Skip to content

Add ownerReferences and subjects correlators to reduce false positives#258

Open
mgonzalezo wants to merge 1 commit intoopenshift:mainfrom
mgonzalezo:feature/owner-references-support
Open

Add ownerReferences and subjects correlators to reduce false positives#258
mgonzalezo wants to merge 1 commit intoopenshift:mainfrom
mgonzalezo:feature/owner-references-support

Conversation

@mgonzalezo
Copy link

@mgonzalezo mgonzalezo commented Jan 14, 2026

Added two new correlators to reduce false positives when validating OpenShift Hub clusters:

  1. OwnerReferenceCorrelator - Finds resources that exist as ownerReferences in cluster resources but not as standalone files. This handles operator-managed resources like ClusterLogForwarder and StorageCluster that are only referenced by their child resources.

  2. SubjectsCorrelator - Finds ServiceAccounts and other subjects referenced in RBAC bindings but not present as standalone files in the collection.

PR raised after raising tickets OCPBUGS-69679 and TELCODOCS-2616 for OCP Hub cluster.

@openshift-ci
Copy link

openshift-ci bot commented Jan 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign nocturnalastro for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jan 14, 2026
@openshift-ci
Copy link

openshift-ci bot commented Jan 14, 2026

Hi @mgonzalezo. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@lack
Copy link
Member

lack commented Jan 15, 2026

Thanks very much for the submission!

I think to help solidify my understand of what cases this addresses, we could benefit from having a couple test cases that exemplify exactly what these new correlators accomplish.

@mgonzalezo mgonzalezo force-pushed the feature/owner-references-support branch from 87a6766 to 07e50a3 Compare January 16, 2026 02:39
@mgonzalezo
Copy link
Author

mgonzalezo commented Jan 16, 2026

Hi @lack , I have added integration test cases for ownerReferences and RBAC subjects correlators following the existing structure of this repo.

These tests show the new correlators fix false positives:

  • OwnerReferencesMatch: Tests that templates are matched when resources
    exist only as ownerReferences in cluster resources. Covers:

    • ClusterLogForwarder referenced by DaemonSet
    • StorageCluster referenced by Deployment
    • Provisioning (cluster-scoped) referenced by namespaced Deployment

  • RBACSubjectsMatch: Tests that ServiceAccounts are matched when they
    exist only as subjects in ClusterRoleBinding resources.

These tests validate the fix for 4 false positives identified for telco-hub:

  • clusterLogForwarder.yaml (found via ownerReferences)
  • storageCluster.yaml (found via ownerReferences)
  • acmProvisioning.yaml (found via ownerReferences)
  • ServiceAccount "collector" (found via RBAC subjects)

@mgonzalezo mgonzalezo force-pushed the feature/owner-references-support branch from 07e50a3 to 19b0634 Compare February 6, 2026 08:13
@mgonzalezo
Copy link
Author

mgonzalezo commented Feb 6, 2026

@lack based on your feedback, I have updated the implementation to address both parts of validation check:

  • Resources are still marked as matched (not missing) - avoiding false positives

  • Warning added when contents cannot be validated

let me know what you think.

@lack
Copy link
Member

lack commented Feb 9, 2026

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 9, 2026
@mgonzalezo
Add ownerReferences and RBAC subjects correlators
5e42626 
- Match resources via ownerReferences in cluster objects
- Match ServiceAccounts via RBAC subjects in ClusterRoleBindings
- Add Warnings array to JSON output for inferred resources
- Fix golangci-lint issues (formatting and cyclomatic complexity)
- Add test cases for both correlators
@mgonzalezo mgonzalezo force-pushed the feature/owner-references-support branch from befe5d1 to 5e42626 Compare February 10, 2026 13:50
@openshift-ci
Copy link

openshift-ci bot commented Feb 10, 2026

@mgonzalezo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MarSik MarSik Awaiting requested review from MarSik

@nocturnalastro nocturnalastro Awaiting requested review from nocturnalastro

Assignees

No one assigned

Labels

ok-to-test Indicates a non-member PR verified by an org member that is safe to test.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mgonzalezo @lack