feat(preflight): Add VM Image kubernetes version check (#1172)

This check ensures images that have the standard NKP naming scheme have
the image with the same kubernetes version as the cluster version.

**How has this been tested?**
create a cluster using `nkp create cluster nutanix --dry-run` and tweak
the image kubernetes version to be different from cluster kubernetes
version.
```
$ cat cluster.yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  ...
  name: nkp-sid
  namespace: default
spec:
  ...
  topology:
    ...
    variables:
    - name: clusterConfig
      value:
        ...
        controlPlane:
          nutanix:
            machineDetails:
              ...
              image:
                name: nkp-rocky-9.5-release-1.31.4-20250214003015.qcow2
                type: name
    version: v1.32.3
    workers:
      machineDeployments:
      - class: default-worker
        ...
        name: md-0
        variables:
          overrides:
          - name: workerConfig
            value:
              nutanix:
                machineDetails:
                  ...
                  image:
                    name: nkp-rocky-9.5-release-1.31.4-20250214003015.qcow2
                    type: name
```
create the cluster
```
$ k apply -f cluster.yaml -v4
The request is invalid: 
* cluster.spec.topology.variables[.name=clusterConfig].value.nutanix.controlPlane.machineDetails: kubernetes version mismatch: cluster kubernetes version '1.32.3' does not match image kubernetes version '1.31.4' (from image name 'nkp-rocky-9.5-release-1.31.4-20250214003015.qcow2')
* cluster.spec.topology.workers.machineDeployments[.name=md-0].variables[.name=workerConfig].value.nutanix.machineDetails: kubernetes version mismatch: cluster kubernetes version '1.32.3' does not match image kubernetes version '1.31.4' (from image name 'nkp-rocky-9.5-release-1.31.4-20250214003015.qcow2')
```

---------

Co-authored-by: Daniel Lipovetsky <daniel.lipovetsky@nutanix.com>

Author: thunderboltsid

pkg/webhook/preflight/nutanix/checker.go

@@ -18,10 +18,11 @@ import (
 )
 
 var Checker = &nutanixChecker{
-	configurationCheckFactory:     newConfigurationCheck,
-	credentialsCheckFactory:       newCredentialsCheck,
-	vmImageChecksFactory:          newVMImageChecks,
-	storageContainerChecksFactory: newStorageContainerChecks,
+	configurationCheckFactory:             newConfigurationCheck,
+	credentialsCheckFactory:               newCredentialsCheck,
+	vmImageChecksFactory:                  newVMImageChecks,
+	vmImageKubernetesVersionChecksFactory: newVMImageKubernetesVersionChecks,
+	storageContainerChecksFactory:         newStorageContainerChecks,
 }
 
 type nutanixChecker struct {
@@ -39,6 +40,10 @@ type nutanixChecker struct {
 		cd *checkDependencies,
 	) []preflight.Check
 
+	vmImageKubernetesVersionChecksFactory func(
+		cd *checkDependencies,
+	) []preflight.Check
+
 	storageContainerChecksFactory func(
 		cd *checkDependencies,
 	) []preflight.Check
@@ -74,6 +79,7 @@ func (n *nutanixChecker) Init(
 	}
 
 	checks = append(checks, n.vmImageChecksFactory(cd)...)
+	checks = append(checks, n.vmImageKubernetesVersionChecksFactory(cd)...)
 	checks = append(checks, n.storageContainerChecksFactory(cd)...)
 
 	// Add more checks here as needed.

pkg/webhook/preflight/nutanix/checker_test.go

@@ -33,24 +33,26 @@ func (m *mockCheck) Run(ctx context.Context) preflight.CheckResult {
 
