Skip to content

fix(api): mark Sandbox.spec.volumeClaimTemplates immutable via CEL#858

Open
mesutoezdil wants to merge 2 commits into
kubernetes-sigs:mainfrom
mesutoezdil:fix/727-sandbox-vct-immutable
Open

fix(api): mark Sandbox.spec.volumeClaimTemplates immutable via CEL#858
mesutoezdil wants to merge 2 commits into
kubernetes-sigs:mainfrom
mesutoezdil:fix/727-sandbox-vct-immutable

Conversation

@mesutoezdil

@mesutoezdil mesutoezdil commented May 23, 2026

Copy link
Copy Markdown
Contributor

Move the XValidation rule from the optional `volumeClaimTemplates` field to the `SandboxSpec` parent struct so the API server enforces immutability for all three transitions: set to modified set, unset to set, and set to unset. The previous rule on the optional field was skipped when the field was absent in either the old or new object, leaving two gaps.

This aligns Sandbox with the StatefulSet immutability contract and prevents controller reconciliation failures or orphaned PVCs caused by post-creation mutations.

Related issue: 727

Changes

  • `api/v1beta1/sandbox_types.go`: move XValidation marker to `SandboxSpec` with `has()` checks covering all transitions
  • `k8s/crds/agents.x-k8s.io_sandboxes.yaml`: regenerated via `go generate ./...`
  • `helm/crds/agents.x-k8s.io_sandboxes.yaml`: regenerated via `go generate ./...`
  • `docs/api.md`: regenerated via `make generate-api-docs`
  • `test/e2e/volumeclaimtemplate_test.go`: added table-driven e2e tests for all three rejection cases

Summary by CodeRabbit

  • New Features
    • Added validation to prevent changes to volumeClaimTemplates after a Sandbox is created.
  • Documentation
    • Updated the API reference to explain that volumeClaimTemplates is immutable after creation, while the matching template field remains editable.
  • Tests
    • Added end-to-end coverage for update attempts that modify, remove, or add volume claim templates, confirming they are rejected with a clear error.
@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label May 23, 2026
@netlify

netlify Bot commented May 23, 2026

Copy link
Copy Markdown

Deploy Preview for agent-sandbox canceled.

Name Link
🔨 Latest commit 5d7b1cc
🔍 Latest deploy log https://app.netlify.com/projects/agent-sandbox/deploys/6a455d07e556360009aa6450
@k8s-ci-robot k8s-ci-robot requested review from janetkuo and soltysh May 23, 2026 14:26
@linux-foundation-easycla

linux-foundation-easycla Bot commented May 23, 2026

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: mesutoezdil / name: mesutoezdil (a93d3cb)

@k8s-ci-robot

Copy link
Copy Markdown
Contributor

Welcome @mesutoezdil!

It looks like this is your first PR to kubernetes-sigs/agent-sandbox 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/agent-sandbox has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 23, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

Hi @mesutoezdil. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels May 23, 2026
@mesutoezdil mesutoezdil force-pushed the fix/727-sandbox-vct-immutable branch from a93d3cb to a625000 Compare May 23, 2026 14:30
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label May 23, 2026
@mesutoezdil mesutoezdil force-pushed the fix/727-sandbox-vct-immutable branch from a625000 to 49297c9 Compare May 23, 2026 14:37
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 23, 2026
@janetkuo janetkuo requested a review from Copilot May 23, 2026 15:00

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes Sandbox.spec.volumeClaimTemplates immutable after creation by adding a CEL XValidation rule (self == oldSelf). This aligns Sandbox behavior with Kubernetes’ StatefulSet immutability expectations and prevents silent drift between Sandbox spec and already-created PVCs.

Changes:

  • Added a kubebuilder XValidation CEL rule to enforce immutability of SandboxSpec.VolumeClaimTemplates.
  • Regenerated CRDs in both k8s/crds/ and helm/crds/ to include the resulting x-kubernetes-validations stanza.
  • Updated the API reference docs to mention the immutability behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
api/v1beta1/sandbox_types.go Adds CEL immutability validation for spec.volumeClaimTemplates.
k8s/crds/agents.x-k8s.io_sandboxes.yaml Regenerated CRD reflecting x-kubernetes-validations for the field.
helm/crds/agents.x-k8s.io_sandboxes.yaml Same regenerated CRD change for the Helm chart.
docs/api.md Documents that volumeClaimTemplates is immutable after creation.
Comment thread docs/api.md
Comment thread api/v1beta1/sandbox_types.go Outdated

@barney-s barney-s left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • While this is a step in the right direction to align with StatefulSet expectations, the current CEL rule configuration on an optional field leaves gaps that allow transitions from unset to set (and vice versa) on update. To ensure strict immutability, the validation rule should be defined at the parent struct level.
  • Additionally, there are no tests included to verify this validation behavior.
Comment thread api/v1beta1/sandbox_types.go Outdated
@barney-s barney-s self-assigned this Jun 3, 2026
mesutoezdil added a commit to mesutoezdil/agent-sandbox that referenced this pull request Jun 3, 2026
The previous rule was placed on the optional field itself, so Kubernetes
skipped it when the field was absent in old or new object. Moving the
rule to SandboxSpec covers all three transitions: set-to-modified-set,
unset-to-set, and set-to-unset.

