From 9f5fb4abf2994b04b9925d0ee1d98ca6052fc16f Mon Sep 17 00:00:00 2001
From: aabughosh
Date: Mon, 1 Dec 2025 11:10:46 +0200
Subject: [PATCH 1/3] Add hostIP 127.0.0.1 to machine-config-daemon port 8798 - Added `hostIP: 127.0.0.1` to the containerPort 8798 to explicitly indicate that the health port is only bound to localhost. - Matches the existing behavior in logs: "Starting health listener on 127.0.0.1:8798" and address config: Addr: "127.0.0.1:8798" - This is informational and clarifies that this port is not externally exposed.
---
 manifests/machineconfigdaemon/daemonset.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/manifests/machineconfigdaemon/daemonset.yaml b/manifests/machineconfigdaemon/daemonset.yaml
index 1d32e44348..6900e81346 100644
--- a/manifests/machineconfigdaemon/daemonset.yaml
+++ b/manifests/machineconfigdaemon/daemonset.yaml
@@ -24,6 +24,7 @@ spec:
 image: {{.Images.MachineConfigOperator}}
 ports:
 - containerPort: 8798
+ hostIP: 127.0.0.1
 name: health
 protocol: TCP
 command: ["/usr/bin/machine-config-daemon"]
From 0a9871c057257a6642418af9713fea9d2f9517a6 Mon Sep 17 00:00:00 2001
From: aabughosh
Date: Wed, 3 Dec 2025 15:46:44 +0200
Subject: [PATCH 2/3] add a relevant svc to the crio port
---
 .../0000_80_machine-config_00_service.yaml | 47 ++++++++++++++++++-
 .../_base/files/criometricsproxy.yaml | 2 +
 .../_base/files/criometricsproxy.yaml | 2 +
 .../_base/files/criometricsproxy.yaml | 2 +
 4 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/install/0000_80_machine-config_00_service.yaml b/install/0000_80_machine-config_00_service.yaml
index 639a1c406f..68e5009562 100644
--- a/install/0000_80_machine-config_00_service.yaml
+++ b/install/0000_80_machine-config_00_service.yaml
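Review bot: In `manifests/machineconfigdaemon/daemonset.yaml`, the added `hostIP: 127.0.0.1` documents the loopback binding but does not enforce it: on a container port entry `hostIP` only qualifies a `hostPort` mapping, and the address actually bound is whatever the daemon passes to its listener (the commit message cites `Addr: "127.0.0.1:8798"`). Someone auditing node exposure from the manifest could read the field as a control, so I would add a comment above the entry such as `# informational only: the daemon itself binds 127.0.0.1:8798; this field does not restrict the listener`. The container spec starts and ends outside the hunk, so `hostNetwork` and any `hostPort` setting cannot be checked from here.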
@@ -63,4 +63,49 @@ spec:
 - name: health
 port: 8798
 protocol: TCP
-
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: machine-config-server
+ namespace: openshift-machine-config-operator
+ labels:
+ k8s-app: machine-config-server
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ type: ClusterIP
+ selector:
+ k8s-app: machine-config-server
+ ports:
+ - name: https
+ port: 22623
+ targetPort: 22623
+ protocol: TCP
+ - name: http
+ port: 22624
+ targetPort: 22624
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kube-rbac-proxy-crio
+ namespace: openshift-machine-config-operator
+ labels:
+ k8s-app: kube-rbac-proxy-crio
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ type: ClusterIP
+ selector:
+ k8s-app: kube-rbac-proxy-crio
+ ports:
+ - name: metrics
+ port: 9637
+ targetPort: 9637
+ protocol: TCP
diff --git a/templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml b/templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml
index bcdf704c09..8f8cae587d 100644
--- a/templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml
+++ b/templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml
@@ -7,6 +7,8 @@ contents:
 metadata:
 name: kube-rbac-proxy-crio
 namespace: openshift-machine-config-operator
+ labels:
+ k8s-app: kube-rbac-proxy-crio
 annotations:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 openshift.io/required-scc: privileged
diff --git a/templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml b/templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml
index bcdf704c09..8f8cae587d 100644
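Review bot: The first Service added in `install/0000_80_machine-config_00_service.yaml`, `machine-config-server`, puts ports 22623 and 22624 behind a ClusterIP, yet the commit subject mentions only the crio port, so this new path is neither explained nor justified. If these ports serve node provisioning data (inferred from the name, not shown here), a cluster-wide virtual IP may let ordinary pods reach them, including port 22624, which its name `http` suggests is not TLS-protected; please confirm that whatever restricts pod access to these ports today also applies to traffic arriving through the Service. If the object exists only as a port inventory, state that in a comment above it, e.g. `# port inventory only; not a supported client endpoint`. The `kube-rbac-proxy-crio` Service in the same hunk selects on `k8s-app: kube-rbac-proxy-crio`, the label the three `criometricsproxy.yaml` hunks add, so those changes must ship together.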
--- a/templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml
+++ b/templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml
@@ -7,6 +7,8 @@ contents:
 metadata:
 name: kube-rbac-proxy-crio
 namespace: openshift-machine-config-operator
+ labels:
+ k8s-app: kube-rbac-proxy-crio
 annotations:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 openshift.io/required-scc: privileged
diff --git a/templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml b/templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml
index bcdf704c09..8f8cae587d 100644
--- a/templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml
+++ b/templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml
@@ -7,6 +7,8 @@ contents:
 metadata:
 name: kube-rbac-proxy-crio
 namespace: openshift-machine-config-operator
+ labels:
+ k8s-app: kube-rbac-proxy-crio
 annotations:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 openshift.io/required-scc: privileged
From 507dbb2adf09d83c180f573afe032592798bb796 Mon Sep 17 00:00:00 2001
From: aabughosh
Date: Tue, 9 Dec 2025 11:44:00 +0200
Subject: [PATCH 3/3] add missing ports in contaiterport on the daemoset
---
 manifests/machineconfigserver/daemonset.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/manifests/machineconfigserver/daemonset.yaml b/manifests/machineconfigserver/daemonset.yaml
index 602875e0d2..53df274631 100644
--- a/manifests/machineconfigserver/daemonset.yaml
+++ b/manifests/machineconfigserver/daemonset.yaml
@@ -26,6 +26,13 @@ spec:
 - "--payload-version={{.ReleaseVersion}}"
 - "--tls-cipher-suites={{join .TLSCipherSuites ","}}"
 - "--tls-min-version={{.TLSMinVersion}}"
+ ports:
+ - containerPort: 22623
+ name: https
+ protocol: TCP
+ - containerPort: 22624
+ name: http
+ protocol: TCP
 resources:
 requests:
 cpu: 20m
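Review bot: In `manifests/machineconfigserver/daemonset.yaml`, the new `http` entry for 22624 lands directly below `--tls-cipher-suites` and `--tls-min-version`, and nothing tells a reader whether those flags cover that port. Judging by the port name it is a plaintext listener, so I would mark it in place with a comment such as `# 22624: non-TLS listener; the --tls-* args above apply to 22623 only (confirm)`. Like any `ports` list, these entries are declarative and do not restrict which addresses the process actually listens on. The container spec continues outside the hunk.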