diff --git a/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml b/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml
new file mode 100644
index 00000000000..f57370016b0
--- /dev/null
+++ b/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml
@@ -0,0 +1,44 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "Node"
+crdName: nodes.config.openshift.io
+featureGate: MinimumKubeletVersion
+tests:
+ onCreate:
+ - name: Should be able to create a minimal Node
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec: {} # No spec is required for a Node
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec: {}
+ - name: Should be able to create an empty minimumKubeletVersion
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec:
+ minimumKubeletVersion: ""
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec:
+ minimumKubeletVersion: ""
+ - name: Should be able to create a minimumKubeletVersion
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec:
+ minimumKubeletVersion: 1.30.0
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec:
+ minimumKubeletVersion: 1.30.0
+ - name: Should fail to create a bogus version
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec:
+ minimumKubeletVersion: bogus
+ expectedError: "Invalid value: \"string\": minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
diff --git a/config/v1/types_node.go b/config/v1/types_node.go
index b3b1b62c4df..a50328c91f6 100644
--- a/config/v1/types_node.go
+++ b/config/v1/types_node.go
@@ -46,6 +46,25 @@ type NodeSpec struct {
// the status and corresponding reaction of the cluster
// +optional
WorkerLatencyProfile WorkerLatencyProfileType `json:"workerLatencyProfile,omitempty"`
+
+ // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ // Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ // than the specified version, only allowing the kubelet to get and update its node object, and perform
+ // subjectaccessreviews.
+ // This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ // and will eventually be marked as not ready.
+ // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ // Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ // the underlying kubernetes version this version of Openshift is based off of.
+ // In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ // they should set the minimumKubeletVersion to 1.30.0.
+ // When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ // Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
+ // +kubebuilder:validation:MaxLength:=8
+ // +openshift:enable:FeatureGate=MinimumKubeletVersion
+ // +optional
+ MinimumKubeletVersion string `json:"minimumKubeletVersion"`
}
type NodeStatus struct {
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..469400577ae
--- /dev/null
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,158 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1107
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/bootstrap-required: "true"
+ release.openshift.io/feature-set: CustomNoUpgrade
+ name: nodes.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: Node
+ listKind: NodeList
+ plural: nodes
+ singular: node
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Node holds cluster-wide information about node specific features.
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec holds user settable values for configuration
+ properties:
+ cgroupMode:
+ description: CgroupMode determines the cgroups version on the node
+ enum:
+ - v1
+ - v2
+ - ""
+ type: string
+ minimumKubeletVersion:
+ description: |-
+ minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ than the specified version, only allowing the kubelet to get and update its node object, and perform
+ subjectaccessreviews.
+ This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ and will eventually be marked as not ready.
+ Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ the underlying kubernetes version this version of Openshift is based off of.
+ In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ they should set the minimumKubeletVersion to 1.30.0.
+ When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ maxLength: 8
+ type: string
+ x-kubernetes-validations:
+ - message: minmumKubeletVersion must be in a semver compatible format
+ of x.y.z, or empty
+ rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')
+ workerLatencyProfile:
+ description: |-
+ WorkerLatencyProfile determins the how fast the kubelet is updating
+ the status and corresponding reaction of the cluster
+ enum:
+ - Default
+ - MediumUpdateAverageReaction
+ - LowUpdateSlowReaction
+ type: string
+ type: object
+ status:
+ description: status holds observed values.
+ properties:
+ conditions:
+ description: conditions contain the details and the current state
+ of the nodes.config object
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml
similarity index 99%
rename from config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes.crd.yaml
rename to config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml
index 87de7f1b93d..b79a394c6e1 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml
@@ -7,6 +7,7 @@ metadata:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
release.openshift.io/bootstrap-required: "true"
+ release.openshift.io/feature-set: Default
name: nodes.config.openshift.io
spec:
group: config.openshift.io
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..99b124d5728
--- /dev/null
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,158 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1107
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/bootstrap-required: "true"
+ release.openshift.io/feature-set: DevPreviewNoUpgrade
+ name: nodes.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: Node
+ listKind: NodeList
+ plural: nodes
+ singular: node
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Node holds cluster-wide information about node specific features.
