Objective

Verify kernel-level isolation for HyperShift Hosted Control Planes on KubeVirt platform with version skew between management and hosted clusters. This validates ANSSI BP-028 compliance requirements for kernel-level isolation.

Parent Work Item

This task is part of CNTRLPLANE-2630: E2E test for OCPSTRAT-2217 VM-level and Hosted Cluster Isolation levels

Implementation

PR: openshift/release#74326

Automated CI test implemented as a periodic Prow job:

• Job: periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-kubevirt-metal-conformance-calico-version-skew-y2
• Workflow: hypershift-kubevirt-baremetalds-conformance-calico-version-skew
• Test step: hypershift-kubevirt-check-kernel-isolation

Version Skew Configuration

• Management cluster: OCP 4.20 (release:latest)
• Hosted cluster: OCP 4.18 (release:latest-4-18)
• Skew: y-2 (maximum allowed for even releases per OCPSTRAT-1707)

What the Test Validates

Test Results (2026-02-07)

Cluster: build05.ci.devcluster.openshift.com | Namespace: ci-op-4605ih94

Management Cluster (OCP 4.20)

Hosted Cluster (OCP 4.18)

Version Skew Evidence

Field	Management (4.20)	Hosted (4.18)	Different?
Kubernetes	v1.33.6	v1.31.14
Kernel	5.14.0-570.86.1.el9_6	5.14.0-427.110.1.el9_4
RHCOS	9.6	418.94
Boot ID	d7aa7795...	2e35c9b5...

VM Boundaries

Key Findings

Kernel isolation confirmed: Different boot IDs prove management and hosted clusters run separate kernel instances, satisfying ANSSI BP-028 requirements.

Version skew working: Management uses kernel 5.14.0-570 (RHEL 9.6) vs Hosted uses 5.14.0-427 (RHEL 9.4), confirming the hosted cluster runs a different OCP version.

VM-based isolation: 3 VirtLauncher pods and 3 VMIs confirm hosted cluster nodes run inside KubeVirt VMs.

Bug Found & Fixed During Testing

The hosted cluster was initially created with OCP 4.20 instead of 4.18 due to incorrect release image propagation:

• Root cause: The create script (hypershift-kubevirt-create-commands.sh line 98) uses HYPERSHIFT_HC_RELEASE_IMAGE → fallback to RELEASE_IMAGE_LATEST. The CI config only set HOSTEDCLUSTER_RELEASE_IMAGE_LATEST which is not used by the script directly (only via support_np_skew() which requires MCE).
• Fix: Added RELEASE_IMAGE_LATEST: release:latest-4-18 as a dependency override in the CI config.

Files

• ci-operator/step-registry/hypershift/kubevirt/check-kernel-isolation/hypershift-kubevirt-check-kernel-isolation-commands.sh — test script
• ci-operator/step-registry/hypershift/kubevirt/check-kernel-isolation/hypershift-kubevirt-check-kernel-isolation-ref.yaml — step reference
• ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico-version-skew/hypershift-kubevirt-baremetalds-conformance-calico-version-skew-workflow.yaml — workflow
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml — CI job config

Acceptance Criteria

• Hosted cluster created on KubeVirt with version skew (4.20 mgmt + 4.18 hosted)
• VirtualMachineInstances confirmed running (3 VMIs)
• Different boot IDs between management and hosted clusters
• Different kernel versions confirming version skew
• VirtLauncher pods running (3 pods)
• Automated CI test implemented as periodic Prow job
• Test results documented

References

• OCPSTRAT-2217 — VM-level and Hosted Cluster Isolation levels for HCP
• OCPSTRAT-1707 — Align HCP NodePool minor-version skew limits
• PR #74326 — Implementation PR