Merge pull request #112757 from mburke5678/cqa-nodes-9-1

OSDOCS CQA NODES-9: Autoscaling and Miscellaneous I

Author: mburke5678

modules/nodes-pods-adjust-resources-in-place-about.adoc

@@ -6,7 +6,10 @@
 [id="nodes-pods-adjust-resources-in-place-about_{context}"]
 = About in-place pod resizing
 
-In-place pod resizing allows you to change the CPU and memory resources for containers within a running pod without application disruption. The standard methods for changing pod CPU and memory resources cause the pod to be re-created, potentially causing disruption. In-place pod resizing allows you to scale pod resources up or down without suffering the downtime or state loss associated with a pod restart.
+[role="_abstract"]
+You can use in-place pod resizing to change the CPU and memory resources for containers within a running pod without suffering the downtime or state loss associated with a pod restart.
+
+The standard methods for changing pod CPU and memory resources cause the pod to be re-created, potentially causing disruption. You can use in-place pod resizing to scale pod resources up or down without application disruption. 
 
 When using in-place pod resizing to change CPU or memory resources, you can control whether a pod is restarted by configuring a resize policy in the pod specification. The following example resize policy requires a pod restart upon changing the memory resources, but prevents a restart for CPU resource changes.
 
@@ -25,13 +28,15 @@ spec:
   containers:
   - name: pause
 # ...
-    resizePolicy: <1>
+    resizePolicy:
     - resourceName: cpu
       restartPolicy: NotRequired
     - resourceName: memory
       restartPolicy: RestartContainer
 ----
-<1> Specifies a resize policy. 
+where:
+
+`spec.containers.resizePolicy`:: Specifies a resize policy. 
 
 [NOTE]
 ====

modules/nodes-pods-adjust-resources-in-place-configuring.adoc

@@ -6,7 +6,8 @@
 [id="nodes-pods-adjust-resources-in-place-configuring_{context}"]
 = Configuring in-place pod resizing
 
-In-place pod resizing requires that you add a resize policy to a pod specification. 
+[role="_abstract"]
+You can use in-place pod resizing to scale pod resources up or down without application disruption by adding a resize policy to a pod specification. 
 
 You cannot add or modify a resize policy in an existing pod, but you can add or edit the policy in the pod's owner object, such as a deployment, if the pod has an owner object. 
 
@@ -26,14 +27,16 @@ spec:
 # ...
   containers:
   - name: pause
-    resizePolicy: <1>
+    resizePolicy:
     - resourceName: cpu
       restartPolicy: NotRequired
     - resourceName: memory
       restartPolicy: RestartContainer
 # ...
 ----
-<1> Specifies a resize policy. For CPU and/or memory resources specify one of the following values:
+where:
+
+`spec.containers.resizePolicy`:: Specifies a resize policy. For CPU and/or memory resources specify one of the following values:
 +
 * `NotRequired`: Apply any resource changes without restarting the pod. This is the default when using a resize policy.
 * `RestartContainer`: Apply any resource changes and restart the pod.

modules/nodes-pods-image-volume-about.adoc

@@ -7,7 +7,9 @@
 = Understanding image volumes
 
 [role="_abstract"]
-You can you use an _image volume_ to mount an Open Container Initiative (OCI)-compliant container image or artifact directly into a pod as a native volume source, making the OCI object accessible to the containers without the need to include them in the base image. OCI objects enable users to store and distribute arbitrary files and metadata through OCI-compliant container registries.
+You can you use an _image volume_ to mount an Open Container Initiative (OCI)-compliant container image or artifact directly into a pod as a native volume source, making the OCI object accessible to the containers without the need to include them in the base image. 
+
+OCI objects enable users to store and distribute arbitrary files and metadata through OCI-compliant container registries.
 
 By using an image volume in a pod, you can take advantage of the OCI image and distribution specification standards to accomplish several tasks including the following use cases: 
 

modules/nodes-pods-image-volume-adding.adoc

@@ -7,7 +7,9 @@
 = Adding an image volume to a pod
 
 [role="_abstract"]
-To mount an Open Container Initiative (OCI)-compliant container image or artifact, use the `volume` parameter in your pod spec to include a path to the image or artifact, along with an optional pull policy. You can create the pod directly or use a controlling object, such as a deployment or replica set. 
+To mount an Open Container Initiative (OCI)-compliant container image or artifact, use the `volume` parameter in your pod spec to include a path to the image or artifact, along with an optional pull policy. 
+
+You can create the pod directly or use a controlling object, such as a deployment or replica set. 
 
 .Procedure
 

modules/nodes-sigstore-configure-cluster-policy.adoc

@@ -7,7 +7,9 @@
 = Creating a cluster image policy CR
 
 [role="_abstract"]
-A `ClusterImagePolicy` custom resource (CR) enables a cluster administrator to configure a sigstore signature verification policy for the entire cluster. When enabled, the Machine Config Operator (MCO) watches the `ClusterImagePolicy` object and updates the `/etc/containers/policy.json` and `/etc/containers/registries.d/sigstore-registries.yaml` files on all the nodes in the cluster.
+A cluster administrator can use a `ClusterImagePolicy` custom resource (CR) to configure a sigstore signature verification policy for the entire cluster. 
+
+When enabled, the Machine Config Operator (MCO) watches the `ClusterImagePolicy` object and updates the `/etc/containers/policy.json` and `/etc/containers/registries.d/sigstore-registries.yaml` files on all the nodes in the cluster.
 
 The following example shows general guidelines on how to configure a `ClusterImagePolicy` object. For more details on the parameters, see "About cluster and image policy parameters."
 
@@ -35,117 +37,126 @@ mirror.com/image/repo:sha256-1234567890abcdef1234567890abcdef1234567890abcdef123
 
