`AffectedNodes: &affectedNodes,`
`568`	`569`	`TaintsToAdd: &taintsToAdd,`