Details
- Bug
- Resolution: Won't Do
- Critical
- None
- 4.12
- None
- Moderate
- No
- Rejected
- False
Description
Description of problem:
Cluster Network Operator managed components (multus-admission-controller) do not conform to the hypershift control plane expectations:

- Ability to run on vanilla kube management clusters.
- Provide support for non-root security context default additions to all control plane components (highest priority). In the hypershift CPO, we set the security context of deployment containers when we detect that SCCs are not available:
  set here: https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/support/config/deployment.go#L96-L100
  detected here: https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/support/capabilities/management_cluster_capabilities.go#L102-L109
- Resource request/limit preservation. In our reconciliation loop we preserve any resource requests/limits that have been modified on deployments. This allows an external program to manage those without us fighting it. Example for the kube-apiserver (kas): https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go#L116-L120
- Ability to pause reconciliation. This should apply to the CNO so it doesn't reconcile anything on the control plane side. We honor this in any controller that reconciles things on the control plane side (on the data plane it's still OK to keep reconciling): https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go#L651-L656
- All secrets should be mounted so they are not world-readable (change the volume defaultMode from 420 to 416, i.e. 0644 to 0640): https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go#L586
- Bring your own PKI (cert/PKI adoption).
- Control plane components should not automount service account tokens if not required: https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/control-plane-operator/controllers/hostedcontrolplane/kas/deployment.go#L143
- Ability to set taint tolerations. This should be covered by https://github.com/openshift/cluster-network-operator/pull/1738

Future considerations:
- Priority classes enhancement: https://github.com/openshift/enhancements/pull/1257
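As an added example (not code from hypershift or the CNO), the following Python audit takes a Deployment manifest already parsed into a dict and checks three of the expectations above (service account token automount, secret volume defaultMode 416, non-root when SCCs are absent), plus a merge that preserves the live object's requests/limits the way the CPO does. The sample manifest, secret name and the `sccs_available` flag are constructed assumptions.

```python
"""Audit a control-plane Deployment manifest (parsed from JSON/YAML into a
dict) against the hypershift control plane expectations in this report."""
from __future__ import annotations
import copy
from typing import Any

# Secret volume defaultMode: 420 is 0644 (world-readable), 416 is 0640.
WORLD_READABLE = 420
GROUP_READABLE = 416


def audit_control_plane_deployment(deploy: dict[str, Any], sccs_available: bool) -> list[str]:
    """Return a list of findings; an empty list means the manifest conforms."""
    findings: list[str] = []
    pod = deploy["spec"]["template"]["spec"]
    # Service account tokens should not be mounted unless a component needs one.
    if pod.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken should be false unless a token is required")
    # Secret volumes must not be readable by every user inside the container.
    for vol in pod.get("volumes", []):
        secret = vol.get("secret")
        if secret is not None and secret.get("defaultMode", WORLD_READABLE) != GROUP_READABLE:
            findings.append(f"secret volume {vol['name']!r}: defaultMode should be 416 (0640)")
    # Without SCCs (vanilla kube), the manifest itself must enforce non-root.
    if not sccs_available:
        for c in pod.get("containers", []):
            if not (c.get("securityContext") or {}).get("runAsNonRoot"):
                findings.append(f"container {c['name']!r}: runAsNonRoot must be set when SCCs are unavailable")
    return findings


def preserve_resources(desired: dict[str, Any], existing: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the desired Deployment that keeps the live object's
    container resources, so an external autoscaler's edits are not reverted."""
    out = copy.deepcopy(desired)
    live = {c["name"]: c.get("resources") for c in existing["spec"]["template"]["spec"].get("containers", [])}
    for c in out["spec"]["template"]["spec"]["containers"]:
        if live.get(c["name"]):
            c["resources"] = live[c["name"]]
    return out


# Constructed sample manifest (not a real CNO-rendered Deployment); it violates all three checks.
SAMPLE = {"spec": {"template": {"spec": {
    "automountServiceAccountToken": True,
    "volumes": [{"name": "webhook-certs", "secret": {"secretName": "example-secret", "defaultMode": 420}}],
    "containers": [{"name": "multus-admission-controller", "securityContext": {}, "resources": {}}],
}}}}

if __name__ == "__main__":
    for finding in audit_control_plane_deployment(SAMPLE, sccs_available=False):
        print("FINDING:", finding)
```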
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
Actual results:
Expected results:
Additional info: