Description of problem:
The machineconfig to enable fips could not be applied to the rhel worker by MCO

Version-Release number of selected component (if applicable):
4.2.0-0.nightly-2019-08-19-201622
Red Hat Enterprise Linux Server 7.6 (Maipo)

How reproducible:
always

Steps to Reproduce:
1. Set up upi on aws cluster, scale up rhel worker node
2. Create machineconfig to enable fips on worker:
$ oc create -f - <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-fips-worker
spec:
  fips: true
EOF
3.

Actual results:
The rhel worker could not have fips enabled by MCO:
$ oc describe node ip-10-0-49-29.us-east-2.compute.internal | grep -A6 Annotations
Annotations:        machineconfiguration.openshift.io/currentConfig: rendered-worker-6ef5ccd601e982a620b612d01ad4fa56
                    machineconfiguration.openshift.io/desiredConfig: rendered-worker-c09fee3aed63a40028076de64e4e0caa
                    machineconfiguration.openshift.io/reason: enable FIPS: : fork/exec /usr/libexec/rhcos-tools/coreos-fips: no such file or directory
                    machineconfiguration.openshift.io/ssh: accessed
                    machineconfiguration.openshift.io/state: Degraded
                    volumes.kubernetes.io/controller-managed-attach-detach: true
CreationTimestamp:  Tue, 20 Aug 2019 16:40:21 +0800

$ oc describe co machine-config | grep -A2 Extension
Extension:
  Master: all 3 nodes are at latest configuration rendered-master-6c0938b762a7a9936aebff2255d860a9
  Worker: pool is degraded because nodes fail with "1 nodes are reporting degraded status on sync": "Node ip-10-0-49-29.us-east-2.compute.internal is reporting: \"enable FIPS: : fork/exec /usr/libexec/rhcos-tools/coreos-fips: no such file or directory\""

Expected results:
The rhel worker could have fips enabled by MCO

Additional info:

FIPS mode isn't a target for rhel workers afaict, but we should play nicer in case we can't enable it I guess.
Created a patch to make it clear that FIPS isn't supported on RHEL. To reconcile the cluster, just delete the MachineConfig that you've created with FIPS enabled.
This is absolutely outside the scope of the MCO. RHEL customers are responsible for "managing" their servers, and configuring FIPS and other things like crypto policies definitely falls into the space that the end user should be setting on their RHEL nodes.
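
A pre-flight check for the situation in this report, as an added example that is not part of the original thread or of the MCO code: it lists non-RHCOS nodes that sit in a pool targeted by a MachineConfig with fips: true. It assumes nodes carry a node-role.kubernetes.io/<role> label and that RHCOS nodes report "CoreOS" in status.nodeInfo.osImage; the function names and the sample input are constructed for illustration.

```python
ROLE_LABEL = "machineconfiguration.openshift.io/role"
STATE_ANNOTATION = "machineconfiguration.openshift.io/state"
NODE_ROLE_PREFIX = "node-role.kubernetes.io/"


def fips_roles(machineconfigs):
    """Pool roles targeted by a MachineConfig that sets spec.fips: true."""
    roles = set()
    for mc in machineconfigs:
        role = mc["metadata"].get("labels", {}).get(ROLE_LABEL)
        if role and mc.get("spec", {}).get("fips") is True:
            roles.add(role)
    return roles


def is_rhcos(node):
    # Assumption: RHCOS nodes report "CoreOS" in status.nodeInfo.osImage.
    return "CoreOS" in node["status"]["nodeInfo"]["osImage"]


def rhel_nodes_hit_by_fips(nodes, machineconfigs):
    """Map non-RHCOS node name -> MCO state for nodes in a FIPS-enabled pool."""
    roles = fips_roles(machineconfigs)
    hits = {}
    for node in nodes:
        meta = node["metadata"]
        node_roles = {k[len(NODE_ROLE_PREFIX):] for k in meta.get("labels", {})
                      if k.startswith(NODE_ROLE_PREFIX)}
        if node_roles & roles and not is_rhcos(node):
            hits[meta["name"]] = meta.get("annotations", {}).get(STATE_ANNOTATION, "unknown")
    return hits


# Constructed sample input, shaped like items from `oc get machineconfig -o json`
# and `oc get nodes -o json`; only the fields the check reads are included.
SAMPLE_MCS = [{"metadata": {"name": "99-fips-worker", "labels": {ROLE_LABEL: "worker"}},
               "spec": {"fips": True}}]
SAMPLE_NODES = [
    {"metadata": {"name": "ip-10-0-49-29.us-east-2.compute.internal",
                  "labels": {NODE_ROLE_PREFIX + "worker": ""},
                  "annotations": {STATE_ANNOTATION: "Degraded"}},
     "status": {"nodeInfo": {"osImage": "Red Hat Enterprise Linux Server 7.6 (Maipo)"}}},
    {"metadata": {"name": "rhcos-worker-example",  # constructed name
                  "labels": {NODE_ROLE_PREFIX + "worker": ""},
                  "annotations": {STATE_ANNOTATION: "Done"}},
     "status": {"nodeInfo": {"osImage": "Red Hat Enterprise Linux CoreOS (constructed)"}}},
]

if __name__ == "__main__":
    for name, state in rhel_nodes_hit_by_fips(SAMPLE_NODES, SAMPLE_MCS).items():
        print(f"{name}: non-RHCOS node in a FIPS-enabled pool (MCO state: {state})")
```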