  1. Cloud Infrastructure Security & Compliance
  2. CMP-4066

[RFE] Support PriorityClass in file-integrity-operator

    • Feature
    • Resolution: Unresolved
    • file-integrity-operator-1.3.8
    • Security & Compliance

      PROBLEM:

      In clusters under resource pressure, file-integrity daemon pods often fail to schedule because nodes don't have enough available resources. This leaves nodes without integrity checks. Currently there's no way to set pod priority for these pods. Without a PriorityClass, the scheduler cannot preempt lower-priority workloads to make room for the file integrity pods.

      REQUEST:

      Add an optional `priorityClassName` field to the FileIntegrity CR that sets the PriorityClass for daemon pods.

      REFERENCE:

      PriorityClass documentation:

      https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/

      The compliance-operator already has this feature (see https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/security_and_compliance/compliance-operator#compliance-priorityclass_compliance-advanced).

      PROPOSED SOLUTION:

          apiVersion: fileintegrity.openshift.io/v1alpha1
          kind: FileIntegrity
          metadata:
            name: worker-fileintegrity
            namespace: openshift-file-integrity
          spec:
            # Proposed new optional field: PriorityClass for the daemon pods
            priorityClassName: system-node-critical
            nodeSelector:
              node-role.kubernetes.io/worker: ""

              wenshen@redhat.com Vincent Shen
              rhn-support-jortizpa Jose Ortiz Padilla