Fix risk scenario to include node affinity

galal-hussein · galal-hussein · commit 7008144b4f8a · 2025-12-08T02:41:58.000+02:00
Signed-off-by: galal-hussein &lt;hussein.galal.ahmed.11@gmail.com&gt;
diff --git a/keps/sig-scheduling/5721-semver-operators/README.md b/keps/sig-scheduling/5721-semver-operators/README.md
@@ -208,11 +208,51 @@ spec:
 
 #### Invalid SemVer Node Label or Taint
 
-**Risk**: Node labels or taints are currently free-form strings and are not validated for SemVer compliance at registration time (e.g. a node may carry a taint like this `node.kubernetes.io/containerRuntimeVersion=containerd://2.1.4` instead of `node.kubernetes.io/containerRuntimeVersion=2.1.4`). Since taint values are not validated at node registration time, these misconfigurations are only detected during scheduling when a pod with `SemverLt`/`SemverGt`/`SemverEq` tolerations attempts to match. This can lead to pods remaining in `Pending` state without clear indication of the root cause.
+**Risk**: Node labels and taints are currently free-form strings and are not validated for SemVer compliance at registration time. This creates two problematic scenarios:
+
+1. **Invalid node-side values**: A node may carry a taint like `node.kubernetes.io/containerRuntimeVersion=containerd://2.1.4` instead of `node.kubernetes.io/containerRuntimeVersion=2.1.4`, or a label like `kernel.version=5.15.0-generic` instead of `kernel.version=5.15.0`.
+
+2. **Delayed detection**: Since node labels/taints are not validated at node registration time, misconfigurations are only detected during scheduling when a pod with `SemverLt`/`SemverGt`/`SemverEq` operators attempts to match against them.
+
+This can lead to:
+- Pods stuck in `Pending` state indefinitely
+- Unclear error messages for cluster operators
+- Silent scheduling failures for `preferredDuringSchedulingIgnoredDuringExecution` affinity (pod schedules but ignores the preference)
 
 **Mitigation**:
 
-- Pod validation: Current validation strictly enforces that only `Equal` and `Exists` operators are allowed. Users with version taint values today must explicitly change the operator to `SemverLt` or `SemverGt`, at which point pod-side validation will catch non-version toleration values and reject the pod spec before scheduling.
+**1. Pod-Side Validation (Admission Time)**
+
+- **Tolerations**: API server validation strictly requires that toleration values using `SemverLt`, `SemverGt`, or `SemverEq` operators must be valid SemVer strings. Invalid values are rejected during pod admission:
+  ```
+  spec.tolerations[0].value: Invalid value: "containerd://2.1.4":
+  Invalid character(s) found in major number "containerd:"
+  ```
+
+- **Node Affinity**: API server validation strictly requires that node affinity requirement values using `SemverLt`, `SemverGt`, or `SemverEq` operators must be valid SemVer strings. Invalid values are rejected during pod admission:
+  ```
+  spec.affinity.nodeAffinity...matchExpressions[0].values[0]: Invalid value: "v1.2.x":
+  Invalid character(s) found in patch number "x"
+  ```
+
+This ensures that users cannot create pods with invalid SemVer values on the pod side.
+
+**2. Node-Side Handling (Scheduling Time)**
+
+When a pod with valid SemVer operators encounters a node with invalid taint/label values:
+
+- **Tolerations**: If a node taint value cannot be parsed as SemVer, the `compareSemVerValues` function returns `false`, meaning the toleration does not match:
+  - For `NoSchedule`/`NoExecute` taints: Pod cannot schedule on that node
+  - For `PreferNoSchedule` taints: Node receives lower score
+  - Scheduler event: `0/N nodes are available: X node(s) had untolerated taint {key: invalid-value}`
+  - Scheduler logs (Error level): `"failed to parse taint value as semantic version" taint="invalid-value"`
+
+- **Node Affinity**: If a node label value cannot be parsed as SemVer, the affinity matching returns `false`:
+  - For `requiredDuringSchedulingIgnoredDuringExecution`: Pod cannot schedule on that node
+  - For `preferredDuringSchedulingIgnoredDuringExecution`: Node receives 0 score contribution for that term (pod can still schedule)
+  - Scheduler logs (V(10) level): `"Parse semver failed for value X in label Y"`
+
+The behavior is **fail-safe**: Invalid values cause matching to fail, preventing pods from scheduling on potentially incompatible nodes.
 
 #### Controller Hot-Loop When Feature Gate is Disabled
 
@@ -447,6 +487,7 @@ func compareSemVerValues(logger klog.Logger, tolerationVal, taintVal string, op
 	taintVersion, err := semver.ParseTolerant(taintVal)
 	if err != nil {
 		logger.Error(err, "failed to parse taint value as semantic version", "taint", taintVal)
+		return false
 	}
 
 	switch op {