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec holds user settable values for configuration
+ properties:
+ cgroupMode:
+ description: CgroupMode determines the cgroups version on the node
+ enum:
+ - v1
+ - v2
+ - ""
+ type: string
+ minimumKubeletVersion:
+ description: |-
+ minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ than the specified version, only allowing the kubelet to get and update its node object, and perform
+ subjectaccessreviews.
+ This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ and will eventually be marked as not ready.
+ Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ the underlying kubernetes version this version of Openshift is based off of.
+ In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ they should set the minimumKubeletVersion to 1.30.0.
+ When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ maxLength: 8
+ type: string
+ x-kubernetes-validations:
+ - message: minmumKubeletVersion must be in a semver compatible format
+ of x.y.z, or empty
+ rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')
+ workerLatencyProfile:
+ description: |-
+ WorkerLatencyProfile determins the how fast the kubelet is updating
+ the status and corresponding reaction of the cluster
+ enum:
+ - Default
+ - MediumUpdateAverageReaction
+ - LowUpdateSlowReaction
+ type: string
+ type: object
+ status:
+ description: status holds observed values.
+ properties:
+ conditions:
+ description: conditions contain the details and the current state
+ of the nodes.config object
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..8db838df772
--- /dev/null
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,158 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1107
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/bootstrap-required: "true"
+ release.openshift.io/feature-set: TechPreviewNoUpgrade
+ name: nodes.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: Node
+ listKind: NodeList
+ plural: nodes
+ singular: node
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Node holds cluster-wide information about node specific features.
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec holds user settable values for configuration
+ properties:
+ cgroupMode:
+ description: CgroupMode determines the cgroups version on the node
+ enum:
+ - v1
+ - v2
+ - ""
+ type: string
+ minimumKubeletVersion:
+ description: |-
+ minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ than the specified version, only allowing the kubelet to get and update its node object, and perform
+ subjectaccessreviews.
+ This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ and will eventually be marked as not ready.
+ Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ the underlying kubernetes version this version of Openshift is based off of.
+ In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ they should set the minimumKubeletVersion to 1.30.0.
+ When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ maxLength: 8
+ type: string
+ x-kubernetes-validations:
+ - message: minmumKubeletVersion must be in a semver compatible format
+ of x.y.z, or empty
+ rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')
+ workerLatencyProfile:
+ description: |-
+ WorkerLatencyProfile determins the how fast the kubelet is updating
+ the status and corresponding reaction of the cluster
+ enum:
+ - Default
+ - MediumUpdateAverageReaction
+ - LowUpdateSlowReaction
+ type: string
+ type: object
+ status:
+ description: status holds observed values.
+ properties:
+ conditions:
+ description: conditions contain the details and the current state
+ of the nodes.config object
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml
index 6b8dfd3f007..abfea5eaf0e 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -383,7 +383,8 @@ nodes.config.openshift.io:
CRDName: nodes.config.openshift.io
Capability: ""
Category: ""
- FeatureGates: []
+ FeatureGates:
+ - MinimumKubeletVersion
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
FilenameRunLevel: "0000_10"
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml b/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml
new file mode 100644
index 00000000000..ffce7121a41
--- /dev/null
+++ b/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml
@@ -0,0 +1,158 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1107
+ api.openshift.io/filename-cvo-runlevel: "0000_10"
+ api.openshift.io/filename-operator: config-operator
+ api.openshift.io/filename-ordering: "01"
+ feature-gate.release.openshift.io/MinimumKubeletVersion: "true"
+ release.openshift.io/bootstrap-required: "true"
+ name: nodes.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: Node
+ listKind: NodeList
+ plural: nodes
+ singular: node
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Node holds cluster-wide information about node specific features.
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec holds user settable values for configuration
+ properties:
+ cgroupMode:
+ description: CgroupMode determines the cgroups version on the node
+ enum:
+ - v1
+ - v2
+ - ""
+ type: string
+ minimumKubeletVersion:
+ description: |-
+ minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ than the specified version, only allowing the kubelet to get and update its node object, and perform
+ subjectaccessreviews.
+ This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ and will eventually be marked as not ready.
+ Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ the underlying kubernetes version this version of Openshift is based off of.
+ In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ they should set the minimumKubeletVersion to 1.30.0.
