From 75510c3c34329d7f406aae671ca97042709be53b Mon Sep 17 00:00:00 2001
From: origin-release-container
Date: Mon, 28 Oct 2024 17:52:55 +0000
Subject: [PATCH] update api validation on minimumKubeletVersion
Signed-off-by: Peter Hunt
---
 .../MinimumKubeletVersion.yaml | 19 +++++++++++++++++++
 config/v1/types_node.go | 16 +++++++++++++---
 ...operator_01_nodes-CustomNoUpgrade.crd.yaml | 17 +++++++++++++++--
 ...ator_01_nodes-DevPreviewNoUpgrade.crd.yaml | 17 +++++++++++++++--
 ...tor_01_nodes-TechPreviewNoUpgrade.crd.yaml | 17 +++++++++++++++--
 .../MinimumKubeletVersion.yaml | 17 +++++++++++++++--
 .../v1/zz_generated.swagger_doc_generated.go | 2 +-
 kubecontrolplane/v1/types.go | 16 ++++++++++++++--
 .../v1/zz_generated.swagger_doc_generated.go | 2 +-
 .../generated_openapi/zz_generated.openapi.go | 6 ++++--
 openapi/openapi.json | 10 ++++++----
 ...operator_01_nodes-CustomNoUpgrade.crd.yaml | 17 +++++++++++++++--
 ...ator_01_nodes-DevPreviewNoUpgrade.crd.yaml | 17 +++++++++++++++--
 ...tor_01_nodes-TechPreviewNoUpgrade.crd.yaml | 17 +++++++++++++++--
 14 files changed, 163 insertions(+), 27 deletions(-)
diff --git a/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml b/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml
index 41ed1e8c072..8c8ff0fa327 100644
--- a/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml
+++ b/config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml
@@ -1,6 +1,7 @@
 apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
 name: "Node"
 crdName: nodes.config.openshift.io
+featureGate: MinimumKubeletVersion
 tests:
 onCreate:
 - name: Should be able to create a minimal Node
@@ -12,3 +13,21 @@ tests:
 apiVersion: config.openshift.io/v1
 kind: Node
 spec: {}
+ - name: Should be able to create a minimumKubeletVersion
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec:
+ minimumKubeletVersion: 1.30.0
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec:
+ minimumKubeletVersion: 1.30.0
+ - name: Should fail to create a bogus version
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Node
+ spec:
+ minimumKubeletVersion: bogus
+ expectedError: "Invalid value: \"string\": minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
diff --git a/config/v1/types_node.go b/config/v1/types_node.go
index 20b536a2bf2..a50328c91f6 100644
--- a/config/v1/types_node.go
+++ b/config/v1/types_node.go
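Review bot: The only rejected input in this test file (config/v1/tests/nodes.config.openshift.io/MinimumKubeletVersion.yaml) is `bogus`, which never exercises the separators or the length cap, so a rule that admits `"1.30"` or `1x30y0` still passes the suite. The CEL rule added in config/v1/types_node.go uses `.` unescaped and would admit both today, so the cases below only pass once that rule matches literal dots; a case for a value longer than 8 characters is worth adding as well. The expected message also preserves the typo `minmumKubeletVersion`, which first appears here and recurs in both types.go markers and every regenerated CRD; correct it to `minimumKubeletVersion` in all of them in one change (the cases below use the corrected spelling).

```yaml
  # … unchanged: existing onCreate cases …
  - name: Should fail to create a version with only two components
    initial: |
      apiVersion: config.openshift.io/v1
      kind: Node
      spec:
        minimumKubeletVersion: "1.30"
    expectedError: "Invalid value: \"string\": minimumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
  - name: Should fail to create a version with non-dot separators
    initial: |
      apiVersion: config.openshift.io/v1
      kind: Node
      spec:
        minimumKubeletVersion: 1x30y0
    expectedError: "Invalid value: \"string\": minimumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
```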
@@ -47,14 +47,24 @@ type NodeSpec struct {
 // +optional
 WorkerLatencyProfile WorkerLatencyProfileType `json:"workerLatencyProfile,omitempty"`
 
- // MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster.
+ // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
 // Specifically, the apiserver will deny most authorization requests of kubelets that are older
 // than the specified version, only allowing the kubelet to get and update its node object, and perform
 // subjectaccessreviews.
- // +kubebuilder:validation:Pattern=`^[0-9]*\.[0-9]*\.[0-9]*$`
+ // This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ // and will eventually be marked as not ready.
+ // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ // Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ // the underlying kubernetes version this version of Openshift is based off of.
+ // In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ // they should set the minimumKubeletVersion to 1.30.0.
+ // When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ // Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
+ // +kubebuilder:validation:MaxLength:=8
 // +openshift:enable:FeatureGate=MinimumKubeletVersion
 // +optional
- MinimumKubeletVersion string `json:"minimumKubeletVersion,omitempty"`
+ MinimumKubeletVersion string `json:"minimumKubeletVersion"`
 }
 
 type NodeStatus struct {
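Review bot: The CEL rule on MinimumKubeletVersion matches `'^[0-9]*.[0-9]*.[0-9]*$'`, where the dots are unescaped (the removed Pattern marker had `\.`) and every digit group may be empty, so `1x30y0`, `1.30` and `..` all satisfy it although the message promises x.y.z. This field decides which kubelets the apiserver authorizes, so a value that passes admission without being a parseable version leaves the outcome to the consumer's parser, which is not visible here and should be confirmed to fail closed. A character class sidesteps marker and CEL escaping: `self.matches('^[0-9]+[.][0-9]+[.][0-9]+$')`. The same rule is repeated in kubecontrolplane/v1/types.go and the regenerated CRD manifests, and the doc line "any kubelet that attempts to join the cluster" should read "any kubelet older than this version". The NodeSpec struct begins outside the hunk.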
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml index 121a47ac41a..469400577ae 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml 
@@ -55,12 +55,25 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + and will eventually be marked as not ready. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + the underlying kubernetes version this version of Openshift is based off of. + In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + they should set the minimumKubeletVersion to 1.30.0. + When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml index 3b6f33dffaa..99b124d5728 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml 
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml @@ -55,12 +55,25 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + and will eventually be marked as not ready. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + the underlying kubernetes version this version of Openshift is based off of. + In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + they should set the minimumKubeletVersion to 1.30.0. + When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml index 3e92f0df978..8db838df772 100644 
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml @@ -55,12 +55,25 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + and will eventually be marked as not ready. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + the underlying kubernetes version this version of Openshift is based off of. + In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + they should set the minimumKubeletVersion to 1.30.0. + When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating 
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml b/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml index 2a9d9f372a9..ffce7121a41 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml 
@@ -55,12 +55,25 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + and will eventually be marked as not ready. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + the underlying kubernetes version this version of Openshift is based off of. + In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + they should set the minimumKubeletVersion to 1.30.0. + When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 2ce5ea99f67..145a7e4c041 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2090,7 +2090,7 @@ func (NodeList) SwaggerDoc() map[string]string { var map_NodeSpec = map[string]string{ "cgroupMode": "CgroupMode determines the cgroups version on the node", "workerLatencyProfile": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster", - "minimumKubeletVersion": "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", } func (NodeSpec) SwaggerDoc() map[string]string { diff --git a/kubecontrolplane/v1/types.go b/kubecontrolplane/v1/types.go index 31a0a8b7826..6d29f42e3fc 100644 --- a/kubecontrolplane/v1/types.go 
+++ b/kubecontrolplane/v1/types.go
@@ -63,12 +63,24 @@ type KubeAPIServerConfig struct {
 // TODO this needs to be removed.
 APIServerArguments map[string]Arguments `json:"apiServerArguments"`
 
- // MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster.
+ // minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
 // Specifically, the apiserver will deny most authorization requests of kubelets that are older
 // than the specified version, only allowing the kubelet to get and update its node object, and perform
 // subjectaccessreviews.
+ // This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+ // and will eventually be marked as not ready.
+ // Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+ // Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+ // the underlying kubernetes version this version of Openshift is based off of.
+ // In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+ // they should set the minimumKubeletVersion to 1.30.0.
+ // When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+ // Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+ // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
+ // +kubebuilder:validation:MaxLength:=8
 // +openshift:enable:FeatureGate=MinimumKubeletVersion
- MinimumKubeletVersion string `json:"minimumKubeletVersion,omitempty"`
+ // +optional
+ MinimumKubeletVersion string `json:"minimumKubeletVersion"`
 }
 
 // Arguments masks the value so protobuf can generate
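Review bot: The XValidation and MaxLength markers added to KubeAPIServerConfig.MinimumKubeletVersion are probably not enforced anywhere, because the diffstat regenerates only this package's swagger doc and the OpenAPI description and no CRD manifest for it. If that holds, whatever loads this config must validate the value itself and refuse to start, or otherwise fail closed, on an unparseable version rather than skip the kubelet check. Either drop the markers here or add a comment such as `// NOTE(review): validation markers are not enforced for this type; the consumer must validate` so readers do not assume admission-time checking. The KubeAPIServerConfig struct begins outside the hunk.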
diff --git a/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go b/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go index 75264a69bff..5ecdd058392 100644 --- a/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go +++ b/kubecontrolplane/v1/zz_generated.swagger_doc_generated.go 
@@ -33,7 +33,7 @@ var map_KubeAPIServerConfig = map[string]string{ "projectConfig": "projectConfig feeds an admission plugin", "serviceAccountPublicKeyFiles": "serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key. (If any file contains a private key, the public portion of the key is used) The list of public keys is used to verify presented service account tokens. Each key is tried in order until the list is exhausted or verification succeeds. If no keys are specified, no service account authentication will be available.", "oauthConfig": "oauthConfig, if present start the /oauth endpoint in this process", - "minimumKubeletVersion": "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + "minimumKubeletVersion": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. 
When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", } func (KubeAPIServerConfig) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index ae21056c5d5..d500ddeee7e 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -15554,7 +15554,8 @@ func schema_openshift_api_config_v1_NodeSpec(ref common.ReferenceCallback) commo }, "minimumKubeletVersion": { SchemaProps: spec.SchemaProps{ - Description: "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", + Default: "", Type: []string{"string"}, Format: "", }, 
@@ -26508,7 +26509,8 @@ func schema_openshift_api_kubecontrolplane_v1_KubeAPIServerConfig(ref common.Ref }, "minimumKubeletVersion": { SchemaProps: spec.SchemaProps{ - Description: "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", + Description: "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", + Default: "", Type: []string{"string"}, Format: "", }, diff --git a/openapi/openapi.json b/openapi/openapi.json index 19ac8961af7..5decc918e27 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -8271,8 +8271,9 @@ "type": "string" }, "minimumKubeletVersion": { - "description": "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", - "type": "string" + "description": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", + "type": "string", + "default": "" }, "workerLatencyProfile": { "description": "WorkerLatencyProfile determins the how fast the kubelet is updating the status and corresponding reaction of the cluster", 
@@ -14791,8 +14792,9 @@ "$ref": "#/definitions/com.github.openshift.api.kubecontrolplane.v1.KubeletConnectionInfo" }, "minimumKubeletVersion": { - "description": "MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews.", - "type": "string" + "description": "minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready. Its max length is 8, so maximum version allowed is either \"9.999.99\" or \"99.99.99\". Since the kubelet reports the version of the kubernetes release, not Openshift, this field references the underlying kubernetes version this version of Openshift is based off of. In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then they should set the minimumKubeletVersion to 1.30.0. When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. Thus, a kubelet with version \"1.0.0-ec.0\" will be compatible with minimumKubeletVersion \"1.0.0\" or earlier.", + "type": "string", + "default": "" }, "oauthConfig": { "description": "oauthConfig, if present start the /oauth endpoint in this process", diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml index 121a47ac41a..469400577ae 100644 
--- a/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml @@ -55,12 +55,25 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + and will eventually be marked as not ready. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + the underlying kubernetes version this version of Openshift is based off of. + In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + they should set the minimumKubeletVersion to 1.30.0. + When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml index 3b6f33dffaa..99b124d5728 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml 
@@ -55,12 +55,25 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + and will eventually be marked as not ready. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + the underlying kubernetes version this version of Openshift is based off of. + In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + they should set the minimumKubeletVersion to 1.30.0. + When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating diff --git a/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml index 3e92f0df978..8db838df772 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml 
+++ b/payload-manifests/crds/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml @@ -55,12 +55,25 @@ spec: type: string minimumKubeletVersion: description: |- - MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. + minimumKubeletVersion is the lowest version of a kubelet that can join the cluster. Specifically, the apiserver will deny most authorization requests of kubelets that are older than the specified version, only allowing the kubelet to get and update its node object, and perform subjectaccessreviews. - pattern: ^[0-9]*\.[0-9]*\.[0-9]*$ + This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads, + and will eventually be marked as not ready. + Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99". + Since the kubelet reports the version of the kubernetes release, not Openshift, this field references + the underlying kubernetes version this version of Openshift is based off of. + In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then + they should set the minimumKubeletVersion to 1.30.0. + When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version. + Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier. + maxLength: 8 type: string + x-kubernetes-validations: + - message: minmumKubeletVersion must be in a semver compatible format + of x.y.z, or empty + rule: self == "" || self.matches('^[0-9]*.[0-9]*.[0-9]*$') workerLatencyProfile: description: |- WorkerLatencyProfile determins the how fast the kubelet is updating