Skip to content

Add Windows VMs vCPU overcommit prevention VAP #2535

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add Windows VMs vCPU overcommit prevention VAP #2535

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
178 changes: 178 additions & 0 deletions deploy/acm-policies/50-GENERATED-srep-vap-vcpu-overcommit.Policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,178 @@
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
annotations:
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
policy.open-cluster-management.io/standards: NIST SP 800-53
name: srep-vap-vcpu-overcommit
namespace: openshift-acm-policies
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: srep-vap-vcpu-overcommit
spec:
evaluationInterval:
compliant: 2h
noncompliant: 45s
object-templates:
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterPreference
metadata:
annotations:
iconClass: icon-windows
openshift.io/display-name: Microsoft Windows 11 (virtio dedicated vCPU)
openshift.io/documentation-url: https://access.redhat.com
openshift.io/provider-display-name: Red Hat
openshift.io/support-url: https://access.redhat.com
tags: hidden,kubevirt,windows
labels:
instancetype.kubevirt.io/os-type: windows
instancetype.kubevirt.io/vendor: redhat.com
name: windows.11.virtio.dedicated
spec:
annotations:
vm.kubevirt.io/os: windows
clock:
preferredClockOffset:
utc: {}
preferredTimer:
hpet:
present: false
hyperv: {}
pit:
tickPolicy: delay
rtc:
tickPolicy: catchup
cpu:
dedicatedCpuPlacement: true
preferredCPUTopology: sockets
devices:
preferredAutoattachInputDevice: true
preferredDiskBus: virtio
preferredInputBus: virtio
preferredInputType: tablet
preferredInterfaceModel: virtio
preferredTPM:
persistent: true
features:
preferredAcpi: {}
preferredApic: {}
preferredHyperv:
frequencies: {}
ipi: {}
reenlightenment: {}
relaxed: {}
reset: {}
runtime: {}
spinlocks:
spinlocks: 8191
synic: {}
synictimer:
direct: {}
tlbflush: {}
vapic: {}
vpindex: {}
preferredSmm: {}
firmware:
preferredEfi:
persistent: true
secureBoot: true
preferredTerminationGracePeriodSeconds: 3600
requirements:
cpu:
guest: 2
memory:
guest: 4Gi
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: windows-vcpu-overcommit
spec:
failurePolicy: Fail
matchConditions:
- expression: (('kubevirt.io/preference-name' in object.metadata.annotations) && (object.metadata.annotations['kubevirt.io/preference-name'].lowerAscii().contains('windows'))) || (('kubevirt.io/cluster-preference-name' in object.metadata.annotations) && (object.metadata.annotations['kubevirt.io/preference-name'].lowerAscii().contains('windows'))) || (('vm.kubevirt.io/os' in object.metadata.annotations) && (object.metadata.annotations['vm.kubevirt.io/os'].lowerAscii().contains('windows')))
name: windows-vcpu-overcommit
matchConstraints:
resourceRules:
- apiGroups:
- kubevirt.io
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- virtualmachineinstances
validations:
- expression: |-
(
'kubevirt.io/cluster-preference-name' in object.metadata.annotations &&
object.metadata.annotations['kubevirt.io/cluster-preference-name'].lowerAscii().contains('dedicated')
) ||
(
'kubevirt.io/preference-name' in object.metadata.annotations &&
object.metadata.annotations['kubevirt.io/preference-name'].lowerAscii().contains('dedicated')
)
message: Windows VM are required to use *dedicated preferences.
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: windows-vcpu-overcommit-binding
spec:
policyName: windows-vcpu-overcommit
validationActions:
- Deny
pruneObjectBehavior: DeleteIfCreated
remediationAction: enforce
severity: low
remediationAction: enforce
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-srep-vap-vcpu-overcommit
namespace: openshift-acm-policies
spec:
clusterSelector:
matchExpressions:
- key: hypershift.open-cluster-management.io/hosted-cluster
operator: In
values:
- "true"
- key: openshiftVersion-major-minor
operator: NotIn
values:
- "4.14"
- "4.15"
- "4.16"
- "4.17"
- "4.18"
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-srep-vap-vcpu-overcommit
namespace: openshift-acm-policies
placementRef:
apiGroup: apps.open-cluster-management.io
kind: PlacementRule
name: placement-srep-vap-vcpu-overcommit
subjects:
- apiGroup: policy.open-cluster-management.io
kind: Policy
name: srep-vap-vcpu-overcommit
3 changes: 3 additions & 0 deletions deploy/srep-vap/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
deploymentMode: "SelectorSyncSet"
selectorSyncSet:
resourceApplyMode: "Sync"
69 changes: 69 additions & 0 deletions deploy/srep-vap/vcpu-overcommit/101-windows-11-vcpu-restrict.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterPreference
metadata:
annotations:
iconClass: icon-windows
openshift.io/display-name: Microsoft Windows 11 (virtio dedicated vCPU)
openshift.io/documentation-url: https://access.redhat.com
openshift.io/provider-display-name: Red Hat
openshift.io/support-url: https://access.redhat.com
tags: hidden,kubevirt,windows
labels:
instancetype.kubevirt.io/os-type: windows
instancetype.kubevirt.io/vendor: redhat.com
name: windows.11.virtio.dedicated
spec:
annotations:
vm.kubevirt.io/os: windows
clock:
preferredClockOffset:
utc: {}
preferredTimer:
hpet:
present: false
hyperv: {}
pit:
tickPolicy: delay
rtc:
tickPolicy: catchup
cpu:
preferredCPUTopology: sockets
dedicatedCpuPlacement: true
devices:
preferredAutoattachInputDevice: true
preferredDiskBus: virtio
preferredInputBus: virtio
preferredInputType: tablet
preferredInterfaceModel: virtio
preferredTPM:
persistent: true
features:
preferredAcpi: {}
preferredApic: {}
preferredHyperv:
frequencies: {}
ipi: {}
reenlightenment: {}
relaxed: {}
reset: {}
runtime: {}
spinlocks:
spinlocks: 8191
synic: {}
synictimer:
direct: {}
tlbflush: {}
vapic: {}
vpindex: {}
preferredSmm: {}
firmware:
preferredEfi:
persistent: true
secureBoot: true
preferredTerminationGracePeriodSeconds: 3600
requirements:
cpu:
guest: 2
memory:
guest: 4Gi

32 changes: 32 additions & 0 deletions deploy/srep-vap/vcpu-overcommit/102-vcpu-overcommit-vap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: windows-vcpu-overcommit
spec:
failurePolicy: Fail
matchConditions:
- expression: (('kubevirt.io/preference-name' in object.metadata.annotations) &&
(object.metadata.annotations['kubevirt.io/preference-name'].lowerAscii().contains('windows'))) ||
(('kubevirt.io/cluster-preference-name' in object.metadata.annotations) &&
(object.metadata.annotations['kubevirt.io/preference-name'].lowerAscii().contains('windows'))) ||
(('vm.kubevirt.io/os' in object.metadata.annotations) &&
(object.metadata.annotations['vm.kubevirt.io/os'].lowerAscii().contains('windows')))
name: windows-vcpu-overcommit
matchConstraints:
resourceRules:
- apiGroups: ["kubevirt.io"]
apiVersions: ["*"]
operations: ["CREATE", "UPDATE"]
resources: ["virtualmachineinstances"]
validations:
- expression: |-
(
'kubevirt.io/cluster-preference-name' in object.metadata.annotations &&
object.metadata.annotations['kubevirt.io/cluster-preference-name'].lowerAscii().contains('dedicated')
) ||
(
'kubevirt.io/preference-name' in object.metadata.annotations &&
object.metadata.annotations['kubevirt.io/preference-name'].lowerAscii().contains('dedicated')
)
message: "Windows VM are required to use *dedicated preferences."

9 changes: 9 additions & 0 deletions deploy/srep-vap/vcpu-overcommit/103-vcpu-overcommit-vapb.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "windows-vcpu-overcommit-binding"
spec:
policyName: "windows-vcpu-overcommit"
validationActions: [Deny]

Empty file added deploy/srep-vap/vcpu-overcommit/README.md
View file
Open in desktop
Empty file.
16 changes: 16 additions & 0 deletions deploy/srep-vap/vcpu-overcommit/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
deploymentMode: Policy
clusterSelectors:
matchExpressions:
- key: hypershift.open-cluster-management.io/hosted-cluster
operator: In
values:
- "true"
- key: openshiftVersion-major-minor
operator: NotIn
values:
- "4.14"
- "4.15"
- "4.16"
- "4.17"
- "4.18"

Loading