+ When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ maxLength: 8
+ type: string
+ x-kubernetes-validations:
+ - message: minmumKubeletVersion must be in a semver compatible format
+ of x.y.z, or empty
+ rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')
+ workerLatencyProfile:
+ description: |-
+ WorkerLatencyProfile determins the how fast the kubelet is updating
+ the status and corresponding reaction of the cluster
+ enum:
+ - Default
+ - MediumUpdateAverageReaction
+ - LowUpdateSlowReaction
+ type: string
+ type: object
+ status:
+ description: status holds observed values.
+ properties:
+ conditions:
+ description: conditions contain the details and the current state
+ of the nodes.config object
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
index ea3a424046c..145a7e4c041 100644
--- a/config/v1/zz_generated.swagger_doc_generated.go
+++ b/config/v1/zz_generated.swagger_doc_generated.go
@@ -2088,8 +2088,9 @@ func (NodeList) SwaggerDoc() map[string]string {
}
var map_NodeSpec = map[string]string{
- "cgroupMode": "CgroupMode determines the cgroups version on the node",
- "workerLatencyProfile": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster",
+ "cgroupMode": "CgroupMode determines the cgroups version on the node",
+ "workerLatencyProfile": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster",
+ "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.",
}
func (NodeSpec) SwaggerDoc() map[string]string {
diff --git a/features.md b/features.md
index ba175a0c146..e7fb01bc075 100644
--- a/features.md
+++ b/features.md
@@ -29,6 +29,7 @@
| ManagedBootImagesAWS| | | Enabled | Enabled | Enabled | Enabled |
| MaxUnavailableStatefulSet| | | Enabled | Enabled | Enabled | Enabled |
| MetricsCollectionProfiles| | | Enabled | Enabled | Enabled | Enabled |
+| MinimumKubeletVersion| | | Enabled | Enabled | Enabled | Enabled |
| MixedCPUsAllocation| | | Enabled | Enabled | Enabled | Enabled |
| NetworkSegmentation| | | Enabled | Enabled | Enabled | Enabled |
| NewOLM| | | Enabled | Enabled | Enabled | Enabled |
diff --git a/features/features.go b/features/features.go
index 60dc3182ab8..2eba54e2c53 100644
--- a/features/features.go
+++ b/features/features.go
@@ -654,4 +654,12 @@ var (
enhancementPR(legacyFeatureGateWithoutEnhancement).
enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
mustRegister()
+
+ FeatureGateMinimumKubeletVersion = newFeatureGate("MinimumKubeletVersion").
+ reportProblemsToJiraComponent("Node").
+ contactPerson("haircommander").
+ productScope(ocpSpecific).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1697").
+ mustRegister()
)
diff --git a/kubecontrolplane/v1/types.go b/kubecontrolplane/v1/types.go
index b9cdcc213b8..6d29f42e3fc 100644
--- a/kubecontrolplane/v1/types.go
+++ b/kubecontrolplane/v1/types.go
@@ -62,6 +62,25 @@ type KubeAPIServerConfig struct {
// TODO this needs to be removed.
APIServerArguments map[string]Arguments `json:"apiServerArguments"`
+
+ // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ // Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ // than the specified version, only allowing the kubelet to get and update its node object, and perform
+ // subjectaccessreviews.
+ // This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ // and will eventually be marked as not ready.
+ // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ // Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ // the underlying kubernetes version this version of Openshift is based off of.
+ // In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ // they should set the minimumKubeletVersion to 1.30.0.
