
USHIFT-6951: Add kube-state-metrics as optional MicroShift component #6809

Open

copejon wants to merge 3 commits into openshift:main from copejon:ushift-6951/kube-state-metrics

Conversation

Contributor

@copejon copejon commented Jun 5, 2026

Add kube-state-metrics as an optional MicroShift component deployed via kustomize manifests and packaged as microshift-metrics-kube-state-metrics RPM sub-package.

This is PR 2/3 splitting #6763 into independently-mergeable patches. The three PRs can merge in any order.
Sibling: #6808 (metrics-server)

What's included

  • Kustomize manifests (assets/optional/kube-state-metrics/) — Deployment with kube-rbac-proxy sidecars, ClusterRole with extensive RBAC, custom-resource-state ConfigMap (VPA, Gateway metrics), service-ca TLS, and own 00-namespace.yaml for independent deployability
  • Healthcheck registration — kube-state-metrics map entry and mergeWorkloads() function (identical to sibling PRs; git auto-merges)
  • RPM sub-package — %package metrics-kube-state-metrics with per-file installs to 081-microshift-kube-state-metrics/
  • Otel-collector drop-in — microshift-metrics-kube-state-metrics.yaml scrape config using Kubernetes endpoints SD
  • Test infra — RPM name added to test/bin/common.sh

Summary by CodeRabbit

  • New Features

    • Added an optional kube-state-metrics component: namespace, service account, RBAC, deployment (with TLS proxies), headless service, TLS secret, configmap for extended CR metrics, architecture-specific image overrides, and an OTEL Collector drop-in to scrape its HTTPS endpoint.
  • Chores

    • Packaging adds an optional RPM subpackage to ship manifests and OTEL config; build asset listings updated for kube-state-metrics.
  • Tests

    • Test configs updated to include the new optional RPM in test lists.


openshift-ci-robot commented Jun 5, 2026

@copejon: This pull request references USHIFT-6951 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 5, 2026
Contributor

coderabbitai Bot commented Jun 5, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds optional kube-state-metrics: Kubernetes manifests, kustomize overlays and release JSONs, OTEL Collector scrape config, RPM packaging/install rules, and test/healthcheck wiring.

Changes

kube-state-metrics metrics collection feature

| Layer | File(s) | Summary |
|---|---|---|
| Namespace, ServiceAccount, ClusterRole, ClusterRoleBinding | assets/optional/kube-state-metrics/00-namespace.yaml, assets/optional/kube-state-metrics/01-service-account.yaml, assets/optional/kube-state-metrics/01-cluster-role-binding.yaml, assets/optional/kube-state-metrics/01-cluster-role.yaml | Creates openshift-monitoring namespace with pod-security labels, adds kube-state-metrics ServiceAccount, ClusterRole (broad list/watch/create rules), and ClusterRoleBinding. |
| CustomResourceState ConfigMap and kube-rbac-proxy secret | assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml, assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml | Adds CustomResourceStateMetrics templates (VPA and Gateway API metrics) and a kube-rbac-proxy static policy secret allowing GET on /metrics for prometheus-k8s. |
| Deployment and Service | assets/optional/kube-state-metrics/03-deployment.yaml, assets/optional/kube-state-metrics/04-service.yaml | Deployment runs kube-state-metrics plus two kube-rbac-proxy sidecars (8443 and 9443), mounts TLS/config volumes, sets pod constraints; headless Service exposes HTTPS ports and selectors. |
| Kustomize overlays & release JSONs | assets/optional/kube-state-metrics/kustomization.yaml, kustomization.aarch64.yaml, kustomization.x86_64.yaml, release-kube-state-metrics-*.json | Kustomization base lists resources and per-architecture image remaps from quay.io to registry.redhat.io RHEL9 images pinned to SHA256 digests; per-arch release descriptors added. |
| OTEL Collector drop-in & RPM packaging | packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml, packaging/rpm/microshift.spec | Prometheus receiver configured to scrape kube-state-metrics over HTTPS with kubeconfig-based discovery scoped to openshift-monitoring; spec changes add metrics-kube-state-metrics subpackages, install manifests and OTEL drop-in, and update file lists. |
| Workload registration, auto-rebase, and tests | pkg/healthcheck/microshift_optional_workloads.go, scripts/auto-rebase/assets.yaml, test/bin/common.sh | Registers 081-microshift-kube-state-metrics optional workload and merges per-namespace expectations, adds asset block for auto-rebase, and includes the new RPM in test optional RPM lists. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant OTEL as OTELCollector
  participant KubeAPI as KubernetesAPI
  participant KSM as kube-state-metrics
  participant RBAC as kube-rbac-proxy
  KubeAPI->>KSM: apply manifests (Namespace, SA, ClusterRole/Binding, ConfigMap, Secret, Deployment, Service)
  OTEL->>KubeAPI: discover endpoints in openshift-monitoring via kubeconfig
  OTEL->>RBAC: HTTPS scrape to kube-state-metrics (https-main)
  RBAC->>KSM: forward proxied request to localhost upstream (127.0.0.1:8081)
  KSM-->>RBAC: metrics response
  RBAC-->>OTEL: proxied metrics response
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels: ready-for-human-review

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding kube-state-metrics as an optional MicroShift component, matching the substantial manifest additions and RPM packaging. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR adds no Ginkgo tests. The sole test file (workloads_test.go) uses Go's standard testing with hardcoded, static test names ("empty", "none", "only controller") that are stable and deterministic. |
| Test Structure And Quality | ✅ Passed | This PR adds kube-state-metrics as an optional component with manifests, RPM packaging, and configuration files. No Ginkgo test code was added or modified, so the test quality check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests added. Changes are YAML manifests, RPM spec, healthcheck code, and test infrastructure; check not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. Changes are infrastructure/manifests only (Kubernetes YAML, RPM spec, shell scripts, configuration files). The SNO compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Deployment uses no topology-sensitive constraints: replicas: 1, nodeSelector only for OS, no affinity/anti-affinity/spread rules, no control-plane targeting. Compatible with all topologies. |
| Ote Binary Stdout Contract | ✅ Passed | No process-level stdout writes found. PR adds kube-state-metrics via manifests, RPM packaging, and healthcheck utility functions that don't violate OTE stdout contract. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added. PR only adds Kubernetes manifests, configs, healthcheck code, and RPM packaging; not test code subject to this check. |
| No-Weak-Crypto | ✅ Passed | No weak cryptography found. TLS uses strong ciphers only (ECDHE with AES-GCM/ChaCha20-Poly1305). No weak hash/cipher patterns detected. Go code contains no crypto vulnerabilities. |
| Container-Privileges | ✅ Passed | No privileged containers, hostPID/Network/IPC, SYS_ADMIN caps, or allowPrivilegeEscalation: true found. All containers run non-root with restrictive security contexts. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive logging found. Metrics exclude secrets, no debug flags enabled, TLS/kubeconfig use safe file paths only, logging limited to non-sensitive deployment names. |


Contributor

openshift-ci Bot commented Jun 5, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: copejon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 5, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 6

🧹 Nitpick comments (2)
assets/optional/kube-state-metrics/kustomization.aarch64.yaml (1)

2-4: 💤 Low value

Consider adding version comments for maintainability.

While digest pinning is secure, adding a comment with the human-readable version would improve maintainability when updating images.

📝 Example with version comment
 images:
+  # kube-state-metrics v2.x.x
   - name: quay.io/openshift/kube-state-metrics
     newName: registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9
     digest: sha256:c84d67c1427187b67a8eecde93ed964ffd390afbdac58eb9d943489ee7729b1a
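Review bot: the added `+  # kube-state-metrics v2.x.x` line is a placeholder; if the suggestion is adopted, it should carry the actual tag the pinned sha256 digest was resolved from, and the same tag should be recorded alongside the matching release-kube-state-metrics-*.json entry so the two cannot drift. A version comment that no longer matches the digest misleads the next person updating the image, while the digest is the only value the runtime actually verifies.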
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/optional/kube-state-metrics/kustomization.aarch64.yaml` around lines 2
- 4, Add a human-readable version comment next to the image entry for
quay.io/openshift/kube-state-metrics / newName
registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9 so maintainers can
see the tagged version alongside the digest; edit the kube-state-metrics image
block to include a short comment (e.g., "# vX.Y.Z" or "# openshift X.Y" )
immediately above or beside the newName/digest lines and ensure the comment is
kept in sync when updating the digest.
assets/optional/kube-state-metrics/kustomization.x86_64.yaml (1)

2-4: 💤 Low value

Consider adding version comments for maintainability.

As with the aarch64 file, adding human-readable version comments would ease future updates and troubleshooting.

📝 Example with version comment
 images:
+  # kube-state-metrics v2.x.x
   - name: quay.io/openshift/kube-state-metrics
     newName: registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9
     digest: sha256:cc300698b3f0abd36267e740e1669f83ca17aa4b710218c5f5b2ee71994af9ba
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/optional/kube-state-metrics/kustomization.x86_64.yaml` around lines 2
- 4, Add a human-readable version comment above the image mapping that documents
the component and version for future maintainers; specifically, annotate the
block referencing "quay.io/openshift/kube-state-metrics" /
"registry.redhat.io/openshift4/ose-kube-state-metrics-rhel9" and its "digest"
with a comment like a version or release tag (mirroring the approach used in the
aarch64 file) so updates and troubleshooting can quickly identify which upstream
release this digest corresponds to.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml`:
- Line 433: The help text for metrics that read from the maxAllowed field is
incorrect: change the wording from "Minimum" to "Maximum" for the metrics that
reference maxAllowed (e.g., the cpu metric whose help currently reads "Minimum
cpu resources the VerticalPodAutoscaler can set for containers matching the
name."). Update the help strings for both occurrences (the cpu maxAllowed metric
at the line shown and the second occurrence around line 470) to say "Maximum cpu
resources the VerticalPodAutoscaler can set for containers matching the name."
so they accurately describe maxAllowed.

In `@assets/optional/kube-state-metrics/03-deployment.yaml`:
- Around line 64-67: The manifest sets only resource requests; add corresponding
resource limits for cpu and memory on the three containers named
"kube-state-metrics", "kube-rbac-proxy-main", and "kube-rbac-proxy-self" (add a
"limits" block with appropriate cpu and memory values alongside the existing
"requests"). Update each container's spec where requests are defined (there are
additional identical request blocks for the same containers elsewhere in the
file) so that every container includes both resources.requests and
resources.limits (cpu and memory) to satisfy the "Resource limits on every
container" guideline.
- Around line 35-120: Add proper liveness and readiness probes for each
container (kube-state-metrics, kube-rbac-proxy-main, kube-rbac-proxy-self): for
kube-state-metrics add an httpGet readiness and liveness probe against the
metrics/health endpoint on port 8081 (and telemetry port 8082 for self-probe if
applicable) with sensible defaults (initialDelaySeconds, periodSeconds,
timeoutSeconds, failureThreshold); for both kube-rbac-proxy containers add
httpGet probes against their secure ports (8443 for kube-rbac-proxy-main, 9443
for kube-rbac-proxy-self) pointing to a health or /ready endpoint and similar
timeout/period settings; ensure probes are added under each container spec using
the field names readinessProbe and livenessProbe so Kubernetes can correctly
manage restarts and traffic routing.
- Line 68: Replace the empty securityContext maps with explicit hardened
settings at both pod and container scope: for the PodSpec-level securityContext
set runAsNonRoot: true and runAsUser (e.g. 1000), and for each container's
securityContext set allowPrivilegeEscalation: false, readOnlyRootFilesystem:
true, runAsNonRoot: true (and runAsUser if needed), capabilities: drop: ["ALL"]
(and add only specific capabilities if required), and seccompProfile: type:
RuntimeDefault; apply these changes for the securityContext entries referenced
(pod-level and container-level occurrences around the empty maps) so containers
run non-root, cannot escalate privileges, have a read-only rootfs, dropped
capabilities, and use the default seccomp profile.
- Around line 42-50: The deployment args contain duplicate --metric-denylist
flags so the later one overrides the earlier denylist; merge all denylist
regexes into a single --metric-denylist=... value (comma-separated) that
includes ^kube_secret_labels$, ^kube_.+_annotations$,
^kube_customresource_.+_annotations_info$, ^kube_customresource_.+_labels_info$
and remove the second --metric-denylist entry; ensure the existing
--metric-labels-allowlist entry remains unchanged and that only one
--metric-denylist flag is present in the container args.

In
`@packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml`:
- Around line 10-19: For the scrape block using kubernetes_sd_configs with role:
endpoints that keeps kube-state-metrics;https-main (the relabel_configs regex),
add a tls_config.server_name set to the kube-state-metrics Service DNS name
(e.g., kube-state-metrics.openshift-monitoring.svc) so TLS hostname verification
succeeds against the serving cert SANs; update the scrape_config that contains
kubernetes_sd_configs/role: endpoints and the relabel_configs regex
"kube-state-metrics;https-main" to include tls_config.server_name with the
appropriate service DNS (or make it configurable if needed).


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 060e9c6c-3fbf-4e9a-8297-183b2c97e1bc

📥 Commits

Reviewing files that changed from the base of the PR and between 93e835e and ee20850.

📒 Files selected for processing (15)
  • assets/optional/kube-state-metrics/00-namespace.yaml
  • assets/optional/kube-state-metrics/01-cluster-role-binding.yaml
  • assets/optional/kube-state-metrics/01-cluster-role.yaml
  • assets/optional/kube-state-metrics/01-service-account.yaml
  • assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml
  • assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml
  • assets/optional/kube-state-metrics/03-deployment.yaml
  • assets/optional/kube-state-metrics/04-service.yaml
  • assets/optional/kube-state-metrics/kustomization.aarch64.yaml
  • assets/optional/kube-state-metrics/kustomization.x86_64.yaml
  • assets/optional/kube-state-metrics/kustomization.yaml
  • packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml
  • packaging/rpm/microshift.spec
  • pkg/healthcheck/microshift_optional_workloads.go
  • test/bin/common.sh

@copejon copejon force-pushed the ushift-6951/kube-state-metrics branch from ee20850 to f20f28d Compare June 5, 2026 06:46
@coderabbitai coderabbitai Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 5, 2026
@copejon copejon force-pushed the ushift-6951/kube-state-metrics branch from f20f28d to 93e8e18 Compare June 5, 2026 07:23
@coderabbitai coderabbitai Bot removed the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 5, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/optional/kube-state-metrics/03-deployment.yaml`:
- Around line 96-98: Change the TLS secret volume mounts for the kube-rbac-proxy
containers to be read-only: locate the Deployment definition that contains the
containers named kube-rbac-proxy-main and kube-rbac-proxy-self and update their
volumeMount entry with mountPath /etc/tls/private and name
kube-state-metrics-tls to set readOnly: true (replace the current readOnly:
false) for both containers.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dea0740c-1242-46ec-88b5-a58fdbe5dbe4

📥 Commits

Reviewing files that changed from the base of the PR and between ee20850 and 93e8e18.

📒 Files selected for processing (16)
  • assets/optional/kube-state-metrics/00-namespace.yaml
  • assets/optional/kube-state-metrics/01-cluster-role-binding.yaml
  • assets/optional/kube-state-metrics/01-cluster-role.yaml
  • assets/optional/kube-state-metrics/01-service-account.yaml
  • assets/optional/kube-state-metrics/02-custom-resource-state-configmap.yaml
  • assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml
  • assets/optional/kube-state-metrics/03-deployment.yaml
  • assets/optional/kube-state-metrics/04-service.yaml
  • assets/optional/kube-state-metrics/kustomization.aarch64.yaml
  • assets/optional/kube-state-metrics/kustomization.x86_64.yaml
  • assets/optional/kube-state-metrics/kustomization.yaml
  • packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml
  • packaging/rpm/microshift.spec
  • pkg/healthcheck/microshift_optional_workloads.go
  • scripts/auto-rebase/assets.yaml
  • test/bin/common.sh
✅ Files skipped from review due to trivial changes (3)
  • assets/optional/kube-state-metrics/kustomization.aarch64.yaml
  • scripts/auto-rebase/assets.yaml
  • assets/optional/kube-state-metrics/01-service-account.yaml
🚧 Files skipped from review as they are similar to previous changes (11)
  • assets/optional/kube-state-metrics/kustomization.x86_64.yaml
  • assets/optional/kube-state-metrics/00-namespace.yaml
  • packaging/observability/otelcol.d/microshift-metrics-kube-state-metrics.yaml
  • assets/optional/kube-state-metrics/kustomization.yaml
  • assets/optional/kube-state-metrics/04-service.yaml
  • pkg/healthcheck/microshift_optional_workloads.go
  • assets/optional/kube-state-metrics/01-cluster-role-binding.yaml
  • assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml
  • test/bin/common.sh
  • packaging/rpm/microshift.spec
  • assets/optional/kube-state-metrics/01-cluster-role.yaml

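The Deployment findings in the two CodeRabbit reviews above (resource limits on every container, liveness/readiness probes, explicit hardened securityContext at pod and container scope, the duplicate --metric-denylist flag, and the read-only TLS mount) can be expressed as one repeatable check. The block below is an added example written for this page; it is not code from the PR or from the MicroShift project. It lints a constructed, minimal Deployment shaped like the one under review and then applies the fixes. The ports come from the review; the probe paths (/healthz), the assumption that kube-rbac-proxy answers a health probe over HTTPS on its secure port, the limit sizes and the runAsUser value are assumptions of this example.

```python
import copy
from typing import Any, Dict, List

# Constructed sample shaped like the Deployment under review (not the PR's own manifest).
# It reproduces the review findings: empty securityContext maps, requests without limits,
# no probes, two --metric-denylist flags, and a writable TLS mount.
SAMPLE_DEPLOYMENT: Dict[str, Any] = {"spec": {"template": {"spec": {
    "securityContext": {},
    "containers": [
        {"name": "kube-state-metrics",
         "args": ["--metric-denylist=^kube_secret_labels$",
                  "--metric-labels-allowlist=pods=[*]",
                  "--metric-denylist=^kube_.+_annotations$"],
         "resources": {"requests": {"cpu": "10m", "memory": "80Mi"}},
         "securityContext": {}},
        {"name": "kube-rbac-proxy-main",
         "args": ["--secure-listen-address=:8443", "--upstream=http://127.0.0.1:8081/"],
         "resources": {"requests": {"cpu": "10m", "memory": "20Mi"}},
         "securityContext": {},
         "volumeMounts": [{"name": "kube-state-metrics-tls",
                           "mountPath": "/etc/tls/private", "readOnly": False}]},
    ]}}}}

# Container-level settings the review asks for.
HARDENED_CONTAINER_CONTEXT = {"allowPrivilegeEscalation": False,
                              "readOnlyRootFilesystem": True, "runAsNonRoot": True}
# Assumed probe endpoints and limits: the ports are the review's, paths and sizes are mine.
PROBES = {"kube-state-metrics": {"path": "/healthz", "port": 8081},
          "kube-rbac-proxy-main": {"path": "/healthz", "port": 8443, "scheme": "HTTPS"}}
LIMITS = {"kube-state-metrics": {"cpu": "200m", "memory": "256Mi"},
          "kube-rbac-proxy-main": {"cpu": "50m", "memory": "64Mi"}}


def merge_denylist_args(args: List[str]) -> List[str]:
    """Collapse repeated --metric-denylist flags into one comma-separated flag placed where
    the first one was. The review notes the later flag overrides the earlier one, so every
    regex from the earlier flag silently stops being denied; merging keeps all of them."""
    patterns: List[str] = []
    merged: List[Any] = []
    slot = None
    for arg in args:
        if arg.startswith("--metric-denylist="):
            patterns.extend(p for p in arg.split("=", 1)[1].split(",") if p)
            if slot is None:
                slot = len(merged)
                merged.append(None)  # placeholder for the merged flag
        else:
            merged.append(arg)
    if slot is not None:
        merged[slot] = "--metric-denylist=" + ",".join(patterns)
    return merged


def container_issues(c: Dict[str, Any]) -> List[str]:
    """Report the per-container findings from the review for one container spec."""
    name = c.get("name", "<unnamed>")
    issues: List[str] = []
    limits = c.get("resources", {}).get("limits", {})
    issues += [f"{name}: no resources.limits.{k}" for k in ("cpu", "memory") if k not in limits]
    issues += [f"{name}: no {p}" for p in ("readinessProbe", "livenessProbe") if p not in c]
    sc = c.get("securityContext", {})
    issues += [f"{name}: securityContext.{k} should be {v}"
               for k, v in HARDENED_CONTAINER_CONTEXT.items() if sc.get(k) is not v]
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        issues.append(f"{name}: securityContext.capabilities.drop should include ALL")
    if sc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        issues.append(f"{name}: securityContext.seccompProfile.type should be RuntimeDefault")
    denylists = [a for a in c.get("args", []) if a.startswith("--metric-denylist=")]
    if len(denylists) > 1:
        issues.append(f"{name}: {len(denylists)} --metric-denylist flags, only one is honoured")
    for vm in c.get("volumeMounts", []):
        if vm.get("readOnly") is not True:
            issues.append(f"{name}: mount {vm['name']} at {vm['mountPath']} is writable")
    return issues


def deployment_issues(dep: Dict[str, Any]) -> List[str]:
    """Pod-level check plus every container's findings; empty list means clean."""
    pod = dep["spec"]["template"]["spec"]
    issues = ([] if pod.get("securityContext", {}).get("runAsNonRoot") is True
              else ["pod: securityContext.runAsNonRoot should be True"])
    for c in pod.get("containers", []):
        issues += container_issues(c)
    return issues


def harden(dep: Dict[str, Any], probes=PROBES, limits=LIMITS) -> Dict[str, Any]:
    """Return a deep copy with the review's fixes applied (probe/limit values are assumptions)."""
    dep = copy.deepcopy(dep)
    pod = dep["spec"]["template"]["spec"]
    pod.setdefault("securityContext", {}).update({"runAsNonRoot": True, "runAsUser": 1000})
    for c in pod["containers"]:
        sc = c.setdefault("securityContext", {})
        sc.update(HARDENED_CONTAINER_CONTEXT)
        sc["capabilities"] = {"drop": ["ALL"]}
        sc["seccompProfile"] = {"type": "RuntimeDefault"}
        c.setdefault("resources", {})["limits"] = dict(limits[c["name"]])
        probe = {"httpGet": dict(probes[c["name"]]), "periodSeconds": 10,
                 "timeoutSeconds": 5, "failureThreshold": 3}
        c["readinessProbe"] = probe
        c["livenessProbe"] = dict(probe, initialDelaySeconds=15)
        c["args"] = merge_denylist_args(c.get("args", []))
        for vm in c.get("volumeMounts", []):
            vm["readOnly"] = True  # the proxy only reads the serving cert and key
    return dep


if __name__ == "__main__":
    for issue in deployment_issues(SAMPLE_DEPLOYMENT):
        print("FINDING", issue)
    print("after hardening:", deployment_issues(harden(SAMPLE_DEPLOYMENT)) or "clean")
```

Against a real manifest, load it with yaml.safe_load and pass the resulting dict to deployment_issues; the checker only walks the parsed structure, which is why it runs offline here without PyYAML. The denylist merge splits on commas because that is how the flag's list is delimited; a regex that itself contains a comma would need to be checked by hand.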
@copejon copejon force-pushed the ushift-6951/kube-state-metrics branch 4 times, most recently from 7d046a2 to 3631f72 Compare June 5, 2026 08:12
@coderabbitai coderabbitai Bot added ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review and removed ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review labels Jun 5, 2026
Contributor Author

copejon commented Jun 5, 2026

@CodeRabbit re-evaluate past comments against current code and resolve those that have been satisfied

Contributor

coderabbitai Bot commented Jun 5, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Fetch all review comments by coderabbitai on PR `#6809`
gh pr view 6809 --repo openshift/microshift --json reviews,reviewDecision

echo "---COMMENTS---"
gh api repos/openshift/microshift/pulls/6809/comments \
  --jq '.[] | select(.user.login == "coderabbitai") | {id: .id, body: .body, path: .path, line: .line, resolved: .position}'

echo "---REVIEW_THREADS---"
gh api graphql -f query='
{
  repository(owner: "openshift", name: "microshift") {
    pullRequest(number: 6809) {
      reviewThreads(first: 50) {
        nodes {
          id
          isResolved
          comments(first: 5) {
            nodes {
              author { login }
              body
              path
              line
            }
          }
        }
      }
    }
  }
}'
```

Length of output: 32315



@copejon Here's the status after re-evaluation:

Already resolved (5 threads — no action needed):

| Comment | Fix Commit |
|---|---|
| maxAllowed help text "Minimum" → "Maximum" | 6324907 |
| Duplicate --metric-denylist args | 76e287e |
| Empty securityContext hardening | 3631f72 |
| tls_config.server_name for HTTPS endpoint scraping | db84aaa |
| TLS volume mounts readOnly: false → true | 6324907 |

Still open (2 threads — unresolved in current code):

  1. Liveness/readiness probes (03-deployment.yaml) — no probes defined for kube-state-metrics, kube-rbac-proxy-main, or kube-rbac-proxy-self.
  2. Resource limits (03-deployment.yaml) — only requests set, no limits for any of the three containers.

These two are still flagged by the coding guidelines. Let me know if you'd like to defer them or address them in this PR.


🧠 Learnings used
Learnt from: pmtk
Repo: openshift/microshift PR: 6729
File: assets/crd/microshift.io_remoteclusters.yaml:43-47
Timestamp: 2026-05-28T07:47:50.413Z
Learning: In the MicroShift C2CC feature (PR `#6729`), the `remoteclusters.microshift.io` CRD (`assets/crd/microshift.io_remoteclusters.yaml`) is controller-managed and never directly edited by users. The `spec.probeInterval` duration validation (1s–5m) is intentionally enforced only in the Go config layer (`pkg/config/c2cc.go`), not as CRD-level schema validation, because the CRD is only written by the C2CC controller.

@coderabbitai coderabbitai Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 5, 2026
copejon and others added 3 commits June 5, 2026 13:32
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tion

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@copejon copejon force-pushed the ushift-6951/kube-state-metrics branch from d0ba1fd to c1bc1a5 Compare June 5, 2026 18:33