|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * scalability_and_performance/ztp_far_edge/ztp-configuring-managed-clusters-policies.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="ztp-removing-content-from-managed-clusters_{context}"] |
| 7 | += Changing applied managed cluster CRs using policies |
| 8 | + |
| 9 | +You can remove content from a custom resource (CR) that is deployed in a managed cluster through a policy. |
| 10 | + |
| 11 | +By default, all `Policy` CRs created from a `PolicyGenTemplate` CR have the `complianceType` field set to `musthave`. |
| 12 | +A `musthave` policy without the removed content is still compliant because the CR on the managed cluster has all the specified content. |
| 13 | +With this configuration, when you remove content from a CR, {cgu-operator} removes the content from the policy but the content is not removed from the CR on the managed cluster. |
| 14 | + |
| 15 | +With the `complianceType` field to `mustonlyhave`, the policy ensures that the CR on the cluster is an exact match of what is specified in the policy. |
| 16 | + |
| 17 | +.Prerequisites |
| 18 | + |
| 19 | +* You have installed the OpenShift CLI (`oc`). |
| 20 | +
|
| 21 | +* You have logged in to the hub cluster as a user with `cluster-admin` privileges. |
| 22 | +
|
| 23 | +* You have deployed a managed cluster from a hub cluster running {rh-rhacm}. |
| 24 | +
|
| 25 | +* You have installed {cgu-operator-full} on the hub cluster. |
| 26 | +
|
| 27 | +.Procedure |
| 28 | + |
| 29 | +. Remove the content that you no longer need from the affected CRs. In this example, the `disableDrain: false` line was removed from the `SriovOperatorConfig` CR. |
| 30 | ++ |
| 31 | +.Example CR |
| 32 | + |
| 33 | +[source,yaml] |
| 34 | +---- |
| 35 | +apiVersion: sriovnetwork.openshift.io/v1 |
| 36 | +kind: SriovOperatorConfig |
| 37 | +metadata: |
| 38 | + name: default |
| 39 | + namespace: openshift-sriov-network-operator |
| 40 | +spec: |
| 41 | + configDaemonNodeSelector: |
| 42 | + "node-role.kubernetes.io/$mcp": "" |
| 43 | + disableDrain: true |
| 44 | + enableInjector: true |
| 45 | + enableOperatorWebhook: true |
| 46 | +---- |
| 47 | + |
| 48 | +. Change the `complianceType` of the affected policies to `mustonlyhave` in the `group-du-sno-ranGen.yaml` file. |
| 49 | ++ |
| 50 | +.Example YAML |
| 51 | +[source,yaml] |
| 52 | +---- |
| 53 | +# ... |
| 54 | +- fileName: SriovOperatorConfig.yaml |
| 55 | + policyName: "config-policy" |
| 56 | + complianceType: mustonlyhave |
| 57 | +# ... |
| 58 | +---- |
| 59 | + |
| 60 | +. Create a `ClusterGroupUpdates` CR and specify the clusters that must receive the CR changes:: |
| 61 | ++ |
| 62 | +.Example ClusterGroupUpdates CR |
| 63 | +[source,yaml] |
| 64 | +---- |
| 65 | +apiVersion: ran.openshift.io/v1alpha1 |
| 66 | +kind: ClusterGroupUpgrade |
| 67 | +metadata: |
| 68 | + name: cgu-remove |
| 69 | + namespace: default |
| 70 | +spec: |
| 71 | + managedPolicies: |
| 72 | + - ztp-group.group-du-sno-config-policy |
| 73 | + enable: false |
| 74 | + clusters: |
| 75 | + - spoke1 |
| 76 | + - spoke2 |
| 77 | + remediationStrategy: |
| 78 | + maxConcurrency: 2 |
| 79 | + timeout: 240 |
| 80 | + batchTimeoutAction: |
| 81 | +---- |
| 82 | + |
| 83 | +. Create the `ClusterGroupUpgrade` CR by running the following command: |
| 84 | ++ |
| 85 | +[source,terminal] |
| 86 | +---- |
| 87 | +$ oc create -f cgu-remove.yaml |
| 88 | +---- |
| 89 | + |
| 90 | +. When you are ready to apply the changes, for example, during an appropriate maintenance window, change the value of the `spec.enable` field to `true` by running the following command: |
| 91 | ++ |
| 92 | +[source,terminal] |
| 93 | +---- |
| 94 | +$ oc --namespace=default patch clustergroupupgrade.ran.openshift.io/cgu-remove \ |
| 95 | +--patch '{"spec":{"enable":true}}' --type=merge |
| 96 | +---- |
| 97 | + |
| 98 | +.Verification |
| 99 | + |
| 100 | +. Check the status of the policies by running the following command: |
| 101 | ++ |
| 102 | +[source,terminal] |
| 103 | +---- |
| 104 | +$ oc get <kind> <changed_cr_name> |
| 105 | +---- |
| 106 | + |
| 107 | ++ |
| 108 | +.Example output |
| 109 | +[source,terminal] |
| 110 | +---- |
| 111 | +NAMESPACE NAME REMEDIATION ACTION COMPLIANCE STATE AGE |
| 112 | +default cgu-ztp-group.group-du-sno-config-policy enforce 17m |
| 113 | +default ztp-group.group-du-sno-config-policy inform NonCompliant 15h |
| 114 | +---- |
| 115 | + |
| 116 | ++ |
| 117 | +When the `COMPLIANCE STATE` of the policy is `Compliant`, it means that the CR is updated and the unwanted content is removed. |
| 118 | + |
| 119 | +. Check that the policies are removed from the targeted clusters by running the following command on the managed clusters: |
| 120 | ++ |
| 121 | +[source,terminal] |
| 122 | +---- |
| 123 | +$ oc get <kind> <changed_cr_name> |
| 124 | +---- |
| 125 | + |
| 126 | ++ |
| 127 | +If there are no results, the CR is removed from the managed cluster. |
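Review bot: The verification steps do not match the procedure. Step 1 says to check the status of the policies but runs `oc get <kind> <changed_cr_name>`, while the example output under it is a policy listing. Step 2 ends with "If there are no results, the CR is removed from the managed cluster", although the procedure removes a field from a CR rather than the CR itself. Suggest a policy query for step 1 and, for step 2, inspecting the CR on the managed cluster (for example with `-o yaml`) and confirming that the removed field is absent. Further points in the same file: procedure step 1 says the `disableDrain: false` line was removed, yet the example CR still contains `disableDrain: true`, so either drop that line from the example or reword the sentence. Step 3 and its block title say `ClusterGroupUpdates` while the manifest and step 4 use `ClusterGroupUpgrade`, and step 3 ends in a stray `::`. `batchTimeoutAction:` is left without a value in the example, so give it a value or remove the key. In the introduction, "With the `complianceType` field to `mustonlyhave`" is missing "set". Because `mustonlyhave` enforces an exact match, the module should also state that any field present on the managed cluster CR but not listed in the policy is removed on enforcement, so that readers review the full source CR before setting `spec.enable` to `true`.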