Azure · machi1990 · Apr 24, 2026 · JameelB · Jun 9, 2026 · JameelB
diff --git a/frontend/pkg/frontend/node_pool.go b/frontend/pkg/frontend/node_pool.go
@@ -227,19 +227,18 @@ func decodeDesiredNodePoolCreate(ctx context.Context, azureLocation string) (*ap
 // The spCluster and spNodePool parameters provide service provider state needed for
 // admission checks that depend on runtime state (e.g., version upgrade validation).
 // For UPDATE operations, these parameters are required and the function will fail if they're nil.
-// For CREATE operations, these can be nil since no prior state exists.
+// For CREATE operations, spNodePool should be nil (no prior state exists), and spCluster is to be provided
 func (f *Frontend) newNodePoolAdmissionContext(ctx context.Context, op operation.Operation, cluster *api.HCPOpenShiftCluster, spCluster *api.ServiceProviderCluster, spNodePool *api.ServiceProviderNodePool) (*admission.NodePoolAdmissionContext, error) {
 	if cluster == nil {
 		return nil, fmt.Errorf("cluster is required for admission context")
 	}
 
-	if op.Type == operation.Update {
-		if spCluster == nil {
-			return nil, fmt.Errorf("serviceProviderCluster is required for UPDATE operations")
-		}
-		if spNodePool == nil {
-			return nil, fmt.Errorf("serviceProviderNodePool is required for UPDATE operations")
-		}
+	if spCluster == nil && op.Type == operation.Update {
+		return nil, fmt.Errorf("serviceProviderCluster is required for %v operations", op.Type)
+	}
+
+	if spNodePool == nil && op.Type == operation.Update {
+		return nil, fmt.Errorf("serviceProviderNodePool is required for %v operations", op.Type)
 	}
 
 	return &admission.NodePoolAdmissionContext{
@@ -286,11 +285,16 @@ func (f *Frontend) createNodePool(writer http.ResponseWriter, request *http.Requ
 		return utils.TrackError(fmt.Errorf("cluster %s has no ClusterServiceID", cluster.ID))
 	}
 
+	serviceProviderCluster, err := database.GetOrCreateServiceProviderCluster(ctx, f.resourcesDBClient, resourceID.Parent)
+	if err != nil {
+		return utils.TrackError(err)
+	}
+
 	restOperation := operation.Operation{
 		Type:    operation.Create,
 		Options: validation.AFECsToValidationOptions(subscription.GetRegisteredFeatures()),
 	}
-	admissionContext, err := f.newNodePoolAdmissionContext(ctx, restOperation, cluster, nil, nil)
+	admissionContext, err := f.newNodePoolAdmissionContext(ctx, restOperation, cluster, serviceProviderCluster, nil)
 	if err != nil {
 		return utils.TrackError(err)
 	}

diff --git a/internal/admission/admit_nodepool.go b/internal/admission/admit_nodepool.go
@@ -32,7 +32,8 @@ import (
 
 // NodePoolAdmissionContext carries dependencies that node pool mutation/admission needs
 // beyond the node pool object itself. It includes the parent cluster and optionally
-// the service provider cluster and nodepool (for update-specific validations like version upgrades).
+// the service provider cluster (for version skew validation) and
+// service provider nodepool (for update-specific validations like version upgrades).
 type NodePoolAdmissionContext struct {
 	Cluster                 *api.HCPOpenShiftCluster
 	ServiceProviderNodePool *api.ServiceProviderNodePool
@@ -94,7 +95,8 @@ func AdmitNodePoolOnDelete(ctx context.Context, admissionContext *NodePoolDelete
 }
 
 // AdmitNodePool performs non-static checks of nodepool. Checks that require more information than is contained inside of
-// the nodepool instance itself. For update operations with version changes, include ServiceProviderNodePool and
+// the nodepool instance itself. For create operations, include ServiceProviderCluster in the admissionContext to enable
+// version skew validation. For update operations with version changes, include both ServiceProviderNodePool and
 // ServiceProviderCluster in the admissionContext to enable version upgrade validation.
 func AdmitNodePool(ctx context.Context, admissionContext *NodePoolAdmissionContext, op operation.Operation, newNodePool, oldNodePool *api.HCPOpenShiftClusterNodePool) field.ErrorList {
 	errs := field.ErrorList{}
@@ -128,9 +130,11 @@ func admitNodePoolVersion(ctx context.Context, admissionContext *NodePoolAdmissi
 		))
 	}
 
-	// Perform update-specific version upgrade validation
-	if op.Type == operation.Update {
-		errs = append(errs, validateNodePoolVersionChange(ctx, admissionContext, op, fldPath.Child("id"), newObj, oldObj)...)
+	switch op.Type {
+	case operation.Create:
+		errs = append(errs, validateNodePoolVersionOnCreate(ctx, admissionContext, op, fldPath.Child("id"), newObj)...)
+	case operation.Update:
+		errs = append(errs, validateNodePoolVersionOnUpdate(ctx, admissionContext, op, fldPath.Child("id"), newObj, oldObj)...)
 	}
 
 	return errs
@@ -166,13 +170,38 @@ func admitNodePoolPlatform(ctx context.Context, admissionContext *NodePoolAdmiss
 	return errs
 }
 
-// validateNodePoolVersionChange validates that a node pool version change is valid.
+// validateNodePoolVersionOnCreate validates the requested node pool version at CREATE time.
+// At CREATE time, only basic validations apply (format, minimum version).
+func validateNodePoolVersionOnCreate(ctx context.Context, admissionContext *NodePoolAdmissionContext, op operation.Operation, fldPath *field.Path, newObj *api.NodePoolVersionProfile) field.ErrorList {
+	if len(newObj.ID) == 0 {
+		return nil
+	}
+
+	errs := field.ErrorList{}
+	newVersion, err := semver.Parse(newObj.ID)
+	if err != nil {
+		errs = append(errs, field.Invalid(fldPath, newObj.ID, fmt.Sprintf("invalid node pool version format: %s", err.Error())))
+		return errs
+	}
+	spCluster := admissionContext.ServiceProviderCluster
+
+	lowestCPVersion, highestCPVersion := apihelpers.FindLowestAndHighestClusterVersion(spCluster.Status.ControlPlaneVersion.ActiveVersions)
+
+	err = validation.ValidateNodePoolVersionSkew(newVersion, lowestCPVersion, highestCPVersion, op.HasOption(api.FeatureExperimentalReleaseFeatures))
+	if err != nil {
+		errs = append(errs, field.Invalid(fldPath, newObj.ID, err.Error()))
+	}
+
+	return errs
+}
+
+// validateNodePoolVersionOnUpdate validates that a node pool version change is valid.
 // It checks:
 //   - Upgrade: at most +2 minor versions from current, and cannot exceed lowest control plane version
 //   - Downgrade: at most -2 minor versions from the highest control plane version
 //   - Cross-major changes (either direction) require AFEC FeatureExperimentalReleaseFeatures
 //   - NP version must be in the allowed skew map when CP and NP are on different majors
-func validateNodePoolVersionChange(ctx context.Context, admissionContext *NodePoolAdmissionContext, op operation.Operation, fldPath *field.Path, newObj, oldObj *api.NodePoolVersionProfile) field.ErrorList {
+func validateNodePoolVersionOnUpdate(ctx context.Context, admissionContext *NodePoolAdmissionContext, op operation.Operation, fldPath *field.Path, newObj, oldObj *api.NodePoolVersionProfile) field.ErrorList {
 	spNodePool, spCluster := admissionContext.ServiceProviderNodePool, admissionContext.ServiceProviderCluster
 	// Skip validation if no version is specified or version didn't change
 	if len(newObj.ID) == 0 || newObj.ID == oldObj.ID {
@@ -194,6 +223,7 @@ func validateNodePoolVersionChange(ctx context.Context, admissionContext *NodePo
 	}
 
 	lowestCPVersion, highestCPVersion := apihelpers.FindLowestAndHighestClusterVersion(spCluster.Status.ControlPlaneVersion.ActiveVersions)
+
 	if err := validation.ValidateNodePoolVersionChange(newVersion, spNodePool.Status.NodePoolVersion.ActiveVersions, lowestCPVersion, highestCPVersion, op.HasOption(api.FeatureExperimentalReleaseFeatures)); err != nil {
 		errs = append(errs, field.Invalid(fldPath, newObj.ID, err.Error()))
 	}

diff --git a/internal/admission/admit_nodepool_test.go b/internal/admission/admit_nodepool_test.go
@@ -638,10 +638,17 @@ func TestAdmitNodePool_VersionValidation(t *testing.T) {
 					},
 				},
 			}
+
+			// Use cluster version from test case's clusterVersions if cross-major upgrade
+			clusterVersion := "4.18"
+			if tt.allowMajorUpgrades && len(tt.clusterVersions) > 0 {
+				clusterVersion = tt.clusterVersions[0]
+			}
+
 			cluster := &api.HCPOpenShiftCluster{
 				CustomerProperties: api.HCPOpenShiftClusterCustomerProperties{
 					Version: api.VersionProfile{
-						ID:           "4.18",
+						ID:           clusterVersion,
 						ChannelGroup: "stable",
 					},
 				},
@@ -685,19 +692,7 @@ func TestAdmitNodePool_VersionValidation(t *testing.T) {
 				},
 			}
 
-			// Build ServiceProviderCluster with active versions
-			var clusterActiveVersions []api.HCPClusterActiveVersion
-			for _, v := range tt.clusterVersions {
-				ver := semver.MustParse(v)
-				clusterActiveVersions = append(clusterActiveVersions, api.HCPClusterActiveVersion{Version: &ver})
-			}
-			spCluster := &api.ServiceProviderCluster{
-				Status: api.ServiceProviderClusterStatus{
-					ControlPlaneVersion: api.ServiceProviderClusterStatusVersion{
-						ActiveVersions: clusterActiveVersions,
-					},
-				},
-			}
+			spCluster := serviceProviderClusterWithVersions(t, tt.clusterVersions)
 
 			errs := AdmitNodePool(context.Background(), &NodePoolAdmissionContext{
 				Cluster:                 cluster,
@@ -751,14 +746,7 @@ func TestAdmitNodePool_IncludesChannelGroupCheck(t *testing.T) {
 		},
 	}
 
-	clusterVer := semver.MustParse("4.18.0")
-	spCluster := &api.ServiceProviderCluster{
-		Status: api.ServiceProviderClusterStatus{
-			ControlPlaneVersion: api.ServiceProviderClusterStatusVersion{
-				ActiveVersions: []api.HCPClusterActiveVersion{{Version: &clusterVer}},
-			},
-		},
-	}
+	spCluster := serviceProviderClusterWithVersions(t, []string{"4.18.0"})
 
 	// Empty update operation (no experimental features)
 	op := operation.Operation{Type: operation.Update}
@@ -843,3 +831,19 @@ func TestAdmitNodePoolOnDelete(t *testing.T) {
 		})
 	}
 }
+
+func serviceProviderClusterWithVersions(t *testing.T, versions []string) *api.ServiceProviderCluster {
+	t.Helper()
+	var active []api.HCPClusterActiveVersion
+	for _, s := range versions {
+		v := semver.MustParse(s)
+		active = append(active, api.HCPClusterActiveVersion{Version: &v})
+	}
+	return &api.ServiceProviderCluster{
+		Status: api.ServiceProviderClusterStatus{
+			ControlPlaneVersion: api.ServiceProviderClusterStatusVersion{
+				ActiveVersions: active,
+			},
+		},
+	}
+}
diff --git a/internal/validation/validators.go b/internal/validation/validators.go
@@ -924,6 +924,39 @@ func ValidateNodePoolVersionChange(desiredVersion semver.Version, activeVersions
 	}
 
 	lowest, highest := apihelpers.FindLowestAndHighestNodePoolVersion(activeVersions)
+	err := ValidateNodePoolVersionSkew(desiredVersion, lowestCPVersion, highestCPVersion, allowMajorUpgrade)
+	if err != nil {
+		return err
+	}
+
+	// Cross-major change (upgrade or downgrade): gated behind FeatureExperimentalReleaseFeatures.
+	isCrossMajorUpgrade := lowest != nil && desiredVersion.Major > lowest.Major
+	isCrossMajorDowngrade := highest != nil && desiredVersion.Major < highest.Major
+	if isCrossMajorUpgrade || isCrossMajorDowngrade {
+		if !allowMajorUpgrade {
+			return fmt.Errorf("major version changes are not supported")
+		}
+		if isCrossMajorUpgrade {
+			return ValidateMajorUpgrade(*lowest, desiredVersion)
+		}
+		return ValidateCrossMajorNodePoolSkew(desiredVersion, *highestCPVersion)
+	}
+
+	// Minor skip validation (N-2 skew policy)
+	if lowest != nil && desiredVersion.Minor > lowest.Minor+2 {
+		return fmt.Errorf(
+			"invalid upgrade path from %s to %s: skipping more than 2 minor versions is not allowed",
+			lowest.String(), desiredVersion.String(),
+		)
+	}
+
+	return nil
+}
+
+func ValidateNodePoolVersionSkew(desiredVersion semver.Version, lowestCPVersion, highestCPVersion *semver.Version, allowMajorUpgrade bool) error {
+	if lowestCPVersion == nil || highestCPVersion == nil {
+		return nil
+	}
 
 	if desiredVersion.GT(*lowestCPVersion) {
 		return fmt.Errorf(
@@ -945,34 +978,11 @@ func ValidateNodePoolVersionChange(desiredVersion semver.Version, activeVersions
 	// This applies to both upgrades (4.21→4.22) and downgrades (4.22→4.21) within
 	// the same major. NP changes that cross majors (e.g., 5.0→4.22) skip this and
 	// go through the AFEC gate below.
-	isSameMajorNPChange := highest == nil || desiredVersion.Major == highest.Major
-	if desiredVersion.Major != highestCPVersion.Major && isSameMajorNPChange {
-		if !allowMajorUpgrade {
-			return fmt.Errorf("major version changes are not supported")
-		}
-		return ValidateCrossMajorNodePoolSkew(desiredVersion, *highestCPVersion)
-	}
-
-	// Cross-major change (upgrade or downgrade): gated behind FeatureExperimentalReleaseFeatures.
-	isCrossMajorUpgrade := lowest != nil && desiredVersion.Major > lowest.Major
-	isCrossMajorDowngrade := highest != nil && desiredVersion.Major < highest.Major
-	if isCrossMajorUpgrade || isCrossMajorDowngrade {
+	if desiredVersion.Major != highestCPVersion.Major {
 		if !allowMajorUpgrade {
 			return fmt.Errorf("major version changes are not supported")
 		}
-		if isCrossMajorUpgrade {
-			return ValidateMajorUpgrade(*lowest, desiredVersion)
-		}
 		return ValidateCrossMajorNodePoolSkew(desiredVersion, *highestCPVersion)
 	}
-
-	// Minor skip validation (N-2 skew policy)
-	if lowest != nil && desiredVersion.Minor > lowest.Minor+2 {
-		return fmt.Errorf(
-			"invalid upgrade path from %s to %s: skipping more than 2 minor versions is not allowed",
-			lowest.String(), desiredVersion.String(),
-		)
-	}
-
 	return nil
 }
diff --git a/...tifacts/FrontendCRUD/NodePool/invalid-version-update/04-httpCreate-nodepool/nodepool.json b/...tifacts/FrontendCRUD/NodePool/invalid-version-update/04-httpCreate-nodepool/nodepool.json
@@ -25,7 +25,7 @@
 		],
 		"version": {
 			"channelGroup": "stable",
-			"id": "4.20.8"
+			"id": "4.22.8"
 		}
 	},
 	"type": "Microsoft.RedHatOpenShift/hcpOpenShiftClusters/nodePools"

diff --git a/...Pool/reject-nodepool-creation-version-skew-minus-3/00-httpCreate-subscription/00-key.json b/...Pool/reject-nodepool-creation-version-skew-minus-3/00-httpCreate-subscription/00-key.json
@@ -0,0 +1,3 @@
+{
+	"resourceID": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7"
+}
diff --git a/...eject-nodepool-creation-version-skew-minus-3/00-httpCreate-subscription/subscription.json b/...eject-nodepool-creation-version-skew-minus-3/00-httpCreate-subscription/subscription.json
@@ -0,0 +1,6 @@
+{
+	"properties": null,
+	"registrationDate": "2025-12-19T19:53:15+00:00",
+	"resourceId": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7",
+	"state": "Registered"
+}
diff --git a/.../NodePool/reject-nodepool-creation-version-skew-minus-3/01-httpCreate-cluster/00-key.json b/.../NodePool/reject-nodepool-creation-version-skew-minus-3/01-httpCreate-cluster/00-key.json
@@ -0,0 +1,3 @@
+{
+	"resourceID": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/resourceGroupName/providers/Microsoft.RedHatOpenShift/hcpOpenShiftClusters/cluster-name"
+}
diff --git a/...NodePool/reject-nodepool-creation-version-skew-minus-3/01-httpCreate-cluster/cluster.json b/...NodePool/reject-nodepool-creation-version-skew-minus-3/01-httpCreate-cluster/cluster.json
@@ -0,0 +1,57 @@
+{
+	"identity": {
+		"type": "UserAssigned",
+		"userAssignedIdentities": {
+			"/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/different-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/service-managed-identity": {}
+		}
+	},
+	"name": "cluster-name",
+	"properties": {
+		"api": {
+			"visibility": "Public"
+		},
+		"clusterImageRegistry": {
+			"state": "Disabled"
+		},
+		"console": {},
+		"dns": {},
+		"etcd": {
+			"dataEncryption": {
+				"customerManaged": {
+					"encryptionType": "KMS",
+					"kms": {
+						"activeKey": {
+							"name": "encryptionKeyName",
+							"vaultName": "keyVaultName",
+							"version": "2024-12-01-preview"
+						}
+					}
+				},
+				"keyManagementMode": "CustomerManaged"
+			}
+		},
+		"network": {
+			"hostPrefix": 23,
+			"machineCidr": "10.0.0.0/16",
+			"networkType": "OVNKubernetes",
+			"podCidr": "10.128.0.0/14",
+			"serviceCidr": "172.30.0.0/16"
+		},
+		"platform": {
+			"managedResourceGroup": "managed-resource-group-name",
+			"networkSecurityGroupId": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/some-resource-group/providers/Microsoft.Network/networkSecurityGroups/nsg",
+			"operatorsAuthentication": {
+				"userAssignedIdentities": {
+					"serviceManagedIdentity": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/different-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/service-managed-identity"
+				}
+			},
+			"outboundType": "LoadBalancer",
+			"subnetId": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/different-resource-group/providers/Microsoft.Network/virtualNetworks/vnet/subnets/subnet"
+		},
+		"version": {
+			"channelGroup": "stable",
+			"id": "4.22"
+		}
+	},
+	"type": "Microsoft.RedHatOpenShift/hcpOpenShiftClusters"
+}
diff --git a/...ol/reject-nodepool-creation-version-skew-minus-3/02-completeOperation-cluster/00-key.json b/...ol/reject-nodepool-creation-version-skew-minus-3/02-completeOperation-cluster/00-key.json
@@ -0,0 +1,3 @@
+{
+	"resourceID": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/resourceGroupName/providers/Microsoft.RedHatOpenShift/hcpOpenShiftClusters/cluster-name"
+}
diff --git a/...ion-version-skew-minus-3/03-loadCosmos-serviceProviderCluster/serviceProviderCluster.json b/...ion-version-skew-minus-3/03-loadCosmos-serviceProviderCluster/serviceProviderCluster.json
@@ -0,0 +1,23 @@
+{
+	"id": "|subscriptions|6b690bec-0c16-4ecb-8f67-781caf40bba7|resourcegroups|resourcegroupname|providers|microsoft.redhatopenshift|hcpopenshiftclusters|cluster-name|serviceproviderclusters|default",
+	"partitionKey": "6b690bec-0c16-4ecb-8f67-781caf40bba7",
+	"properties": {
+		"resourceId": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/resourceGroupName/providers/Microsoft.RedHatOpenShift/hcpOpenShiftClusters/cluster-name/serviceProviderClusters/default",
+		"spec": {
+			"control_plane_version": {
+				"desired_version": "4.22.0"
+			}
+		},
+		"status": {
+			"control_plane_version": {
+				"active_versions": [
+					{
+						"version": "4.22.0"
+					}
+				]
+			}
+		}
+	},
+	"resourceID": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/resourceGroupName/providers/Microsoft.RedHatOpenShift/hcpOpenShiftClusters/cluster-name/serviceProviderClusters/default",
+	"resourceType": "microsoft.redhatopenshift/hcpopenshiftclusters/serviceproviderclusters"
+}
diff --git a/...NodePool/reject-nodepool-creation-version-skew-minus-3/04-httpCreate-nodepool/00-key.json b/...NodePool/reject-nodepool-creation-version-skew-minus-3/04-httpCreate-nodepool/00-key.json
@@ -0,0 +1,3 @@
+{
+	"resourceID": "/subscriptions/6b690bec-0c16-4ecb-8f67-781caf40bba7/resourceGroups/resourceGroupName/providers/Microsoft.RedHatOpenShift/hcpOpenShiftClusters/cluster-name/nodePools/test-np"
+}