|
| 1 | +# Preflight validition of the cluster with installed KMM Module |
| 2 | + |
| 3 | +Before executing upgrade on the cluster with applied KMM Modules, admin needs to verify that installed kernel modules (via KMM) |
| 4 | +will be able to be installed on the nodes after the cluster upgrade and possible kernel upgrade. |
| 5 | +Preflight will try to validate every Module loaded in the cluster, in parallel (it does not wait for validation of one Module to complete, before starting |
| 6 | +validation of another Module). |
| 7 | + |
| 8 | +### Validation kick-off |
| 9 | +Preflight validation is triggered by uploading PreflightValidation CR into the cluster. This CR's Spec contains 2 fields: |
| 10 | +``` |
| 11 | +type PreflightValidationSpec struct { |
| 12 | + // KernelVersion describes the kernel image that all Modules need to be checked against. |
| 13 | + // +kubebuilder:validation:Required |
| 14 | + KernelVersion string `json:"kernelVersion"` |
| 15 | +
|
| 16 | + // Boolean flag that determines whether images build during preflight must also |
| 17 | + // be pushed to a defined repository |
| 18 | + // +optional |
| 19 | + PushBuiltImage bool `json:"pushBuiltImage"` |
| 20 | +} |
| 21 | +``` |
| 22 | + |
| 23 | +1. KernelVersion - the version of the kernel that the cluster will be upgraded to. Manadatory field |
| 24 | +2. PushBuiltImage - if true, then the images created during the Build and Sign validation will be pushed to their repositories (false by default). |
| 25 | + |
| 26 | +### Validation lifecycle |
| 27 | +Preflight validation will try to validate every module loaded in the cluster. Preflight will stop running validation on a module, once its validation |
| 28 | +has been successfull. In case module validation has failed, admin can change the module definitions , and Preflight will try to validate the module again in the next loop. |
| 29 | +If admin want to run Preflight validation for additional kernel, then another Preflight CR should be created. |
| 30 | +Once all the modules has been validated, it is recommended to delete Preflight CR |
| 31 | + |
| 32 | +### Validation status |
| 33 | +Preflight will report that status and progress of each module in the cluster that it tries/tried to validate. |
| 34 | + |
| 35 | +``` |
| 36 | +type CRStatus struct { |
| 37 | + // Status of Module CR verification: true (verified), false (verification failed), |
| 38 | + // error (error during verification process), unknown (verification has not started yet) |
| 39 | + // +required |
| 40 | + // +kubebuilder:validation:Required |
| 41 | + // +kubebuilder:validation:Enum=True;False |
| 42 | + VerificationStatus string `json:"verificationStatus"` |
| 43 | +
|
| 44 | + // StatusReason contains a string describing the status source. |
| 45 | + // +optional |
| 46 | + StatusReason string `json:"statusReason,omitempty"` |
| 47 | +
|
| 48 | + // Current stage of the verification process: |
| 49 | + // image (image existence verification), build(build process verification) |
| 50 | + // +required |
| 51 | + // +kubebuilder:validation:Required |
| 52 | + // +kubebuilder:validation:Enum=Image;Build;Sign;Requeued;Done |
| 53 | + VerificationStage string `json:"verificationStage"` |
| 54 | +
|
| 55 | + // LastTransitionTime is the last time the CR status transitioned from one status to another. |
| 56 | + // This should be when the underlying status changed. If that is not known, then using the time when the API field changed is acceptable. |
| 57 | + // +required |
| 58 | + // +kubebuilder:validation:Required |
| 59 | + // +kubebuilder:validation:Type=string |
| 60 | + // +kubebuilder:validation:Format=date-time |
| 61 | + LastTransitionTime metav1.Time `json:"lastTransitionTime" protobuf:"bytes,4,opt,name=lastTransitionTime"` |
| 62 | +} |
| 63 | +``` |
| 64 | + |
| 65 | + |
| 66 | +Per each module you will see the following fields: |
| 67 | +1. Verification status - true or false, validated or not |
| 68 | +2. Status reason - verbal explanation reagrding the status. Why it is not validated, etc' |
| 69 | +3. Verification stage - describe the validation stage being executed (Image, Build, Sign) |
| 70 | +4. Last transition time - the tinme of the last update to the status |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +### Preflight validation stages per Module |
| 75 | + |
| 76 | +On every KMM Module present in the cluster, preflight will run the following validations: |
| 77 | +1. [Image validation](#Image-validation-stage) |
| 78 | +2. [Build validation](#Build-validation-stage) |
| 79 | +3. [Sign validation](#Sign-validation-stage) |
| 80 | + |
| 81 | +### Image validation stage |
| 82 | + |
| 83 | +Image validation is always the first stage of the preflight validation that is being executed. In case image validation |
| 84 | +is successful, no other validations will be run on that specific module. |
| 85 | +Image validation consists of 2 stages: |
| 86 | +1. image existences and accessability. The code tries to access the image defined for the upgraded kernel in the module, and get its manifests |
| 87 | +2 verify the presence of the kernel module defined in the Module in the correct path for future modprobe execution. If this validation is successfull |
| 88 | + it probably means that the kernel module was compiled with the correct linux headers. The correct path is: |
| 89 | + <DirName>/lib/modules/<UpgradedKernel>/ |
| 90 | + |
| 91 | +### Build validation stage |
| 92 | + |
| 93 | +Build validation is executed only in case image validation has failed, and there is a Build section in the Module that is relevent for the |
| 94 | +upgraded kernel. Build validation will try to run build job and validate that it finishes successfully. In case "Push" flag is defined in the Preflight CR, |
| 95 | +it will also try to push the resulting image into its repo. The resulting image name is taken from the definition of the ContainerImage field of the Module CR |
| 96 | +Note: if Sign section is defined for the upgraded kernel, then the resulting image will not be ContainerImage field of the Module CR, but a temporary image name, |
| 97 | +since the resulting image should be the product of Sign flow |
| 98 | + |
| 99 | +### Sign validation stage |
| 100 | +Sign validation is executed only in case image validation has failed, there is a Sign section in the Module that is relevent for the upgrade kernel, and build validation finished successfully in case there was a Build section in the Module relevent for the upgraded kernel. Sign validation will try to run sign job and validate that it finishes successfully. In case "Push" flag is defined in the Preflight CR, it will also try to push the resulting image into its repo.The result image is always the image defined in the ContainerImage field of the Module. The input image is either the output of the Build stage, or an image defined in the UnsignedImage field |
| 101 | + |
| 102 | + |
| 103 | +### Example CR |
| 104 | +Below is an example of the Preflight Validation CR in a yaml format. In the example, we want to verify all the currently present modules vesrsus the 5.8.18-101.fc31.x86_64 |
| 105 | +kernel, and push the resulting images of Build/Sign into the defined repositores |
| 106 | +``` |
| 107 | +apiVersion: kmm.sigs.x-k8s.io/v1beta1 |
| 108 | +kind: PreflightValidation |
| 109 | +metadata: |
| 110 | + name: preflight |
| 111 | +spec: |
| 112 | + kernelVersion: 5.8.18-101.fc31.x86_64 |
| 113 | + pushBuiltImage: true |
| 114 | +``` |
0 commit comments