# Physical worker node labeling in Red Hat OpenShift cluster

This section describes the scripts that automate retrieving the hardware properties of the physical worker nodes in a Red Hat OpenShift cluster and using the Red Hat OpenShift node labeling capability to label each physical worker node with the retrieved properties. Together with the Red Hat OpenShift node selector capability, these node labels can be used in the pod deployment configuration to ensure a pod runs on a physical node with the desired hardware properties.

Nodes can be labelled for the following properties:

  1. Overall health status of the node: if the current health status of each of the following components of the HPE Synergy compute, "BIOS, Fans, Temperature Sensors, Battery, Processor, Memory, Network and Storage", is OK, the physical node health status is considered "Ok"; otherwise it is "Degraded".
  2. Overall security status of the node: if the current state of the following BIOS security settings (which are important for compute security) is as listed, "secure boot status: enabled, asset tag: locked, UEFI Shell Script Verification: enabled, UEFI Shell Startup: disabled, Processor AES: enabled", the overall security status of the physical node is considered "Ok"; otherwise it is "degraded".
  3. Custom labeling: user-defined labels (key, value) are assigned to the desired physical worker node.
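As an added illustration (not the page's own physical_node_labeling.py), the following Python aggregates the component health and BIOS security settings listed above into the health and security label values and builds the `oc label` invocation; the component and BIOS dictionaries are constructed sample data standing in for what the scripts read from iLO, and the oc path, kubeconfig path and node name are placeholders.

```python
import shlex

# Components whose health feeds the "health" label (from the list above).
HEALTH_COMPONENTS = ("BIOS", "Fans", "Temperature Sensors", "Battery",
                     "Processor", "Memory", "Network", "Storage")

# BIOS security settings and the value each must have (from the list above).
SECURITY_BASELINE = {
    "secure_boot": "enabled",
    "asset_tag": "locked",
    "uefi_shell_script_verification": "enabled",
    "uefi_shell_startup": "disabled",
    "processor_aes": "enabled",
}

def aggregate_health(component_status: dict) -> str:
    """Return "OK" only when every listed component reports OK; a component
    missing from the report counts as not OK, so a partial iLO response fails closed."""
    for comp in HEALTH_COMPONENTS:
        if component_status.get(comp, "").strip().lower() != "ok":
            return "Degraded"
    return "OK"

def aggregate_security(bios_settings: dict) -> str:
    """Return "OK" only when every baseline setting matches; an absent or
    unexpected value makes the node "Degraded"."""
    for key, expected in SECURITY_BASELINE.items():
        if bios_settings.get(key, "").strip().lower() != expected:
            return "Degraded"
    return "OK"

def label_command(oc_path: str, kubeconfig: str, node: str,
                  key: str, value: str) -> str:
    """Build the oc invocation that applies one label to one node; shlex.quote
    keeps a hostname or label value from being interpreted by the shell."""
    args = (oc_path, "--kubeconfig", kubeconfig, "label", "node", node,
            f"{key}={value}", "--overwrite")
    return " ".join(shlex.quote(a) for a in args)

# Constructed sample data standing in for what the scripts read from iLO.
SAMPLE_HEALTH = {c: "OK" for c in HEALTH_COMPONENTS}
SAMPLE_BIOS_OK = dict(SECURITY_BASELINE)
SAMPLE_BIOS_BAD = dict(SECURITY_BASELINE, uefi_shell_startup="enabled")

if __name__ == "__main__":
    node = "worker1.example.local"  # placeholder node name
    print(node, "health:", aggregate_health(SAMPLE_HEALTH))
    print(label_command("/path/to/oc", "/path/to/kubeconfig", node,
                        "security", aggregate_security(SAMPLE_BIOS_BAD)))
```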

# Prerequisites

  • Ansible engine with Ansible 2.9.x and Python 3.6.x

  • Red Hat OpenShift 4.x is up and running.

  • The Red Hat OpenShift cluster must have at least one physical worker node to use the "Node labeling" functionality.

  • The playbook in this repository needs to be run from the Ansible installer machine, in the Python virtual environment, as a non-root user.

  • The Python module "proliantutils" is installed on the OpenShift installer machine.

    • "proliantutils" is a set of utility libraries for interfacing with and managing various components (like iLO) of HPE ProLiant servers.

    • Use the following command to install proliantutils:

      $ pip install proliantutils==2.9.2

    • Verify the version of proliantutils:

      $ pip freeze | grep proliantutils

    • Output:

      proliantutils==2.9.2

  • Install the "sushy" Python library. In case the "sushy" module is already installed, ensure its version is 3.0.0.

    • Use the following command to install the sushy module:

      $ pip install sushy==3.0.0

    • Verify the version of sushy:

      $ pip freeze | grep sushy

    • Output:

      sushy==3.0.0
      

Note

Refer to the Non-root user access section for details about the non-root user.

# Software requirements

| Software    | Version |
|-------------|---------|
| HPE OneView | 5       |

# Input files

  • The playbook for Red Hat OpenShift Container Platform physical worker node labeling is available under $BASE_DIR/platform/physical-physical-workerlabeling/

Note

BASE_DIR is defined and set in the Installer machine section of the deployment guide.

  • It is mandatory to update all the input files (hosts, secrets.yml, sysdig-agent-configmap.yaml) with appropriate values before running the playbook available in this repository.

    • Input file name: hosts.json

      1. This file is an inventory of host details.
      2. This file contains sensitive information such as iLO IPs and credentials, worker IPs and labels, so the data inside this file is encrypted.
      3. To edit this vault file, use the following command and provide the default "ansible vault" password:

         $ ansible-vault edit hosts.json

      4. For each physical worker node that is part of the Red Hat OpenShift cluster, the user needs to provide the following information:

         "host_fqdn": "replace_with_physical_worker_node1_fqdn",
         "ilo_ip": "replace_with_ilo_ip_of_physical_worker_node1",
         "username": "replace_with_ilo_username",
         "password": "replace_with_ilo_password",
         "custom_label_required": "replace_with_No_or_Yes",
         "label_name": "replace_with_desired_label_key",
         "label_val": "replace_with_desired_label_value"

      Note

      Information inside hosts.json is in a nested JSON format, which means the user can add any number of physical worker nodes by creating the sections "server 1, server 2, server 3, ... server N" and can also add any number of custom labels as "label 1, label 2, label 3, ... label N". Refer to "hosts.json" to understand this nested JSON structure. "N" represents the Nth server.

    • Input file name: config.json

      1. Provide the path information for "kubeconfig" and the "oc" command.

        • kubeconfig_path: the value of this key is the path of the kubeconfig file, which the "oc" command uses at runtime.
        • oc_command_path: the value of this key is the path of the oc command, which is used to run the "oc" command.

          "kubeconfig_path": "replace_with_path_of_ocp_kubeconfig",
          "oc_command_path": "replace_with_path_of_ocp_installation_dir"
        

# Steps to run the Node Labeling automation scripts

  • Execute the following commands from the Ansible installer VM in the Python virtual environment as a non-root user. The Python virtual environment is defined and set in the Installer machine section.

      $ cd $BASE_DIR/platform/physical-workerlabelling/
      $ python physical_node_labeling.py

    Note

    BASE_DIR is defined and set in the Installer machine section.

  • Next, the user is prompted to enter the Ansible vault password or key. This credential is the default "Ansible vault" password.

      Enter key for encrypted variables:
      

  Note

  The default key value for Ansible vault is "changeme".

  • The command then prompts with the following options:

      1: Get the physical worker node details that user wishes to configure.
      2: Get current health status of the physical worker node
      3: Get security parameters of the physical worker node
      4: Label the physical worker with health status
      5: Label the physical worker with security status
      6: Custom labels
      7: Display current labels on the node
      8: Quit
      Enter the choice number:
  • If the user selects option 1, all the information available in the hosts.json file is shown.

  • If the user selects option 2, the aggregated health status of the physical worker nodes is shown as:

      {'worker1.newocs.twentynet.local': 'OK', 'worker2.newocs.twentynet.local': 'OK'}

  • If the user selects option 3, the aggregated security status of the physical worker nodes is shown as:

      {'worker1.newocs.twentynet.local': 'OK', 'worker2.newocs.twentynet.local': 'Degraded'}
      
  • If the user selects option 4, each physical worker node is labelled with its respective "aggregated health status" as given by option 2:

      worker1.newocs.twentynet.local
      NAME                             STATUS   ROLES    AGE   VERSION   LABELS
      worker1.newocs.twentynet.local   Ready    worker   64d   v1.17.1   app=sysdig-agent,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,health=OK,kubernetes.io/arch=amd64,kubernetes.io/hostname=worker1.newocs.twentynet.local,kubernetes.io/os=linux,node-role.kubernetes.io/worker=,node.openshift.io/os_id=rhcos
      Verified - Label  health=OK is added to the node worker1.newocs.twentynet.local

      worker2.newocs.twentynet.local
      NAME                             STATUS   ROLES    AGE   VERSION   LABELS
      worker2.newocs.twentynet.local   Ready    worker   64d   v1.17.1   app=sysdig-agent,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,health=OK,kubernetes.io/arch=amd64,kubernetes.io/hostname=worker2.newocs.twentynet.local,kubernetes.io/os=linux,node-role.kubernetes.io/worker=,node.openshift.io/os_id=rhcos,replace_with_desired_label_key=replace_with_desired_label_value,security=Degraded
      Verified - Label  health=OK is added to the node worker2.newocs.twentynet.local
      
  • If the user selects option 5, each physical worker node is labelled with its respective "aggregated security status" as given by option 3:

      NAME                             STATUS   ROLES    AGE   VERSION   LABELS
      worker1.newocs.twentynet.local   Ready    worker   64d   v1.17.1   app=sysdig-agent,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,health=OK,kubernetes.io/arch=amd64,kubernetes.io/hostname=worker1.newocs.twentynet.local,kubernetes.io/os=linux,node-role.kubernetes.io/worker=,node.openshift.io/os_id=rhcos,security=OK
      Verified - Label  security=OK is added to the node worker1.newocs.twentynet.local

      NAME                             STATUS   ROLES    AGE   VERSION   LABELS
      worker2.newocs.twentynet.local   Ready    worker   64d   v1.17.1   app=sysdig-agent,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,health=OK,kubernetes.io/arch=amd64,kubernetes.io/hostname=worker2.newocs.twentynet.local,kubernetes.io/os=linux,node-role.kubernetes.io/worker=,node.openshift.io/os_id=rhcos,replace_with_desired_label_key=replace_with_desired_label_value,security=Degraded
      Verified - Label  security=Degraded is added to the node worker2.newocs.twentynet.local
      
  • If the user selects option 6, each physical worker node is labelled with the custom labels defined by the user in the hosts.json file.

    Note

    Custom labels are applied only if the user has set "custom_label_required" to "Yes" for that node in the hosts.json file.

  • If the user selects option 7, all the labels (security, health and custom labels, along with the default labels) for each physical worker node are shown.

  • If the user selects option 8, the node labeling utility exits.