From ccf214d0f58248d140a80a9a9f66e86e8306a29d Mon Sep 17 00:00:00 2001
From: nirichar
Date: Tue, 3 Feb 2026 10:13:45 -0500
Subject: [PATCH] Update TLSAderence behavior description

---
 config/v1/types_apiserver.go | 31 ++++++++++---------
 ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 15 +++++----
 ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 27 ++++++++++++++++
 ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 27 ++++++++++++++++
 .../TLSAdherence.yaml | 15 +++++----
 .../v1/zz_generated.swagger_doc_generated.go | 2 +-
 .../generated_openapi/zz_generated.openapi.go | 2 +-
 ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 15 +++++----
 ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 27 ++++++++++++++++
 ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 27 ++++++++++++++++
 10 files changed, 154 insertions(+), 34 deletions(-)

diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go
index 8e717b51f1d..6f116fc9b5d 100644
--- a/config/v1/types_apiserver.go
+++ b/config/v1/types_apiserver.go
@@ -62,20 +62,23 @@ type APIServerSpec struct { // The current default is the Intermediate profile. // +optional TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` - // tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile + // tlsAdherence controls which components in the cluster adhere to the TLS security profile // configured on this APIServer resource. // // Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". // - // When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor - // the configured TLS profile but may fall back to their individual defaults if conflicts arise. - // This mode is intended for clusters that need to maintain compatibility with existing - // configurations during migration. + // When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + // API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + // TLS profile. Other components continue to use their individual TLS configurations. // - // When set to "StrictAllComponents", all components must strictly honor the configured TLS profile. + // When set to "StrictAllComponents", all components must honor the configured TLS profile. // This mode is recommended for security-conscious deployments and is required for // certain compliance frameworks. // + // Note: The Kubelet and IngressController components are excluded from tlsAdherence control + // as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + // IngressController CRs respectively. + // // Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" // and log a warning to ensure forward compatibility while defaulting to the more secure behavior. // 
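Review bot: The "StrictAllComponents" paragraph still says `all components must honor the configured TLS profile`, while the Note added a few lines below says the Kubelet and IngressController are excluded from tlsAdherence control, so the two statements contradict each other, and that contradiction is carried verbatim into the regenerated CRD, swagger and openapi descriptions in this patch. I would scope the sentence to what the field actually governs, e.g. `// When set to "StrictAllComponents", all components governed by tlsAdherence (see the note below) must honor the configured TLS profile.` The next hunk has the same gap: the TLSAdherenceStrictAllComponents constant comment says "all components" without mentioning the exclusion, and the constants are what Go consumers of the API read, so the exclusion should be restated there. It would also help operators to say outright that in the default Legacy mode the profile on this resource is not a cluster-wide guarantee, since the hunk itself says other components keep their individual TLS configurations and so may presumably still negotiate weaker protocol versions or ciphers than the profile allows. The APIServerSpec struct this field belongs to starts and ends outside the hunk.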
@@ -258,20 +261,20 @@ const ( type APIServerStatus struct { } -// TLSAdherencePolicy defines how strictly components adhere to the TLS security profile. +// TLSAdherencePolicy defines which components adhere to the TLS security profile. // +kubebuilder:validation:Enum=LegacyExternalAPIServerComponentsOnly;StrictAllComponents type TLSAdherencePolicy string const ( - // TLSAdherenceLegacyExternalAPIServerComponentsOnly provides backward-compatible behavior - // where components attempt to honor the configured TLS profile but may fall back to their - // individual defaults if conflicts arise. This mode is intended for clusters that need to - // maintain compatibility with existing configurations during migration. + // TLSAdherenceLegacyExternalAPIServerComponentsOnly means only the externally exposed + // API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor + // the configured TLS profile. Other components continue to use their individual TLS + // configurations. TLSAdherenceLegacyExternalAPIServerComponentsOnly TLSAdherencePolicy = "LegacyExternalAPIServerComponentsOnly" - // TLSAdherenceStrictAllComponents enforces strict adherence to the TLS configuration. - // All components must honor the configured profile. This mode is recommended for - // security-conscious deployments and is required for certain compliance frameworks. + // TLSAdherenceStrictAllComponents means all components must honor the configured TLS + // profile. This mode is recommended for security-conscious deployments and is required + // for certain compliance frameworks. TLSAdherenceStrictAllComponents TLSAdherencePolicy = "StrictAllComponents" ) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 5e1731ee88a..7654aebf490 100644 
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -294,20 +294,23 @@ spec: type: object tlsAdherence: description: |- - tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile + tlsAdherence controls which components in the cluster adhere to the TLS security profile configured on this APIServer resource. Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". - When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor - the configured TLS profile but may fall back to their individual defaults if conflicts arise. - This mode is intended for clusters that need to maintain compatibility with existing - configurations during migration. + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. - When set to "StrictAllComponents", all components must strictly honor the configured TLS profile. + When set to "StrictAllComponents", all components must honor the configured TLS profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks. + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" and log a warning to ensure forward compatibility while defaulting to the more secure behavior. 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
index f4dec273978..824b8321364 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
@@ -292,6 +292,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index d436a75b809..9c8f9b72f23 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -224,6 +224,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml index e488f074e9f..37753e49a84 100644 
--- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml @@ -220,20 +220,23 @@ spec: type: object tlsAdherence: description: |- - tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile + tlsAdherence controls which components in the cluster adhere to the TLS security profile configured on this APIServer resource. Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". - When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor - the configured TLS profile but may fall back to their individual defaults if conflicts arise. - This mode is intended for clusters that need to maintain compatibility with existing - configurations during migration. + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. - When set to "StrictAllComponents", all components must strictly honor the configured TLS profile. + When set to "StrictAllComponents", all components must honor the configured TLS profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks. + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" and log a warning to ensure forward compatibility while defaulting to the more secure behavior. 
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
index 5d164375c29..5b491725d2b 100644
--- a/config/v1/zz_generated.swagger_doc_generated.go
+++ b/config/v1/zz_generated.swagger_doc_generated.go
@@ -319,7 +319,7 @@ var map_APIServerSpec = map[string]string{ "additionalCORSAllowedOrigins": "additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth server from JavaScript applications. The values are regular expressions that correspond to the Golang regular expression language.", "encryption": "encryption allows the configuration of encryption of resources at the datastore layer.", "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", - "tlsAdherence": "tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyExternalAPIServerComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyExternalAPIServerComponentsOnly\" (the default), components attempt to honor the configured TLS profile but may fall back to their individual defaults if conflicts arise. This mode is intended for clusters that need to maintain compatibility with existing configurations during migration.\n\nWhen set to \"StrictAllComponents\", all components must strictly honor the configured TLS profile. 
This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nWhen omitted, the default value is \"LegacyExternalAPIServerComponentsOnly\".", + "tlsAdherence": "tlsAdherence controls which components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyExternalAPIServerComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyExternalAPIServerComponentsOnly\" (the default), only the externally exposed API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured TLS profile. Other components continue to use their individual TLS configurations.\n\nWhen set to \"StrictAllComponents\", all components must honor the configured TLS profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nNote: The Kubelet and IngressController components are excluded from tlsAdherence control as they have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nWhen omitted, the default value is \"LegacyExternalAPIServerComponentsOnly\".", "audit": "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.", } diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 85146e7ac2a..c6868d4cfb3 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go 
+++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -9101,7 +9101,7 @@ func schema_openshift_api_config_v1_APIServerSpec(ref common.ReferenceCallback) }, "tlsAdherence": { SchemaProps: spec.SchemaProps{ - Description: "tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyExternalAPIServerComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyExternalAPIServerComponentsOnly\" (the default), components attempt to honor the configured TLS profile but may fall back to their individual defaults if conflicts arise. This mode is intended for clusters that need to maintain compatibility with existing configurations during migration.\n\nWhen set to \"StrictAllComponents\", all components must strictly honor the configured TLS profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nWhen omitted, the default value is \"LegacyExternalAPIServerComponentsOnly\".", + Description: "tlsAdherence controls which components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyExternalAPIServerComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyExternalAPIServerComponentsOnly\" (the default), only the externally exposed API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured TLS profile. Other components continue to use their individual TLS configurations.\n\nWhen set to \"StrictAllComponents\", all components must honor the configured TLS profile. 
This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nNote: The Kubelet and IngressController components are excluded from tlsAdherence control as they have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nWhen omitted, the default value is \"LegacyExternalAPIServerComponentsOnly\".", Type: []string{"string"}, Format: "", }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 5e1731ee88a..7654aebf490 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -294,20 +294,23 @@ spec: type: object tlsAdherence: description: |- - tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile + tlsAdherence controls which components in the cluster adhere to the TLS security profile configured on this APIServer resource. Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". - When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor - the configured TLS profile but may fall back to their individual defaults if conflicts arise. - This mode is intended for clusters that need to maintain compatibility with existing - configurations during migration. + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. - When set to "StrictAllComponents", all components must strictly honor the configured TLS profile. + When set to "StrictAllComponents", all components must honor the configured TLS profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks. + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" and log a warning to ensure forward compatibility while defaulting to the more secure behavior. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index f4dec273978..824b8321364 100644 
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -292,6 +292,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index d436a75b809..9c8f9b72f23 100644 
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -224,6 +224,33 @@ spec: type: array x-kubernetes-list-type: atomic type: object + tlsAdherence: + description: |- + tlsAdherence controls which components in the cluster adhere to the TLS security profile + configured on this APIServer resource. + + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed + API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured + TLS profile. Other components continue to use their individual TLS configurations. + + When set to "StrictAllComponents", all components must honor the configured TLS profile. + This mode is recommended for security-conscious deployments and is required for + certain compliance frameworks. + + Note: The Kubelet and IngressController components are excluded from tlsAdherence control + as they have their own dedicated TLS configuration mechanisms via KubeletConfig and + IngressController CRs respectively. + + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" + and log a warning to ensure forward compatibility while defaulting to the more secure behavior. + + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". + enum: + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents + type: string tlsSecurityProfile: description: |- tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.