Background and Goal

Currently in OpenShift we do not support adding 3rd party agents and other software to cluster nodes. While rpm-ostree supports adding packages, we have no way today to do that in a sane, scalable way across machineconfigpools and clusters. Some customers may not be able to meet their IT policies due to this.

In addition to third party content, some customers may want to use the layering process as a point to inject configuration. The build process allows for simple copying of config files and the ability to run arbitrary scripts to set user config files (e.g. through an Ansible playbook). This should be a supported use case, except where it conflicts with OpenShift (for example, the MCO must continue to manage Cri-O and Kubelet configs).

Example Use Cases

• Bare metal firmware update software that is packaged as an RPM
• Host security monitors
• Forensic tools
• SEIM logging agents
• SSH Key management
• Device Drivers from OEM/ODM partners

Acceptance Criteria

1. Administrators can deploy 3rd party repositories and packages to MachineConfigPools.
2. Administrators can easily remove added packages and repository files.
3. Administrators can manage system configuration files by copying files into the RHCOS build. [Note: if the same file is managed by the MCO, the MachineConfig version of the file is expected to "win" over the OS image version.]