TELCODOCS-1109: First draft

Author: StephenJamesSmith

hardware_enablement/kmm-kernel-module-management.adoc

@@ -83,6 +83,29 @@ include::modules/kmm-building-and-signing-a-moduleloader-container-image.adoc[le
 .Additional resources
 For information on creating a service account, see link:https://docs.openshift.com/container-platform/4.12/authentication/understanding-and-creating-service-accounts.html#service-accounts-managing_understanding-service-accounts[Creating service accounts].
 
+// Added for TELCODOCS-1109
+include::modules/kmm-hub-hub-and-spoke.adoc[leveloffset=+1]
+[role="_additional-resources"]
+.Additional resources
+* link:https://www.redhat.com/en/technologies/management/advanced-cluster-management[Red{nbsp}Hat Advanced Cluster Management (RHACM)]
+
+include::modules/kmm-hub-kmm-hub.adoc[leveloffset=+2]
+[role="_additional-resources"]
+.Additional resources
+* link:https://openshift-kmm.netlify.app/documentation/install/[Installing KMM]
+
+include::modules/kmm-hub-installing-kmm-hub.adoc[leveloffset=+2]
+[role="_additional-resources"]
+.Additional resources
+* link:https://catalog.redhat.com/software/containers/kmm/kernel-module-management-hub-operator-bundle/63d84cc33862da54bb19b8c6?architecture=amd64&image=654273ac86f7e537ae452f6ehttps://catalog.redhat.com/software/containers/kmm/kernel-module-management-hub-operator-bundle/63d84cc33862da54bb19b8c6?architecture=amd64&image=654273ac86f7e537ae452f6e[KMM Operator bundle]
+
+include::modules/kmm-hub-installing-kmm-hub-olm.adoc[leveloffset=+3]
+include::modules/kmm-hub-installing-kmm-hub-creating-resources.adoc[leveloffset=+3]
+
+include::modules/kmm-hub-using-the-managedclustermodule.adoc[leveloffset=+2]
+include::modules/kmm-hub-running-kmm-on-the-spoke.adoc[leveloffset=+2]
+
+
 // Added for TELCODOCS-1277
 include::modules/kmm-customizing-upgrades-for-kernel-modules.adoc[leveloffset=+1]
 

modules/kmm-hub-hub-and-spoke.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_content-type: CONCEPT
+[id="kmm-hub-hub-and-spoke_{context}"]
+= KMM hub and spoke
+
+In hub and spoke scenarios, many spoke clusters are connected to a central, powerful hub cluster. Kernel Module Management (KMM) depends on Red{nbsp}Hat Advanced Cluster Management (RHACM) to operate in hub and spoke environments.
+
+KMM is compatible with hub and spoke environments through decoupling KMM features. A `ManagedClusterModule` Custom Resource Definition (CRD) is provided to wrap the existing `Module` CRD and extend it to select Spoke clusters. Also provided is KMM-Hub, a new standalone controller that builds images and signs modules on the hub cluster.
+
+In hub and spoke setups, spokes are focused, resource-constrained clusters that are centrally managed by a hub cluster. Spokes run the single-cluster edition of KMM, with those resource-intensive features disabled. To adapt KMM to this environment, you should reduce the workload running on the spokes to the minimum, while the hub takes care of the expensive tasks.
+
+Building kernel module images and signing the `.ko` files, should run on the hub. The scheduling of the Module Loader and Device Plugin `DaemonSets` can only happen on the spokes.

modules/kmm-hub-installing-kmm-hub-creating-resources.adoc

@@ -0,0 +1,39 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_content-type: PROCEDURE
+[id="kmm-hub-installing-kmm-hub-creating-resources_{context}"]
+= Installing KMM-Hub by creating KMM resources
+
+.Procedure
+
+* If you want to install KMM-Hub programmatically, you can use the following resources to create
+the `Namespace`, `OperatorGroup` and `Subscription` resources:
+
+[source,yaml]
+----
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-kmm-hub
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: kernel-module-management-hub
+  namespace: openshift-kmm-hub
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: kernel-module-management-hub
+  namespace: openshift-kmm-hub
+spec:
+  channel: stable
+  installPlanApproval: Automatic
+  name: kernel-module-management-hub
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+----

modules/kmm-hub-installing-kmm-hub-olm.adoc

@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_content-type: PROCEDURE
+[id="kmm-hub-installing-kmm-hub-olm_{context}"]
+= Installing KMM-Hub using the Operator Lifecycle Manager
+
+Use the *Operators* section of the OpenShift console to install KMM-Hub.

