OCPBUGS-74525: OCPBUGS-74526: Remove UserNamespacesPodSecurityStandards and UserNamespacesSupport by bitoku · Pull Request #2762 · openshift/api

bitoku · 2026-03-12T15:05:44Z

UserNamespacesPodSecurityStandards dropped in 1.35 kubernetes/kubernetes@e8bd3f6

UserNamespacesSupport enabled by default in 1.33 kubernetes/kubernetes@96c2b81

…eature gates Both feature gates have been enabled by default since 4.21 and are no longer needed. The userNamespaceLevel field on SecurityContextConstraints is now ungated and always available. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

openshift-ci-robot · 2026-03-12T15:05:47Z

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

openshift-ci-robot · 2026-03-12T15:05:54Z

@bitoku: This pull request references Jira Issue OCPBUGS-74525, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lyman9966

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-03-12T15:06:08Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 92c0952c-e59c-4fd0-95a7-214d54e2c35b

📥 Commits

Reviewing files that changed from the base of the PR and between f6ee4c0 and 55d3f7b.

⛔ Files ignored due to path filters (3)

security/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**

📒 Files selected for processing (13)

features.md
features/features.go
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
security/v1/generated.proto
security/v1/tests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml
security/v1/types.go

💤 Files with no reviewable changes (13)

security/v1/types.go
features.md
security/v1/tests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
security/v1/generated.proto
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
features/features.go
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml

📝 Walkthrough

Walkthrough

This pull request removes two feature gates: UserNamespacesSupport and UserNamespacesPodSecurityStandards. The removals span feature gate definition files (features.go), documentation (features.md), configuration manifests across multiple Hypershift and SelfManagedHA profiles, and annotation references in proto and types definitions. Additionally, the test configuration file for UserNamespacesPodSecurityStandards is deleted. The changes eliminate these feature gates from the registry and all associated configuration profiles without modifying any remaining features or control flow.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	No pull request description was provided by the author, making it impossible to verify if the description relates to the changeset.	Add a clear description explaining why these feature gates are being removed and their current status (e.g., enabled by default since 4.21).

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly describes the primary change: removing two specific feature gates (UserNamespacesPodSecurityStandards and UserNamespacesSupport) across the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR does not introduce new or modified Ginkgo test code; changes affect feature gates, manifests, and data files only.
Test Structure And Quality	✅ Passed	The PR only removes a YAML test specification file without modifying actual Ginkgo test code. The test infrastructure maintains quality standards with table-driven tests, proper setup/cleanup, timeouts, and meaningful assertions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

📝 Coding Plan for PR comments

Generate coding plan

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-03-12T15:06:41Z

Hello @bitoku! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

openshift-ci · 2026-03-12T15:06:42Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci-robot · 2026-03-12T15:10:29Z

@bitoku: This pull request references Jira Issue OCPBUGS-74525, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lyman9966

Details

In response to this:

UserNamespacesPodSecurityStandards dropped in 1.35 kubernetes/kubernetes@e8bd3f6

UserNamespacesSupport enabled by default in 1.33 kubernetes/kubernetes@96c2b81

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

bitoku · 2026-03-12T15:10:38Z

/test all

qodo-code-review · 2026-03-12T15:10:45Z

PR-Agent: could not fine a component named all in a supported language in this PR.

bitoku · 2026-03-12T15:18:49Z

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

openshift-ci · 2026-03-12T15:19:41Z

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/c6667530-1e26-11f1-9894-8d3e157c037f-0

bitoku · 2026-03-13T10:16:40Z

/retest

bitoku · 2026-03-13T15:21:27Z

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

openshift-ci · 2026-03-13T15:21:32Z

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4eb8e340-1ef0-11f1-9273-49c828a7ffdd-0

bitoku · 2026-03-16T11:14:12Z

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

openshift-ci · 2026-03-16T11:14:16Z

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/437605e0-2129-11f1-8035-7e0764c49893-0

everettraven · 2026-03-16T12:14:12Z

Assuming we get clean CI signal, this LGTM.

/pipeline run

everettraven · 2026-03-16T12:14:21Z

/lgtm

openshift-ci-robot · 2026-03-16T12:15:55Z

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

openshift-ci · 2026-03-16T12:16:20Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [everettraven]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

bitoku · 2026-03-16T13:12:50Z

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

bitoku · 2026-03-16T13:12:52Z

/hold

openshift-ci · 2026-03-16T13:12:53Z

@bitoku: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-ovn-usernamespace

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d6080ba0-2139-11f1-889b-387ba7acd7b5-0

bitoku · 2026-03-16T15:49:50Z

/unhold

bitoku · 2026-03-18T17:47:23Z

/retest

openshift-ci · 2026-03-18T21:23:29Z

@bitoku: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Mar 12, 2026

openshift-ci bot requested a review from lyman9966 March 12, 2026 15:06

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 12, 2026

openshift-ci bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Mar 12, 2026

bitoku marked this pull request as ready for review March 16, 2026 11:13

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 16, 2026

openshift-ci bot requested review from JoelSpeed and everettraven March 16, 2026 11:14

openshift-ci bot assigned everettraven Mar 16, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 16, 2026

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 16, 2026

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2026

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2026

Conversation

bitoku commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 12, 2026

Uh oh!

openshift-ci-robot commented Mar 12, 2026

Uh oh!

coderabbitai bot commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

❌ Failed checks (1 warning)

Uh oh!

openshift-ci bot commented Mar 12, 2026

Uh oh!

openshift-ci bot commented Mar 12, 2026

Uh oh!

openshift-ci-robot commented Mar 12, 2026

Uh oh!

bitoku commented Mar 12, 2026

Uh oh!

qodo-code-review bot commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bitoku commented Mar 12, 2026

Uh oh!

openshift-ci bot commented Mar 12, 2026

Uh oh!

bitoku commented Mar 13, 2026

Uh oh!

bitoku commented Mar 13, 2026

Uh oh!

openshift-ci bot commented Mar 13, 2026

Uh oh!

bitoku commented Mar 16, 2026

Uh oh!

openshift-ci bot commented Mar 16, 2026

Uh oh!

everettraven commented Mar 16, 2026

Uh oh!

everettraven commented Mar 16, 2026

Uh oh!

openshift-ci-robot commented Mar 16, 2026

Uh oh!

openshift-ci bot commented Mar 16, 2026

Uh oh!

bitoku commented Mar 16, 2026

Uh oh!

bitoku commented Mar 16, 2026

Uh oh!

openshift-ci bot commented Mar 16, 2026

Uh oh!

bitoku commented Mar 16, 2026

Uh oh!

bitoku commented Mar 18, 2026

Uh oh!

openshift-ci bot commented Mar 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

bitoku commented Mar 12, 2026 •

edited

Loading

coderabbitai bot commented Mar 12, 2026 •

edited

Loading

qodo-code-review bot commented Mar 12, 2026 •

edited

Loading