Fix

Author: sats-23

README.md

@@ -51,7 +51,7 @@ spec:
     - type: "example.com/CNIReady"
       requiredStatus: "True"
   taint:
-    key: "readiness.k8s.io/network/not-ready"
+    key: "readiness.k8s.io/example.com/network-not-ready"
     effect: "NoSchedule"
     value: "pending"
   enforcementMode: "bootstrap-only"
@@ -64,16 +64,18 @@ Find a more detailed walkthrough of setting up Node Readiness Controller in your
 
 ### Taint Key Conventions
 
-- Reserved core prefixes are not allowed for user rules (except the controller-owned `readiness.k8s.io/network/not-ready` and `readiness.k8s.io/storage/not-ready`):
-  - readiness.k8s.io/system/*
-  - readiness.k8s.io/core/*
-  - readiness.k8s.io/node/*
-  - readiness.k8s.io/device/*
-  - readiness.k8s.io/network/* (except readiness.k8s.io/network/not-ready)
-  - readiness.k8s.io/storage/* (except readiness.k8s.io/storage/not-ready)
-- Use user-space keys under readiness.k8s.io/* with a DNS-style component, for example:
-  - readiness.k8s.io/network/not-ready
-  - readiness.k8s.io/storage/not-ready
+All taint keys must use the `readiness.k8s.io/` prefix. The following core prefixes are reserved and not allowed for user rules:
+- `readiness.k8s.io/system/*`
+- `readiness.k8s.io/core/*`
+- `readiness.k8s.io/node/*`
+- `readiness.k8s.io/device/*`
+- `readiness.k8s.io/network/*`
+- `readiness.k8s.io/storage/*`
+
+Use user-space keys under `readiness.k8s.io/*` with a DNS-style component to avoid conflicts, for example:
+- `readiness.k8s.io/example.com/network-not-ready`
+- `readiness.k8s.io/projectcalico.org/cni-ready`
+- `readiness.k8s.io/vendor.io/storage-driver-ready`
 
 ## High-level Roadmap
 

api/v1alpha1/nodereadinessrule_types.go

@@ -79,8 +79,8 @@ type NodeReadinessRuleSpec struct {
 	// +kubebuilder:validation:XValidation:rule="!self.key.startsWith('readiness.k8s.io/core/')",message="reserved taint prefix 'readiness.k8s.io/core/*' is not allowed"
 	// +kubebuilder:validation:XValidation:rule="!self.key.startsWith('readiness.k8s.io/node/')",message="reserved taint prefix 'readiness.k8s.io/node/*' is not allowed"
 	// +kubebuilder:validation:XValidation:rule="!self.key.startsWith('readiness.k8s.io/device/')",message="reserved taint prefix 'readiness.k8s.io/device/*' is not allowed"
-	// +kubebuilder:validation:XValidation:rule="!self.key.startsWith('readiness.k8s.io/network/') || self.key == 'readiness.k8s.io/network/not-ready'",message="reserved taint prefix 'readiness.k8s.io/network/*' is not allowed except 'readiness.k8s.io/network/not-ready'"
-	// +kubebuilder:validation:XValidation:rule="!self.key.startsWith('readiness.k8s.io/storage/') || self.key == 'readiness.k8s.io/storage/not-ready'",message="reserved taint prefix 'readiness.k8s.io/storage/*' is not allowed except 'readiness.k8s.io/storage/not-ready'"
+	// +kubebuilder:validation:XValidation:rule="!self.key.startsWith('readiness.k8s.io/network/')",message="reserved taint prefix 'readiness.k8s.io/network/*' is not allowed"
+	// +kubebuilder:validation:XValidation:rule="!self.key.startsWith('readiness.k8s.io/storage/')",message="reserved taint prefix 'readiness.k8s.io/storage/*' is not allowed"
 	// +kubebuilder:validation:XValidation:rule="self.key.size() <= 253",message="taint key length must be at most 253 characters"
 	// +kubebuilder:validation:XValidation:rule="!has(self.value) || self.value.size() <= 63",message="taint value length must be at most 63 characters"
 	// +kubebuilder:validation:XValidation:rule="self.effect in ['NoSchedule', 'PreferNoSchedule', 'NoExecute']",message="taint effect must be one of 'NoSchedule', 'PreferNoSchedule', 'NoExecute'"

