Conversation

@robpblake robpblake commented Nov 11, 2025

What type of PR is this?

Feature

What this PR does / why we need it?

This PR adds the following:

  • A new Managed Policy for the Karpenter Controller on ROSA HCP
  • Additions to the Control Plane Operator managed policy to allow for tagging of SecurityGroups as a day-2 operation
  • Additions to the installer role managed policy to allow for validation of user provided SQS queue URLs when configuring Karpenter Spot instance interruptions

Which Jira/Github issue(s) this PR fixes?

Fixes #

Special notes for your reviewer:

Pre-checks (if applicable):

  • Tested latest changes against a cluster

  • Included documentation changes with PR

  • If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]

@robpblake robpblake marked this pull request as draft November 11, 2025 15:48
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 11, 2025
openshift-ci bot commented Nov 11, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: robpblake
Once this PR has been reviewed and has the lgtm label, please assign iamkirkbater for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

}
}
},
{
robpblake (Author) commented:

Required because the Control Plane Operator adds the karpenter.sh/discovery tags to the SecurityGroup of the cluster when AutoNode is enabled as a day-2 operation on a cluster.

"aws:ResourceTag/red-hat-managed": "true"
}
}
},
robpblake (Author) commented:

This will allow Cluster Service to validate that the user provided SQS queue for spot interruption handling exists in the account, preventing basic misconfiguration errors.