Regenerated CRDs via go generate ./... and docs/api.md via
make generate-api-docs. Added e2e tests for all three rejection cases.

Fixes: barney-s review on kubernetes-sigs#858
Closes kubernetes-sigs#727
Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Jun 3, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mesutoezdil
Once this PR has been reviewed and has the lgtm label, please ask for approval from barney-s. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot removed the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 3, 2026
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 3, 2026
@mesutoezdil mesutoezdil force-pushed the fix/727-sandbox-vct-immutable branch from 8161d28 to 7fde87d Compare June 3, 2026 08:39
Move the XValidation rule to SandboxSpec so the API server enforces
immutability for all transitions: set to modified set, unset to set,
and set to unset. The previous rule on the optional field was skipped
when the field was absent in either the old or new object.

Regenerated CRDs via go generate ./... and docs via make generate-api-docs.
Added e2e tests covering all three rejection cases.

Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
@mesutoezdil mesutoezdil force-pushed the fix/727-sandbox-vct-immutable branch from 7fde87d to c51e561 Compare June 3, 2026 08:41
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Jun 3, 2026
@mesutoezdil

mesutoezdil commented Jun 3, 2026

Copy link
Copy Markdown
Contributor Author

Thanks @barney-s. Both points are addressed in the latest commit.

@aditya-shantanu

Copy link
Copy Markdown
Collaborator

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 3, 2026
@janetkuo janetkuo added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 18, 2026
@aditya-shantanu

Copy link
Copy Markdown
Collaborator

/lgtm

1 similar comment
@aditya-shantanu

Copy link
Copy Markdown
Collaborator

/lgtm

@kubernetes-prow kubernetes-prow Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 1, 2026
@kubernetes-prow

Copy link
Copy Markdown

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

…mmutable

# Conflicts:
#	api/v1beta1/sandbox_types.go
@kubernetes-prow

Copy link
Copy Markdown

New changes are detected. LGTM label has been removed.

@kubernetes-prow kubernetes-prow Bot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 1, 2026
@kubernetes-prow

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mesutoezdil
Once this PR has been reviewed and has the lgtm label, please ask for approval from barney-s. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a CEL-based immutability validation rule for volumeClaimTemplates on the v1beta1 SandboxSpec, propagates it to the generated CRD manifest, documents the restriction in the API docs, and adds an e2e test verifying that updates to this field after creation are rejected.

Changes

volumeClaimTemplates immutability

Layer / File(s) Summary
API validation rule and generated artifacts
api/v1beta1/sandbox_types.go, helm/crds/agents.x-k8s.io_sandboxes.yaml, docs/api.md
Adds a kubebuilder XValidation CEL rule requiring volumeClaimTemplates on SandboxSpec to stay unchanged once set, mirrors this rule in the generated CRD's x-kubernetes-validations, and documents that the field is immutable after creation while noting SandboxTemplate copies remain editable.
E2E immutability test
test/e2e/volumeclaimtemplate_test.go
Adds TestSandboxVolumeClaimTemplatesImmutable, which attempts to append, unset, or modify volumeClaimTemplates on an existing Sandbox and asserts each update fails with a "volumeClaimTemplates is immutable" error.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested labels: lgtm

Suggested reviewers: barney-s, janetkuo

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is specific and matches the main change: making Sandbox.spec.volumeClaimTemplates immutable via CEL.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The PR clearly explains the change, motivation, related issue, and affected files, though it doesn't explicitly use the template headings.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mesutoezdil

mesutoezdil commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

This PR has been open since May 23, and in true fast-moving-monorepo fashion the codebase moved on without me. main landed #995, hoisting PodTemplate/VolumeClaimTemplates into a shared SandboxBlueprint struct used by both Sandbox and SandboxTemplate. That conflicted with this branch badly enough that I had to re-read my own diff to remember what it was doing.

To be honest, six weeks for a small, self-contained CEL rule change is a long time to sit in review, long enough that the base branch drifted out from under it and turned a trivial merge into an archaeology exercise. It would help to get eyes on small API PRs like this sooner, before the diff itself becomes stale.

@janetkuo @soltysh @barney-s @SHRUTI6991, tagging everyone who has already weighed in so this doesn't sit unnoticed again. Ready for another pass whenever you have time, hopefully without another multi-week wait and another round of drift to untangle.

@kubernetes-prow kubernetes-prow Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. ready-for-review size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

7 participants