NO-JIRA: machine-api-termination-handler: add scc annotation, terminationMessage: FallbackToLogsOnError #1494

Merged: openshift-merge-bot[bot] merged 2 commits into openshift:main from damdo:term-handler-add-scc-log-to-err on May 4, 2026

Conversation

@damdo (Member) commented May 1, 2026

Summary by CodeRabbit

  • Chores
    • Applied required OpenShift security constraint to the termination-handler pod so it meets platform security requirements.
    • Updated termination behavior to prefer logs on errors for the termination-handler container, improving post-termination diagnostics and error visibility.

The termination-handler container was missing terminationMessagePolicy=FallbackToLogsOnError
@openshift-ci-robot (Contributor) commented
@damdo: This pull request explicitly references no jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 1, 2026
coderabbitai Bot commented May 1, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a53626b3-026e-4fd3-8dbb-a539d011a099

📥 Commits

Reviewing files that changed from the base of the PR and between e527fdd and d787f6b.

📒 Files selected for processing (1)
  • pkg/operator/sync.go
✅ Files skipped from review due to trivial changes (1)
  • pkg/operator/sync.go

Walkthrough

newTerminationPodTemplateSpec now clones the shared pod annotations and adds the OpenShift SCC annotation for the termination-handler Pod template. The termination-handler container spec now sets TerminationMessagePolicy to TerminationMessageFallbackToLogsOnError.

Changes

Termination Handler Pod Configuration

Layer / File(s) / Summary (all in pkg/operator/sync.go):

  • Annotation Mutation Fix: newTerminationPodTemplateSpec clones commonPodTemplateAnnotations (via maps.Clone) into a local annotations map and adds openshift.io/required-scc: machine-api-termination-handler to that clone.
  • Container Field: newTerminationContainers sets TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError on the termination-handler container.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

  • Description Check: Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: The title directly summarizes the two main changes: adding the scc annotation and setting terminationMessage to FallbackToLogsOnError for the termination-handler.
  • Linked Issues check: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: PR only modifies production code in sync.go; no Ginkgo test files are changed, so there are no test names to validate for stability.
  • Test Structure And Quality: This PR does not modify any Ginkgo test files, only production code in pkg/operator/sync.go. The custom check for Ginkgo test quality is not applicable.
  • Microshift Test Compatibility: PR modifies operator sync configuration code but does not add any new Ginkgo e2e tests, so the MicroShift compatibility check is not applicable.
  • Single Node Openshift (Sno) Test Compatibility: The pull request adds no new Ginkgo e2e tests, only unit tests using the testing package and Gomega matchers.
  • Topology-Aware Scheduling Compatibility: PR adds operational metadata and logging configuration without introducing scheduling constraints that would break SNO, Two-Node, TNA, or HyperShift topologies.
  • Ote Binary Stdout Contract: Changes are purely Kubernetes resource configuration (annotations and container settings) without process-level stdout writes.
  • Ipv6 And Disconnected Network Test Compatibility: PR modifies operator code only; no new Ginkgo e2e tests introduced, so custom check for IPv6 and disconnected network compatibility is not applicable.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions



@openshift-ci openshift-ci Bot requested review from mdbooth and nrb May 1, 2026 16:18
coderabbitai Bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:

In `@pkg/operator/sync.go`:

  • Around line 1006-1011: The pod-template annotation map is being shared and later mutated by ensureDependecyAnnotations, leaking deployment-specific dependency-hash annotations into other pods; instead of relying on maps.Clone(commonPodTemplateAnnotations) in only some places, ensure every use creates an independent copy: replace any direct aliasing of commonPodTemplateAnnotations (including where deployment pod templates are created) with a fresh clone (e.g., call maps.Clone(commonPodTemplateAnnotations) at each assignment site) or modify ensureDependecyAnnotations to accept and mutate a copy rather than the original; update usages around maps.Clone(commonPodTemplateAnnotations), commonPodTemplateAnnotations, and ensureDependecyAnnotations so no shared map is passed into multiple pod templates.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 53476141-736e-49dd-b290-250edf49b3c7

📥 Commits

Reviewing files that changed from the base of the PR and between ddc3269 and e527fdd.

📒 Files selected for processing (1)
  • pkg/operator/sync.go

Comment thread pkg/operator/sync.go
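The walkthrough above describes the change itself (clone the shared annotation map, pin the termination-handler Pod to its SCC via openshift.io/required-scc, set the container's termination message policy to FallbackToLogsOnError), and CodeRabbit's inline comment describes the failure mode the clone guards against: a shared annotation map that one helper mutates leaks deployment-specific annotations into every other pod template built from it. The following is an added example, not code from this PR or from the machine-api-operator repository. It models the pod template with a minimal struct instead of corev1.PodTemplateSpec, uses a placeholder dependency-hash annotation key and a constructed hash value, and stands in a hypothetical ensureDependencyAnnotations for the operator's ensureDependecyAnnotations; the required-scc key and value and the FallbackToLogsOnError policy are the ones the PR sets.

```go
package main

import (
	"fmt"
	"maps"
	"sort"
)

// Annotation keys. The required-scc key and value come from the PR; the
// dependency-hash key is a placeholder invented for this example.
const (
	RequiredSCCKey   = "openshift.io/required-scc"
	RequiredSCCValue = "machine-api-termination-handler"
	DepHashKey       = "example.openshift.io/dependency-hash" // hypothetical
)

// PodTemplate is a minimal stand-in for corev1.PodTemplateSpec so the example
// runs without the k8s.io/api dependency.
type PodTemplate struct {
	Name                     string
	Annotations              map[string]string
	TerminationMessagePolicy string
}

// ensureDependencyAnnotations stands in for the operator's
// ensureDependecyAnnotations: it writes a deployment-specific hash into the map
// it is handed. Whether that map is shared with other templates is the
// caller's responsibility.
func ensureDependencyAnnotations(annotations map[string]string, hash string) {
	annotations[DepHashKey] = hash
}

// newTerminationPodTemplateSpec mirrors what the PR does for the
// termination-handler: pin the Pod to the dedicated SCC through the annotation
// and prefer container logs as the termination message on error exits.
func newTerminationPodTemplateSpec(annotations map[string]string) PodTemplate {
	annotations[RequiredSCCKey] = RequiredSCCValue
	return PodTemplate{
		Name:                     "machine-api-termination-handler",
		Annotations:              annotations,
		TerminationMessagePolicy: "FallbackToLogsOnError",
	}
}

// BuildTemplates derives a controllers Deployment template and the
// termination-handler DaemonSet template from one shared annotation map.
// cloneShared=false reproduces the aliasing CodeRabbit flagged; cloneShared=true
// gives every template its own copy, as the PR does with maps.Clone.
func BuildTemplates(shared map[string]string, cloneShared bool) (deployment, termination PodTemplate) {
	pick := func() map[string]string {
		if cloneShared {
			return maps.Clone(shared)
		}
		return shared // the same backing map handed to every caller
	}
	deployment = PodTemplate{Name: "machine-api-controllers", Annotations: pick()}
	ensureDependencyAnnotations(deployment.Annotations, "sha256:0123abcd") // constructed hash
	termination = newTerminationPodTemplateSpec(pick())
	return deployment, termination
}

// IsolationProblems reports annotations that crossed between templates or
// landed in the shared map; an empty slice means the templates are isolated.
func IsolationProblems(shared map[string]string, deployment, termination PodTemplate) []string {
	var problems []string
	if _, ok := termination.Annotations[DepHashKey]; ok {
		problems = append(problems, "termination-handler carries the Deployment's dependency hash")
	}
	if _, ok := deployment.Annotations[RequiredSCCKey]; ok {
		problems = append(problems, "Deployment is pinned to the termination-handler SCC")
	}
	for _, k := range []string{DepHashKey, RequiredSCCKey} {
		if _, ok := shared[k]; ok {
			problems = append(problems, "shared map was mutated: "+k)
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	for _, clone := range []bool{false, true} {
		// Constructed stand-in for commonPodTemplateAnnotations.
		shared := map[string]string{"target.workload.openshift.io/management": `{"effect": "PreferredDuringScheduling"}`}
		dep, term := BuildTemplates(shared, clone)
		fmt.Printf("cloneShared=%v problems=%v\n", clone, IsolationProblems(shared, dep, term))
	}
}
```

With cloneShared=false the aliasing shows up in both directions: the DaemonSet template inherits the Deployment's dependency hash, the Deployment template inherits the SCC pin, and the shared map itself is changed for every later caller. With cloneShared=true each template owns its map and the shared one is untouched, which is why the review asks for a clone at every assignment site rather than only in newTerminationPodTemplateSpec.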
damdo (Member, Author) commented May 4, 2026

/retest

Pin the termination-handler DaemonSet pods to the dedicated
machine-api-termination-handler SCC using the openshift.io/required-scc annotation.

This makes the SCC binding explicit and prevents silent fallback to a different
SCC if admission ordering changes.
@damdo damdo force-pushed the term-handler-add-scc-log-to-err branch from e527fdd to d787f6b Compare May 4, 2026 11:42
openshift-ci Bot (Contributor) commented May 4, 2026

@damdo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

nrb (Contributor) commented May 4, 2026

/lgtm
/approve
/verified by checking CI artifacts and observing the SCC is retained

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 4, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 4, 2026
@openshift-ci-robot (Contributor) commented
@nrb: This PR has been marked as verified by checking CI artifacts and observing the SCC is retained.

Details

In response to this:

/lgtm
/approve
/verified by checking CI artifacts and observing the SCC is retained

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci Bot (Contributor) commented May 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nrb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit f35014d into openshift:main May 4, 2026
16 checks passed