Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Labels:
- workloads

Work Type:
BU Product Work
Story Points:
5
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
prevent application workload to be schedule to master nodes
Feature Link:
OCPSTRAT-790 - prevent workload to be schedule in master node
Intelligence Requested:
Market:

Original story points:
3

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

As discussed in

https://redhat-internal.slack.com/archives/CC3CZCQHM/p1714068850544919?thread_ts=1713794008.195589&cid=CC3CZCQHM

Something like

rules: - apiGroups: [""] resources: ["node-role.kubernetes.io/control-plane"] verbs: ["NoExecute"] - apiGroups: [""] resources: ["node.kubernetes.io/not-ready"] verbs: ["NoExecute"] - apiGroups: [""] resources: ["node.kubernetes.io/unreachable"] verbs: ["NoExecute"] [...]
not using the composite variables, just the expression

expression: "object.spec.tolerations.all(toleration, ( toleration.effect != 'NoExecute' || (toleration.effect == 'NoExecute' && (auhorizer.serviceAccount(object.metadata.namespace, object.spec.serviceAccountName).group('').resource(toleration.key).namespace(object.metadata.namespace).check(toleration.effect).allowed()))))"

And rovide it as a static file through https://github.com/openshift/cluster-kube-scheduler-operator/blob/master/pkg/operator/starter.go#L108-L123

clones

WRKLDS-1148 [Spike] Find and list projects that are running on a control plane nodes and need tolerations to the node-role.kubernetes.io/control-plane:NoExecute taint

To Do

Assignee:: Lucas Severo Alves (Inactive)

Reporter:: Jan Chaloupka

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/05/06 10:05 AM

Updated:: 2024/09/04 10:12 PM

Resolved:: 2024/07/02 10:45 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates