
Block runc on RHEL 10 via OSImageURL stream class inspection#6238

Draft
bitoku wants to merge 1 commit into
openshift:mainfrom
bitoku:atokubi/runc-block-osimageurl

Conversation

@bitoku bitoku commented Jun 26, 2026

Contributor

Assisted-by: Claude Code https://claude.com/claude-code

- What I did

When OSImageStream is not available, detect RHEL 10 by inspecting the container image's io.openshift.os.streamclass label from the OSImageURL. This complements the OSImageStream-based check (commit 50a5088) by covering the OSImageURL path.

- How to verify it

manual test and e2e test

- Description for the changelog

Added a block mechanism when OSImageURL is RHEL 10 based and runc is used.

Summary by CodeRabbit

  • New Features

    • Expanded image-related validation during rendering and bootstrap to detect unsupported runtime configurations on newer OS images.
    • Added support for inspecting OS image stream class information using registry mirrors and pull secrets.
  • Bug Fixes

    • Improved handling when image stream data is unavailable by continuing with a safe fallback.
    • Added caching so previously inspected image stream information can be reused when the image URL matches.

When OSImageStream is not available, detect RHEL 10 by inspecting the
container image's io.openshift.os.streamclass label from the OSImageURL.
This complements the OSImageStream-based check (commit 50a5088) by
covering the OSImageURL path.

The implementation:
- Adds an osImageStreamClassInspector interface for testability
- Fetches the pull secret and inspects the OS container image to
  extract the stream class label
- Caches the result as annotations on the rendered MachineConfig
  to avoid repeated registry calls
- Fails open on image inspection errors (logs warning, does not
  block rendering)
- Blocks rendering with an actionable error when runc is the
  effective default runtime on a RHEL 10 or CentOS 10 pool

Assisted-by: Claude Code <https://claude.com/claude-code>
@openshift-merge-bot

Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 26, 2026
@coderabbitai

coderabbitai Bot commented Jun 26, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3a1126f2-978c-49b0-bb1f-9d6d90f7474e

📥 Commits

Reviewing files that changed from the base of the PR and between c3ce5f2 and 2338c29.

📒 Files selected for processing (7)
  • cmd/machine-config-controller/start.go
  • pkg/controller/bootstrap/bootstrap.go
  • pkg/controller/common/constants.go
  • pkg/controller/render/render_controller.go
  • pkg/controller/render/render_controller_test.go
  • pkg/osimagestream/inspector.go
  • test/e2e-bootstrap/bootstrap_test.go

Walkthrough

The PR adds mirror-aware OS image stream-class inspection, threads the resulting class into bootstrap and render validation, and updates controller wiring and tests to pass the new image and mirror informers.

Changes

Stream-class validation flow

Layer: Inspection helpers
File(s): pkg/controller/common/constants.go, pkg/osimagestream/inspector.go
Summary: New annotation keys are added, and stream-class inspection helpers resolve an image's class from mirrored registry configuration and image labels.

Layer: Controller wiring
File(s): pkg/controller/render/render_controller.go, cmd/machine-config-controller/start.go, test/e2e-bootstrap/bootstrap_test.go, pkg/controller/render/render_controller_test.go
Summary: render.New(...) accepts image and mirror informers, builds the default stream-class inspector, waits on the new caches, and the command, test fixture, and e2e bootstrap setup pass the extra informer sources.

Layer: Bootstrap plumbing
File(s): pkg/controller/bootstrap/bootstrap.go, pkg/controller/render/render_controller.go
Summary: Bootstrap.Run computes baseStreamClass when needed, getBaseStreamClass performs the timed inspection, and render.RunBootstrap receives the new argument.

Layer: Bootstrap runc guard
File(s): pkg/controller/render/render_controller.go, pkg/controller/render/render_controller_test.go
Summary: RunBootstrap uses the shared runc-block helper to reject generated MachineConfigs when the base stream class is RHEL10.

Layer: Reconciliation validation
File(s): pkg/controller/render/render_controller.go, pkg/controller/render/render_controller_test.go
Summary: syncGeneratedMachineConfig validates from OSImageURL when no image stream set exists, cached annotations track the inspected URL and class, and tests cover cache hits, misses, and validation outcomes.

Sequence Diagram(s)

sequenceDiagram
  participant BootstrapRun as "Bootstrap.Run"
  participant GetBaseStreamClass as "Bootstrap.getBaseStreamClass"
  participant InspectMirrors as "osimagestream.InspectStreamClassWithMirrors"
  participant RenderRunBootstrap as "render.RunBootstrap"
  participant CheckRuncBlockedOnStream as "checkRuncBlockedOnStream"

  BootstrapRun->>GetBaseStreamClass: resolve baseStreamClass
  GetBaseStreamClass->>InspectMirrors: inspect base OS container image
  BootstrapRun->>RenderRunBootstrap: pass baseStreamClass
  RenderRunBootstrap->>CheckRuncBlockedOnStream: reject runc on RHEL10

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • openshift/machine-config-operator#5891: Adds the earlier RHEL10 runc guard in pkg/controller/render/render_controller.go that this change extends with stream-class inspection and bootstrap plumbing.

Suggested labels

jira/valid-bug, jira/valid-reference

Suggested reviewers

  • asahay19
  • pablintino
  • djoshy

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error FAIL: new render logs print osImageURL/imageURL directly, and inspector errors embed the full image reference; bootstrap logs wrapped inspect errors too. Log only sanitized image IDs (e.g. digest or registry-less name) and strip URLs from wrapped errors before warning/Info logs; keep full refs out of logs.
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (13 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: blocking runc on RHEL 10 using OSImageURL stream class inspection.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All added test titles are static, descriptive strings; no dynamic data, generated IDs, dates, or other unstable values appear in titles.
Test Structure And Quality ✅ Passed No Ginkgo-style structural issues found; the new tests are table-driven, waits use a bounded helper timeout, and setup/teardown follows existing repo patterns.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the e2e file only changes controller wiring, and the added coverage is standard Go unit tests.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the changed bootstrap test uses plain testing/T loops and OpenShift APIs only, with no multi-node/HA assumptions.
Topology-Aware Scheduling Compatibility ✅ Passed Touched files only add image-inspection/validation wiring; no affinity, topology spread, nodeSelector, tolerations, or replica changes were introduced.
Ote Binary Stdout Contract ✅ Passed No new stdout writes were added in init/main/TestMain/suite setup; start cmd sets logtostderr before klog use, and changed files contain no fmt.Print/Stdout calls.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the changed tests use plain testing and only wire informers/static strings, with no IPv4-only or external-network calls.
No-Weak-Crypto ✅ Passed The changed files only add OS image inspection and annotation logic; no weak crypto APIs, custom crypto, or secret/token comparisons were introduced.
Container-Privileges ✅ Passed No changed manifest or pod spec adds privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation/root settings; grep over all changed files found none.
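As an added illustration, not code from this PR or from the machine-config-operator, the following Go program sketches the two points raised above: the render-time gate the commit message describes (resolve the io.openshift.os.streamclass label through an inspector interface, cache the result in annotations keyed by the inspected URL, fail open with a warning when inspection fails, reject runc when the class is RHEL 10 or CentOS 10) and the No-Sensitive-Data-In-Logs finding, by reducing every image reference to a registry-less name plus digest before it reaches a warning or error string. The annotation keys, the fake registry, the accepted label spellings (rhel10, centos10, centosstream10) and the remediation wording are assumptions for this example; the PR's own constants and label values are not shown on the page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Label the PR reads from the OS container image (named on the page).
const streamClassLabel = "io.openshift.os.streamclass"

// Annotation keys are assumptions; the PR adds its own in
// pkg/controller/common/constants.go, which the page does not show.
const (
	annoInspectedURL   = "example.invalid/inspected-os-image-url"
	annoInspectedClass = "example.invalid/inspected-os-stream-class"
)

var errRuncBlocked = errors.New("runc is not supported on RHEL 10 based OS images")

// labelInspector abstracts the registry round-trip so tests can fake it,
// in the spirit of the PR's inspector interface.
type labelInspector interface {
	Labels(imageURL string) (map[string]string, error)
}

// fakeRegistry is constructed data standing in for a real registry lookup.
type fakeRegistry map[string]map[string]string

func (f fakeRegistry) Labels(imageURL string) (map[string]string, error) {
	labels, ok := f[imageURL]
	if !ok {
		// Errors carry only the sanitized reference, never the full pull URL.
		return nil, fmt.Errorf("inspect %s: manifest not found", loggableRef(imageURL))
	}
	return labels, nil
}

// loggableRef strips the registry host and tag from an image reference and
// keeps the repository path plus digest, so log lines never carry a full URL.
func loggableRef(imageURL string) string {
	name, digest := imageURL, ""
	if i := strings.Index(imageURL, "@"); i >= 0 {
		name, digest = imageURL[:i], imageURL[i:]
	}
	// The first path segment is a registry host if it has "." or ":" or is localhost.
	if i := strings.Index(name, "/"); i >= 0 {
		if host := name[:i]; strings.ContainsAny(host, ".:") || host == "localhost" {
			name = name[i+1:]
		}
	}
	// A ":" after the last "/" separates the repository from its tag.
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		name = name[:i]
	}
	return name + digest
}

// isRHEL10Class reports whether a stream-class value marks a RHEL 10 or
// CentOS 10 image. The accepted spellings are an assumption for this example.
func isRHEL10Class(class string) bool {
	c := strings.NewReplacer("-", "", "_", "", " ", "").Replace(strings.ToLower(class))
	return c == "rhel10" || c == "centos10" || c == "centosstream10"
}

// resolveStreamClass returns the stream class for imageURL, reusing the cached
// value when the annotations were recorded for the same URL. Inspection
// failures fail open: class is "" and a warning (not an error) is returned so
// rendering proceeds, as the commit message describes. Failures are not cached.
func resolveStreamClass(insp labelInspector, imageURL string, annotations map[string]string) (class string, cached bool, warn string) {
	if annotations != nil && annotations[annoInspectedURL] == imageURL {
		return annotations[annoInspectedClass], true, ""
	}
	labels, err := insp.Labels(imageURL)
	if err != nil {
		return "", false, fmt.Sprintf("could not inspect %s, skipping RHEL 10 runc check: %v", loggableRef(imageURL), err)
	}
	class = labels[streamClassLabel]
	if annotations != nil {
		annotations[annoInspectedURL] = imageURL
		annotations[annoInspectedClass] = class
	}
	return class, false, ""
}

// checkRuncBlocked is the gate applied at render and bootstrap time: reject when
// runc is the effective default runtime on a RHEL 10 / CentOS 10 stream class.
func checkRuncBlocked(class, defaultRuntime string) error {
	if defaultRuntime == "runc" && isRHEL10Class(class) {
		return fmt.Errorf("%w (stream class %q): configure a supported default container runtime for this pool", errRuncBlocked, class)
	}
	return nil
}

func main() {
	reg := fakeRegistry{
		"registry.example.com:5000/ocp/rhel-coreos@sha256:0123abcd": {streamClassLabel: "rhel10"},
		"quay.io/ocp/rhel-coreos:4.21":                              {streamClassLabel: "rhel9"},
	}
	anns := map[string]string{}
	for _, url := range []string{
		"registry.example.com:5000/ocp/rhel-coreos@sha256:0123abcd",
		"registry.example.com:5000/ocp/rhel-coreos@sha256:0123abcd", // cache hit
		"quay.io/ocp/rhel-coreos:4.21",
		"quay.io/ocp/missing:1", // fails open
	} {
		class, cached, warn := resolveStreamClass(reg, url, anns)
		if warn != "" {
			fmt.Println("warning:", warn)
		}
		fmt.Printf("%s class=%q cached=%t blocked=%v\n", loggableRef(url), class, cached, checkRuncBlocked(class, "runc"))
	}
}
```

Two caveats a reviewer would weigh against this shape: caching by OSImageURL is only sound when the URL is digest-pinned, because a moving tag can change the image's stream class without changing the cache key; and failing open means a registry outage, a missing pull secret or a misconfigured mirror silently disables the guard, so the warning needs to land where operators will see it.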

@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bitoku
Once this PR has been reviewed and has the lgtm label, please assign djoshy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

1 participant