Skip to content

Tighten adoption filters#758

Open
mandre wants to merge 12 commits intok-orc:mainfrom
shiftstack:fix-fip-adoption
Open

Tighten adoption filters#758
mandre wants to merge 12 commits intok-orc:mainfrom
shiftstack:fix-fip-adoption

Conversation

@mandre
Copy link
Copy Markdown
Collaborator

@mandre mandre commented Apr 17, 2026
edited
Loading

Tighten ListOSResourcesForAdoption across all controllers to include parent resource IDs, immutable identifying fields, and project/domain scoping in the adoption filter.

Fixes #757

@github-actions github-actions bot added the semver:patch No API change label Apr 17, 2026
mandre added 12 commits April 17, 2026 14:32
@mandre
FloatingIP: Tighten adoption filter
6a95342 
ListOSResourcesForAdoption only filtered by floating IP address and
tags, without considering the floating network or project. Adoption
could match a floating IP on the wrong network when concurrent tests
created floating IPs with the same address on different external
networks.

Resolve FloatingNetworkRef or FloatingSubnetRef to obtain the OpenStack
network ID and include it in the list filter. Also include ProjectID
when ProjectRef is set.

Collapse floatingipCreateActuator into floatingipActuator since the
split is no longer needed now that k8sClient is on the base actuator.
@mandre
Subnet: Tighten adoption filter
0fd870c 
ListOSResourcesForAdoption only filtered by name. Resolve NetworkRef
and include NetworkID, the immutable CIDR and IPVersion fields, and
ProjectID when set in the list filter to prevent adopting a subnet on
the wrong network or with the wrong addressing.
@mandre
Port: Tighten adoption filter
053fc18 
ListOSResourcesForAdoption only filtered by name. Resolve NetworkRef
and include NetworkID, MACAddress when specified (immutable, globally
unique), and ProjectID when set in the list filter to prevent adopting
a port on the wrong network.
@mandre
Trunk: Tighten adoption filter
8c80674 
ListOSResourcesForAdoption only filtered by name and description.
Resolve PortRef and include PortID, and ProjectID when set, in the
list filter to prevent adopting a trunk associated with the wrong
parent port.
@mandre
Project: Tighten adoption filter
cbd09dd 
ListOSResourcesForAdoption only filtered by name and tags. Resolve
DomainRef when set and include DomainID in the list filter to prevent
adopting a project in the wrong domain.
@mandre
User: Tighten adoption filter
1253074 
ListOSResourcesForAdoption only filtered by name. Resolve DomainRef
when set and include DomainID in the list filter to prevent adopting
a user in the wrong domain.
@mandre
Group: Tighten adoption filter
7fe8404 
ListOSResourcesForAdoption only filtered by name. Resolve DomainRef
when set and include DomainID in the list filter to prevent adopting
a group in the wrong domain.
@mandre
AddressScope: Tighten adoption filter
71912ee 
ListOSResourcesForAdoption only filtered by name. Include the
immutable IPVersion field and ProjectID when set in the list filter
to prevent adopting an address scope with the wrong IP version or
from the wrong project.
@mandre
SecurityGroup: Tighten adoption filter
9545833 
ListOSResourcesForAdoption only filtered by name. Resolve ProjectRef
when set and include ProjectID and the Stateful field in the list
filter to prevent adopting a security group from the wrong project
or with the wrong stateful/stateless behavior.
@mandre
Network: Tighten adoption filter
bfb881a 
ListOSResourcesForAdoption only filtered by name. Resolve ProjectRef
when set and include ProjectID in the list filter to prevent adopting
a network from the wrong project with admin-scoped credentials.
@mandre
Router: Tighten adoption filter
578eccc 
ListOSResourcesForAdoption only filtered by name. Resolve ProjectRef
when set and include ProjectID and the immutable Distributed field in
the list filter to prevent adopting a router from the wrong project or
with the wrong topology.

Collapse routerCreateActuator into routerActuator since the split is
no longer needed now that k8sClient is on the base actuator.
@mandre
ServerGroup: Tighten adoption filter
8fb26f7 
Include the immutable Policy field in the client-side adoption filter
to prevent adopting a server group with the wrong scheduling policy
(e.g. affinity vs anti-affinity).
@mandre mandre force-pushed the fix-fip-adoption branch from 31eba3d to 8fb26f7 Compare April 17, 2026 13:14
@mandre mandre changed the title floatingip: Fix adoption matching resources on wrong network Tighten adoption filters Apr 17, 2026
@mandre mandre added the backport-v2.0 This PR will be backported to v2.0 label Apr 17, 2026
@dlaw4608
Copy link
Copy Markdown
Contributor

dlaw4608 commented Apr 17, 2026

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dlaw4608 dlaw4608 dlaw4608 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport-v2.0 This PR will be backported to v2.0 semver:patch No API change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Floating IP controller might adopt the wrong resource

2 participants

@mandre @dlaw4608