Skip to content

fix:Add preflight guard against cluster identity changes on existing …#13242

Open
isumitsolanki wants to merge 1 commit into
kubernetes-sigs:masterfrom
isumitsolanki:issue_13233
Open

fix:Add preflight guard against cluster identity changes on existing …#13242
isumitsolanki wants to merge 1 commit into
kubernetes-sigs:masterfrom
isumitsolanki:issue_13233

Conversation

@isumitsolanki
Copy link
Copy Markdown
Contributor

@isumitsolanki isumitsolanki commented May 8, 2026

What type of PR is this?

/kind bug

What this PR does / why we need it:

Adds a preflight validation in kubernetes/preinstall to prevent unsafe changes to cluster identity on existing clusters.

When Kubespray is re-run against an existing cluster, it now reads the current kubeadm config ({{ kube_config_dir }}/kubeadm-config.yaml) and compares:

  • cluster_name (kubeadm clusterName)
  • dns_domain (kubeadm networking.dnsDomain)

If either value differs from inventory, the playbook fails fast with a clear error. This avoids partial reconfiguration that can break certificates, service-account token issuer expectations, DNS, and CNI behavior.

Which issue(s) this PR fixes:

Fixes #13233

Special notes for your reviewer:

  • The check is scoped to existing clusters only (when kubeadm config file exists).
  • It runs once on the first control-plane host.
  • It respects ignore_assert_errors, consistent with other preinstall assertions.
  • Fresh installs are not affected.

Does this PR introduce a user-facing change?:

Kubespray now fails early if `cluster_name` or `dns_domain` is changed for an existing cluster. Changing these values in-place is unsupported and can cause cluster-wide disruption; users should keep the original values or redeploy a new cluster.

@isumitsolanki
fix:Add preflight guard against cluster identity changes on existing …
4f06ad5 
…clusters

Signed-off-by: Sumit Solanki <sumit.solanki@ibm.com>
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 8, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels May 8, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: isumitsolanki
Once this PR has been reviewed and has the lgtm label, please assign yankay for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from guoard and tico88612 May 8, 2026 08:57
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 8, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 8, 2026

Hi @isumitsolanki. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@yankay
Copy link
Copy Markdown
Member

yankay commented May 10, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@guoard guoard Awaiting requested review from guoard

@tico88612 tico88612 Awaiting requested review from tico88612

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. kind/bug Categorizes issue or PR as related to a bug. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Changing cluster_name via Kubespray causes cluster-wide disruption without validation or graceful failure

3 participants

@isumitsolanki @k8s-ci-robot @yankay