9 changes: 9 additions & 0 deletions assets/optional/metrics-server/00-namespace.yaml
@@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: openshift-monitoring
labels:
name: openshift-monitoring
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
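Review bot: all three pod-security.kubernetes.io labels on this namespace are `privileged`, while the only workload this change places in it (the Deployment in 03-deployment.yaml) annotates itself `openshift.io/required-scc: restricted-v2`, drops all capabilities and runs as non-root, so the namespace admits far more than its pod needs. If the privileged labels are intentional because SCC admission rather than PodSecurity is the enforcement point on this platform, record that in a comment beside the labels; otherwise `enforce: baseline` with `audit` and `warn` at `restricted` keeps the current pod admitted and makes any future regression visible. Before going all the way to `enforce: restricted`, note that the container securityContext sets no `seccompProfile`, which the restricted level requires, so that field would have to be added to the pod spec explicitly.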
Comment on lines +7 to +9
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Namespace-level privileged Pod Security is overly permissive.

Setting enforce/audit/warn to privileged at Line 7-Line 9 weakens namespace isolation for all workloads. Prefer baseline/restricted unless a strict exception is required.

Suggested tightening
-    pod-security.kubernetes.io/enforce: privileged
-    pod-security.kubernetes.io/audit: privileged
-    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/warn: restricted

As per coding guidelines, "**/*.{yaml,yml,json}: Flag privileged: true ... in container/Kubernetes manifests".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/optional/metrics-server/00-namespace.yaml` around lines 7 - 9, The
namespace-level PodSecurity labels pod-security.kubernetes.io/enforce,
pod-security.kubernetes.io/audit, and pod-security.kubernetes.io/warn are set to
"privileged" which is too permissive; change their values to a safer profile
(e.g., "baseline" or "restricted") unless you have a documented exception, and
ensure the three keys (enforce, audit, warn) are updated consistently to the
chosen profile so namespace-wide policies default to the tightened posture.
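Whether a PodSecurity level is "too permissive" only means something relative to what the namespace's pods actually request, and the comment above does not check that. The checker below is an added example, not code from this PR or from MicroShift: it implements a subset of the Pod Security Standards controls for the baseline and restricted levels in plain Python (no cluster access, no external libraries) and runs them over a pod spec constructed from the metrics-server container securityContext in 03-deployment.yaml further down this page. Field names are the Kubernetes ones; the violation message strings and the helper names are this example's own.

```python
"""Subset of the Pod Security Standards (baseline / restricted) as a stdlib-only checker.

Added example, not code from this PR or from MicroShift. The sample pod below is
constructed from the metrics-server container securityContext in 03-deployment.yaml;
violation messages and helper names are this example's own.
"""
import copy
from typing import Any, Dict, List

Pod = Dict[str, Any]

# Constructed sample input: only the fields the PSS controls look at are reproduced.
METRICS_SERVER_POD: Pod = {
    "metadata": {"name": "metrics-server", "namespace": "openshift-monitoring"},
    "spec": {
        "containers": [{
            "name": "metrics-server",
            "ports": [{"containerPort": 10250, "name": "https", "protocol": "TCP"}],
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,
            },
        }],
        "volumes": [
            {"name": "secret-metrics-server-tls", "secret": {"secretName": "metrics-server-tls"}},
            {"name": "audit-log", "emptyDir": {}},
        ],
    },
}

# Capabilities the baseline level still allows a container to add.
BASELINE_ADD_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                     "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
# Volume types the restricted level allows.
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}


def _containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def check_baseline(pod: Pod) -> List[str]:
    """Baseline: no host namespaces, hostPath, hostPort, privileged, unconfined seccomp, exotic caps."""
    spec, out = pod["spec"], []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            out.append(f"pod: {key} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append(f"volume {vol.get('name')}: hostPath is not allowed")
    if spec.get("securityContext", {}).get("seccompProfile", {}).get("type") == "Unconfined":
        out.append("pod: seccompProfile.type Unconfined is not allowed")
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("privileged"):
            out.append(f"container {name}: privileged must not be true")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ADD_CAPS
        if extra:
            out.append(f"container {name}: capabilities.add not allowed: {sorted(extra)}")
        if sc.get("seccompProfile", {}).get("type") == "Unconfined":
            out.append(f"container {name}: seccompProfile.type Unconfined is not allowed")
        if sc.get("procMount", "Default") != "Default":
            out.append(f"container {name}: procMount must be Default")
        if any(p.get("hostPort") for p in c.get("ports", [])):
            out.append(f"container {name}: hostPort is not allowed")
    return out


def check_restricted(pod: Pod) -> List[str]:
    """Restricted: everything in baseline plus explicit hardening on every container."""
    spec, out = pod["spec"], check_baseline(pod)
    pod_sc = spec.get("securityContext", {})
    for vol in spec.get("volumes", []):
        kinds = set(vol) - {"name"}
        if not kinds <= RESTRICTED_VOLUMES:
            out.append(f"volume {vol.get('name')}: volume type {sorted(kinds - RESTRICTED_VOLUMES)} not allowed")
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"container {name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"container {name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"container {name}: only NET_BIND_SERVICE may be added")
        # Container-level fields override pod-level ones; absence falls back to the pod.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"container {name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


def evaluate(pod: Pod, level: str) -> List[str]:
    """Violations of the given PSS level; an empty list means the pod would be admitted."""
    checks = {"privileged": lambda p: [], "baseline": check_baseline, "restricted": check_restricted}
    return checks[level](pod)


def with_runtime_default_seccomp(pod: Pod) -> Pod:
    """The usual one-line fix for the restricted level: a pod-level RuntimeDefault seccomp profile."""
    fixed = copy.deepcopy(pod)
    fixed["spec"].setdefault("securityContext", {})["seccompProfile"] = {"type": "RuntimeDefault"}
    return fixed


if __name__ == "__main__":
    for level in ("baseline", "restricted"):
        print(f"{level:10s}", evaluate(METRICS_SERVER_POD, level) or "admitted")
    print("fixed     ", evaluate(with_runtime_default_seccomp(METRICS_SERVER_POD), "restricted") or "admitted")
```

Against the constructed spec, baseline passes and restricted reports exactly one violation: no seccompProfile at pod or container level. That is the one field to add before tightening `enforce` to restricted, and `with_runtime_default_seccomp` shows the change. The checker covers a subset of the standard (it omits, for example, the HostProcess, AppArmor and sysctl controls), so treat a clean result as necessary, not sufficient, and run `kubectl --dry-run=server` against a namespace carrying the target labels for the authoritative answer.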

@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/name: auth-delegator
app.kubernetes.io/part-of: openshift-monitoring
name: metrics-server:system:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: openshift-monitoring
18 changes: 18 additions & 0 deletions assets/optional/metrics-server/01-cluster-role-binding.yaml
@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
name: system:metrics-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:metrics-server
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: openshift-monitoring
- kind: User
name: system:metrics-server
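Review bot: the second subject, `kind: User` / `name: system:metrics-server`, has nothing in this change that would authenticate as it: the Deployment runs as the `metrics-server` ServiceAccount, and the only client certificate it references (`metrics-server-client-certs`) is presented to the kubelet, not to the API server. Unless a component outside this PR holds an API-server client certificate with CN `system:metrics-server`, drop the User subject; a binding to a cluster-wide read role with no legitimate holder is dead privilege waiting for a mis-issued certificate.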
25 changes: 25 additions & 0 deletions assets/optional/metrics-server/01-cluster-role.yaml
@@ -0,0 +1,25 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
name: system:metrics-server
rules:
- apiGroups:
- ""
resources:
- nodes/metrics
verbs:
- get
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
18 changes: 18 additions & 0 deletions assets/optional/metrics-server/01-role-binding-auth-reader.yaml
@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/name: metrics-server-auth-reader
app.kubernetes.io/part-of: openshift-monitoring
name: metrics-server-auth-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: openshift-monitoring
10 changes: 10 additions & 0 deletions assets/optional/metrics-server/01-service-account.yaml
@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
name: metrics-server
namespace: openshift-monitoring
45 changes: 45 additions & 0 deletions assets/optional/metrics-server/02-configmap-audit-profiles.yaml
@@ -0,0 +1,45 @@
apiVersion: v1
data:
metadata-profile.yaml: |-
"apiVersion": "audit.k8s.io/v1"
"kind": "Policy"
"metadata":
"name": "Metadata"
"omitStages":
- "RequestReceived"
"rules":
- "level": "Metadata"
none-profile.yaml: |-
"apiVersion": "audit.k8s.io/v1"
"kind": "Policy"
"metadata":
"name": "None"
"omitStages":
- "RequestReceived"
"rules":
- "level": "None"
request-profile.yaml: |-
"apiVersion": "audit.k8s.io/v1"
"kind": "Policy"
"metadata":
"name": "Request"
"omitStages":
- "RequestReceived"
"rules":
- "level": "Request"
requestresponse-profile.yaml: |-
"apiVersion": "audit.k8s.io/v1"
"kind": "Policy"
"metadata":
"name": "RequestResponse"
"omitStages":
- "RequestReceived"
"rules":
- "level": "RequestResponse"
Comment on lines +2 to +38
⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Malformed YAML syntax in embedded audit profiles.

All four audit policy documents use JSON-style quoted keys ("apiVersion", "kind", etc.) instead of proper YAML syntax. Kubernetes audit policies should be written in standard YAML format without quoted keys.

🔧 Proposed fix
 data:
   metadata-profile.yaml: |-
-    "apiVersion": "audit.k8s.io/v1"
-    "kind": "Policy"
-    "metadata":
-      "name": "Metadata"
-    "omitStages":
+    apiVersion: audit.k8s.io/v1
+    kind: Policy
+    metadata:
+      name: Metadata
+    omitStages:
     - "RequestReceived"
-    "rules":
-    - "level": "Metadata"
+    rules:
+    - level: Metadata
   none-profile.yaml: |-
-    "apiVersion": "audit.k8s.io/v1"
-    "kind": "Policy"
-    "metadata":
-      "name": "None"
-    "omitStages":
+    apiVersion: audit.k8s.io/v1
+    kind: Policy
+    metadata:
+      name: None
+    omitStages:
     - "RequestReceived"
-    "rules":
-    - "level": "None"
+    rules:
+    - level: None
   request-profile.yaml: |-
-    "apiVersion": "audit.k8s.io/v1"
-    "kind": "Policy"
-    "metadata":
-      "name": "Request"
-    "omitStages":
+    apiVersion: audit.k8s.io/v1
+    kind: Policy
+    metadata:
+      name: Request
+    omitStages:
     - "RequestReceived"
-    "rules":
-    - "level": "Request"
+    rules:
+    - level: Request
   requestresponse-profile.yaml: |-
-    "apiVersion": "audit.k8s.io/v1"
-    "kind": "Policy"
-    "metadata":
-      "name": "RequestResponse"
-    "omitStages":
+    apiVersion: audit.k8s.io/v1
+    kind: Policy
+    metadata:
+      name: RequestResponse
+    omitStages:
     - "RequestReceived"
-    "rules":
-    - "level": "RequestResponse"
+    rules:
+    - level: RequestResponse
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/optional/metrics-server/02-configmap-audit-profiles.yaml` around lines
2 - 38, The embedded audit policy YAMLs are malformed because keys and values
are written with JSON-style quoted strings; update metadata-profile.yaml,
none-profile.yaml, request-profile.yaml and requestresponse-profile.yaml inside
the ConfigMap data to valid YAML by removing the unnecessary quotes around keys
(apiVersion, kind, metadata, name, omitStages, rules, level) and unquoting list
items (e.g., RequestReceived), and ensure each rule is a proper mapping (e.g., -
level: Metadata) with correct indentation so each policy is valid Kubernetes
audit policy YAML.

kind: ConfigMap
metadata:
labels:
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/part-of: openshift-monitoring
name: metrics-server-audit-profiles
namespace: openshift-monitoring
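Review bot: the critical finding above is a false positive. Double-quoted keys and values are valid YAML (every JSON document is a YAML document), so each of the four profiles parses to the same `audit.k8s.io/v1` Policy as the unquoted form, and `kubectl create --dry-run=client -o yaml -f` on this file shows identical objects either way. The unquoted style reads better, so adopt it if the file is hand-maintained, but the quoting pattern looks like generator output, in which case the generator, not this file, is the place to change it. The question worth asking instead is which component selects one of the four profiles; nothing in this change references `metadata-profile.yaml`, `none-profile.yaml`, `request-profile.yaml` or `requestresponse-profile.yaml` by name.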
114 changes: 114 additions & 0 deletions assets/optional/metrics-server/03-deployment.yaml
@@ -0,0 +1,114 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
name: metrics-server
namespace: openshift-monitoring
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
strategy:
type: Recreate
template:
metadata:
annotations:
openshift.io/required-scc: restricted-v2
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
labels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
spec:
containers:
- args:
- --secure-port=10250
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-use-node-status-port
- --metric-resolution=15s
- --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt
- --kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt
- --kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- --shutdown-send-retry-after=true
- --shutdown-delay-duration=150s
- --disable-http2-serving=true
image: quay.io/openshift/kube-metrics-server
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /livez
port: https
scheme: HTTPS
periodSeconds: 10
name: metrics-server
ports:
- containerPort: 10250
name: https
protocol: TCP
readinessProbe:
failureThreshold: 6
httpGet:
path: /readyz
port: https
scheme: HTTPS
initialDelaySeconds: 20
periodSeconds: 20
resources:
requests:
cpu: 1m
memory: 40Mi
Comment on lines +67 to +70
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add container resource limits.

Only requests are set; limits are missing for metrics-server. Add CPU/memory limits to enforce predictable runtime behavior.

As per coding guidelines, "Resource limits (cpu, memory) on every container".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/optional/metrics-server/03-deployment.yaml` around lines 67 - 70, The
metrics-server container currently only specifies resource requests; add a
matching limits block under the same resources section for the metrics-server
container to enforce CPU and memory caps (e.g., limits.cpu: 100m and
limits.memory: 100Mi). Update the Deployment's container resources block (the
metrics-server container in the manifest) to include both requests and limits so
it conforms to the "Resource limits (cpu, memory) on every container" guideline.

securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
name: secret-metrics-server-tls
- mountPath: /etc/tls/metrics-server-client-certs
name: secret-metrics-server-client-certs
- mountPath: /etc/tls/kubelet-serving-ca-bundle
name: configmap-kubelet-serving-ca-bundle
- mountPath: /etc/audit
name: metrics-server-audit-profiles
readOnly: true
- mountPath: /var/log/metrics-server
name: audit-log
readOnly: false
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: metrics-server
terminationGracePeriodSeconds: 170
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- name: secret-metrics-server-client-certs
secret:
secretName: metrics-server-client-certs
- name: secret-metrics-server-tls
secret:
secretName: metrics-server-tls
- configMap:
name: kubelet-serving-ca-bundle
name: configmap-kubelet-serving-ca-bundle
- emptyDir: {}
name: audit-log
- configMap:
name: metrics-server-audit-profiles
name: metrics-server-audit-profiles
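Review bot: the audit profiles ConfigMap is mounted read-only at /etc/audit and an emptyDir at /var/log/metrics-server, but the args contain no `--audit-policy-file` and no `--audit-log-path`, so no audit logging is configured and both mounts are inert; either add the flags (pointing at one of the four profiles) or document that the operator patches them in at runtime. The kubelet side is done right: `--kubelet-certificate-authority` together with the client certificate and key verifies the kubelet serving certificate, so `--kubelet-insecure-tls` is not needed, and `--tls-cipher-suites` is limited to AEAD ECDHE suites. Two things to state in the PR description: `metrics-server-client-certs` and `kubelet-serving-ca-bundle` are consumed here but created elsewhere, and with `replicas: 1`, `strategy: Recreate` and `--shutdown-delay-duration=150s` every rollout takes the metrics API offline for the full drain window, which is fine on a single node but should be a deliberate choice. Missing `resources.limits` is covered by the comment above.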
21 changes: 21 additions & 0 deletions assets/optional/metrics-server/04-api-service.yaml
@@ -0,0 +1,21 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
annotations:
service.beta.openshift.io/inject-cabundle: "true"
labels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
name: v1beta1.metrics.k8s.io
spec:
group: metrics.k8s.io
groupPriorityMinimum: 100
insecureSkipTLSVerify: false
service:
name: metrics-server
namespace: openshift-monitoring
port: 443
version: v1beta1
versionPriority: 100
22 changes: 22 additions & 0 deletions assets/optional/metrics-server/04-service.yaml
@@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
annotations:
openshift.io/description: Expose the metrics-server web server on port 443. This port is for internal use, and no other usage is guaranteed.
service.beta.openshift.io/serving-cert-secret-name: metrics-server-tls
labels:
app.kubernetes.io/component: metrics-server
app.kubernetes.io/managed-by: cluster-monitoring-operator
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
name: metrics-server
namespace: openshift-monitoring
spec:
ports:
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/name: metrics-server
app.kubernetes.io/part-of: openshift-monitoring
4 changes: 4 additions & 0 deletions assets/optional/metrics-server/kustomization.aarch64.yaml
@@ -0,0 +1,4 @@
images:
- name: quay.io/openshift/kube-metrics-server
newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
digest: sha256:35daed97a2d279f2543334cfb209f81be440e423042cc7dae6784985d71f2f8d
4 changes: 4 additions & 0 deletions assets/optional/metrics-server/kustomization.x86_64.yaml
@@ -0,0 +1,4 @@
images:
- name: quay.io/openshift/kube-metrics-server
newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
digest: sha256:cb84656c5b900f21b7984f917ac0473cf7b5e58cd1ec7d782b01fbe99d39bee7
13 changes: 13 additions & 0 deletions assets/optional/metrics-server/kustomization.yaml
@@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 00-namespace.yaml
- 01-service-account.yaml
- 01-cluster-role.yaml
- 01-cluster-role-binding.yaml
- 01-cluster-role-binding-auth-delegator.yaml
- 01-role-binding-auth-reader.yaml
- 02-configmap-audit-profiles.yaml
- 03-deployment.yaml
- 04-service.yaml
- 04-api-service.yaml
@@ -0,0 +1,8 @@
{
"release": {
"base": "placeholder"
},
"images": {
"metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:35daed97a2d279f2543334cfb209f81be440e423042cc7dae6784985d71f2f8d"
}
}
@@ -0,0 +1,8 @@
{
"release": {
"base": "placeholder"
},
"images": {
"metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cb84656c5b900f21b7984f917ac0473cf7b5e58cd1ec7d782b01fbe99d39bee7"
}
}
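Review bot: the digests here agree with the kustomize overlays (aarch64 `sha256:35daed…` in kustomization.aarch64.yaml, x86_64 `sha256:cb8465…` in kustomization.x86_64.yaml), and pinning by digest rather than tag is the right call, but each value now lives in two files per architecture; derive one from the other or add a check so an image bump cannot update the overlay and leave this file stale. `release.base` is the literal string `placeholder` in both files; confirm the release tooling rewrites it before these are published.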
18 changes: 18 additions & 0 deletions etcd/vendor/github.com/openshift/microshift/pkg/config/config.go