openshift · openshift-merge-bot · Jan 16, 2026 · Jan 14, 2026 · Jan 14, 2026
diff --git a/...econfigurations.operator.openshift.io/BootImageSkewEnforcement+ManagedBootImagesCPMS.yaml b/...econfigurations.operator.openshift.io/BootImageSkewEnforcement+ManagedBootImagesCPMS.yaml
@@ -0,0 +1,223 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "MachineConfiguration"
+crdName: machineconfigurations.operator.openshift.io
+featureGates:
+- BootImageSkewEnforcement
+- ManagedBootImagesCPMS
+tests:
+  onUpdate:
+    - name: Should permit an "All" CPMS boot image configuration when bootImageSkewEnforcementStatus.mode is Automatic
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: {}
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: 
+          managedBootImages:
+            machineManagers:
+              - resource: controlplanemachinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec:
+          logLevel: Normal
+          operatorLogLevel: Normal  
+          managedBootImages:
+            machineManagers:
+              - resource: controlplanemachinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+    - name: Should permit a None CPMS boot image configuration when bootImageSkewEnforcementStatus.mode is Automatic
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: {}
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: 
+          managedBootImages:
+            machineManagers:
+              - resource: controlplanemachinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec:
+          logLevel: Normal
+          operatorLogLevel: Normal  
+          managedBootImages:
+            machineManagers:
+              - resource: controlplanemachinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"      
+    - name: Should not permit a None MachineSet and All CPMS boot image configuration when bootImageSkewEnforcementStatus.mode is Automatic
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: {}
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: 
+          managedBootImages:
+            machineManagers:
+              - resource: controlplanemachinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None                  
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      expectedError: "when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'"
+    - name: Should not permit a None MachineSet and None CPMS boot image configuration when bootImageSkewEnforcementStatus.mode is Automatic
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: {}
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: 
+          managedBootImages:
+            machineManagers:
+              - resource: controlplanemachinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None                  
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      expectedError: "when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'"      
+
diff --git a/operator/v1/tests/machineconfigurations.operator.openshift.io/BootImageSkewEnforcement.yaml b/operator/v1/tests/machineconfigurations.operator.openshift.io/BootImageSkewEnforcement.yaml
@@ -336,7 +336,7 @@ tests:
             automatic:
               ocpVersion: "4.18.2"
               rhcosVersion: "416.94.202411201433-0"
-      expectedError: "when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+      expectedError: "when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'"
     - name: Should not be able to set boot image configuration to an empty list if bootImageSkewEnforcementStatus.mode is set to Automatic
       initial: |
         apiVersion: operator.openshift.io/v1
@@ -373,7 +373,7 @@ tests:
             automatic:
               ocpVersion: "4.18.2"
               rhcosVersion: "416.94.202411201433-0"
-      expectedError: "when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+      expectedError: "when skew enforcement is in Automatic mode, managedBootImages.machineManagers must not be an empty list"
     - name: Should require boot image configuration status to be set to All when bootImageSkewEnforcementStatus.mode is Automatic
       initial: |
         apiVersion: operator.openshift.io/v1

diff --git a/operator/v1/types_machineconfiguration.go b/operator/v1/types_machineconfiguration.go
@@ -18,7 +18,8 @@ import (
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 // +openshift:compatibility-gen:level=1
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true",message="when skew enforcement is in Automatic mode, a boot image configuration is required"
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') : true",message="when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) > 0 : true",message="when skew enforcement is in Automatic mode, managedBootImages.machineManagers must not be an empty list"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') || self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io' && m.selection.mode == 'All') : true",message="when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'"
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io'): true",message="when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets"
 type MachineConfiguration struct {
 	metav1.TypeMeta `json:",inline"`

diff --git a/...ed.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml b/...ed.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml
@@ -1524,12 +1524,19 @@ spec:
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
             ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
             : true'
-        - message: when skew enforcement is in Automatic mode, managedBootImages must
-            contain a MachineManager opting in all MachineAPI MachineSets
+        - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers
+            must not be an empty list
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
-            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
-            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
-            == ''machine.openshift.io'') : true'
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers)
+            > 0 : true'
+        - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet
+            MachineManager must use selection mode 'All'
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m,
+            m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'')
+            || self.spec.managedBootImages.machineManagers.exists(m, m.resource ==
+            ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode
+            == ''All'') : true'
         - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
             must contain a MachineManager opting in all MachineAPI MachineSets
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''

diff --git a/...rd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml b/...rd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml
@@ -1524,12 +1524,19 @@ spec:
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
             ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
             : true'
-        - message: when skew enforcement is in Automatic mode, managedBootImages must
-            contain a MachineManager opting in all MachineAPI MachineSets
+        - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers
+            must not be an empty list
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
-            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
-            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
-            == ''machine.openshift.io'') : true'
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers)
+            > 0 : true'
+        - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet
+            MachineManager must use selection mode 'All'
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m,
+            m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'')
+            || self.spec.managedBootImages.machineManagers.exists(m, m.resource ==
+            ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode
+            == ''All'') : true'
         - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
             must contain a MachineManager opting in all MachineAPI MachineSets
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''

diff --git a/...d-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml b/...d-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml
@@ -1524,12 +1524,19 @@ spec:
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
             ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
             : true'
-        - message: when skew enforcement is in Automatic mode, managedBootImages must
-            contain a MachineManager opting in all MachineAPI MachineSets
+        - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers
+            must not be an empty list
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
-            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
-            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
-            == ''machine.openshift.io'') : true'
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers)
+            > 0 : true'
+        - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet
+            MachineManager must use selection mode 'All'
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m,
+            m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'')
+            || self.spec.managedBootImages.machineManagers.exists(m, m.resource ==
+            ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode
+            == ''All'') : true'
         - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
             must contain a MachineManager opting in all MachineAPI MachineSets
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''

diff --git a/...d-crd-manifests/machineconfigurations.operator.openshift.io/BootImageSkewEnforcement.yaml b/...d-crd-manifests/machineconfigurations.operator.openshift.io/BootImageSkewEnforcement.yaml
@@ -1222,12 +1222,19 @@ spec:
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
             ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
             : true'
-        - message: when skew enforcement is in Automatic mode, managedBootImages must
-            contain a MachineManager opting in all MachineAPI MachineSets
+        - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers
+            must not be an empty list
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
-            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
-            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
-            == ''machine.openshift.io'') : true'
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers)
+            > 0 : true'
+        - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet
+            MachineManager must use selection mode 'All'
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m,
+            m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'')
+            || self.spec.managedBootImages.machineManagers.exists(m, m.resource ==
+            ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode
+            == ''All'') : true'
         - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
             must contain a MachineManager opting in all MachineAPI MachineSets
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''