config/samples/v1alpha1_nodereadinessrule.yaml

@@ -10,7 +10,7 @@ spec:
     - type: "network.kubernetes.io/CNIReady"
       requiredStatus: "True"
   taint:
-    key: "readiness.k8s.io/network/not-ready"
+    key: "readiness.k8s.io/example.com/network-not-ready"
     effect: "NoSchedule"
     value: "pending"
   enforcementMode: "bootstrap-only"

docs/book/src/user-guide/concepts.md

@@ -27,10 +27,13 @@ Reserved core prefixes (not allowed for user rules):
 - `readiness.k8s.io/core/*`
 - `readiness.k8s.io/node/*`
 - `readiness.k8s.io/device/*`
-- `readiness.k8s.io/network/*` (except `readiness.k8s.io/network/not-ready`)
-- `readiness.k8s.io/storage/*` (except `readiness.k8s.io/storage/not-ready`)
+- `readiness.k8s.io/network/*`
+- `readiness.k8s.io/storage/*`
 
-Use vendor/user-space paths under `readiness.k8s.io/*` that include a DNS-style component to avoid conflicts.
+Use vendor/user-space paths under `readiness.k8s.io/*` that include a DNS-style component to avoid conflicts, for example:
+- `readiness.k8s.io/example.com/my-component`
+- `readiness.k8s.io/projectcalico.org/network-not-ready`
+- `readiness.k8s.io/vendor.io/storage-driver-ready`
 
 The segment after `readiness.k8s.io/` should describe the dependency or subsystem whose readiness is being guarded (for example, a CNI plugin, storage backend, or security agent). Treat this domain as reserved for the controller and closely related components, and avoid reusing it for unrelated taints.
 

examples/cni-readiness/network-readiness-dryrun-rule.yaml

@@ -8,7 +8,7 @@ spec:
     - type: "projectcalico.org/CalicoReady"
       requiredStatus: "True"
   taint:
-    key: "readiness.k8s.io/network/not-ready"
+    key: "readiness.k8s.io/projectcalico.org/network-not-ready"
     effect: "NoSchedule"
     value: "pending"
   enforcementMode: "bootstrap-only"

examples/cni-readiness/network-readiness-rule.yaml

@@ -7,7 +7,7 @@ spec:
     - type: "projectcalico.org/CalicoReady"
       requiredStatus: "True"
   taint:
-    key: "readiness.k8s.io/network/not-ready"
+    key: "readiness.k8s.io/projectcalico.org/network-not-ready"
     effect: "NoSchedule"
     value: "pending"
   enforcementMode: "continuous"

internal/webhook/nodereadinessgaterule_webhook.go

@@ -111,10 +111,6 @@ func (w *NodeReadinessRuleWebhook) validateSpec(spec readinessv1alpha1.NodeReadi
 			}
 			for _, p := range reserved {
 				if strings.HasPrefix(spec.Taint.Key, p) {
-					if (p == "readiness.k8s.io/network/" && spec.Taint.Key == "readiness.k8s.io/network/not-ready") ||
-						(p == "readiness.k8s.io/storage/" && spec.Taint.Key == "readiness.k8s.io/storage/not-ready") {
-						continue
-					}
 					allErrs = append(allErrs, field.Invalid(taintField.Child("key"), spec.Taint.Key, fmt.Sprintf("reserved taint prefix '%s*' is not allowed", p)))
 					break
 				}

internal/webhook/nodereadinessgaterule_webhook_test.go

@@ -636,7 +636,7 @@ var _ = Describe("NodeReadinessRule Validation Webhook", func() {
 	})
 