 func TestNutanixChecker_Init(t *testing.T) {
 	tests := []struct {
-		name                       string
-		nutanixConfig              *carenv1.NutanixClusterConfigSpec
-		workerNodeConfigs          map[string]*carenv1.NutanixWorkerNodeConfigSpec
-		expectedCheckCount         int
-		expectedFirstCheckName     string
-		expectedSecondCheckName    string
-		vmImageCheckCount          int
-		storageContainerCheckCount int
+		name                               string
+		nutanixConfig                      *carenv1.NutanixClusterConfigSpec
+		workerNodeConfigs                  map[string]*carenv1.NutanixWorkerNodeConfigSpec
+		expectedCheckCount                 int
+		expectedFirstCheckName             string
+		expectedSecondCheckName            string
+		vmImageCheckCount                  int
+		vmImageKubernetesVersionCheckCount int
+		storageContainerCheckCount         int
 	}{
 		{
-			name:                       "basic initialization with no configs",
-			nutanixConfig:              nil,
-			workerNodeConfigs:          nil,
-			expectedCheckCount:         2, // config check and credentials check
-			expectedFirstCheckName:     "NutanixConfiguration",
-			expectedSecondCheckName:    "NutanixCredentials",
-			vmImageCheckCount:          0,
-			storageContainerCheckCount: 0,
+			name:                               "basic initialization with no configs",
+			nutanixConfig:                      nil,
+			workerNodeConfigs:                  nil,
+			expectedCheckCount:                 2, // config check and credentials check
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  0,
+			vmImageKubernetesVersionCheckCount: 0,
+			storageContainerCheckCount:         0,
 		},
 		{
 			name: "initialization with control plane config",
@@ -59,12 +61,13 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			workerNodeConfigs:          nil,
-			expectedCheckCount:         4, // config check, credentials check, 1 VM image check, 1 storage container check
-			expectedFirstCheckName:     "NutanixConfiguration",
-			expectedSecondCheckName:    "NutanixCredentials",
-			vmImageCheckCount:          1,
-			storageContainerCheckCount: 1,
+			workerNodeConfigs:                  nil,
+			expectedCheckCount:                 5, //nolint:lll // config check, credentials check, 1 VM image check, 1 storage container check, 1 VM image Kubernetes version check
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  1,
+			vmImageKubernetesVersionCheckCount: 1,
+			storageContainerCheckCount:         1,
 		},
 		{
 			name:          "initialization with worker node configs",
@@ -77,11 +80,12 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			expectedCheckCount:         6, // config check, credentials check, 2 VM image checks, 2 storage container checks
-			expectedFirstCheckName:     "NutanixConfiguration",
-			expectedSecondCheckName:    "NutanixCredentials",
-			vmImageCheckCount:          2,
-			storageContainerCheckCount: 2,
+			expectedCheckCount:                 8, //nolint:lll // config check, credentials check, 2 VM image checks, 2 storage container checks, 2 VM image Kubernetes version checks
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  2,
+			vmImageKubernetesVersionCheckCount: 2,
+			storageContainerCheckCount:         2,
 		},
 		{
 			name: "initialization with both control plane and worker node configs",
@@ -95,12 +99,12 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			// config check, credentials check, 2 VM image checks (1 CP + 1 worker), 2 storage container checks (1 CP + 1 worker)
-			expectedCheckCount:         6,
-			expectedFirstCheckName:     "NutanixConfiguration",
-			expectedSecondCheckName:    "NutanixCredentials",
-			vmImageCheckCount:          2,
-			storageContainerCheckCount: 2,
+			expectedCheckCount:                 8, //nolint:lll // config check, credentials check, 2 VM image checks (1 CP + 1 worker), 2 storage container checks (1 CP + 1 worker), 2 VM image Kubernetes version checks
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  2,
+			vmImageKubernetesVersionCheckCount: 2,
+			storageContainerCheckCount:         2,
 		},
 	}
 
@@ -114,6 +118,7 @@ func TestNutanixChecker_Init(t *testing.T) {
 			credsCheckCalled := false
 			vmImageCheckCount := 0
 			storageContainerCheckCount := 0
+			vmImageKubernetesVersionCheckCount := 0
 
 			checker.configurationCheckFactory = func(cd *checkDependencies) preflight.Check {
 				configCheckCalled = true
@@ -167,6 +172,22 @@ func TestNutanixChecker_Init(t *testing.T) {
 				return checks
 			}
 
+			checker.vmImageKubernetesVersionChecksFactory = func(cd *checkDependencies) []preflight.Check {
+				checks := []preflight.Check{}
+				for i := 0; i < tt.vmImageKubernetesVersionCheckCount; i++ {
+					vmImageKubernetesVersionCheckCount++
+					checks = append(checks,
+						&mockCheck{
+							name: fmt.Sprintf("NutanixVMImageKubernetesVersion-%d", i),
+							result: preflight.CheckResult{
+								Allowed: true,
+							},
+						},
+					)
+				}
+				return checks
+			}
+
 			// Call Init
 			ctx := context.Background()
 			checks := checker.Init(ctx, nil, &clusterv1.Cluster{

pkg/webhook/preflight/nutanix/image.go

@@ -115,6 +115,10 @@ func getVMImages(
 		if err != nil {
 			return nil, err
 		}
+		if resp == nil {
+			// No images were returned.
+			return []vmmv4.Image{}, nil
+		}
 		image, ok := resp.GetData().(vmmv4.Image)
 		if !ok {
 			return nil, fmt.Errorf("failed to get data returned by GetImageById")

pkg/webhook/preflight/nutanix/image_test.go

@@ -416,6 +416,20 @@ func TestGetVMImages(t *testing.T) {
 			wantErr:  true,
 			errorMsg: "image identifier is missing both name and uuid",
 		},
+		{
+			name: "no image found by uuid",
+			client: &mocknclient{
+				getImageByIdFunc: func(uuid *string) (*vmmv4.GetImageApiResponse, error) {
+					return nil, nil
+				},
+			},
+			id: &capxv1.NutanixResourceIdentifier{
+				Type: capxv1.NutanixIdentifierUUID,
+				UUID: ptr.To("test-uuid"),
+			},
+			wantErr: false,
+			want:    []vmmv4.Image{}, // No images found
+		},
 		{
 			name: "invalid data from GetImageById",
 			client: &mocknclient{