modules/kmm-hub-installing-kmm-hub.adoc

@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_content-type: PROCEDURE
+[id="kmm-hub-installing-kmm-hub_{context}"]
+= Installing KMM-Hub
+
+You can use one of the following methods to install KMM-Hub:
+
+* Using the Operator Lifecycle Manager (OLM)
+* Creating KMM resources

modules/kmm-hub-kmm-hub.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_content-type: CONCEPT
+[id="kmm-hub-kmm-hub_{context}"]
+= KMM-Hub
+
+The KMM project provides KMM-Hub, an edition of KMM dedicated to hub clusters. KMM-Hub monitors all kernel versions running on the spokes and determines the nodes on the cluster that should receive a kernel module.
+
+KMM-Hub runs all compute-intensive tasks such as image builds and kmod signing, and prepares the trimmed-down `Module` to be transferred to the spokes through RHACM.
+
+[NOTE]
+====
+KMM-Hub cannot be used to load kernel modules on the hub cluster. Install the regular edition of KMM to load kernel modules.
+====

modules/kmm-hub-running-kmm-on-the-spoke.adoc

@@ -0,0 +1,117 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_content-type: PROCEDURE
+[id="kmm-hub-running-kmm-on-the-spoke_{context}"]
+= Running KMM on the spoke
+
+After installing KMM on the spoke, no further action is required. Create a `ManagedClusterModule` object from the hub to deploy kernel modules on spoke clusters.
+
+.Procedure
+
+You can install KMM on the spokes cluster through a RHACM `Policy` object.
+In addition to installing KMM from the Operator hub and running it in a lightweight spoke mode,
+the `Policy` configures additional RBAC required for the RHACM agent to be able to manage `Module` resources.
+
+* Use the following RHACM policy to install KMM on spoke clusters:
++
+[source.yaml]
+[%collapsible]
+----
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: install-kmm
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: install-kmm
+        spec:
+          severity: high
+          object-templates:
+          - complianceType: mustonlyhave
+            objectDefinition:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: openshift-kmm
+          - complianceType: mustonlyhave
+            objectDefinition:
+              apiVersion: operators.coreos.com/v1
+              kind: OperatorGroup
+              metadata:
+                name: kmm
+                namespace: openshift-kmm
+              spec:
+                upgradeStrategy: Default
+          - complianceType: mustonlyhave
+            objectDefinition:
+              apiVersion: operators.coreos.com/v1alpha1
+              kind: Subscription
+              metadata:
+                name: kernel-module-management
+                namespace: openshift-kmm
+              spec:
+                channel: stable
+                config:
+                  env:
+                    - name: KMM_MANAGED
+                      value: "1"
+                installPlanApproval: Automatic
+                name: kernel-module-management
+                source: redhat-operators
+                sourceNamespace: openshift-marketplace
+          - complianceType: mustonlyhave
+            objectDefinition:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                name: kmm-module-manager
+              rules:
+                - apiGroups: [kmm.sigs.x-k8s.io]
+                  resources: [modules]
+                  verbs: [create, delete, get, list, patch, update, watch]
+          - complianceType: mustonlyhave
+            objectDefinition:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                name: klusterlet-kmm
+              subjects:
+              - kind: ServiceAccount
+                name: klusterlet-work-sa
+                namespace: open-cluster-management-agent
+              roleRef:
+                kind: ClusterRole
+                name: kmm-module-manager
+                apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: all-managed-clusters
+spec:
+  clusterSelector: <1>
+    matchExpressions: []
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: install-kmm
+placementRef:
+  apiGroup: apps.open-cluster-management.io
+  kind: PlacementRule
+  name: all-managed-clusters
+subjects:
+  - apiGroup: policy.open-cluster-management.io
+    kind: Policy
+    name: install-kmm
+----
+<1> The `spec.clusterSelector` field can be customized to target select clusters only.

modules/kmm-hub-using-the-managedclustermodule.adoc

@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_content-type: PROCEDURE
+[id="kmm-hub-using-the-managedclustermodule_{context}"]
+= Using the `ManagedClusterModule` CRD
+
+Use the `ManagedClusterModule` Custom Resource Definition (CRD) to configure the deployment of kernel modules on spoke clusters.
+This CRD is cluster-scoped, wraps a `Module` spec and adds the following additional fields:
+
+[source,yaml]
+----
+apiVersion: hub.kmm.sigs.x-k8s.io/v1beta1
+kind: ManagedClusterModule
+metadata:
+  name: <my-mcm>
+  # No namespace, because this resource is cluster-scoped.
+spec:
+  moduleSpec: <1>
+    selector: <2>
+      node-wants-my-mcm: 'true'
+
+  spokeNamespace: <some-namespace> <3>
+
+  selector: <4>
+    wants-my-mcm: 'true'
+----
+<1> `moduleSpec`: Contains `moduleLoader` and `devicePlugin` sections, similar to a `Module` resource.
+
+<2> Selects nodes within the `ManagedCluster`.
+<3> Specifies in which namespace the `Module` should be created.
+<4> Selects `ManagedCluster` objects.
+
+If build or signing instructions are present in `.spec.moduleSpec`, those pods are run on the hub cluster in the operator's namespace.
+
+When the `.spec.selector matches` one or more `ManagedCluster` resources, then KMM-Hub creates a `ManifestWork` resource in the corresponding namespace(s). `ManifestWork` contains a trimmed-down `Module` resource, with kernel mappings preserved but all `build` and `sign` subsections are removed. `containerImage` fields that contain image names ending with a tag are replaced with their digest equivalent.