 	Context("Reserved Prefix Validation", func() {
-		It("should reject reserved readiness.k8s.io core prefixes", func() {
+		It("should reject all reserved readiness.k8s.io core prefixes", func() {
 			reservedKeys := []string{
 				"readiness.k8s.io/system/foo",
 				"readiness.k8s.io/core/bar",
@@ -668,6 +668,76 @@ var _ = Describe("NodeReadinessRule Validation Webhook", func() {
 				Expect(allErrs[0].Field).To(Equal("spec.taint.key"))
 			}
 		})
+
+		It("should reject readiness.k8s.io/network/not-ready", func() {
+			rule := &readinessv1alpha1.NodeReadinessRule{
+				Spec: readinessv1alpha1.NodeReadinessRuleSpec{
+					Conditions: []readinessv1alpha1.ConditionRequirement{
+						{Type: "Ready", RequiredStatus: corev1.ConditionTrue},
+					},
+					NodeSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"node-role.kubernetes.io/worker": "",
+						},
+					},
+					Taint: corev1.Taint{
+						Key:    "readiness.k8s.io/network/not-ready",
+						Effect: corev1.TaintEffectNoSchedule,
+					},
+					EnforcementMode: readinessv1alpha1.EnforcementModeBootstrapOnly,
+				},
+			}
+			allErrs := webhook.validateSpec(rule.Spec)
+			Expect(allErrs).NotTo(BeEmpty())
+			Expect(allErrs[0].Field).To(Equal("spec.taint.key"))
+			Expect(allErrs[0].Detail).To(ContainSubstring("reserved taint prefix 'readiness.k8s.io/network/*' is not allowed"))
+		})
+
+		It("should reject readiness.k8s.io/storage/not-ready", func() {
+			rule := &readinessv1alpha1.NodeReadinessRule{
+				Spec: readinessv1alpha1.NodeReadinessRuleSpec{
+					Conditions: []readinessv1alpha1.ConditionRequirement{
+						{Type: "Ready", RequiredStatus: corev1.ConditionTrue},
+					},
+					NodeSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"node-role.kubernetes.io/worker": "",
+						},
+					},
+					Taint: corev1.Taint{
+						Key:    "readiness.k8s.io/storage/not-ready",
+						Effect: corev1.TaintEffectNoSchedule,
+					},
+					EnforcementMode: readinessv1alpha1.EnforcementModeBootstrapOnly,
+				},
+			}
+			allErrs := webhook.validateSpec(rule.Spec)
+			Expect(allErrs).NotTo(BeEmpty())
+			Expect(allErrs[0].Field).To(Equal("spec.taint.key"))
+			Expect(allErrs[0].Detail).To(ContainSubstring("reserved taint prefix 'readiness.k8s.io/storage/*' is not allowed"))
+		})
+
+		It("should allow user-space keys under readiness.k8s.io", func() {
+			rule := &readinessv1alpha1.NodeReadinessRule{
+				Spec: readinessv1alpha1.NodeReadinessRuleSpec{
+					Conditions: []readinessv1alpha1.ConditionRequirement{
+						{Type: "Ready", RequiredStatus: corev1.ConditionTrue},
+					},
+					NodeSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"node-role.kubernetes.io/worker": "",
+						},
+					},
+					Taint: corev1.Taint{
+						Key:    "readiness.k8s.io/example.com/my-component",
+						Effect: corev1.TaintEffectNoSchedule,
+					},
+					EnforcementMode: readinessv1alpha1.EnforcementModeBootstrapOnly,
+				},
+			}
+			allErrs := webhook.validateSpec(rule.Spec)
+			Expect(allErrs).To(BeEmpty())
+		})
 	})
 
 	Context("Full Validation Integration", func() {