Validation Rules
Purpose: Gives platform engineers all schema constraints, business rules, and provider-specific checks.
Validation Layers
opencenter cluster validate runs three layers of checks in order:
- Schema validation — JSON Schema constraints
- Business rules — cross-field logic and dependency checks
- Provider-specific rules — cloud provider requirements
Validation stops at the first layer that produces errors.
Schema Rules
These are enforced by the JSON Schema (schema_version: "2.0"):
| Rule | Constraint |
|---|---|
| schema_version | Must be "2.0" |
| opencenter.meta.cluster_name | Required, lowercase alphanumeric + hyphens |
| opencenter.meta.organization | Required, non-empty string |
| opencenter.infrastructure.provider | Required, one of: openstack, vmware, aws, kind, baremetal |
| opencenter.cluster.kubernetes_version | Required, semver format (vX.Y.Z) |
| Node counts | Integer, minimum 1 |
| CIDR fields | Valid CIDR notation |
v1 configurations are rejected with a message directing users to migrate.
Business Rules
Cross-field validations that the schema alone cannot express:
| Rule | Description |
|---|---|
| Control plane count must be odd | Required for etcd quorum (1, 3, 5) |
| Pod CIDR must not overlap service CIDR | Prevents routing conflicts |
| Service versions must exist in base | Enabled services must have a matching base definition |
| SOPS key must exist if secrets backend is sops | Key file path must resolve to an existing file |
| SSH key must exist for setup/bootstrap | Required for Git authentication |
| Cluster name uniqueness per org | No two clusters with the same name in one org |
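The layering and two of the business rules above, as an added Python sketch that is not opencenter's own code. The flat key names, the regexes and every rule id except `odd-control-plane` are assumptions of this example, and the provider layer is left out.

```python
import ipaddress
import re

# Flat key names, regexes and every rule id except "odd-control-plane" are
# assumptions of this example; the project's schema is not shown on the page.
NAME_RE = re.compile(r"[a-z0-9-]+")
VERSION_RE = re.compile(r"v\d+\.\d+\.\d+")
# Constructed sample: schema-valid, but fails both business rules checked here.
SAMPLE = {"schema_version": "2.0", "cluster_name": "edge-01", "kubernetes_version": "v1.30.2",
          "control_plane_count": 2, "pod_cidr": "10.42.0.0/16", "service_cidr": "10.42.128.0/20"}

def _err(layer, rule, message):
    return {"layer": layer, "rule": rule, "message": message}

def schema_layer(cfg):
    errors = []
    if cfg.get("schema_version") != "2.0":
        errors.append(_err("schema", "schema-version", 'schema_version must be "2.0"'))
    if not NAME_RE.fullmatch(str(cfg.get("cluster_name", ""))):
        errors.append(_err("schema", "cluster-name", "cluster_name: lowercase alphanumeric + hyphens"))
    if not VERSION_RE.fullmatch(str(cfg.get("kubernetes_version", ""))):
        errors.append(_err("schema", "kubernetes-version", "kubernetes_version must be vX.Y.Z"))
    count = cfg.get("control_plane_count")
    if type(count) is not int or count < 1:
        errors.append(_err("schema", "node-count", "control_plane_count: integer, minimum 1"))
    for key in ("pod_cidr", "service_cidr"):
        try:
            ipaddress.ip_network(cfg.get(key, ""), strict=False)
        except ValueError:
            errors.append(_err("schema", "cidr-format", f"{key} is not valid CIDR notation"))
    return errors

def business_layer(cfg):
    errors = []
    count = cfg["control_plane_count"]
    if count % 2 == 0:
        errors.append(_err("business", "odd-control-plane",
                           f"Control plane count ({count}) must be odd"))
    pod = ipaddress.ip_network(cfg["pod_cidr"], strict=False)
    svc = ipaddress.ip_network(cfg["service_cidr"], strict=False)
    if pod.overlaps(svc):  # also catches one range nested inside the other
        errors.append(_err("business", "pod-service-cidr-overlap",
                           f"Pod CIDR {pod} overlaps service CIDR {svc}"))
    return errors

def validate(cfg):
    # Layers run in order; the first layer that reports errors ends the run.
    errors = schema_layer(cfg) or business_layer(cfg)
    return {"valid": not errors, "errors": errors, "warnings": []}
```

`validate(SAMPLE)` returns an object in the same `valid` / `errors` / `warnings` shape as the `--json` output documented under Output Formats.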
Provider-Specific Rules
OpenStack
| Rule | Check |
|---|---|
| Auth URL reachable | --check-connectivity flag |
| Flavor exists | --check-provider flag |
| Network/subnet exists | --check-provider flag |
| Floating IP pool available | --check-provider flag |
| Security groups configurable | --check-provider flag |
VMware
| Rule | Check |
|---|---|
| vCenter reachable | --check-connectivity flag |
| Datacenter exists | --check-provider flag |
| Datastore has sufficient capacity | --check-provider flag |
| Configured VM inventory is coherent | --check-provider flag |
Baremetal
| Rule | Check |
|---|---|
| Bastion reachable | --check-connectivity flag |
| Static node inventory valid | --check-provider flag |
| Control-plane and worker counts match | --check-provider flag |
AWS
AWS provider support is planned for a future release and is not available in the documented GA provider set. The validation rules below are draft specifications for the planned implementation. Documented GA providers are: OpenStack, VMware, Baremetal, and Kind.
| Rule | Check |
|---|---|
| Credentials valid | --check-connectivity flag |
| VPC/subnet exists | --check-provider flag |
| Instance type available in region | --check-provider flag |
GCP
GCP provider support is planned for a future release and is not available in the documented GA provider set. Documented GA providers are: OpenStack, VMware, Baremetal, and Kind.
No validation rules defined yet. GCP-specific rules will be added when the provider is implemented.
Azure
Azure provider support is planned for a future release and is not available in the documented GA provider set. Documented GA providers are: OpenStack, VMware, Baremetal, and Kind.
No validation rules defined yet. Azure-specific rules will be added when the provider is implemented.
Kind
| Rule | Check |
|---|---|
| Docker daemon running | Always checked |
| Sufficient local resources | Warning only |
Output Formats
Text output (default) groups results by validation layer:
Schema Validation: PASS (12 checks)
Business Rules: FAIL (1 error, 2 warnings)
  ✗ Control plane count (2) must be odd for etcd quorum
  ⚠ Pod CIDR overlaps with default Docker bridge network
  ⚠ SSH key expires in 12 days — consider rotating
JSON output (--json) returns a structured object for CI/CD:
{
  "valid": false,
  "errors": [
    {"layer": "business", "rule": "odd-control-plane", "message": "Control plane count (2) must be odd"}
  ],
  "warnings": [
    {"layer": "business", "rule": "cidr-overlap", "message": "Pod CIDR overlaps with Docker bridge"}
  ]
}
Running Validation
# Basic validation
opencenter cluster validate my-cluster
# Full validation with provider checks
opencenter cluster validate my-cluster --check-connectivity --check-provider
# CI/CD pipeline
opencenter cluster validate my-cluster --json