+ // When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ // Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
+ // +kubebuilder:validation:MaxLength:=8
+ // +openshift:enable:FeatureGate=MinimumKubeletVersion
+ // +optional
+ MinimumKubeletVersion string `json:"minimumKubeletVersion"`
}
// Arguments masks the value so protobuf can generate
diff --git a/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go b/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go
index 906bb271b00..5ecdd058392 100644
--- a/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go
+++ b/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go
@@ -33,6 +33,7 @@ var map_KubeAPIServerConfig = map[string]string{
"projectConfig": "projectConfig feeds an admission plugin",
"serviceAccountPublicKeyFiles": "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.",
"oauthConfig": "oauthConfig, if present start the /oauth endpoint in this process",
+ "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.",
}
func (KubeAPIServerConfig) SwaggerDoc() map[string]string {
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index 53d69dce110..d500ddeee7e 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -15552,6 +15552,14 @@ func schema_openshift_api_config_v1_NodeSpec(ref common.ReferenceCallback) commo
Format: "",
},
},
+ "minimumKubeletVersion": {
+ SchemaProps: spec.SchemaProps{
+ Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.",
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
},
},
},
@@ -26499,6 +26507,14 @@ func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.Ref
},
},
},
+ "minimumKubeletVersion": {
+ SchemaProps: spec.SchemaProps{
+ Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.",
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
},
Required: []string{"servingInfo", "corsAllowedOrigins", "auditConfig", "storageConfig", "admission", "kubeClientConfig", "authConfig", "aggregatorConfig", "kubeletClientInfo", "servicesSubnet", "servicesNodePortRange", "consolePublicURL", "userAgentMatchingConfig", "imagePolicyConfig", "projectConfig", "serviceAccountPublicKeyFiles", "oauthConfig", "apiServerArguments"},
},
diff --git a/openapi/openapi.json b/openapi/openapi.json
index 4fe157bf21e..5decc918e27 100644
--- a/openapi/openapi.json
+++ b/openapi/openapi.json
@@ -8270,6 +8270,11 @@
"description": "CgroupMode determines the cgroups version on the node",
"type": "string"
},
+ "minimumKubeletVersion": {
+ "description": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.",
+ "type": "string",
+ "default": ""
+ },
"workerLatencyProfile": {
"description": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster",
"type": "string"
@@ -14786,6 +14791,11 @@
"default": {},
"$ref": "#/definitions/com.github.openshift.api.kubecontrolplane.v1.KubeletConnectionInfo"
},
+ "minimumKubeletVersion": {
+ "description": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.",
+ "type": "string",
+ "default": ""
+ },
"oauthConfig": {
"description": "oauthConfig, if present start the /oauth endpoint in this process",
"$ref": "#/definitions/com.github.openshift.api.osin.v1.OAuthConfig"
diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..469400577ae
--- /dev/null
+++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,158 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1107
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/bootstrap-required: "true"
+ release.openshift.io/feature-set: CustomNoUpgrade
+ name: nodes.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: Node
+ listKind: NodeList
+ plural: nodes
+ singular: node
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Node holds cluster-wide information about node specific features.
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec holds user settable values for configuration
+ properties:
+ cgroupMode:
+ description: CgroupMode determines the cgroups version on the node
+ enum:
+ - v1
+ - v2
+ - ""
+ type: string
+ minimumKubeletVersion:
+ description: |-
+ minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ than the specified version, only allowing the kubelet to get and update its node object, and perform
+ subjectaccessreviews.
+ This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ and will eventually be marked as not ready.
+ Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ the underlying kubernetes version this version of Openshift is based off of.
+ In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ they should set the minimumKubeletVersion to 1.30.0.
+ When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ maxLength: 8
+ type: string
+ x-kubernetes-validations:
+ - message: minmumKubeletVersion must be in a semver compatible format
+ of x.y.z, or empty
+ rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')
+ workerLatencyProfile:
+ description: |-
+ WorkerLatencyProfile determins the how fast the kubelet is updating
+ the status and corresponding reaction of the cluster
+ enum:
+ - Default
+ - MediumUpdateAverageReaction
+ - LowUpdateSlowReaction
+ type: string
+ type: object
+ status:
+ description: status holds observed values.
+ properties:
+ conditions:
+ description: conditions contain the details and the current state
+ of the nodes.config object
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-Default.crd.yaml
similarity index 99%
rename from payload-manifests/crds/0000_10_config-operator_01_nodes.crd.yaml
rename to payload-manifests/crds/0000_10_config-operator_01_nodes-Default.crd.yaml
index 87de7f1b93d..b79a394c6e1 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_nodes.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-Default.crd.yaml
@@ -7,6 +7,7 @@ metadata:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
release.openshift.io/bootstrap-required: "true"
+ release.openshift.io/feature-set: Default
name: nodes.config.openshift.io
spec:
group: config.openshift.io
diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..99b124d5728
--- /dev/null
+++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,158 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1107
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/bootstrap-required: "true"
+ release.openshift.io/feature-set: DevPreviewNoUpgrade
+ name: nodes.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: Node
+ listKind: NodeList
+ plural: nodes
+ singular: node
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Node holds cluster-wide information about node specific features.
