The node-readiness-controller uses a custom annotation on Node objects to track completion of bootstrap-only rules.
Currently the annotation key is generated like this:
readiness.k8s.io/bootstrap-completed-<rule-name>
However, Kubernetes annotation keys must follow the format:
The name part (after the last /) is limited to 63 characters.
Since bootstrap-completed- already uses 20 characters, any NodeReadinessRule name longer than ~43 characters results in an invalid annotation key.
Because of this, the controller fails while patching the Node annotation and the bootstrap-only rule never gets marked as completed.
Expected Behavior
The controller should support any valid NodeReadinessRule name without failing to patch Node annotations.
Actual Behavior
The controller throws a validation error when trying to patch the Node annotation if the generated key exceeds Kubernetes annotation limits.
As a result:
- bootstrap-only rules never complete
- nodes can remain tainted indefinitely
- reconciliation loops may continue retrying
Steps to Reproduce
- Create a NodeReadinessRule with a long name (50+ characters)
Example:
my-very-important-network-readiness-rule-for-worker-nodes
- Set:
spec:
  enforcementMode: bootstrap-only
- Wait for the rule conditions to become successful
- Check controller logs
You will see annotation validation errors during the Node patch operation.
Suggested Fix
The annotation key should be shortened when the rule name is too long.
Possible approaches:
- Truncation + hash
- Deterministic hash-based suffix
- Store bootstrap tracking somewhere other than Node annotations
Example idea:
readiness.k8s.io/bootstrap-<hash>
A hash-based approach would probably be the safest option to avoid collisions while staying within Kubernetes limits.
I would like to work on this issue
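A sketch of the "truncation + hash" approach listed under Suggested Fix, as an added example that is not the controller's own code. The function names, the choice of SHA-256, and the 10-character hash suffix are assumptions made here; keys that already fit keep their current form so existing annotations still match.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

const (
	annotationPrefix = "readiness.k8s.io/"
	completedPrefix  = "bootstrap-completed-" // 20 characters
	maxNameLen       = 63                     // limit on the name part of an annotation key
	hashHexLen       = 10                     // assumption: first 40 bits of SHA-256, hex encoded
)

// Name part of a key: alphanumeric at both ends, '-', '_' and '.' allowed inside.
var namePart = regexp.MustCompile(`^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$`)

// bootstrapAnnotationKey (hypothetical helper) returns the current key when it
// fits, otherwise a truncated rule name plus a hash of the full rule name.
// Rule names are assumed to be ASCII, so byte slicing is safe.
func bootstrapAnnotationKey(ruleName string) string {
	name := completedPrefix + ruleName
	if len(name) <= maxNameLen {
		return annotationPrefix + name
	}
	sum := sha256.Sum256([]byte(ruleName))
	suffix := "-" + hex.EncodeToString(sum[:])[:hashHexLen]
	keep := maxNameLen - len(completedPrefix) - len(suffix)
	return annotationPrefix + completedPrefix + ruleName[:keep] + suffix
}

// validKey checks only the name part; the prefix here is a fixed, valid subdomain.
func validKey(key string) bool {
	name := key[len(annotationPrefix):]
	return len(name) <= maxNameLen && namePart.MatchString(name)
}

func main() {
	for _, r := range []string{ // constructed sample rule names
		"short-rule",
		"my-very-important-network-readiness-rule-for-worker-nodes",
	} {
		k := bootstrapAnnotationKey(r)
		fmt.Printf("%s -> %s (valid=%v)\n", r, k, validKey(k))
	}
}
```

Hashing the full rule name, not the truncated part, is what keeps two long rules with a shared prefix from mapping to the same annotation key.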