Revert "Fix PodSecurity Warnings (#250)" (#252)

This reverts commit ecc541d186.

Signed-off-by: Zhiwei Yin <zyin@redhat.com>
Zhiwei Yin
2023-08-21 11:28:12 +08:00
committed by GitHub
parent 88f6f4dd17
commit 4227c8f68c
20 changed files with 149 additions and 504 deletions


@@ -13,15 +13,15 @@ include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \
) )
OPERATOR_SDK?=$(PERMANENT_TMP_GOPATH)/bin/operator-sdk OPERATOR_SDK?=$(PERMANENT_TMP_GOPATH)/bin/operator-sdk
OPERATOR_SDK_VERSION?=v1.28.0 OPERATOR_SDK_VERSION?=v1.1.0
operatorsdk_gen_dir:=$(dir $(OPERATOR_SDK)) operatorsdk_gen_dir:=$(dir $(OPERATOR_SDK))
# CSV_VERSION is used to generate new CSV manifests # CSV_VERSION is used to generate new CSV manifests
CSV_VERSION?=0.12.0 CSV_VERSION?=0.12.0
OPERATOR_SDK_ARCHOS:=linux_amd64 OPERATOR_SDK_ARCHOS:=x86_64-linux-gnu
ifeq ($(GOHOSTOS),darwin) ifeq ($(GOHOSTOS),darwin)
ifeq ($(GOHOSTARCH),amd64) ifeq ($(GOHOSTARCH),amd64)
OPERATOR_SDK_ARCHOS:=darwin_amd64 OPERATOR_SDK_ARCHOS:=x86_64-apple-darwin
endif endif
endif endif
@@ -57,12 +57,12 @@ patch-crd: ensure-yaml-patch
update: patch-crd copy-crd update-csv update: patch-crd copy-crd update-csv
update-csv: ensure-operator-sdk update-csv: ensure-operator-sdk
cd deploy/cluster-manager && ../../$(OPERATOR_SDK) generate bundle --version $(CSV_VERSION) --package cluster-manager --input-dir config --output-dir olm-catalog/cluster-manager cd deploy/cluster-manager && ../../$(OPERATOR_SDK) generate bundle --manifests --deploy-dir config/ --crds-dir config/crds/ --output-dir olm-catalog/cluster-manager/ --version $(CSV_VERSION)
cd deploy/klusterlet && ../../$(OPERATOR_SDK) generate bundle --version $(CSV_VERSION) --package klusterlet --input-dir config --output-dir olm-catalog/klusterlet cd deploy/klusterlet && ../../$(OPERATOR_SDK) generate bundle --manifests --deploy-dir config/ --crds-dir config/crds/ --output-dir olm-catalog/klusterlet/ --version=$(CSV_VERSION)
# delete bundle.Dockerfile since we do not use it to build image. # delete useless serviceaccounts in manifests although they are copied from config by operator-sdk.
rm ./deploy/cluster-manager/bundle.Dockerfile rm ./deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager_v1_serviceaccount.yaml
rm ./deploy/klusterlet/bundle.Dockerfile rm ./deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet_v1_serviceaccount.yaml
verify-crds: patch-crd verify-crds: patch-crd
bash -x hack/verify-crds.sh bash -x hack/verify-crds.sh
@@ -93,7 +93,7 @@ ensure-operator-sdk:
ifeq "" "$(wildcard $(OPERATOR_SDK))" ifeq "" "$(wildcard $(OPERATOR_SDK))"
$(info Installing operator-sdk into '$(OPERATOR_SDK)') $(info Installing operator-sdk into '$(OPERATOR_SDK)')
mkdir -p '$(operatorsdk_gen_dir)' mkdir -p '$(operatorsdk_gen_dir)'
curl -s -f -L https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(OPERATOR_SDK_ARCHOS) -o '$(OPERATOR_SDK)' curl -s -f -L https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk-$(OPERATOR_SDK_VERSION)-$(OPERATOR_SDK_ARCHOS) -o '$(OPERATOR_SDK)'
chmod +x '$(OPERATOR_SDK)'; chmod +x '$(OPERATOR_SDK)';
else else
$(info Using existing operator-sdk from "$(OPERATOR_SDK)") $(info Using existing operator-sdk from "$(OPERATOR_SDK)")
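Review bot: The `curl` line in the `ensure-operator-sdk` hunk still writes the downloaded operator-sdk binary straight to `$(OPERATOR_SDK)` and runs `chmod +x` on it with no integrity check, so a tampered or truncated download from that release URL would be executed unverified by every developer and CI run; the revert changes the version and URL layout but keeps that gap. Pin the expected digest next to `OPERATOR_SDK_VERSION` and verify it before the `chmod +x` line, e.g. `echo '<EXPECTED_SHA256>  $(OPERATOR_SDK)' | sha256sum -c -` (the digest is a placeholder to be taken from the pinned release, and per-`OPERATOR_SDK_ARCHOS` values would be needed since the Linux and Darwin binaries differ). Separately, `-s` suppresses curl's error output, so when `-f` makes a failed fetch exit non-zero the build stops with no explanation; `-sS` keeps the progress meter off while still printing the failure reason. The `else` branch of this rule continues past the end of the hunk.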


@@ -1,4 +1,2 @@
version: "3"
layout:
- go.kubebuilder.io/v3
projectName: cluster-manager projectName: cluster-manager
version: 2


@@ -37,10 +37,6 @@ spec:
values: values:
- cluster-manager - cluster-manager
serviceAccountName: cluster-manager serviceAccountName: cluster-manager
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: registration-operator - name: registration-operator
image: quay.io/open-cluster-management/registration-operator:latest image: quay.io/open-cluster-management/registration-operator:latest
@@ -53,6 +49,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
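Review bot: After these two hunks the Deployment's pod spec no longer sets a `seccompProfile` anywhere — the pod-level `securityContext` carrying `seccompProfile: type: RuntimeDefault` is removed in the first hunk and only `runAsNonRoot: true` is re-added under the container's `securityContext` in the second — so the registration-operator container falls back to the kubelet's default seccomp mode, which is unconfined unless the cluster has opted into a default profile, and the PodSecurity `restricted` warning that the reverted commit addressed will come back. If the revert is driven by the operator-sdk/CSV tooling rather than by the seccomp setting itself, keeping `seccompProfile:` with `type: RuntimeDefault` under the container's `securityContext`, next to the re-added `runAsNonRoot: true`, preserves the hardening without the pod-level block. The same `seccompProfile` block is dropped from the generated CSV's deployment spec in the `@@ -564,10 +561,7 @@` hunk of the next file, which `operator-sdk generate bundle` would regenerate from this manifest. The container spec continues past the end of the second hunk.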


@@ -59,10 +59,10 @@ metadata:
categories: Integration & Delivery,OpenShift Optional categories: Integration & Delivery,OpenShift Optional
certified: "false" certified: "false"
containerImage: quay.io/open-cluster-management/registration-operator:latest containerImage: quay.io/open-cluster-management/registration-operator:latest
createdAt: "2023-08-15T09:59:52Z" createdAt: "2023-05-24T20:00:31Z"
description: Manages the installation and upgrade of the ClusterManager. description: Manages the installation and upgrade of the ClusterManager.
operators.operatorframework.io/builder: operator-sdk-v1.28.0 operators.operatorframework.io/builder: operator-sdk-v1.1.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 operators.operatorframework.io/project_layout: go
repository: https://github.com/open-cluster-management-io/registration-operator repository: https://github.com/open-cluster-management-io/registration-operator
support: Red Hat, Inc. support: Red Hat, Inc.
name: cluster-manager.v0.12.0 name: cluster-manager.v0.12.0
@@ -71,8 +71,7 @@ spec:
apiservicedefinitions: {} apiservicedefinitions: {}
customresourcedefinitions: customresourcedefinitions:
owned: owned:
- description: ClusterManager defines the configurations of controllers running - description: ClusterManager defines the configurations of controllers running hub that govern registration and work distribution for attached Klusterlets
hub that govern registration and work distribution for attached Klusterlets
displayName: ClusterManager displayName: ClusterManager
kind: ClusterManager kind: ClusterManager
name: clustermanagers.operator.open-cluster-management.io name: clustermanagers.operator.open-cluster-management.io
@@ -500,9 +499,7 @@ spec:
- get - get
serviceAccountName: cluster-manager serviceAccountName: cluster-manager
deployments: deployments:
- label: - name: cluster-manager
app: cluster-manager
name: cluster-manager
spec: spec:
replicas: 3 replicas: 3
selector: selector:
@@ -564,10 +561,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
securityContext: runAsNonRoot: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: cluster-manager serviceAccountName: cluster-manager
strategy: deployment strategy: deployment
installModes: installModes:


@@ -15,21 +15,13 @@ spec:
- name: v1 - name: v1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: ClusterManager configures the controllers on the hub that govern description: ClusterManager configures the controllers on the hub that govern registration and work distribution for attached Klusterlets. In Default mode, ClusterManager will only be deployed in open-cluster-management-hub namespace. In Hosted mode, ClusterManager will be deployed in the namespace with the same name as cluster manager.
registration and work distribution for attached Klusterlets. In Default
mode, ClusterManager will only be deployed in open-cluster-management-hub
namespace. In Hosted mode, ClusterManager will be deployed in the namespace
with the same name as cluster manager.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
@@ -37,24 +29,13 @@ spec:
default: default:
deployOption: deployOption:
mode: Default mode: Default
description: Spec represents a desired deployment configuration of controllers description: Spec represents a desired deployment configuration of controllers that govern registration and work distribution for attached Klusterlets.
that govern registration and work distribution for attached Klusterlets.
properties: properties:
addOnManagerConfiguration: addOnManagerConfiguration:
description: AddOnManagerConfiguration contains the configuration description: AddOnManagerConfiguration contains the configuration of addon manager
of addon manager
properties: properties:
featureGates: featureGates:
description: 'FeatureGates represents the list of feature gates description: 'FeatureGates represents the list of feature gates for addon manager If it is set empty, default feature gates will be used. If it is set, featuregate/Foo is an example of one item in FeatureGates: 1. If featuregate/Foo does not exist, registration-operator will discard it 2. If featuregate/Foo exists and is false by default. It is now possible to set featuregate/Foo=[false|true] 3. If featuregate/Foo exists and is true by default. If a cluster-admin upgrading from 1 to 2 wants to continue having featuregate/Foo=false, he can set featuregate/Foo=false before upgrading. Let''s say the cluster-admin wants featuregate/Foo=false.'
for addon manager If it is set empty, default feature gates
will be used. If it is set, featuregate/Foo is an example of
one item in FeatureGates: 1. If featuregate/Foo does not exist,
registration-operator will discard it 2. If featuregate/Foo
exists and is false by default. It is now possible to set featuregate/Foo=[false|true]
3. If featuregate/Foo exists and is true by default. If a cluster-admin
upgrading from 1 to 2 wants to continue having featuregate/Foo=false,
he can set featuregate/Foo=false before upgrading. Let''s say
the cluster-admin wants featuregate/Foo=false.'
items: items:
properties: properties:
feature: feature:
@@ -62,11 +43,7 @@ spec:
type: string type: string
mode: mode:
default: Disable default: Disable
description: Mode is either Enable, Disable, "" where "" description: Mode is either Enable, Disable, "" where "" is Disable by default. In Enable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=true". In Disable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=false".
is Disable by default. In Enable mode, a valid feature
gate `featuregate/Foo` will be set to "--featuregate/Foo=true".
In Disable mode, a valid feature gate `featuregate/Foo`
will be set to "--featuregate/Foo=false".
enum: enum:
- Enable - Enable
- Disable - Disable
@@ -78,33 +55,26 @@ spec:
type: object type: object
addOnManagerImagePullSpec: addOnManagerImagePullSpec:
default: quay.io/open-cluster-management/addon-manager default: quay.io/open-cluster-management/addon-manager
description: AddOnManagerImagePullSpec represents the desired image description: AddOnManagerImagePullSpec represents the desired image configuration of addon manager controller/webhook installed on hub.
configuration of addon manager controller/webhook installed on hub.
type: string type: string
deployOption: deployOption:
default: default:
mode: Default mode: Default
description: DeployOption contains the options of deploying a cluster-manager description: DeployOption contains the options of deploying a cluster-manager Default mode is used if DeployOption is not set.
Default mode is used if DeployOption is not set.
properties: properties:
hosted: hosted:
description: Hosted includes configurations we needs for clustermanager description: Hosted includes configurations we needs for clustermanager in the Hosted mode.
in the Hosted mode.
properties: properties:
registrationWebhookConfiguration: registrationWebhookConfiguration:
description: RegistrationWebhookConfiguration represents the description: RegistrationWebhookConfiguration represents the customized webhook-server configuration of registration.
customized webhook-server configuration of registration.
properties: properties:
address: address:
description: Address represents the address of a webhook-server. description: Address represents the address of a webhook-server. It could be in IP format or fqdn format. The Address must be reachable by apiserver of the hub cluster.
It could be in IP format or fqdn format. The Address
must be reachable by apiserver of the hub cluster.
pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
type: string type: string
port: port:
default: 443 default: 443
description: Port represents the port of a webhook-server. description: Port represents the port of a webhook-server. The default value of Port is 443.
The default value of Port is 443.
format: int32 format: int32
maximum: 65535 maximum: 65535
type: integer type: integer
@@ -112,19 +82,15 @@ spec:
- address - address
type: object type: object
workWebhookConfiguration: workWebhookConfiguration:
description: WorkWebhookConfiguration represents the customized description: WorkWebhookConfiguration represents the customized webhook-server configuration of work.
webhook-server configuration of work.
properties: properties:
address: address:
description: Address represents the address of a webhook-server. description: Address represents the address of a webhook-server. It could be in IP format or fqdn format. The Address must be reachable by apiserver of the hub cluster.
It could be in IP format or fqdn format. The Address
must be reachable by apiserver of the hub cluster.
pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
type: string type: string
port: port:
default: 443 default: 443
description: Port represents the port of a webhook-server. description: Port represents the port of a webhook-server. The default value of Port is 443.
The default value of Port is 443.
format: int32 format: int32
maximum: 65535 maximum: 65535
type: integer type: integer
@@ -134,14 +100,7 @@ spec:
type: object type: object
mode: mode:
default: Default default: Default
description: 'Mode can be Default or Hosted. In Default mode, description: 'Mode can be Default or Hosted. In Default mode, the Hub is installed as a whole and all parts of Hub are deployed in the same cluster. In Hosted mode, only crd and configurations are installed on one cluster(defined as hub-cluster). Controllers run in another cluster (defined as management-cluster) and connect to the hub with the kubeconfig in secret of "external-hub-kubeconfig"(a kubeconfig of hub-cluster with cluster-admin permission). Note: Do not modify the Mode field once it''s applied.'
the Hub is installed as a whole and all parts of Hub are deployed
in the same cluster. In Hosted mode, only crd and configurations
are installed on one cluster(defined as hub-cluster). Controllers
run in another cluster (defined as management-cluster) and connect
to the hub with the kubeconfig in secret of "external-hub-kubeconfig"(a
kubeconfig of hub-cluster with cluster-admin permission). Note:
Do not modify the Mode field once it''s applied.'
enum: enum:
- Default - Default
- Hosted - Hosted
@@ -150,89 +109,51 @@ spec:
- mode - mode
type: object type: object
nodePlacement: nodePlacement:
description: NodePlacement enables explicit control over the scheduling description: NodePlacement enables explicit control over the scheduling of the deployed pods.
of the deployed pods.
properties: properties:
nodeSelector: nodeSelector:
additionalProperties: additionalProperties:
type: string type: string
description: NodeSelector defines which Nodes the Pods are scheduled description: NodeSelector defines which Nodes the Pods are scheduled on. The default is an empty list.
on. The default is an empty list.
type: object type: object
tolerations: tolerations:
description: Tolerations is attached by pods to tolerate any taint description: Tolerations is attached by pods to tolerate any taint that matches the triple <key,value,effect> using the matching operator <operator>. The default is an empty list.
that matches the triple <key,value,effect> using the matching
operator <operator>. The default is an empty list.
items: items:
description: The pod this Toleration is attached to tolerates description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
any taint that matches the triple <key,value,effect> using
the matching operator <operator>.
properties: properties:
effect: effect:
description: Effect indicates the taint effect to match. description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Empty means match all taint effects. When specified, allowed
values are NoSchedule, PreferNoSchedule and NoExecute.
type: string type: string
key: key:
description: Key is the taint key that the toleration applies description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
to. Empty means match all taint keys. If the key is empty,
operator must be Exists; this combination means to match
all values and all keys.
type: string type: string
operator: operator:
description: Operator represents a key's relationship to description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
the value. Valid operators are Exists and Equal. Defaults
to Equal. Exists is equivalent to wildcard for value,
so that a pod can tolerate all taints of a particular
category.
type: string type: string
tolerationSeconds: tolerationSeconds:
description: TolerationSeconds represents the period of description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
time the toleration (which must be of effect NoExecute,
otherwise this field is ignored) tolerates the taint.
By default, it is not set, which means tolerate the taint
forever (do not evict). Zero and negative values will
be treated as 0 (evict immediately) by the system.
format: int64 format: int64
type: integer type: integer
value: value:
description: Value is the taint value the toleration matches description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
to. If the operator is Exists, the value should be empty,
otherwise just a regular string.
type: string type: string
type: object type: object
type: array type: array
type: object type: object
placementImagePullSpec: placementImagePullSpec:
default: quay.io/open-cluster-management/placement default: quay.io/open-cluster-management/placement
description: PlacementImagePullSpec represents the desired image configuration description: PlacementImagePullSpec represents the desired image configuration of placement controller/webhook installed on hub.
of placement controller/webhook installed on hub.
type: string type: string
registrationConfiguration: registrationConfiguration:
description: RegistrationConfiguration contains the configuration description: RegistrationConfiguration contains the configuration of registration
of registration
properties: properties:
autoApproveUsers: autoApproveUsers:
description: AutoApproveUser represents a list of users that can description: AutoApproveUser represents a list of users that can auto approve CSR and accept client. If the credential of the bootstrap-hub-kubeconfig matches to the users, the cluster created by the bootstrap-hub-kubeconfig will be auto-registered into the hub cluster. This takes effect only when ManagedClusterAutoApproval feature gate is enabled.
auto approve CSR and accept client. If the credential of the
bootstrap-hub-kubeconfig matches to the users, the cluster created
by the bootstrap-hub-kubeconfig will be auto-registered into
the hub cluster. This takes effect only when ManagedClusterAutoApproval
feature gate is enabled.
items: items:
type: string type: string
type: array type: array
featureGates: featureGates:
description: 'FeatureGates represents the list of feature gates description: 'FeatureGates represents the list of feature gates for registration If it is set empty, default feature gates will be used. If it is set, featuregate/Foo is an example of one item in FeatureGates: 1. If featuregate/Foo does not exist, registration-operator will discard it 2. If featuregate/Foo exists and is false by default. It is now possible to set featuregate/Foo=[false|true] 3. If featuregate/Foo exists and is true by default. If a cluster-admin upgrading from 1 to 2 wants to continue having featuregate/Foo=false, he can set featuregate/Foo=false before upgrading. Let''s say the cluster-admin wants featuregate/Foo=false.'
for registration If it is set empty, default feature gates will
be used. If it is set, featuregate/Foo is an example of one
item in FeatureGates: 1. If featuregate/Foo does not exist,
registration-operator will discard it 2. If featuregate/Foo
exists and is false by default. It is now possible to set featuregate/Foo=[false|true]
3. If featuregate/Foo exists and is true by default. If a cluster-admin
upgrading from 1 to 2 wants to continue having featuregate/Foo=false,
he can set featuregate/Foo=false before upgrading. Let''s say
the cluster-admin wants featuregate/Foo=false.'
items: items:
properties: properties:
feature: feature:
@@ -240,11 +161,7 @@ spec:
type: string type: string
mode: mode:
default: Disable default: Disable
description: Mode is either Enable, Disable, "" where "" description: Mode is either Enable, Disable, "" where "" is Disable by default. In Enable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=true". In Disable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=false".
is Disable by default. In Enable mode, a valid feature
gate `featuregate/Foo` will be set to "--featuregate/Foo=true".
In Disable mode, a valid feature gate `featuregate/Foo`
will be set to "--featuregate/Foo=false".
enum: enum:
- Enable - Enable
- Disable - Disable
@@ -256,23 +173,13 @@ spec:
type: object type: object
registrationImagePullSpec: registrationImagePullSpec:
default: quay.io/open-cluster-management/registration default: quay.io/open-cluster-management/registration
description: RegistrationImagePullSpec represents the desired image description: RegistrationImagePullSpec represents the desired image of registration controller/webhook installed on hub.
of registration controller/webhook installed on hub.
type: string type: string
workConfiguration: workConfiguration:
description: WorkConfiguration contains the configuration of work description: WorkConfiguration contains the configuration of work
properties: properties:
featureGates: featureGates:
description: 'FeatureGates represents the list of feature gates description: 'FeatureGates represents the list of feature gates for work If it is set empty, default feature gates will be used. If it is set, featuregate/Foo is an example of one item in FeatureGates: 1. If featuregate/Foo does not exist, registration-operator will discard it 2. If featuregate/Foo exists and is false by default. It is now possible to set featuregate/Foo=[false|true] 3. If featuregate/Foo exists and is true by default. If a cluster-admin upgrading from 1 to 2 wants to continue having featuregate/Foo=false, he can set featuregate/Foo=false before upgrading. Let''s say the cluster-admin wants featuregate/Foo=false.'
for work If it is set empty, default feature gates will be used.
If it is set, featuregate/Foo is an example of one item in FeatureGates:
1. If featuregate/Foo does not exist, registration-operator
will discard it 2. If featuregate/Foo exists and is false by
default. It is now possible to set featuregate/Foo=[false|true]
3. If featuregate/Foo exists and is true by default. If a cluster-admin
upgrading from 1 to 2 wants to continue having featuregate/Foo=false,
he can set featuregate/Foo=false before upgrading. Let''s say
the cluster-admin wants featuregate/Foo=false.'
items: items:
properties: properties:
feature: feature:
@@ -280,11 +187,7 @@ spec:
type: string type: string
mode: mode:
default: Disable default: Disable
description: Mode is either Enable, Disable, "" where "" description: Mode is either Enable, Disable, "" where "" is Disable by default. In Enable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=true". In Disable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=false".
is Disable by default. In Enable mode, a valid feature
gate `featuregate/Foo` will be set to "--featuregate/Foo=true".
In Disable mode, a valid feature gate `featuregate/Foo`
will be set to "--featuregate/Foo=false".
enum: enum:
- Enable - Enable
- Disable - Disable
@@ -296,60 +199,32 @@ spec:
type: object type: object
workImagePullSpec: workImagePullSpec:
default: quay.io/open-cluster-management/work default: quay.io/open-cluster-management/work
description: WorkImagePullSpec represents the desired image configuration description: WorkImagePullSpec represents the desired image configuration of work controller/webhook installed on hub.
of work controller/webhook installed on hub.
type: string type: string
type: object type: object
status: status:
description: Status represents the current status of controllers that description: Status represents the current status of controllers that govern the lifecycle of managed clusters.
govern the lifecycle of managed clusters.
properties: properties:
conditions: conditions:
description: 'Conditions contain the different condition statuses description: 'Conditions contain the different condition statuses for this ClusterManager. Valid condition types are: Applied: Components in hub are applied. Available: Components in hub are available and ready to serve. Progressing: Components in hub are in a transitioning state. Degraded: Components in hub do not match the desired configuration and only provide degraded service.'
for this ClusterManager. Valid condition types are: Applied: Components
in hub are applied. Available: Components in hub are available and
ready to serve. Progressing: Components in hub are in a transitioning
state. Degraded: Components in hub do not match the desired configuration
and only provide degraded service.'
items: items:
description: "Condition contains details for one aspect of the current description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties: properties:
lastTransitionTime: lastTransitionTime:
description: lastTransitionTime is the last time the condition description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time format: date-time
type: string type: string
message: message:
description: message is a human readable message indicating description: message is a human readable message indicating details about the transition. This may be an empty string.
details about the transition. This may be an empty string.
maxLength: 32768 maxLength: 32768
type: string type: string
observedGeneration: observedGeneration:
description: observedGeneration represents the .metadata.generation description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64 format: int64
minimum: 0 minimum: 0
type: integer type: integer
reason: reason:
description: reason contains a programmatic identifier indicating description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024 maxLength: 1024
minLength: 1 minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -362,11 +237,7 @@ spec:
- Unknown - Unknown
type: string type: string
type: type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316 maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string type: string
@@ -379,54 +250,42 @@ spec:
type: object type: object
type: array type: array
generations: generations:
description: Generations are used to determine when an item needs description: Generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.
to be reconciled or has changed in a way that needs a reaction.
items: items:
description: GenerationStatus keeps track of the generation for description: GenerationStatus keeps track of the generation for a given resource so that decisions about forced updates can be made. The definition matches the GenerationStatus defined in github.com/openshift/api/v1
a given resource so that decisions about forced updates can be
made. The definition matches the GenerationStatus defined in github.com/openshift/api/v1
properties: properties:
group: group:
description: group is the group of the resource that you're description: group is the group of the resource that you're tracking
tracking
type: string type: string
lastGeneration: lastGeneration:
description: lastGeneration is the last generation of the resource description: lastGeneration is the last generation of the resource that controller applies
that controller applies
format: int64 format: int64
type: integer type: integer
name: name:
description: name is the name of the resource that you're tracking description: name is the name of the resource that you're tracking
type: string type: string
namespace: namespace:
description: namespace is where the resource that you're tracking description: namespace is where the resource that you're tracking is
is
type: string type: string
resource: resource:
description: resource is the resource type of the resource that description: resource is the resource type of the resource that you're tracking
you're tracking
type: string type: string
version: version:
description: version is the version of the resource that you're description: version is the version of the resource that you're tracking
tracking
type: string type: string
type: object type: object
type: array type: array
observedGeneration: observedGeneration:
description: ObservedGeneration is the last generation change you've description: ObservedGeneration is the last generation change you've dealt with
dealt with
format: int64 format: int64
type: integer type: integer
relatedResources: relatedResources:
description: RelatedResources are used to track the resources that description: RelatedResources are used to track the resources that are related to this ClusterManager.
are related to this ClusterManager.
items: items:
description: RelatedResourceMeta represents the resource that is description: RelatedResourceMeta represents the resource that is managed by an operator
managed by an operator
properties: properties:
group: group:
description: group is the group of the resource that you're description: group is the group of the resource that you're tracking
tracking
type: string type: string
name: name:
description: name is the name of the resource that you're tracking description: name is the name of the resource that you're tracking
@@ -435,8 +294,7 @@ spec:
description: namespace is where the thing you're tracking is description: namespace is where the thing you're tracking is
type: string type: string
resource: resource:
description: resource is the resource type of the resource that description: resource is the resource type of the resource that you're tracking
you're tracking
type: string type: string
version: version:
description: version is the version of the thing you're tracking description: version is the version of the thing you're tracking


@@ -1,10 +1,7 @@
annotations: annotations:
# Core bundle annotations. operators.operatorframework.io.bundle.channel.default.v1: stable
operators.operatorframework.io.bundle.mediatype.v1: registry+v1 operators.operatorframework.io.bundle.channels.v1: stable
operators.operatorframework.io.bundle.manifests.v1: manifests/ operators.operatorframework.io.bundle.manifests.v1: manifests/
operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
operators.operatorframework.io.bundle.package.v1: cluster-manager operators.operatorframework.io.bundle.metadata.v1: metadata/
operators.operatorframework.io.bundle.channels.v1: alpha operators.operatorframework.io.bundle.package.v1: cluster-manager
operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0
operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3


@@ -1,4 +1,2 @@
version: "3"
layout:
- go.kubebuilder.io/v3
projectName: klusterlet projectName: klusterlet
version: 2


@@ -39,22 +39,12 @@ spec:
values: values:
- klusterlet - klusterlet
serviceAccountName: klusterlet serviceAccountName: klusterlet
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: klusterlet - name: klusterlet
image: quay.io/open-cluster-management/registration-operator:latest image: quay.io/open-cluster-management/registration-operator:latest
args: args:
- "/registration-operator" - "/registration-operator"
- "klusterlet" - "klusterlet"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
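Review bot: The new side of this hunk drops the pod-level `runAsNonRoot: true` / `seccompProfile.type: RuntimeDefault` and the container-level `allowPrivilegeEscalation: false` / `capabilities.drop: [ALL]` / `privileged: false` from the klusterlet Deployment, so the operator pod no longer meets the PodSecurity `restricted` profile and a namespace enforcing that level would refuse to admit it, while one at warn level reproduces the warnings the reverted change removed. These are plain Pod API fields with no dependency on the bundle tooling, so they could presumably be kept even if the rest of the revert is needed for regeneration reasons. If the hardening genuinely has to go for now, a comment above `containers:` such as `# TODO: restore restricted-profile securityContext (pod + container)` would keep the regression visible to the next reader. The enclosing Deployment spec starts and ends outside this hunk.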


@@ -39,10 +39,10 @@ metadata:
categories: Integration & Delivery,OpenShift Optional categories: Integration & Delivery,OpenShift Optional
certified: "false" certified: "false"
containerImage: quay.io/open-cluster-management/registration-operator:latest containerImage: quay.io/open-cluster-management/registration-operator:latest
createdAt: "2023-08-15T09:59:53Z" createdAt: "2023-05-24T20:00:31Z"
description: Manages the installation and upgrade of the Klusterlet. description: Manages the installation and upgrade of the Klusterlet.
operators.operatorframework.io/builder: operator-sdk-v1.28.0 operators.operatorframework.io/builder: operator-sdk-v1.1.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 operators.operatorframework.io/project_layout: go
repository: https://github.com/open-cluster-management-io/registration-operator repository: https://github.com/open-cluster-management-io/registration-operator
support: Red Hat, Inc. support: Red Hat, Inc.
name: klusterlet.v0.12.0 name: klusterlet.v0.12.0
@@ -51,8 +51,7 @@ spec:
apiservicedefinitions: {} apiservicedefinitions: {}
customresourcedefinitions: customresourcedefinitions:
owned: owned:
- description: Klusterlet defines the configurations of agents running on the - description: Klusterlet defines the configurations of agents running on the managed cluster
managed cluster
displayName: Klusterlet displayName: Klusterlet
kind: Klusterlet kind: Klusterlet
name: klusterlets.operator.open-cluster-management.io name: klusterlets.operator.open-cluster-management.io
@@ -238,9 +237,7 @@ spec:
- patch - patch
serviceAccountName: klusterlet serviceAccountName: klusterlet
deployments: deployments:
- label: - name: klusterlet
app: klusterlet
name: klusterlet
spec: spec:
replicas: 3 replicas: 3
selector: selector:
@@ -298,16 +295,6 @@ spec:
requests: requests:
cpu: 100m cpu: 100m
memory: 128Mi memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: klusterlet serviceAccountName: klusterlet
strategy: deployment strategy: deployment
installModes: installModes:
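Review bot: The `securityContext` stanzas removed from the klusterlet Deployment inside the CSV (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `privileged: false` on the container; `runAsNonRoot: true` and `seccompProfile.type: RuntimeDefault` on the pod) are ordinary Pod API fields, not bundle-format metadata, so an OLM install of this version now runs the operator without those restrictions and no longer satisfies the `restricted` PodSecurity level the previous manifest met. If the CSV is regenerated from a config directory, re-adding the two blocks to the generator input would let them survive regeneration regardless of which bundle tool version is in use. Where the revert is deliberate, the `description` annotation or a line comment near `serviceAccountName: klusterlet` stating that the hardened securityContext was intentionally rolled back would save reviewers from re-raising it. The `deployments` entry continues outside this hunk.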


@@ -15,33 +15,21 @@ spec:
- name: v1 - name: v1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: Klusterlet represents controllers to install the resources for description: Klusterlet represents controllers to install the resources for a managed cluster. When configured, the Klusterlet requires a secret named bootstrap-hub-kubeconfig in the agent namespace to allow API requests to the hub for the registration protocol. In Hosted mode, the Klusterlet requires an additional secret named external-managed-kubeconfig in the agent namespace to allow API requests to the managed cluster for resources installation.
a managed cluster. When configured, the Klusterlet requires a secret named
bootstrap-hub-kubeconfig in the agent namespace to allow API requests to
the hub for the registration protocol. In Hosted mode, the Klusterlet requires
an additional secret named external-managed-kubeconfig in the agent namespace
to allow API requests to the managed cluster for resources installation.
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
spec: spec:
description: Spec represents the desired deployment configuration of Klusterlet description: Spec represents the desired deployment configuration of Klusterlet agent.
agent.
properties: properties:
clusterName: clusterName:
description: ClusterName is the name of the managed cluster to be description: ClusterName is the name of the managed cluster to be created on hub. The Klusterlet agent generates a random name if it is not set, or discovers the appropriate cluster name on OpenShift.
created on hub. The Klusterlet agent generates a random name if
it is not set, or discovers the appropriate cluster name on OpenShift.
maxLength: 63 maxLength: 63
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string type: string
@@ -49,43 +37,25 @@ spec:
description: DeployOption contains the options of deploying a klusterlet description: DeployOption contains the options of deploying a klusterlet
properties: properties:
mode: mode:
description: 'Mode can be Default, Hosted or Singleton. It is description: 'Mode can be Default, Hosted or Singleton. It is Default mode if not specified In Default mode, all klusterlet related resources are deployed on the managed cluster. In Hosted mode, only crd and configurations are installed on the spoke/managed cluster. Controllers run in another cluster (defined as management-cluster) and connect to the mangaged cluster with the kubeconfig in secret of "external-managed-kubeconfig"(a kubeconfig of managed-cluster with cluster-admin permission). In Singleton mode, registration/work agent is started as a single deployment. Note: Do not modify the Mode field once it''s applied.'
Default mode if not specified In Default mode, all klusterlet
related resources are deployed on the managed cluster. In Hosted
mode, only crd and configurations are installed on the spoke/managed
cluster. Controllers run in another cluster (defined as management-cluster)
and connect to the mangaged cluster with the kubeconfig in secret
of "external-managed-kubeconfig"(a kubeconfig of managed-cluster
with cluster-admin permission). In Singleton mode, registration/work
agent is started as a single deployment. Note: Do not modify
the Mode field once it''s applied.'
type: string type: string
type: object type: object
externalServerURLs: externalServerURLs:
description: ExternalServerURLs represents the a list of apiserver description: ExternalServerURLs represents the a list of apiserver urls and ca bundles that is accessible externally If it is set empty, managed cluster has no externally accessible url that hub cluster can visit.
urls and ca bundles that is accessible externally If it is set empty,
managed cluster has no externally accessible url that hub cluster
can visit.
items: items:
description: ServerURL represents the apiserver url and ca bundle description: ServerURL represents the apiserver url and ca bundle that is accessible externally
that is accessible externally
properties: properties:
caBundle: caBundle:
description: CABundle is the ca bundle to connect to apiserver description: CABundle is the ca bundle to connect to apiserver of the managed cluster. System certs are used if it is not set.
of the managed cluster. System certs are used if it is not
set.
format: byte format: byte
type: string type: string
url: url:
description: URL is the url of apiserver endpoint of the managed description: URL is the url of apiserver endpoint of the managed cluster.
cluster.
type: string type: string
type: object type: object
type: array type: array
hubApiServerHostAlias: hubApiServerHostAlias:
description: HubApiServerHostAlias contains the host alias for hub description: HubApiServerHostAlias contains the host alias for hub api server. registration-agent and work-agent will use it to communicate with hub api server.
api server. registration-agent and work-agent will use it to communicate
with hub api server.
properties: properties:
hostname: hostname:
description: Hostname for the above IP address. description: Hostname for the above IP address.
@@ -100,108 +70,59 @@ spec:
- ip - ip
type: object type: object
imagePullSpec: imagePullSpec:
description: ImagePullSpec represents the desired image configuration description: ImagePullSpec represents the desired image configuration of agent, it takes effect only when singleton mode is set. quay.io/open-cluster-management.io/registration-operator:latest will be used if unspecified
of agent, it takes effect only when singleton mode is set. quay.io/open-cluster-management.io/registration-operator:latest
will be used if unspecified
type: string type: string
namespace: namespace:
description: Namespace is the namespace to deploy the agent on the description: Namespace is the namespace to deploy the agent on the managed cluster. The namespace must have a prefix of "open-cluster-management-", and if it is not set, the namespace of "open-cluster-management-agent" is used to deploy agent. In addition, the add-ons are deployed to the namespace of "{Namespace}-addon". In the Hosted mode, this namespace still exists on the managed cluster to contain necessary resources, like service accounts, roles and rolebindings, while the agent is deployed to the namespace with the same name as klusterlet on the management cluster.
managed cluster. The namespace must have a prefix of "open-cluster-management-",
and if it is not set, the namespace of "open-cluster-management-agent"
is used to deploy agent. In addition, the add-ons are deployed to
the namespace of "{Namespace}-addon". In the Hosted mode, this namespace
still exists on the managed cluster to contain necessary resources,
like service accounts, roles and rolebindings, while the agent is
deployed to the namespace with the same name as klusterlet on the
management cluster.
maxLength: 63 maxLength: 63
pattern: ^open-cluster-management-[-a-z0-9]*[a-z0-9]$ pattern: ^open-cluster-management-[-a-z0-9]*[a-z0-9]$
type: string type: string
nodePlacement: nodePlacement:
description: NodePlacement enables explicit control over the scheduling description: NodePlacement enables explicit control over the scheduling of the deployed pods.
of the deployed pods.
properties: properties:
nodeSelector: nodeSelector:
additionalProperties: additionalProperties:
type: string type: string
description: NodeSelector defines which Nodes the Pods are scheduled description: NodeSelector defines which Nodes the Pods are scheduled on. The default is an empty list.
on. The default is an empty list.
type: object type: object
tolerations: tolerations:
description: Tolerations is attached by pods to tolerate any taint description: Tolerations is attached by pods to tolerate any taint that matches the triple <key,value,effect> using the matching operator <operator>. The default is an empty list.
that matches the triple <key,value,effect> using the matching
operator <operator>. The default is an empty list.
items: items:
description: The pod this Toleration is attached to tolerates description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
any taint that matches the triple <key,value,effect> using
the matching operator <operator>.
properties: properties:
effect: effect:
description: Effect indicates the taint effect to match. description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Empty means match all taint effects. When specified, allowed
values are NoSchedule, PreferNoSchedule and NoExecute.
type: string type: string
key: key:
description: Key is the taint key that the toleration applies description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
to. Empty means match all taint keys. If the key is empty,
operator must be Exists; this combination means to match
all values and all keys.
type: string type: string
operator: operator:
description: Operator represents a key's relationship to description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
the value. Valid operators are Exists and Equal. Defaults
to Equal. Exists is equivalent to wildcard for value,
so that a pod can tolerate all taints of a particular
category.
type: string type: string
tolerationSeconds: tolerationSeconds:
description: TolerationSeconds represents the period of description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
time the toleration (which must be of effect NoExecute,
otherwise this field is ignored) tolerates the taint.
By default, it is not set, which means tolerate the taint
forever (do not evict). Zero and negative values will
be treated as 0 (evict immediately) by the system.
format: int64 format: int64
type: integer type: integer
value: value:
description: Value is the taint value the toleration matches description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
to. If the operator is Exists, the value should be empty,
otherwise just a regular string.
type: string type: string
type: object type: object
type: array type: array
type: object type: object
registrationConfiguration: registrationConfiguration:
description: RegistrationConfiguration contains the configuration description: RegistrationConfiguration contains the configuration of registration
of registration
properties: properties:
clientCertExpirationSeconds: clientCertExpirationSeconds:
description: clientCertExpirationSeconds represents the seconds description: clientCertExpirationSeconds represents the seconds of a client certificate to expire. If it is not set or 0, the default duration seconds will be set by the hub cluster. If the value is larger than the max signing duration seconds set on the hub cluster, the max signing duration seconds will be set.
of a client certificate to expire. If it is not set or 0, the
default duration seconds will be set by the hub cluster. If
the value is larger than the max signing duration seconds set
on the hub cluster, the max signing duration seconds will be
set.
format: int32 format: int32
type: integer type: integer
clusterAnnotations: clusterAnnotations:
additionalProperties: additionalProperties:
type: string type: string
description: ClusterAnnotations is annotations with the reserve description: ClusterAnnotations is annotations with the reserve prefix "agent.open-cluster-management.io" set on ManagedCluster when creating only, other actors can update it afterwards.
prefix "agent.open-cluster-management.io" set on ManagedCluster
when creating only, other actors can update it afterwards.
type: object type: object
featureGates: featureGates:
description: 'FeatureGates represents the list of feature gates description: 'FeatureGates represents the list of feature gates for registration If it is set empty, default feature gates will be used. If it is set, featuregate/Foo is an example of one item in FeatureGates: 1. If featuregate/Foo does not exist, registration-operator will discard it 2. If featuregate/Foo exists and is false by default. It is now possible to set featuregate/Foo=[false|true] 3. If featuregate/Foo exists and is true by default. If a cluster-admin upgrading from 1 to 2 wants to continue having featuregate/Foo=false, he can set featuregate/Foo=false before upgrading. Let''s say the cluster-admin wants featuregate/Foo=false.'
for registration If it is set empty, default feature gates will
be used. If it is set, featuregate/Foo is an example of one
item in FeatureGates: 1. If featuregate/Foo does not exist,
registration-operator will discard it 2. If featuregate/Foo
exists and is false by default. It is now possible to set featuregate/Foo=[false|true]
3. If featuregate/Foo exists and is true by default. If a cluster-admin
upgrading from 1 to 2 wants to continue having featuregate/Foo=false,
he can set featuregate/Foo=false before upgrading. Let''s say
the cluster-admin wants featuregate/Foo=false.'
items: items:
properties: properties:
feature: feature:
@@ -209,11 +130,7 @@ spec:
type: string type: string
mode: mode:
default: Disable default: Disable
description: Mode is either Enable, Disable, "" where "" description: Mode is either Enable, Disable, "" where "" is Disable by default. In Enable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=true". In Disable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=false".
is Disable by default. In Enable mode, a valid feature
gate `featuregate/Foo` will be set to "--featuregate/Foo=true".
In Disable mode, a valid feature gate `featuregate/Foo`
will be set to "--featuregate/Foo=false".
enum: enum:
- Enable - Enable
- Disable - Disable
@@ -224,24 +141,13 @@ spec:
type: array type: array
type: object type: object
registrationImagePullSpec: registrationImagePullSpec:
description: RegistrationImagePullSpec represents the desired image description: RegistrationImagePullSpec represents the desired image configuration of registration agent. quay.io/open-cluster-management.io/registration:latest will be used if unspecified.
configuration of registration agent. quay.io/open-cluster-management.io/registration:latest
will be used if unspecified.
type: string type: string
workConfiguration: workConfiguration:
description: WorkConfiguration contains the configuration of work description: WorkConfiguration contains the configuration of work
properties: properties:
featureGates: featureGates:
description: 'FeatureGates represents the list of feature gates description: 'FeatureGates represents the list of feature gates for work If it is set empty, default feature gates will be used. If it is set, featuregate/Foo is an example of one item in FeatureGates: 1. If featuregate/Foo does not exist, registration-operator will discard it 2. If featuregate/Foo exists and is false by default. It is now possible to set featuregate/Foo=[false|true] 3. If featuregate/Foo exists and is true by default. If a cluster-admin upgrading from 1 to 2 wants to continue having featuregate/Foo=false, he can set featuregate/Foo=false before upgrading. Let''s say the cluster-admin wants featuregate/Foo=false.'
for work If it is set empty, default feature gates will be used.
If it is set, featuregate/Foo is an example of one item in FeatureGates:
1. If featuregate/Foo does not exist, registration-operator
will discard it 2. If featuregate/Foo exists and is false by
default. It is now possible to set featuregate/Foo=[false|true]
3. If featuregate/Foo exists and is true by default. If a cluster-admin
upgrading from 1 to 2 wants to continue having featuregate/Foo=false,
he can set featuregate/Foo=false before upgrading. Let''s say
the cluster-admin wants featuregate/Foo=false.'
items: items:
properties: properties:
feature: feature:
@@ -249,11 +155,7 @@ spec:
type: string type: string
mode: mode:
default: Disable default: Disable
description: Mode is either Enable, Disable, "" where "" description: Mode is either Enable, Disable, "" where "" is Disable by default. In Enable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=true". In Disable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=false".
is Disable by default. In Enable mode, a valid feature
gate `featuregate/Foo` will be set to "--featuregate/Foo=true".
In Disable mode, a valid feature gate `featuregate/Foo`
will be set to "--featuregate/Foo=false".
enum: enum:
- Enable - Enable
- Disable - Disable
@@ -264,61 +166,32 @@ spec:
type: array type: array
type: object type: object
workImagePullSpec: workImagePullSpec:
description: WorkImagePullSpec represents the desired image configuration description: WorkImagePullSpec represents the desired image configuration of work agent. quay.io/open-cluster-management.io/work:latest will be used if unspecified.
of work agent. quay.io/open-cluster-management.io/work:latest will
be used if unspecified.
type: string type: string
type: object type: object
status: status:
description: Status represents the current status of Klusterlet agent. description: Status represents the current status of Klusterlet agent.
properties: properties:
conditions: conditions:
description: 'Conditions contain the different condition statuses description: 'Conditions contain the different condition statuses for this Klusterlet. Valid condition types are: Applied: Components have been applied in the managed cluster. Available: Components in the managed cluster are available and ready to serve. Progressing: Components in the managed cluster are in a transitioning state. Degraded: Components in the managed cluster do not match the desired configuration and only provide degraded service.'
for this Klusterlet. Valid condition types are: Applied: Components
have been applied in the managed cluster. Available: Components
in the managed cluster are available and ready to serve. Progressing:
Components in the managed cluster are in a transitioning state.
Degraded: Components in the managed cluster do not match the desired
configuration and only provide degraded service.'
items: items:
description: "Condition contains details for one aspect of the current description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties: properties:
lastTransitionTime: lastTransitionTime:
description: lastTransitionTime is the last time the condition description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time format: date-time
type: string type: string
message: message:
description: message is a human readable message indicating description: message is a human readable message indicating details about the transition. This may be an empty string.
details about the transition. This may be an empty string.
maxLength: 32768 maxLength: 32768
type: string type: string
observedGeneration: observedGeneration:
description: observedGeneration represents the .metadata.generation description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64 format: int64
minimum: 0 minimum: 0
type: integer type: integer
reason: reason:
description: reason contains a programmatic identifier indicating description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024 maxLength: 1024
minLength: 1 minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -331,11 +204,7 @@ spec:
- Unknown - Unknown
type: string type: string
type: type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316 maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string type: string
@@ -348,54 +217,42 @@ spec:
type: object type: object
type: array type: array
generations: generations:
description: Generations are used to determine when an item needs description: Generations are used to determine when an item needs to be reconciled or has changed in a way that needs a reaction.
to be reconciled or has changed in a way that needs a reaction.
items: items:
description: GenerationStatus keeps track of the generation for description: GenerationStatus keeps track of the generation for a given resource so that decisions about forced updates can be made. The definition matches the GenerationStatus defined in github.com/openshift/api/v1
a given resource so that decisions about forced updates can be
made. The definition matches the GenerationStatus defined in github.com/openshift/api/v1
properties: properties:
group: group:
description: group is the group of the resource that you're description: group is the group of the resource that you're tracking
tracking
type: string type: string
lastGeneration: lastGeneration:
description: lastGeneration is the last generation of the resource description: lastGeneration is the last generation of the resource that controller applies
that controller applies
format: int64 format: int64
type: integer type: integer
name: name:
description: name is the name of the resource that you're tracking description: name is the name of the resource that you're tracking
type: string type: string
namespace: namespace:
description: namespace is where the resource that you're tracking description: namespace is where the resource that you're tracking is
is
type: string type: string
resource: resource:
description: resource is the resource type of the resource that description: resource is the resource type of the resource that you're tracking
you're tracking
type: string type: string
version: version:
description: version is the version of the resource that you're description: version is the version of the resource that you're tracking
tracking
type: string type: string
type: object type: object
type: array type: array
observedGeneration: observedGeneration:
description: ObservedGeneration is the last generation change you've description: ObservedGeneration is the last generation change you've dealt with
dealt with
format: int64 format: int64
type: integer type: integer
relatedResources: relatedResources:
description: RelatedResources are used to track the resources that description: RelatedResources are used to track the resources that are related to this Klusterlet.
are related to this Klusterlet.
items: items:
description: RelatedResourceMeta represents the resource that is description: RelatedResourceMeta represents the resource that is managed by an operator
managed by an operator
properties: properties:
group: group:
description: group is the group of the resource that you're description: group is the group of the resource that you're tracking
tracking
type: string type: string
name: name:
description: name is the name of the resource that you're tracking description: name is the name of the resource that you're tracking
@@ -404,8 +261,7 @@ spec:
description: namespace is where the thing you're tracking is description: namespace is where the thing you're tracking is
type: string type: string
resource: resource:
description: resource is the resource type of the resource that description: resource is the resource type of the resource that you're tracking
you're tracking
type: string type: string
version: version:
description: version is the version of the thing you're tracking description: version is the version of the thing you're tracking


@@ -1,10 +1,7 @@
annotations: annotations:
# Core bundle annotations. operators.operatorframework.io.bundle.channel.default.v1: stable
operators.operatorframework.io.bundle.mediatype.v1: registry+v1 operators.operatorframework.io.bundle.channels.v1: stable
operators.operatorframework.io.bundle.manifests.v1: manifests/ operators.operatorframework.io.bundle.manifests.v1: manifests/
operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
operators.operatorframework.io.bundle.package.v1: klusterlet operators.operatorframework.io.bundle.metadata.v1: metadata/
operators.operatorframework.io.bundle.channels.v1: alpha operators.operatorframework.io.bundle.package.v1: klusterlet
operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0
operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3


@@ -39,10 +39,6 @@ spec:
{{ if not .HostedMode }} {{ if not .HostedMode }}
serviceAccountName: addon-manager-controller-sa serviceAccountName: addon-manager-controller-sa
{{ end }} {{ end }}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: addon-manager-controller - name: addon-manager-controller
image: {{ .AddOnManagerImage }} image: {{ .AddOnManagerImage }}
@@ -63,6 +59,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
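Review bot: No seccomp profile remains in this deployment template at either pod or container level once the pod-level `securityContext` block (`runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`) is dropped, while only `runAsNonRoot: true` is re-added under the container `securityContext`. The restricted PodSecurity profile requires `seccompProfile.type` to be `RuntimeDefault` or `Localhost`, so the admission warnings the reverted commit addressed will presumably return for this pod, and unless the kubelet is configured to apply RuntimeDefault by default the container runs without a seccomp filter at all. If the revert is needed for other reasons (the operator-sdk downgrade, for instance), the container-level `securityContext` could still carry `seccompProfile:` / `  type: RuntimeDefault` beside `runAsNonRoot: true`, which keeps that hardening independent of the pod-level block. The same pattern repeats in the work-controller, placement-controller, hub-registration-controller, registration and work webhook, klusterlet-agent, registration-controller and klusterlet-manifestwork-agent templates below. The container `securityContext` block begins outside this hunk, so whether `allowPrivilegeEscalation` is also set there cannot be judged from the visible lines.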


@@ -39,10 +39,6 @@ spec:
{{ if not .HostedMode }} {{ if not .HostedMode }}
serviceAccountName: work-controller-sa serviceAccountName: work-controller-sa
{{ end }} {{ end }}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: {{ .ClusterManagerName }}-work-controller - name: {{ .ClusterManagerName }}-work-controller
image: {{ .WorkImage }} image: {{ .WorkImage }}
@@ -59,6 +55,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz


@@ -39,10 +39,6 @@ spec:
{{ if not .HostedMode }} {{ if not .HostedMode }}
serviceAccountName: placement-controller-sa serviceAccountName: placement-controller-sa
{{ end }} {{ end }}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: placement-controller - name: placement-controller
image: {{ .PlacementImage }} image: {{ .PlacementImage }}
@@ -58,6 +54,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz


@@ -39,10 +39,6 @@ spec:
{{ if not .HostedMode }} {{ if not .HostedMode }}
serviceAccountName: registration-controller-sa serviceAccountName: registration-controller-sa
{{ end }} {{ end }}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: hub-registration-controller - name: hub-registration-controller
image: {{ .RegistrationImage }} image: {{ .RegistrationImage }}
@@ -66,6 +62,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz


@@ -39,10 +39,6 @@ spec:
{{ if not .HostedMode }} {{ if not .HostedMode }}
serviceAccountName: registration-webhook-sa serviceAccountName: registration-webhook-sa
{{ end }} {{ end }}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: {{ .ClusterManagerName }}-webhook - name: {{ .ClusterManagerName }}-webhook
image: {{ .RegistrationImage }} image: {{ .RegistrationImage }}
@@ -70,6 +66,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz


@@ -39,10 +39,6 @@ spec:
{{ if not .HostedMode }} {{ if not .HostedMode }}
serviceAccountName: work-webhook-sa serviceAccountName: work-webhook-sa
{{ end }} {{ end }}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: {{ .ClusterManagerName }}-webhook - name: {{ .ClusterManagerName }}-webhook
image: {{ .WorkImage }} image: {{ .WorkImage }}
@@ -64,6 +60,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz


@@ -46,10 +46,6 @@ spec:
values: values:
- klusterlet-registration-agent - klusterlet-registration-agent
serviceAccountName: {{ .KlusterletName }}-agent-sa serviceAccountName: {{ .KlusterletName }}-agent-sa
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: klusterlet-agent - name: klusterlet-agent
image: {{ .SingletonImage }} image: {{ .SingletonImage }}
@@ -88,6 +84,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
volumeMounts: volumeMounts:
- name: bootstrap-secret - name: bootstrap-secret
mountPath: "/spoke/bootstrap" mountPath: "/spoke/bootstrap"


@@ -46,10 +46,6 @@ spec:
values: values:
- klusterlet-registration-agent - klusterlet-registration-agent
serviceAccountName: {{ .KlusterletName }}-registration-sa serviceAccountName: {{ .KlusterletName }}-registration-sa
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: registration-controller - name: registration-controller
image: {{ .RegistrationImage }} image: {{ .RegistrationImage }}
@@ -86,6 +82,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
volumeMounts: volumeMounts:
- name: bootstrap-secret - name: bootstrap-secret
mountPath: "/spoke/bootstrap" mountPath: "/spoke/bootstrap"


@@ -46,10 +46,6 @@ spec:
values: values:
- klusterlet-manifestwork-agent - klusterlet-manifestwork-agent
serviceAccountName: {{ .KlusterletName }}-work-sa serviceAccountName: {{ .KlusterletName }}-work-sa
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: klusterlet-manifestwork-agent - name: klusterlet-manifestwork-agent
image: {{ .WorkImage }} image: {{ .WorkImage }}
@@ -78,6 +74,7 @@ spec:
drop: drop:
- ALL - ALL
privileged: false privileged: false
runAsNonRoot: true
volumeMounts: volumeMounts:
- name: hub-kubeconfig-secret - name: hub-kubeconfig-secret
mountPath: "/spoke/hub-kubeconfig" mountPath: "/spoke/hub-kubeconfig"