OCPSTRAT-3036: Promote MutatingAdmissionPolicy feature to Default #2832

Open
jubittajohn wants to merge 1 commit into openshift:master from jubittajohn:add-mutatingadmissionpolicy-to-default-set

jubittajohn commented May 6, 2026

Graduate MutatingAdmissionPolicy to the Default feature set.

MutatingAdmissionPolicy graduated to GA in upstream Kubernetes 1.36, and new conformance tests were added for it. This moves the feature to the Default feature set to match. We need this before the 1.36 rebase because the new conformance tests poll indefinitely when the feature is disabled in OpenShift, causing k8s-e2e-conformance-aws to time out at 2 hours in openshift/kubernetes#2653 PR.

Enabling it now on 1.35 is safe because the existing kas-operator version ranges (https://github.com/openshift/cluster-kube-apiserver-operator/blob/main/pkg/operator/configobservation/apienablement/observe_runtime_config.go#L[…]30) will serve the pre-GA APIs (v1alpha1/v1beta1). Once the rebase lands, only the native v1 API will be served, and we'll clean up the kas-operator runtime-config entries after that.

@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) May 6, 2026
openshift-ci-robot commented May 6, 2026

@jubittajohn: This pull request references OCPSTRAT-3036 which is a valid jira issue.

In response to this:

Graduate MutatingAdmissionPolicy to the Default feature set.

Upstream Kubernetes 1.36 graduated MutatingAdmissionPolicy to GA (v1). Moving it to Default now (while still on 1.35) ensures the feature is enabled with pre-GA API versions (v1alpha1/v1beta1) served via the existing version ranges. Once the 1.36 rebase lands, only the native v1 API will be served, as the version ranges exclude 1.36.0+.

This unblocks k8s-e2e-conformance-aws, which is timing out because the new upstream conformance tests for MutatingAdmissionPolicy poll indefinitely when the feature is disabled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci Bot commented May 6, 2026

Hello @jubittajohn! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

coderabbitai Bot commented May 6, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ba25685a-9c87-4f1a-abf7-739df83c0cb4

📥 Commits

Reviewing files that changed from the base of the PR and between 83d1462 and d03b52f.

📒 Files selected for processing (6)
  • features.md
  • features/features.go
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • features/features.go

Walkthrough

The MutatingAdmissionPolicy feature gate was enabled by default by adding inDefault() to its configuration in features/features.go. Corresponding payload manifests (payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml, featureGate-4-10-SelfManagedHA-Default.yaml, and OKD variants) were updated to move MutatingAdmissionPolicy from disabled to enabled lists. The ImageStreamImportMode enable block was removed from features/features.go. features.md was extended with many new feature rows and shows MutatingAdmissionPolicy marked Enabled across deployment variants.

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: promoting MutatingAdmissionPolicy to the Default feature set, which matches the core purpose of all file modifications. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the rationale for graduating MutatingAdmissionPolicy to Default, upstream Kubernetes 1.36 GA status, and compatibility with existing kas-operator version ranges. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR modifies no test files and contains no Ginkgo test code. Only configuration (features/features.go), documentation (features.md), and YAML manifests are changed. The check does not apply. |
| Test Structure And Quality | ✅ Passed | PR includes new Ginkgo test file with proper BeforeSuite/AfterSuite, BeforeEach/AfterEach, 5s timeouts on Eventually calls, and comprehensive assertion messages. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests added. PR only modifies feature gate configs in features.go, features.md, and YAML manifests. MicroShift compatibility check only applies when tests are added. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds no new Ginkgo e2e tests. All changes are feature gate configuration and documentation only. The SNO compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only feature gate configs, not deployment manifests or operator code. Check applies only when such components are modified. |
| Ote Binary Stdout Contract | ✅ Passed | No OTE Binary Stdout Contract violations detected. Test infrastructure correctly routes output to GinkgoWriter. Feature gate changes contain no process-level stdout writes. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. Changes are configuration and documentation updates. The custom check applies only when new e2e tests are added. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented


openshift-ci Bot added the size/XS label (Denotes a PR that changes 0-9 lines, ignoring generated files.) May 6, 2026
openshift-ci Bot requested review from JoelSpeed and everettraven May 6, 2026 17:52
openshift-ci Bot commented May 6, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
features/features.go (1)

86-92: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep Default and OKD in sync for this gate.

Most gates promoted into the default matrix here add inOKD() alongside inDefault(). With Line 91 only adding inDefault(), MutatingAdmissionPolicy stays disabled for OKD default clusters, which looks like an unintended divergence for a Kubernetes-scoped gate.

Suggested fix
-						enable(inDefault(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
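Review bot: the inOKD() added to the enable(...) call on the + line needs the matching change in the OKD payload manifests (featureGate-4-10-Hypershift-OKD.yaml and featureGate-4-10-SelfManagedHA-OKD.yaml) and in features.md in the same commit, otherwise features/features.go and the shipped manifests disagree about whether MutatingAdmissionPolicy is on for OKD. It is also worth confirming that the pre-GA API versions (v1alpha1/v1beta1) the PR description relies on are served on OKD clusters before the gate is turned on there, since an enabled gate without a served API leaves the admission policies unusable.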
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@features/features.go` around lines 86 - 92, The
FeatureGateMutatingAdmissionPolicy definition currently enables the gate with
inDefault() but omits inOKD(), causing OKD default clusters to remain disabled;
update the enable(...) call on FeatureGateMutatingAdmissionPolicy (the
newFeatureGate(...) chain) to include inOKD() alongside inDefault() (i.e.,
enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()))
so the Kubernetes-scoped gate stays in sync for OKD.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@features/features.go`:
- Around line 86-92: The FeatureGateMutatingAdmissionPolicy definition currently
enables the gate with inDefault() but omits inOKD(), causing OKD default
clusters to remain disabled; update the enable(...) call on
FeatureGateMutatingAdmissionPolicy (the newFeatureGate(...) chain) to include
inOKD() alongside inDefault() (i.e., enable(inDefault(), inOKD(),
inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade())) so the Kubernetes-scoped
gate stays in sync for OKD.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9f019e22-c89e-4a01-835b-ef5f050a9c63

📥 Commits

Reviewing files that changed from the base of the PR and between 4023bcf and f1683e9.

📒 Files selected for processing (1)
  • features/features.go

jubittajohn changed the title from "OCPSTRAT-3036: Add the MutatingAdmissionPolicy feature to Default set" to "OCPSTRAT-3036: Promote MutatingAdmissionPolicy feature to Default" May 6, 2026
jubittajohn force-pushed the add-mutatingadmissionpolicy-to-default-set branch from f1683e9 to 83d1462 May 6, 2026 19:12
openshift-ci Bot added the size/S label (Denotes a PR that changes 10-29 lines, ignoring generated files.) and removed the size/XS label (Denotes a PR that changes 0-9 lines, ignoring generated files.) May 6, 2026
Signed-off-by: jubittajohn <jujohn@redhat.com>
jubittajohn force-pushed the add-mutatingadmissionpolicy-to-default-set branch from 83d1462 to d03b52f May 6, 2026 19:31
openshift-ci Bot commented May 6, 2026

@jubittajohn: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
size/S: Denotes a PR that changes 10-29 lines, ignoring generated files.
