diff --git a/nfd/aggregate/overlays/kata/kustomization.yaml b/nfd/aggregate/overlays/kata/kustomization.yaml
new file mode 100644
index 00000000..4d95486b
--- /dev/null
+++ b/nfd/aggregate/overlays/kata/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+
+namespace: openshift-nfd
+
+resources:
+ - ../../../operator/overlays/stable
+ - ../../../instance/overlays/kata
diff --git a/openshift-sandboxed-containers/instance/base/kustomization.yaml b/nfd/instance/overlays/kata/kustomization.yaml
similarity index 63%
rename from openshift-sandboxed-containers/instance/base/kustomization.yaml
rename to nfd/instance/overlays/kata/kustomization.yaml
index 5581e0b1..a0a718b1 100644
--- a/openshift-sandboxed-containers/instance/base/kustomization.yaml
+++ b/nfd/instance/overlays/kata/kustomization.yaml
@@ -1,6 +1,6 @@
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - cluster-kataconfig-kataconfig.yaml
+ - ../../base
+ - nfd.yaml
diff --git a/nfd/instance/overlays/kata/nfd.yaml b/nfd/instance/overlays/kata/nfd.yaml
new file mode 100644
index 00000000..a5a9e5f6
--- /dev/null
+++ b/nfd/instance/overlays/kata/nfd.yaml
@@ -0,0 +1,20 @@
+apiVersion: nfd.openshift.io/v1
+kind: NodeFeatureDiscovery
+metadata:
+ name: nfd-kata
+ namespace: openshift-nfd
+spec:
+ operand:
+ image: quay.io/openshift/origin-node-feature-discovery:4.12
+ imagePullPolicy: Always
+ servicePort: 12000
+ workerConfig:
+ configData: |
+ sources:
+ custom:
+ - name: "feature.node.kubernetes.io/runtime.kata"
+ matchOn:
+ - cpuId: ["SSE4", "VMX"]
+ loadedKMod: ["kvm", "kvm_intel"]
+ - cpuId: ["SSE4", "SVM"]
+ loadedKMod: ["kvm", "kvm_amd"]
diff --git a/openshift-sandboxed-containers b/openshift-sandboxed-containers
new file mode 120000
index 00000000..d38167b1
--- /dev/null
+++ b/openshift-sandboxed-containers 
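Review bot: `image: quay.io/openshift/origin-node-feature-discovery:4.12` is a floating tag and `imagePullPolicy: Always` sits right below it, so the NFD worker that runs on every node can silently change to a different build of that tag on any pod restart, with nothing in Git recording which build is actually deployed. Pin the operand by digest (`image: quay.io/openshift/origin-node-feature-discovery@sha256:<digest>`) and bump it deliberately, or omit `spec.operand.image` if the NFD operator supplies a default operand matching its own version; `origin-` also appears to be the upstream OKD build rather than the Red Hat-shipped one, which may not be what a `stable`-channel operator expects. The `../../base` this overlay layers on is outside the diff, so I cannot tell whether it already defines a NodeFeatureDiscovery; if it does, `nfd-kata` would add a second set of NFD pods rather than extending the existing worker config.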
@@ -0,0 +1 @@ +sandboxed-containers-operator \ No newline at end of file diff --git a/openshift-sandboxed-containers/README.md b/openshift-sandboxed-containers/README.md deleted file mode 100644 index 20a70580..00000000 --- a/openshift-sandboxed-containers/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# OpenShift sandboxed containers - -This kustomization installs the OpenShift sandboxed containers operator. The official documentation for the operator can be found [here](https://docs.openshift.com/container-platform/4.10/sandboxed_containers/understanding-sandboxed-containers.html). - -OpenShift sandboxed containers requires OpenShift Container Platform >= 4.10. - -Note that the operator will install a MachineConfig resource to enable the sandboxed containers extension on the cluster node. This will cause the cluster nodes to restart. - -Do not use the `base` directory directly, as you will need to patch the `channel` based on the version of OpenShift you are using, or the version of the operator you want to use. - -The current *overlays* available are for the following channels: - -* [preview-1.1](operator/overlays/preview-1.1) -* [stable-1.2](operator/overlays/stable-1.2) -* [stable-1.3](operator/overlays/stable-1.3) - -## Usage - -Install the OpenShift sandboxed containers operator: - -``` -$ oc apply -k oc apply -k operator/overlays/ -``` - -Create cluster-wide kataconfig resource: - -``` -$ oc apply -k instance/base -``` - -Optionally, deploy a example workload that runs in a sandboxed container: - -``` -$ oc apply -k example-workload/base -``` diff --git a/openshift-sandboxed-containers/example-workload/base/example-deploy.yaml b/openshift-sandboxed-containers/example-workload/base/example-deploy.yaml deleted file mode 100644 index 7610cd25..00000000 --- a/openshift-sandboxed-containers/example-workload/base/example-deploy.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: example -spec: - selector: - matchLabels: - app: httpd - replicas: 1 - template: - metadata: - labels: - app: httpd - spec: - runtimeClassName: kata - containers: - - name: httpd - image: image-registry.openshift-image-registry.svc:5000/openshift/httpd:latest - ports: - - containerPort: 8080 diff --git a/openshift-sandboxed-containers/instance/base/cluster-kataconfig-kataconfig.yaml b/openshift-sandboxed-containers/instance/base/cluster-kataconfig-kataconfig.yaml deleted file mode 100644 index e447ea2e..00000000 --- a/openshift-sandboxed-containers/instance/base/cluster-kataconfig-kataconfig.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kataconfiguration.openshift.io/v1 -kind: KataConfig -metadata: - name: cluster-kataconfig diff --git a/openshift-sandboxed-containers/operator/base/namespace.yaml b/openshift-sandboxed-containers/operator/base/namespace.yaml deleted file mode 100644 index 28d8d311..00000000 --- a/openshift-sandboxed-containers/operator/base/namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-sandboxed-containers-operator diff --git a/openshift-sandboxed-containers/operator/overlays/preview-1.1/kustomization.yaml b/openshift-sandboxed-containers/operator/overlays/preview-1.1/kustomization.yaml deleted file mode 100644 index 7479d01f..00000000 --- a/openshift-sandboxed-containers/operator/overlays/preview-1.1/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: openshift-sandboxed-containers-operator - -resources: - - ../../base - -patches: - - path: openshift-sandboxed-containers-operator-sub.yaml 
diff --git a/openshift-sandboxed-containers/operator/overlays/preview-1.1/openshift-sandboxed-containers-operator-sub.yaml b/openshift-sandboxed-containers/operator/overlays/preview-1.1/openshift-sandboxed-containers-operator-sub.yaml deleted file mode 100644 index 303e6c18..00000000 --- a/openshift-sandboxed-containers/operator/overlays/preview-1.1/openshift-sandboxed-containers-operator-sub.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: sandboxed-containers-operator -spec: - channel: preview-1.1 diff --git a/openshift-sandboxed-containers/operator/overlays/stable-1.2/kustomization.yaml b/openshift-sandboxed-containers/operator/overlays/stable-1.2/kustomization.yaml deleted file mode 100644 index 7479d01f..00000000 --- a/openshift-sandboxed-containers/operator/overlays/stable-1.2/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: openshift-sandboxed-containers-operator - -resources: - - ../../base - -patches: - - path: openshift-sandboxed-containers-operator-sub.yaml diff --git a/openshift-sandboxed-containers/operator/overlays/stable-1.2/openshift-sandboxed-containers-operator-sub.yaml b/openshift-sandboxed-containers/operator/overlays/stable-1.2/openshift-sandboxed-containers-operator-sub.yaml deleted file mode 100644 index d0b3067e..00000000 --- a/openshift-sandboxed-containers/operator/overlays/stable-1.2/openshift-sandboxed-containers-operator-sub.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: sandboxed-containers-operator -spec: - channel: stable-1.2 diff --git a/openshift-sandboxed-containers/operator/overlays/stable-1.3/kustomization.yaml b/openshift-sandboxed-containers/operator/overlays/stable-1.3/kustomization.yaml deleted file mode 100644 index 7479d01f..00000000 
--- a/openshift-sandboxed-containers/operator/overlays/stable-1.3/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: openshift-sandboxed-containers-operator - -resources: - - ../../base - -patches: - - path: openshift-sandboxed-containers-operator-sub.yaml diff --git a/openshift-sandboxed-containers/operator/overlays/stable-1.3/openshift-sandboxed-containers-operator-sub.yaml b/openshift-sandboxed-containers/operator/overlays/stable-1.3/openshift-sandboxed-containers-operator-sub.yaml deleted file mode 100644 index 504db328..00000000 --- a/openshift-sandboxed-containers/operator/overlays/stable-1.3/openshift-sandboxed-containers-operator-sub.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: sandboxed-containers-operator -spec: - channel: stable-1.3 diff --git a/sandboxed-containers-operator/INFO.md b/sandboxed-containers-operator/INFO.md new file mode 100644 index 00000000..8d2a1232 --- /dev/null +++ b/sandboxed-containers-operator/INFO.md 
@@ -0,0 +1,68 @@ +# sandboxed-containers-operator + +# Requirements +Your cluster must be installed on bare metal infrastructure with Red Hat Enterprise Linux CoreOS workers. + +# Details +OpenShift sandboxed containers based on the Kata Containers open source +project, provides an Open Container Initiative (OCI) compliant container +runtime using lightweight virtual machines, running your workloads in their own +isolated kernel and therefore contributing an additional layer of isolation +back to OpenShift’s Defense-in-Depth strategy. For more information +[see](https://catalog.redhat.com/software/operators/detail/5ee0d499fdbe7cddc2c91cf5). + +# Features & benefits +- **Isolated Developer Environments & Priviliges Scoping** + As a developer working on debugging an application using state-of-the-art + tooling you might need elevated privileges such as CAP_ADMIN or CAP_BPF. With + OpenShift sandboxed containers, any impact will be limited to a separate + dedicated kernel. + +- **Legacy Containerized Workload Isolation** + You are mid-way in converting a containerized monolith into cloud-native + microservices. However, the monolith still runs on your cluster unpatched and + unmaintained. OpenShift sandboxed containers helps isolate it in its own kernel + to reduce risk. + +- **Safe Multi-tenancy & Resource Sharing (CI/CD Jobs, CNFs, ..)** + If you are providing a service to multiple tenants, it could mean that the + service workloads are sharing the same resources (e.g., worker node). By + deploying in a dedicated kernel, the impact of these workloads have on one + another is greatly reduced. + +- **Additional Isolation with Native Kubernetes User Experience** + OpenShift sandboxed containers is used as a compliant OCI runtime. + Therefore, many operational patterns used with normal containers are still + preserved including but not limited to image scanning, GitOps, Imagestreams, + and so on. 
+ +# How to install + Read the information about the Operator and click Install. + + On the Install Operator page: + + - Select preview-1.0 from the list of available Update Channel options. + This ensures that you install the version of OpenShift sandboxed containers + that is compatible with your OpenShift Container Platform version. + + - For Installed Namespace, ensure that the Operator recommended namespace + option is selected. This installs the Operator in the mandatory + openshift-sandboxed-containers-operator namespace, which is automatically + created if it does not exist. Attempting to install the OpenShift + sandboxed containers Operator in a namespace other than + openshift-sandboxed-containers-operator causes the installation to fail. + + - For Approval Strategy, ensure that Automatic, which is the default value, + is selected. OpenShift sandboxed containers automatically updates when a new + z-stream release is available. + + - Click Install to make the Operator available to the OpenShift sandboxed + containers namespace. + + - The OpenShift sandboxed containers Operator is now installed on your + cluster. You can trigger the Operator by enabling the runtime on your cluster. + You can do this by creating a KataConfig CRD instance. For this click + on "create instance" on the operator overview page. + +# Documentation +See the official documentation [here](https://docs.openshift.com/container-platform/4.8/sandboxed_containers/understanding-sandboxed-containers.html). \ No newline at end of file diff --git a/sandboxed-containers-operator/NOTES.md b/sandboxed-containers-operator/NOTES.md new file mode 100644 index 00000000..0f84a899 --- /dev/null +++ b/sandboxed-containers-operator/NOTES.md @@ -0,0 +1,5 @@ +# Notes + +## Links + +- https://cloud.redhat.com/blog/openshift-sandboxed-containers-101 diff --git a/sandboxed-containers-operator/README.md b/sandboxed-containers-operator/README.md new file mode 100644 index 00000000..82b54d16 --- /dev/null 
+++ b/sandboxed-containers-operator/README.md @@ -0,0 +1,36 @@ +# OpenShift sandboxed containers Operator + +Install OpenShift sandboxed containers Operator. + +Do not use the `base` directory directly, as you will need to patch the `channel` based on the version of OpenShift you are using, or the version of the operator you want to use. + +The current *overlays* available are for the following channels: + +* [preview-1.0](operator/overlays/preview-1.0) +* [preview-1.1](operator/overlays/preview-1.1) +* [stable](operator/overlays/stable) +* [stable-1.2](operator/overlays/stable-1.2) +* [stable-1.3](operator/overlays/stable-1.3) + +## Usage + +If you have cloned the `gitops-catalog` repository, you can install OpenShift sandboxed containers Operator based on the overlay of your choice by running from the root (`gitops-catalog`) directory. + +``` +oc apply -k sandboxed-containers-operator/operator/overlays/ +``` + +Or, without cloning: + +``` +oc apply -k https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/ +``` + +As part of a different overlay in your own GitOps repo: + +``` +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/?ref=main +``` diff --git a/sandboxed-containers-operator/aggregate/aws/kustomization.yaml b/sandboxed-containers-operator/aggregate/aws/kustomization.yaml new file mode 100644 index 00000000..50e5c43a --- /dev/null +++ b/sandboxed-containers-operator/aggregate/aws/kustomization.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +commonAnnotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + +resources: + - ../../operator/overlays/stable + - ../../instance/overlays/aws 
diff --git a/sandboxed-containers-operator/aggregate/default/kustomization.yaml b/sandboxed-containers-operator/aggregate/default/kustomization.yaml
new file mode 100644
index 00000000..84ab10e6
--- /dev/null
+++ b/sandboxed-containers-operator/aggregate/default/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+
+resources:
+ - ../../operator/overlays/stable
+ - ../../instance/overlays/default
diff --git a/sandboxed-containers-operator/example/base/kustomization.yaml b/sandboxed-containers-operator/example/base/kustomization.yaml
new file mode 100644
index 00000000..ae1be880
--- /dev/null
+++ b/sandboxed-containers-operator/example/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- pod-kata.yaml
+- pod-normal.yaml
diff --git a/sandboxed-containers-operator/example/base/pod-kata.yaml b/sandboxed-containers-operator/example/base/pod-kata.yaml
new file mode 100644
index 00000000..75164188
--- /dev/null
+++ b/sandboxed-containers-operator/example/base/pod-kata.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: http-kata
+spec:
+ containers:
+ - name: http
+ image: registry.fedoraproject.org/fedora
+ ports:
+ - containerPort: 8080
+ command:
+ - "python3"
+ args:
+ - "-m"
+ - "http.server"
+ - "8080"
+ resources: {}
+ runtimeClassName: kata
diff --git a/sandboxed-containers-operator/example/base/pod-normal.yaml b/sandboxed-containers-operator/example/base/pod-normal.yaml
new file mode 100644
index 00000000..2dd5de0d
--- /dev/null
+++ b/sandboxed-containers-operator/example/base/pod-normal.yaml 
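Review bot: `image: registry.fedoraproject.org/fedora` carries no tag or digest, so both example pods float on whatever `latest` resolves to at pull time, which makes the kata-versus-runc comparison this example exists for non-reproducible; pin the same digest in both files (`image: registry.fedoraproject.org/fedora@sha256:<digest>`). `python3 -m http.server 8080` serves the process's working directory, which for this image is presumably `/`, so the verification pod exposes its whole container filesystem over HTTP; pass `--directory /tmp` (Python 3.7+) or set `workingDir` to something harmless. The same two points apply to pod-normal.yaml in the next hunk.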
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: http-normal
+spec:
+ containers:
+ - name: http
+ image: registry.fedoraproject.org/fedora
+ ports:
+ - containerPort: 8080
+ command:
+ - "python3"
+ args:
+ - "-m"
+ - "http.server"
+ - "8080"
+ resources: {}
diff --git a/sandboxed-containers-operator/example/overlays/default/kustomization.yaml b/sandboxed-containers-operator/example/overlays/default/kustomization.yaml
new file mode 100644
index 00000000..2b87e6b1
--- /dev/null
+++ b/sandboxed-containers-operator/example/overlays/default/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
diff --git a/sandboxed-containers-operator/example/overlays/with-namespace/kustomization.yaml b/sandboxed-containers-operator/example/overlays/with-namespace/kustomization.yaml
new file mode 100644
index 00000000..bd8f4353
--- /dev/null
+++ b/sandboxed-containers-operator/example/overlays/with-namespace/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kata-verification
+
+resources:
+- ../../base
+- namespace.yaml
diff --git a/sandboxed-containers-operator/example/overlays/with-namespace/namespace.yaml b/sandboxed-containers-operator/example/overlays/with-namespace/namespace.yaml
new file mode 100644
index 00000000..ad5c826f
--- /dev/null
+++ b/sandboxed-containers-operator/example/overlays/with-namespace/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kata-verification
+ annotations:
+ openshift.io/display-name: "Sandboxed Containers Verification"
+ argocd.argoproj.io/sync-wave: "0" 
diff --git a/openshift-sandboxed-containers/example-workload/base/kustomization.yaml b/sandboxed-containers-operator/instance/base/aws/kustomization.yaml
similarity index 82%
rename from openshift-sandboxed-containers/example-workload/base/kustomization.yaml
rename to sandboxed-containers-operator/instance/base/aws/kustomization.yaml
index 138bb4eb..7da5d967 100644
--- a/openshift-sandboxed-containers/example-workload/base/kustomization.yaml
+++ b/sandboxed-containers-operator/instance/base/aws/kustomization.yaml
@@ -1,8 +1,7 @@
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: openshift-sandboxed-containers-operator
 resources:
- - example-deploy.yaml
+ - setup-machineset.yaml
diff --git a/sandboxed-containers-operator/instance/base/aws/setup-machineset.yaml b/sandboxed-containers-operator/instance/base/aws/setup-machineset.yaml
new file mode 100644
index 00000000..62ebff75
--- /dev/null
+++ b/sandboxed-containers-operator/instance/base/aws/setup-machineset.yaml 
@@ -0,0 +1,144 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aws-metal-machineset-setup
+rules:
+- apiGroups:
+ - machine.openshift.io
+ resources:
+ - machinesets
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling.openshift.io
+ resources:
+ - machineautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ resourceNames:
+ - aws-creds
+ verbs:
+ - get
+ - list
+# - nonResourceURLs:
+# - '*'
+# verbs:
+# - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: aws-metal-machineset-setup
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: aws-metal-machineset-setup
+subjects:
+ - kind: ServiceAccount
+ name: aws-metal-machineset-setup
+ namespace: openshift-sandboxed-containers-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: aws-metal-machineset-setup
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ generateName: aws-metal-machineset-setup-
+ name: aws-metal-machineset-setup
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ # argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+ template:
+ spec:
+ containers:
+ - name: aws-metal-machineset-setup
+ image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - /bin/bash
+ - -c
+ - |
+ #!/usr/bin/env bash
+
+ ocp_aws_cluster(){
+ oc -n kube-system get secret/aws-creds -o name > /dev/null 2>&1 || return 1
+ }
+
+ ocp_aws_create_metal_machineset(){
+ # https://aws.amazon.com/ec2/instance-types/m5zn
+ # m5.metal
+ # m5n.metal
+ INSTANCE_TYPE=${1:-m5zn.metal}
+ MACHINE_SET=$(oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep worker | head -n1)
+
+ # check for an existing metal machine set
+ if oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep metal; then
+ echo "Exists: METAL machineset"
+ else
+ 
echo "Creating: METAL machineset"
+ oc -n openshift-machine-api get "${MACHINE_SET}" -o yaml | \
+ sed '/machine/ s/-worker/-metal/g
+ /name/ s/-worker/-metal/g
+ s/instanceType.*/instanceType: '"${INSTANCE_TYPE}"'/
+ s/replicas.*/replicas: 0/' | \
+ oc apply -f -
+ fi
+
+ MACHINE_SET_METAL=$(oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep metal | head -n1)
+
+ echo "Patching: Metal machineset"
+
+ # cosmetic
+ oc -n openshift-machine-api \
+ patch "${MACHINE_SET_METAL}" \
+ --type=merge --patch '{"spec":{"template":{"spec":{"metadata":{"labels":{"node-role.kubernetes.io/metal":""}}}}}}'
+
+ oc -n openshift-machine-api \
+ patch "${MACHINE_SET_METAL}" \
+ --type=merge --patch '{"spec":{"template":{"spec":{"providerSpec":{"value":{"instanceType":"'"${INSTANCE_TYPE}"'"}}}}}}'
+ }
+
+ ocp_create_machineset_autoscale(){
+ MACHINE_MIN=${1:-0}
+ MACHINE_MAX=${2:-4}
+ MACHINE_SETS=${3:-$(oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | sed 's@.*/@@' )}
+
+ for set in ${MACHINE_SETS}
+ do
+ cat << YAML | oc apply -f -
+ apiVersion: "autoscaling.openshift.io/v1beta1"
+ kind: "MachineAutoscaler"
+ metadata:
+ name: "${set}"
+ namespace: "openshift-machine-api"
+ spec:
+ minReplicas: ${MACHINE_MIN}
+ maxReplicas: ${MACHINE_MAX}
+ scaleTargetRef:
+ apiVersion: machine.openshift.io/v1beta1
+ kind: MachineSet
+ name: "${set}"
+ YAML
+ done
+ }
+
+ ocp_aws_cluster || exit 0
+ ocp_aws_create_metal_machineset
+
+ restartPolicy: Never
+ terminationGracePeriodSeconds: 30
+ serviceAccount: aws-metal-machineset-setup
+ serviceAccountName: aws-metal-machineset-setup
diff --git a/sandboxed-containers-operator/instance/base/kataconfig.yaml b/sandboxed-containers-operator/instance/base/kataconfig.yaml
new file mode 100644
index 00000000..d2a6e5d1
--- /dev/null
+++ b/sandboxed-containers-operator/instance/base/kataconfig.yaml 
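Review bot: The ClusterRole grants `'*'` on machinesets and machineautoscalers plus `get`/`list` on secrets named `aws-creds`, but the script only needs `get`/`list`/`create`/`patch` on machinesets (`oc get`, `oc apply`, `oc patch`), a single `get` on `secret/aws-creds`, and never calls `ocp_create_machineset_autoscale`, so the autoscaler rule is a dead grant. `resourceNames` does not restrict `list` (a list request is only authorized under it if it carries a matching `metadata.name` field selector), and because the binding is a ClusterRoleBinding the secret rule reaches any secret called `aws-creds` in every namespace, not just `kube-system`; namespaced RoleBindings in `openshift-machine-api` and `kube-system` would scope it, though the kustomization in the previous hunk sets `namespace:` and would rewrite those RoleBindings' namespaces unless they live outside it. Separately, the script has no `set -euo pipefail`, so a failed `oc apply` or `oc patch` still leaves the Job Succeeded, and `image: ...tools:latest` is an unpinned tag for a job that holds cluster-wide write access to MachineSets. Narrowed rules:
```yaml
rules:
- apiGroups:
  - machine.openshift.io
  resources:
  - machinesets
  verbs:          # exactly what the script's oc get / oc apply / oc patch use
  - get
  - list
  - create
  - patch
- apiGroups:
  - ''
  resources:
  - secrets
  resourceNames:
  - aws-creds
  verbs:
  - get           # `list` is not constrained by resourceNames without a field selector
# … unchanged: ClusterRoleBinding, ServiceAccount, Job …
```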
@@ -0,0 +1,9 @@
+apiVersion: kataconfiguration.openshift.io/v1
+kind: KataConfig
+metadata:
+ name: kataconfig
+spec:
+ checkNodeEligibility: true
+ enablePeerPods: false
+ kataConfigPoolSelector: null
+ logLevel: info
diff --git a/sandboxed-containers-operator/instance/base/kustomization.yaml b/sandboxed-containers-operator/instance/base/kustomization.yaml
new file mode 100644
index 00000000..35ab09be
--- /dev/null
+++ b/sandboxed-containers-operator/instance/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- kataconfig.yaml
diff --git a/sandboxed-containers-operator/instance/overlays/aws/kustomization.yaml b/sandboxed-containers-operator/instance/overlays/aws/kustomization.yaml
new file mode 100644
index 00000000..880b1ce2
--- /dev/null
+++ b/sandboxed-containers-operator/instance/overlays/aws/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+ - ../../base/aws
+
+patches:
+ - target:
+ group: kataconfiguration.openshift.io
+ kind: KataConfig
+ patch: |-
+ - op: add
+ path: /spec/kataConfigPoolSelector
+ value:
+ matchExpressions:
+ - operator: Exists
+ key: node-role.kubernetes.io/metal
diff --git a/sandboxed-containers-operator/instance/overlays/default/kustomization.yaml b/sandboxed-containers-operator/instance/overlays/default/kustomization.yaml
new file mode 100644
index 00000000..774a422d
--- /dev/null
+++ b/sandboxed-containers-operator/instance/overlays/default/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
diff --git a/openshift-sandboxed-containers/operator/base/kustomization.yaml b/sandboxed-containers-operator/operator/base/kustomization.yaml
similarity index 100%
rename from openshift-sandboxed-containers/operator/base/kustomization.yaml
rename to sandboxed-containers-operator/operator/base/kustomization.yaml 
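Review bot: `kataConfigPoolSelector: null` next to `checkNodeEligibility: true` is undocumented, and the README deleted earlier on this page carried the one operational warning a reader of this file needs — creating the KataConfig makes the operator install a MachineConfig that restarts the affected nodes — which the new README on this page does not repeat; add it above `spec:` as `# Creating this resource rolls a MachineConfig onto the selected pool and reboots those nodes; the aws overlay restricts it to node-role.kubernetes.io/metal, the default overlay leaves the selector null`. `checkNodeEligibility: true` presumably depends on the `feature.node.kubernetes.io/runtime.kata` label produced by the nfd kata overlay added in this same commit, yet neither `aggregate/aws` nor `aggregate/default` includes that overlay, so either document the dependency here or note in the aggregates that the NFD overlay must be synced first. The aws overlay's `op: add` on `/spec/kataConfigPoolSelector` is fine against the `null` in base, but it silently relies on the Job in the previous hunk having labeled the metal MachineSet with `node-role.kubernetes.io/metal`; a one-line comment in that overlay naming the coupling would help the next maintainer.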
diff --git a/sandboxed-containers-operator/operator/base/namespace.yaml b/sandboxed-containers-operator/operator/base/namespace.yaml
new file mode 100644
index 00000000..247a42ba
--- /dev/null
+++ b/sandboxed-containers-operator/operator/base/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ openshift.io/display-name: "OpenShift sandboxed containers Operator"
+ labels:
+ openshift.io/cluster-monitoring: 'true'
+ name: openshift-sandboxed-containers-operator
diff --git a/openshift-sandboxed-containers/operator/base/operator-group.yaml b/sandboxed-containers-operator/operator/base/operator-group.yaml
similarity index 58%
rename from openshift-sandboxed-containers/operator/base/operator-group.yaml
rename to sandboxed-containers-operator/operator/base/operator-group.yaml
index 87b1d9d1..29059eb9 100644
--- a/openshift-sandboxed-containers/operator/base/operator-group.yaml
+++ b/sandboxed-containers-operator/operator/base/operator-group.yaml
@@ -1,7 +1,8 @@
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
- name: openshift-sandboxed-containers-operator
+ name: sandboxed-containers-operator-group
+ namespace: openshift-sandboxed-containers-operator
 spec:
 targetNamespaces:
 - openshift-sandboxed-containers-operator
diff --git a/openshift-sandboxed-containers/operator/base/subscription.yaml b/sandboxed-containers-operator/operator/base/subscription.yaml
similarity index 84%
rename from openshift-sandboxed-containers/operator/base/subscription.yaml
rename to sandboxed-containers-operator/operator/base/subscription.yaml
index 3fde1f96..f2479a6c 100644
--- a/openshift-sandboxed-containers/operator/base/subscription.yaml
+++ b/sandboxed-containers-operator/operator/base/subscription.yaml 
@@ -2,6 +2,7 @@ apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
 name: sandboxed-containers-operator
+ namespace: openshift-sandboxed-containers-operator
 spec:
 channel: patch-me-see-overlays-dir
 installPlanApproval: Automatic
diff --git a/sandboxed-containers-operator/operator/overlays/preview-1.0/kustomization.yaml b/sandboxed-containers-operator/operator/overlays/preview-1.0/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/preview-1.0/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/sandboxed-containers-operator/operator/overlays/preview-1.0/patch-channel.yaml b/sandboxed-containers-operator/operator/overlays/preview-1.0/patch-channel.yaml
new file mode 100644
index 00000000..a520a0bb
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/preview-1.0/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: preview-1.0
diff --git a/sandboxed-containers-operator/operator/overlays/preview-1.1/kustomization.yaml b/sandboxed-containers-operator/operator/overlays/preview-1.1/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/preview-1.1/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/sandboxed-containers-operator/operator/overlays/preview-1.1/patch-channel.yaml b/sandboxed-containers-operator/operator/overlays/preview-1.1/patch-channel.yaml
new file mode 100644
index 00000000..18301a95
--- /dev/null 
+++ b/sandboxed-containers-operator/operator/overlays/preview-1.1/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: preview-1.1
diff --git a/sandboxed-containers-operator/operator/overlays/stable-1.2/kustomization.yaml b/sandboxed-containers-operator/operator/overlays/stable-1.2/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/stable-1.2/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/sandboxed-containers-operator/operator/overlays/stable-1.2/patch-channel.yaml b/sandboxed-containers-operator/operator/overlays/stable-1.2/patch-channel.yaml
new file mode 100644
index 00000000..ea083d36
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/stable-1.2/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: stable-1.2
diff --git a/sandboxed-containers-operator/operator/overlays/stable-1.3/kustomization.yaml b/sandboxed-containers-operator/operator/overlays/stable-1.3/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/stable-1.3/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/sandboxed-containers-operator/operator/overlays/stable-1.3/patch-channel.yaml b/sandboxed-containers-operator/operator/overlays/stable-1.3/patch-channel.yaml
new file mode 100644
index 00000000..c788d4e1
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/stable-1.3/patch-channel.yaml 
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: stable-1.3
diff --git a/sandboxed-containers-operator/operator/overlays/stable/kustomization.yaml b/sandboxed-containers-operator/operator/overlays/stable/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/stable/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/sandboxed-containers-operator/operator/overlays/stable/patch-channel.yaml b/sandboxed-containers-operator/operator/overlays/stable/patch-channel.yaml
new file mode 100644
index 00000000..6642eb17
--- /dev/null
+++ b/sandboxed-containers-operator/operator/overlays/stable/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: stable
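Review bot: `value: stable` is a floating channel, and the base Subscription it patches keeps `installPlanApproval: Automatic` (visible as context in the subscription hunk earlier on this page), so every aggregate here that pulls in `operator/overlays/stable` will upgrade the operator, and with it the node-level runtime it manages, whenever the catalog publishes a new version, with no commit in Git marking the change and no pause to review it. If the aggregates are meant to be the production entry point, either point them at a pinned overlay such as `stable-1.3` or extend this patch with `- op: replace`, `path: /spec/installPlanApproval`, `value: Manual` so Argo surfaces a pending InstallPlan instead of applying it; at minimum add a comment to patch-channel.yaml stating that `stable` tracks the latest minor release. The preview-1.0 overlay added alongside is the channel INFO.md tells users to select, while INFO.md links to 4.8 docs and the NFD overlay targets 4.12, so the supported version matrix is worth stating once in the README.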