Skip to content

Add standard Kubernetes labels to controller-manager deployment#1989

Merged
weshayutin merged 1 commit intoopenshift:oadp-devfrom
shubham-pampattiwar:add-standard-k8s-labels
Oct 13, 2025
Merged

Add standard Kubernetes labels to controller-manager deployment#1989
weshayutin merged 1 commit intoopenshift:oadp-devfrom
shubham-pampattiwar:add-standard-k8s-labels

Conversation

@shubham-pampattiwar
Copy link
Member

@shubham-pampattiwar shubham-pampattiwar commented Oct 9, 2025
edited
Loading

Summary

This PR adds standard Kubernetes labels to the openshift-adp-controller-manager deployment to enable more specific NetworkPolicy targeting.

Changes

Adds the following labels to both the Deployment metadata and Pod template:

  • app.kubernetes.io/name: oadp-operator
  • app.kubernetes.io/component: controller-manager
  • app.kubernetes.io/part-of: oadp

Motivation

The current generic label control-plane: controller-manager could inadvertently match unintended pods when used in NetworkPolicy selectors. These more specific labels follow Kubernetes recommended practices and allow for precise pod targeting.

Files Changed

  • config/manager/manager.yaml - Added labels to deployment template
  • bundle/manifests/oadp-operator.clusterserviceversion.yaml - Regenerated with make bundle

Testing

  • Verified labels are applied to deployment
  • Verified labels are present in CSV after bundle regeneration
  • Confirmed no unintended RBAC changes included

Fixes #1988

🤖 Generated with Claude Code

@openshift-ci openshift-ci bot requested review from mpryc and mrnold October 9, 2025 17:03
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 9, 2025
@shubham-pampattiwar
Copy link
Member Author

shubham-pampattiwar commented Oct 9, 2025

Testing Verification ✅

All testing checkboxes from the PR description have been verified on a live OpenShift cluster.

1. ✅ Verified labels are applied to deployment

Deployed the operator using make deploy-olm and confirmed the deployment has all three new labels:

$ oc get deployment openshift-adp-controller-manager -n openshift-adp -o yaml | grep -A 4 "labels:"
labels:
  app.kubernetes.io/component: controller-manager
  app.kubernetes.io/name: oadp-operator
  app.kubernetes.io/part-of: oadp
  control-plane: controller-manager

2. ✅ Verified labels are present on running pods

Pod selector with the new label works correctly:

$ oc get pods -n openshift-adp -l app.kubernetes.io/name=oadp-operator
NAME                                                READY   STATUS    RESTARTS   AGE
openshift-adp-controller-manager-749866fbbf-5j2xg   1/1     Running   0          5m

$ oc get pods -n openshift-adp -l app.kubernetes.io/name=oadp-operator --show-labels
NAME                                                READY   STATUS    RESTARTS   AGE   LABELS
openshift-adp-controller-manager-749866fbbf-5j2xg   1/1     Running   0          5m    app.kubernetes.io/component=controller-manager,app.kubernetes.io/name=oadp-operator,app.kubernetes.io/part-of=oadp,control-plane=controller-manager,pod-template-hash=749866fbbf

3. ✅ Verified labels are present in CSV after bundle regeneration

CSV contains the labels in both deployment metadata and pod template:

deployments:
- label:
    app.kubernetes.io/component: controller-manager
    app.kubernetes.io/name: oadp-operator
    app.kubernetes.io/part-of: oadp
    control-plane: controller-manager
  spec:
    template:
      metadata:
        labels:
          app.kubernetes.io/component: controller-manager
          app.kubernetes.io/name: oadp-operator
          app.kubernetes.io/part-of: oadp
          control-plane: controller-manager

NetworkPolicy Use Case

These labels enable precise NetworkPolicy targeting. Example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: oadp-controller-egress
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: oadp-operator
      app.kubernetes.io/component: controller-manager
  # ... egress rules

This selector will only match the OADP controller-manager pods, avoiding the issue mentioned in #1988 where the generic control-plane: controller-manager label could match unintended pods.

weshayutin
weshayutin previously approved these changes Oct 9, 2025
View reviewed changes
kaovilai
kaovilai reviewed Oct 9, 2025
View reviewed changes
@shubham-pampattiwar @claude
Add standard Kubernetes labels to controller-manager deployment
7706183 
Add three standard Kubernetes labels to the openshift-adp-controller-manager
deployment to enable more specific pod selection in NetworkPolicies:
- app.kubernetes.io/name: oadp-operator
- app.kubernetes.io/component: controller-manager
- app.kubernetes.io/part-of: oadp-operator

The current label 'control-plane: controller-manager' is too generic and
could match unintended pods when used in NetworkPolicy selectors.

These labels follow the recommended Kubernetes labeling conventions and
match the existing standard used in config/prometheus/monitor.yaml.

Fixes: openshift#1988

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@kaovilai
Copy link
Member

kaovilai commented Oct 10, 2025

looks like sir health check isn't working

@shubham-pampattiwar
Copy link
Member Author

shubham-pampattiwar commented Oct 13, 2025

/retest

1 similar comment
@shubham-pampattiwar
Copy link
Member Author

shubham-pampattiwar commented Oct 13, 2025

/retest

@openshift-ci
Copy link

openshift-ci bot commented Oct 13, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, shubham-pampattiwar, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [kaovilai,shubham-pampattiwar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link

openshift-ci bot commented Oct 13, 2025

@shubham-pampattiwar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.20-e2e-test-aws 7706183 link false /test 4.20-e2e-test-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@weshayutin weshayutin merged commit b296ca1 into openshift:oadp-dev Oct 13, 2025
12 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@weshayutin weshayutin weshayutin approved these changes

@kaovilai kaovilai kaovilai approved these changes

@mpryc mpryc Awaiting requested review from mpryc

@mrnold mrnold Awaiting requested review from mrnold

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add standard Kubernetes labels to openshift-adp-controller-manager deployment

3 participants

@shubham-pampattiwar @kaovilai @weshayutin