pkg/webhook/preflight/nutanix/imagekubernetesversioncheck.go

@@ -0,0 +1,143 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package nutanix
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	vmmv4 "github.com/nutanix/ntnx-api-golang-clients/vmm-go-client/v4/models/vmm/v4/content"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+type imageKubernetesVersionCheck struct {
+	machineDetails    *carenv1.NutanixMachineDetails
+	field             string
+	nclient           client
+	clusterK8sVersion string
+}
+
+func (c *imageKubernetesVersionCheck) Name() string {
+	return "NutanixVMImageKubernetesVersion"
+}
+
+func (c *imageKubernetesVersionCheck) Run(ctx context.Context) preflight.CheckResult {
+	if c.machineDetails.ImageLookup != nil {
+		return preflight.CheckResult{
+			Allowed:  true,
+			Warnings: []string{fmt.Sprintf("%s uses imageLookup, which is not yet supported by checks", c.field)},
+		}
+	}
+
+	if c.machineDetails.Image != nil {
+		images, err := getVMImages(c.nclient, c.machineDetails.Image)
+		if err != nil {
+			return preflight.CheckResult{
+				Allowed: false,
+				Error:   true,
+				Causes: []preflight.Cause{
+					{
+						Message: fmt.Sprintf("failed to get VM Image: %s", err),
+						Field:   c.field,
+					},
+				},
+			}
+		}
+
+		if len(images) == 0 {
+			return preflight.CheckResult{
+				Allowed: true,
+			}
+		}
+
+		if err := c.checkKubernetesVersion(&images[0]); err != nil {
+			return preflight.CheckResult{
+				Allowed: false,
+				Error:   false,
+				Causes: []preflight.Cause{
+					{
+						Message: err.Error(),
+						Field:   c.field,
+					},
+				},
+			}
+		}
+	}
+
+	return preflight.CheckResult{Allowed: true}
+}
+
+func (c *imageKubernetesVersionCheck) checkKubernetesVersion(image *vmmv4.Image) error {
+	imageName := ""
+	if image.Name != nil {
+		imageName = *image.Name
+	}
+
+	if imageName == "" {
+		return fmt.Errorf("VM image name is empty")
+	}
+
+	if !strings.Contains(imageName, c.clusterK8sVersion) {
+		return fmt.Errorf(
+			"cluster kubernetes version '%s' is not part of image name '%s'",
+			c.clusterK8sVersion,
+			imageName,
+		)
+	}
+
+	return nil
+}
+
+func newVMImageKubernetesVersionChecks(
+	cd *checkDependencies,
+) []preflight.Check {
+	checks := make([]preflight.Check, 0)
+
+	if cd.nclient == nil {
+		return checks
+	}
+
+	// Get cluster Kubernetes version for version matching
+	clusterK8sVersion := ""
+	if cd.cluster != nil && cd.cluster.Spec.Topology != nil && cd.cluster.Spec.Topology.Version != "" {
+		clusterK8sVersion = strings.TrimPrefix(cd.cluster.Spec.Topology.Version, "v")
+	}
+
+	// If cluster Kubernetes version is not specified, skip the check.
+	if clusterK8sVersion == "" {
+		return checks
+	}
+
+	if cd.nutanixClusterConfigSpec != nil && cd.nutanixClusterConfigSpec.ControlPlane != nil &&
+		cd.nutanixClusterConfigSpec.ControlPlane.Nutanix != nil {
+		checks = append(checks,
+			&imageKubernetesVersionCheck{
+				machineDetails: &cd.nutanixClusterConfigSpec.ControlPlane.Nutanix.MachineDetails,
+				field: "cluster.spec.topology.variables[.name=clusterConfig]" +
+					".value.nutanix.controlPlane.machineDetails.image",
+				nclient:           cd.nclient,
+				clusterK8sVersion: clusterK8sVersion,
+			},
+		)
+	}
+
+	for mdName, nutanixWorkerNodeConfigSpec := range cd.nutanixWorkerNodeConfigSpecByMachineDeploymentName {
+		if nutanixWorkerNodeConfigSpec.Nutanix != nil {
+			checks = append(checks,
+				&imageKubernetesVersionCheck{
+					machineDetails: &nutanixWorkerNodeConfigSpec.Nutanix.MachineDetails,
+					field: fmt.Sprintf("cluster.spec.topology.workers.machineDeployments[.name=%s]"+
+						".variables[.name=workerConfig].value.nutanix.machineDetails.image", mdName),
+					nclient:           cd.nclient,
+					clusterK8sVersion: clusterK8sVersion,
+				},
+			)
+		}
+	}
+
+	return checks
+}