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec holds user settable values for configuration
+ properties:
+ cgroupMode:
+ description: CgroupMode determines the cgroups version on the node
+ enum:
+ - v1
+ - v2
+ - ""
+ type: string
+ minimumKubeletVersion:
+ description: |-
+ minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ than the specified version, only allowing the kubelet to get and update its node object, and perform
+ subjectaccessreviews.
+ This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ and will eventually be marked as not ready.
+ Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ the underlying kubernetes version this version of Openshift is based off of.
+ In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ they should set the minimumKubeletVersion to 1.30.0.
+ When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ maxLength: 8
+ type: string
+ x-kubernetes-validations:
+ - message: minmumKubeletVersion must be in a semver compatible format
+ of x.y.z, or empty
+ rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')
+ workerLatencyProfile:
+ description: |-
+ WorkerLatencyProfile determins the how fast the kubelet is updating
+ the status and corresponding reaction of the cluster
+ enum:
+ - Default
+ - MediumUpdateAverageReaction
+ - LowUpdateSlowReaction
+ type: string
+ type: object
+ status:
+ description: status holds observed values.
+ properties:
+ conditions:
+ description: conditions contain the details and the current state
+ of the nodes.config object
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..8db838df772
--- /dev/null
+++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,158 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1107
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/bootstrap-required: "true"
+ release.openshift.io/feature-set: TechPreviewNoUpgrade
+ name: nodes.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: Node
+ listKind: NodeList
+ plural: nodes
+ singular: node
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Node holds cluster-wide information about node specific features.
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec holds user settable values for configuration
+ properties:
+ cgroupMode:
+ description: CgroupMode determines the cgroups version on the node
+ enum:
+ - v1
+ - v2
+ - ""
+ type: string
+ minimumKubeletVersion:
+ description: |-
+ minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+ Specifically, the apiserver will deny most authorization requests of kubelets that are older
+ than the specified version, only allowing the kubelet to get and update its node object, and perform
+ subjectaccessreviews.
+ This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ and will eventually be marked as not ready.
+ Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ the underlying kubernetes version this version of Openshift is based off of.
+ In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ they should set the minimumKubeletVersion to 1.30.0.
+ When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ maxLength: 8
+ type: string
+ x-kubernetes-validations:
+ - message: minmumKubeletVersion must be in a semver compatible format
+ of x.y.z, or empty
+ rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')
+ workerLatencyProfile:
+ description: |-
+ WorkerLatencyProfile determins the how fast the kubelet is updating
+ the status and corresponding reaction of the cluster
+ enum:
+ - Default
+ - MediumUpdateAverageReaction
+ - LowUpdateSlowReaction
+ type: string
+ type: object
+ status:
+ description: status holds observed values.
+ properties:
+ conditions:
+ description: conditions contain the details and the current state
+ of the nodes.config object
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
index 69580a44def..7b55f2621b0 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
@@ -97,6 +97,9 @@
{
"name": "MetricsCollectionProfiles"
},
+ {
+ "name": "MinimumKubeletVersion"
+ },
{
"name": "MixedCPUsAllocation"
},
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
index 3194eb13a60..b369d077324 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
@@ -149,6 +149,9 @@
{
"name": "MetricsCollectionProfiles"
},
+ {
+ "name": "MinimumKubeletVersion"
+ },
{
"name": "MixedCPUsAllocation"
},
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
index 0a28367e4d5..6d51a62ab78 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
@@ -149,6 +149,9 @@
{
"name": "MetricsCollectionProfiles"
},
+ {
+ "name": "MinimumKubeletVersion"
+ },
{
"name": "MixedCPUsAllocation"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
index 470103706a9..086b456cf36 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
@@ -100,6 +100,9 @@
{
"name": "MetricsCollectionProfiles"
},
+ {
+ "name": "MinimumKubeletVersion"
+ },
{
"name": "MixedCPUsAllocation"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
index 3fbc04b059f..8ae7a62f460 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
@@ -149,6 +149,9 @@
{
"name": "MetricsCollectionProfiles"
},
+ {
+ "name": "MinimumKubeletVersion"
+ },
{
"name": "MixedCPUsAllocation"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
index ca83b159207..d29348d6199 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
@@ -149,6 +149,9 @@
{
"name": "MetricsCollectionProfiles"
},
+ {
+ "name": "MinimumKubeletVersion"
+ },
{
"name": "MixedCPUsAllocation"
},