diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go
index 31d8881858e..6f116fc9b5d 100644
--- a/config/v1/types_apiserver.go
+++ b/config/v1/types_apiserver.go
@@ -62,6 +62,30 @@ type APIServerSpec struct {
 // The current default is the Intermediate profile.
 // +optional
 TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
+ // tlsAdherence controls which components in the cluster adhere to the TLS security profile
+ // configured on this APIServer resource.
+ //
+ // Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+ //
+ // When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed
+ // API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+ // TLS profile. Other components continue to use their individual TLS configurations.
+ //
+ // When set to "StrictAllComponents", all components must honor the configured TLS profile.
+ // This mode is recommended for security-conscious deployments and is required for
+ // certain compliance frameworks.
+ //
+ // Note: The Kubelet and IngressController components are excluded from tlsAdherence control
+ // as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
+ // IngressController CRs respectively.
+ //
+ // Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+ // and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+ //
+ // When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
+ // +openshift:enable:FeatureGate=TLSAdherence
+ // +optional
+ TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
 // audit specifies the settings for audit configuration to be applied to all OpenShift-provided
 // API servers in the cluster.
 // +optional
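Review bot: The doc on the new TLSAdherence field gives two rules that overlap for the empty value, `When omitted, the default value is "LegacyExternalAPIServerComponentsOnly"` and `Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"`, and it does not say which one wins for `""`. The field carries no `+kubebuilder:default` marker and is `omitempty`, so consumers will read `""` from stored objects (and presumably from every cluster where the TLSAdherence gate is off, since the field is only emitted into the gated CRD manifests); a consumer coded as "anything not Legacy is Strict" would then treat `""` as Strict, while one coded as "anything not Strict is Legacy" would fail open on a future enum value. Spell out the precedence in the field doc, e.g. `// The empty string is equivalent to "LegacyExternalAPIServerComponentsOnly"; any other value that is not one of the documented constants must be treated as "StrictAllComponents".`, and repeat the same sentence on the TLSAdherencePolicy type in the next hunk, which is where a consumer writing a switch will look. The APIServerSpec struct starts and ends outside the hunk.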
@@ -237,6 +261,23 @@ const (
 type APIServerStatus struct {
 }
 
+// TLSAdherencePolicy defines which components adhere to the TLS security profile.
+// +kubebuilder:validation:Enum=LegacyExternalAPIServerComponentsOnly;StrictAllComponents
+type TLSAdherencePolicy string
+
+const (
+ // TLSAdherenceLegacyExternalAPIServerComponentsOnly means only the externally exposed
+ // API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor
+ // the configured TLS profile. Other components continue to use their individual TLS
+ // configurations.
+ TLSAdherenceLegacyExternalAPIServerComponentsOnly TLSAdherencePolicy = "LegacyExternalAPIServerComponentsOnly"
+
+ // TLSAdherenceStrictAllComponents means all components must honor the configured TLS
+ // profile. This mode is recommended for security-conscious deployments and is required
+ // for certain compliance frameworks.
+ TLSAdherenceStrictAllComponents TLSAdherencePolicy = "StrictAllComponents"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
index 86a51460699..7654aebf490 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
@@ -292,6 +292,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index f4dec273978..824b8321364 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -292,6 +292,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index d436a75b809..9c8f9b72f23 100644 
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -224,6 +224,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml index 576fd510c61..01ba76b8889 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests.yaml 
+++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -8,6 +8,7 @@ apiservers.config.openshift.io: FeatureGates: - KMSEncryption - KMSEncryptionProvider + - TLSAdherence FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml new file mode 100644 index 00000000000..37753e49a84 --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml 
@@ -0,0 +1,405 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/TLSAdherence: "true" + release.openshift.io/bootstrap-required: "true" + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). 
+ - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. 
+ enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + type: string + type: object + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. 
+ properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. 
Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is the Intermediate profile. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. 
For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. 
+ + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
index 7f0018950a9..5b491725d2b 100644
--- a/config/v1/zz_generated.swagger_doc_generated.go
+++ b/config/v1/zz_generated.swagger_doc_generated.go
@@ -319,6 +319,7 @@ var map_APIServerSpec = map[string]string{ "additionalCORSAllowedOrigins": "additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth server from JavaScript applications. The values are regular expressions that correspond to the Golang regular expression language.", "encryption": "encryption allows the configuration of encryption of resources at the datastore layer.", "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", + "tlsAdherence": "tlsAdherence controls which components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyExternalAPIServerComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyExternalAPIServerComponentsOnly\" (the default), only the externally exposed API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured TLS profile. Other components continue to use their individual TLS configurations.\n\nWhen set to \"StrictAllComponents\", all components must honor the configured TLS profile. 
This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nNote: The Kubelet and IngressController components are excluded from tlsAdherence control as they have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nWhen omitted, the default value is \"LegacyExternalAPIServerComponentsOnly\".", "audit": "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.", }
diff --git a/features.md b/features.md
index feed2f307d2..196ee1fbd2e 100644
--- a/features.md
+++ b/features.md
@@ -59,7 +59,6 @@
 | IrreconcilableMachineConfig| | | Enabled | Enabled | | | Enabled | Enabled |
 | KMSEncryption| | | Enabled | Enabled | | | Enabled | Enabled |
 | MachineAPIMigration| | | Enabled | Enabled | | | Enabled | Enabled |
-| ManagedBootImagesCPMS| | | Enabled | Enabled | | | Enabled | Enabled |
 | MaxUnavailableStatefulSet| | | Enabled | Enabled | | | Enabled | Enabled |
 | MinimumKubeletVersion| | | Enabled | Enabled | | | Enabled | Enabled |
 | MixedCPUsAllocation| | | Enabled | Enabled | | | Enabled | Enabled |
@@ -75,6 +74,7 @@
 | OnPremDNSRecords| | | Enabled | Enabled | | | Enabled | Enabled |
 | SELinuxMount| | | Enabled | Enabled | | | Enabled | Enabled |
 | SignatureStores| | | Enabled | Enabled | | | Enabled | Enabled |
+| TLSAdherence| | | Enabled | Enabled | | | Enabled | Enabled |
 | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | | | Enabled | Enabled |
 | VSphereHostVMGroupZonal| | | Enabled | Enabled | | | Enabled | Enabled |
 | VSphereMixedNodeEnv| | | Enabled | Enabled | | | Enabled | Enabled |
@@ -98,6 +98,7 @@
| ManagedBootImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| ManagedBootImagesAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| ManagedBootImagesAzure| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
+| ManagedBootImagesCPMS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| ManagedBootImagesvSphere| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| MetricsCollectionProfiles| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| NetworkDiagnosticsConfig| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
diff --git a/features/features.go b/features/features.go
index 73e90c07618..6d04012fe41 100644
--- a/features/features.go
+++ b/features/features.go
@@ -358,7 +358,7 @@ var (
contactPerson("djoshy").
productScope(ocpSpecific).
enhancementPR("https://github.com/openshift/enhancements/pull/1818").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
mustRegister()
FeatureGateBootImageSkewEnforcement = newFeatureGate("BootImageSkewEnforcement").
@@ -978,4 +978,12 @@ var (
enhancementPR("https://github.com/openshift/enhancements/pull/1465").
enableIn(configv1.DevPreviewNoUpgrade).
mustRegister()
+
+ FeatureGateTLSAdherence = newFeatureGate("TLSAdherence").
+ reportProblemsToJiraComponent("kube-apiserver").
+ contactPerson("joelanford").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1910").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
)
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index 83a9e5b0375..c6868d4cfb3 100644
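Review bot: The first features.go hunk widens the ManagedBootImagesCPMS gate to `enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade)`, which is a GA promotion unrelated to the TLSAdherence gate this commit introduces; unless this is a rebase artifact, it (together with the machineconfigurations CRD enum/validation additions and the featureGate-*-Default/OKD manifest moves elsewhere in this diff) should land as its own commit so the promotion can be reviewed, bisected and reverted independently of the new TLS field. Nothing else on that gate changes (its enhancementPR still points at pull/1818), so a reader of the TLSAdherence change has no context for why the boot-image gate moved to the Default feature set. The enclosing `var (` block starts and ends outside the hunk.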
--- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -9099,6 +9099,13 @@ func schema_openshift_api_config_v1_APIServerSpec(ref common.ReferenceCallback) Ref: ref("github.com/openshift/api/config/v1.TLSSecurityProfile"), }, }, + "tlsAdherence": { + SchemaProps: spec.SchemaProps{ + Description: "tlsAdherence controls which components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyExternalAPIServerComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyExternalAPIServerComponentsOnly\" (the default), only the externally exposed API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured TLS profile. Other components continue to use their individual TLS configurations.\n\nWhen set to \"StrictAllComponents\", all components must honor the configured TLS profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nNote: The Kubelet and IngressController components are excluded from tlsAdherence control as they have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nWhen omitted, the default value is \"LegacyExternalAPIServerComponentsOnly\".", + Type: []string{"string"}, + Format: "", + }, + }, "audit": { SchemaProps: spec.SchemaProps{ Description: "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.", 
diff --git a/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml index 3de28dcdf34..2e65e97c84d 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml @@ -108,6 +108,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -197,6 +198,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: @@ -741,6 +747,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -830,6 +837,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: diff --git a/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml index 6c763ea479e..1d160022849 100644 
--- a/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml @@ -108,6 +108,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -197,6 +198,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: @@ -741,6 +747,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -830,6 +837,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 86a51460699..7654aebf490 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -292,6 +292,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index f4dec273978..824b8321364 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -292,6 +292,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index d436a75b809..9c8f9b72f23 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -224,6 +224,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml index 3de28dcdf34..2e65e97c84d 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml 
@@ -108,6 +108,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -197,6 +198,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: @@ -741,6 +747,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -830,6 +837,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml index 6c763ea479e..1d160022849 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml @@ -108,6 +108,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine 
@@ -197,6 +198,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: @@ -741,6 +747,7 @@ spec: controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet. enum: - machinesets + - controlplanemachinesets type: string selection: description: selection allows granular control of the machine @@ -830,6 +837,11 @@ spec: - resource - selection type: object + x-kubernetes-validations: + - message: Only All or None selection mode is permitted for + ControlPlaneMachineSets + rule: self.resource != 'controlplanemachinesets' || self.selection.mode + == 'All' || self.selection.mode == 'None' maxItems: 5 type: array x-kubernetes-list-map-keys: diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml index e9ab2c71f85..db98a4987a3 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml @@ -162,9 +162,6 @@ { "name": "MachineAPIOperatorDisableMachineHealthCheckController" }, - { - "name": "ManagedBootImagesCPMS" - }, { "name": "MaxUnavailableStatefulSet" }, @@ -234,6 +231,9 @@ { "name": "SignatureStores" }, + { + "name": "TLSAdherence" + }, { "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode" }, @@ -308,6 +308,9 @@ { "name": "ManagedBootImagesAzure" }, + { + "name": "ManagedBootImagesCPMS" + }, { "name": "ManagedBootImagesvSphere" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml index 9d89a5fbb0b..9839db0160f 100644 
--- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml @@ -340,6 +340,9 @@ { "name": "StoragePerformantSecurityPolicy" }, + { + "name": "TLSAdherence" + }, { "name": "UpgradeStatus" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml index 9254ff74cd1..1b1aba4feb3 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml @@ -164,9 +164,6 @@ { "name": "MachineAPIOperatorDisableMachineHealthCheckController" }, - { - "name": "ManagedBootImagesCPMS" - }, { "name": "MaxUnavailableStatefulSet" }, @@ -236,6 +233,9 @@ { "name": "SignatureStores" }, + { + "name": "TLSAdherence" + }, { "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode" }, @@ -310,6 +310,9 @@ { "name": "ManagedBootImagesAzure" }, + { + "name": "ManagedBootImagesCPMS" + }, { "name": "ManagedBootImagesvSphere" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml index a0aaa4af862..16ef4ff2cd1 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml @@ -340,6 +340,9 @@ { "name": "StoragePerformantSecurityPolicy" }, + { + "name": "TLSAdherence" + }, { "name": "UpgradeStatus" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml index bb0c6114535..66fcd0634eb 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml 
@@ -165,9 +165,6 @@ { "name": "MachineAPIOperatorDisableMachineHealthCheckController" }, - { - "name": "ManagedBootImagesCPMS" - }, { "name": "MaxUnavailableStatefulSet" }, @@ -228,6 +225,9 @@ { "name": "SignatureStores" }, + { + "name": "TLSAdherence" + }, { "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode" }, @@ -299,6 +299,9 @@ { "name": "ManagedBootImagesAzure" }, + { + "name": "ManagedBootImagesCPMS" + }, { "name": "ManagedBootImagesvSphere" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml index 19cbcc48622..6cc84ea9b18 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml @@ -340,6 +340,9 @@ { "name": "StoragePerformantSecurityPolicy" }, + { + "name": "TLSAdherence" + }, { "name": "UpgradeStatus" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml index d01874b21c3..857ea5cbfd6 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml @@ -167,9 +167,6 @@ { "name": "MachineAPIOperatorDisableMachineHealthCheckController" }, - { - "name": "ManagedBootImagesCPMS" - }, { "name": "MaxUnavailableStatefulSet" }, @@ -230,6 +227,9 @@ { "name": "SignatureStores" }, + { + "name": "TLSAdherence" + }, { "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode" }, @@ -301,6 +301,9 @@ { "name": "ManagedBootImagesAzure" }, + { + "name": "ManagedBootImagesCPMS" + }, { "name": "ManagedBootImagesvSphere" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml index 4cdee108736..0f81ba69ce2 100644 
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -340,6 +340,9 @@ { "name": "StoragePerformantSecurityPolicy" }, + { + "name": "TLSAdherence" + }, { "name": "UpgradeStatus" },