Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Do
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.12
Component/s: Networking / multus
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
No

Target Backport Versions:
None
Target Version:

4.12.z
Release Blocker:
Rejected
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Cluster Network Operator managed components (multus-admission-controller) do not conform to hypershift control plane expectations. 

- Ability to run on vanilla kube management clusters
- ** Provide support for non-root security context default additions to all control plane components (highest priority)
  In the hypershift cpo, we set the security context of deployment containers when we detect that SCC's are not available:
  set here: https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/support/config/deployment.go#L96-L100
  detected here: https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/support/capabilities/management_cluster_capabilities.go#L102-L109
- resource request/limit preservation
  In our reconciliation loop we preserve any resource requests/limits that have been modified on deployments. This allows an external program to manage those and we don't fight them.
  example for kas: https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go#L116-L120
- ability to pause reconciliation
  This should apply to the CNO so it doesn't reconcile anything on the control plane side. We honor this in any controller that reconciles things on the control plane side (on the data plane it's still ok to keep reconciling):
  https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go#L651-L656
- All secrets should be mounted to not have global read (change from 420 to 416)
  https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go#L586
- bring your own PKI (Cert/PKI adoption)
- Control Plane Components should not automount service tokens if not required
  https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go#L143
- Ability to set taint tolerations
  This should be covered by https://github.com/openshift/cluster-network-operator/pull/1738


Future Considerations

- Priority Classes enhancement https://github.com/openshift/enhancements/pull/1257

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1.
2.
3.

Actual results:

Expected results:

Additional info:

Assignee:: Nikhil Simha (Inactive)

Reporter:: Francisco Rodriguez

Need Info From:: None

Contributors:: None

QA Contact:: None

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2023/02/23 6:39 PM

Updated:: 2025/07/27 11:42 PM

Resolved:: 2024/01/10 6:47 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates