Uploaded image for project: 'Machine Config Operator'
  1. Machine Config Operator
  2. MCO-1102

Add a ValidatingAdmissionPolicy for the opt-in boot images API

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • None
    • 5
    • False
    • None
    • False
    • OCPSTRAT-98 - Updated boot images: Phase 1 - GCP Tech Preview
    • MCO Sprint 252
    • 0
    • 0.0

      A ValidatingAdmissionPolicy should be implemented(via an MCO manifest) for changes to this new API object, so that the feature is not turned on in unsupported platforms. The only platform currently supported is GCP. The ValidationAdmissionPolicy is kube native and is behind its own feature gate, so this will have to be checked while applying these manifests. Here is what the YAML of what these manifests would look like:

      ---
      apiVersion: admissionregistration.k8s.io/v1beta1
      kind: ValidatingAdmissionPolicy
      metadata:
        name: "managed-bootimages-platform-check"
      spec:
        failurePolicy: Fail
        paramKind:
          apiVersion: config.openshift.io/v1
          kind: Infrastructure
        matchConstraints:
          resourceRules:
          - apiGroups:   ["operator.openshift.io"]
            apiVersions: ["v1"]
            operations:  ["CREATE", "UPDATE"]
            resources:   ["MachineConfiguration"]
        validations:
          - expression: "has(object.spec.ManagedBootImages) && param.status.platformStatus.Type == `GCP`"
            message: "This feature is only supported on these platforms: GCP" 
      ---
      apiVersion: admissionregistration.k8s.io/v1beta1
      kind: ValidatingAdmissionPolicyBinding
      metadata:
        name: "managed-bootimages-platform-check-binding"
      spec:
        policyName: "managed-bootimages-platform-check"
        validationActions: [Deny]
        paramRef:
          name: "cluster"     
          parameterNotFoundAction: "Deny"

       

            djoshy David Joshy
            djoshy David Joshy
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: