MachineConfigs in OSD/ROSA clusters
Environment
- Red Hat OpenShift Service on AWS (ROSA)
  - 4
- Red Hat OpenShift Dedicated (OSD)
  - 4
- Red Hat Enterprise Linux CoreOS (RHCOS)
Issue
- How to create/edit MachineConfig in OSD/ROSA?
- Is it possible to add the kernel-devel and/or the usbguard extension to nodes in OSD/ROSA clusters?
- Can RHCOS extensions be added to nodes in OSD/ROSA?
- The following message is shown when trying to apply a MachineConfig in OSD/ROSA cluster to enable RHCOS extensions:

  Error from server (Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support): error when creating "machine-config.yaml": admission webhook "regular-user-validation.managed.openshift.io" denied the request: Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support
Resolution
Creating or modifying MachineConfigs is not supported in OSD and ROSA, so it is also not possible to add extensions to the RHCOS nodes.
Root Cause
RHCOS extensions are added through MachineConfigs, which usually require a reboot of the affected nodes. In OSD and ROSA, infra nodes share MachineConfig with worker nodes. Because the infra nodes are managed by SRE, creating or modifying MachineConfigs is not supported in OSD/ROSA.
Diagnostic Steps
Create a file called kernel-devel.yaml with the following content:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-openshift-machineconfig-kernel-devel
spec:
  extensions:
    - kernel-devel

Try to apply the above MachineConfig in OSD/ROSA:

$ oc apply -f kernel-devel.yaml
Error from server (Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support): error when creating "kernel-devel.yaml": admission webhook "regular-user-validation.managed.openshift.io" denied the request: Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support