 . Create a cluster image policy object similar to the following examples. See "About image policy parameters" for specific details on these parameters.
 +
---
-.Example cluster image policy object with a public key policy and the `MatchRepoDigestOrExact` match policy
+The following example cluster image policy object uses a public key policy and the `MatchRepoDigestOrExact` match policy:
++
 [source,yaml]
 ----
 apiVersion: config.openshift.io/v1
-kind: ClusterImagePolicy <1>
+kind: ClusterImagePolicy
 metadata:
   name: p1
 spec:
-  scopes: <2>
+  scopes:
     - example.com
-  policy: <3>
-    rootOfTrust: <4>
-      policyType: PublicKey <5>
+  policy:
+    rootOfTrust:
+      policyType: PublicKey
       publicKey:
-        keyData: a2V5RGF0YQ== <6>
-        rekorKeyData: cmVrb3JLZXlEYXRh <7>
-    signedIdentity: <8>
+        keyData: a2V5RGF0YQ==
+        rekorKeyData: cmVrb3JLZXlEYXRh
+    signedIdentity:
       matchPolicy: MatchRepoDigestOrExact
 ----
-<1> Creates a `ClusterImagePolicy` object.
-<2> Defines a list of repositories or images assigned to this policy. In a cluster image policy, make sure that the policy does not block the deployment of the {product-title} images in the `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev` repositories. Images in these repositories are required for cluster operation.
-<3> Specifies the parameters that define how the images are verified.
-<4> Defines a root of trust for the policy.
-<5> Specifies the policy types that define the root of trust, either a public key, a BYOPKI certificate, or a link:https://docs.sigstore.dev/certificate_authority/overview/[Fulcio certificate]. This example uses a public key with Rekor verification.
-<6> For a public key policy, specifies a base64-encoded public key in the PEM format. The maximum length is 8192 characters.
-<7> Optional: Specifies a base64-encoded Rekor public key in the PEM format. The maximum length is 8192 characters.
-<8> Optional: Specifies one of the following processes to verify the identity in the signature and the actual image identity:
+where:
++
+--
+`kind`:: Specifies that the configuration is for a `ClusterImagePolicy` object.
+`spec.scopes`:: Specifies a list of repositories or images assigned to this policy. In a cluster image policy, make sure that the policy does not block the deployment of the {product-title} images in the `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev` repositories. Images in these repositories are required for cluster operation.
+`spec.policy`:: Specifies the parameters that define how the images are verified.
+`spec.policy.rootOfTrust`:: Specifies a root of trust for the policy.
+`spec.policy.rootOfTrust.policyType`:: Specifies the policy types that define the root of trust, either a public key, a BYOPKI certificate, or a link:https://docs.sigstore.dev/certificate_authority/overview/[Fulcio certificate]. This example uses a public key with Rekor verification.
+`spec.policy.rootOfTrust.publicKey.keyData`:: For a public key policy, specifies a base64-encoded public key in the PEM format. The maximum length is 8192 characters.
+`spec.policy.rootOfTrust.publicKey.rekorKeyData`:: Specifies a base64-encoded Rekor public key in the PEM format. The maximum length is 8192 characters. This parameter is optional.
+`spec.policy.signedIdentity`:: Specifies the process to verify the identity in the signature and the actual image identity. This parameter is optional. Specify one of the following processes:
 * `MatchRepoDigestOrExact`.
 * `MatchRepository`.
 * `ExactRepository`. The `exactRepository` parameter must be specified.
 * `RemapIdentity`. The `prefix` and `signedPrefix` parameters must be specified.
 --
 +
---
-.Example cluster image policy object for a BYOPKI policy and the `MatchRepository` match policy
+The following example cluster image policy object uses a BYOPKI policy and the `MatchRepository` match policy:
++
 [source,yaml]
 ----
 apiVersion: config.openshift.io/v1alpha1
-kind: ClusterImagePolicy <1>
+kind: ClusterImagePolicy
 metadata:
   name: pki-policy
 spec:
   scopes:
-  - example.io <2>
-  policy: <3>
-    rootOfTrust: <4>
-      policyType: PKI <5>
-      pki: <6>
+  - example.io
+  policy:
+    rootOfTrust:
+      policyType: PKI
+      pki:
         caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk....URS0tLS0t
         caIntermediatesData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1J....lDQVRFLS0tLS0=
-        pkiCertificateSubject: <7>
+        pkiCertificateSubject:
           email: email@example.com
           hostname: myhost.example.com
     signedIdentity:
-      matchPolicy: MatchRepository <8>
+      matchPolicy: MatchRepository
 ----
-<1> Creates a `ClusterImagePolicy` object.
-<2> Defines a list of repositories or images assigned to this policy. In a cluster image policy, make sure that the policy does not block the deployment of the {product-title} images in the `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev` repositories. Images in these repositories are required for cluster operation.
-<3> Specifies the parameters that define how the images are verified.
-<4> Defines a root of trust for the policy.
-<5> Specifies the policy types that define the root of trust, either a public key, a BYOPKI certificate, or a link:https://docs.sigstore.dev/certificate_authority/overview/[Fulcio certificate]. This example uses a BYOPKI certificate.
-<6> For a BYOPKI certificate, specify `caRootsData`. This parameter specifies a base64-encoded CA root certificate in the PEM format. The maximum length is 8192 characters. Optionally with `caIntermediatesData`, specifies a base64-encoded intermediate CA root certificate in the PEM format. The maximum length is 8192 characters.
-<7> Specifies a subject alternative name (SAN) to authenticate the user’s identity by using a hostname and an email address: 
+where:
++
+--
+`kind`:: Specifies that the configuration is for a `ClusterImagePolicy` object.
+`spec.scopes`:: Specifies a list of repositories or images assigned to this policy. In a cluster image policy, make sure that the policy does not block the deployment of the {product-title} images in the `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev` repositories. Images in these repositories are required for cluster operation.
+`spec.policy`:: Specifies the parameters that define how the images are verified.
+`spec.policy.rootOfTrust`:: Specifies a root of trust for the policy.
+`spec.policy.rootOfTrust.policyType`:: Specifies the policy types that define the root of trust, either a public key, a BYOPKI certificate, or a Fulcio certificate. This example uses a BYOPKI certificate.
+`spec.policy.rootOfTrust.pki`:: For a BYOPKI certificate, specifies `caRootsData`. This parameter specifies a base64-encoded CA root certificate in the PEM format. The maximum length is 8192 characters. Optionally with `caIntermediatesData`, specifies a base64-encoded intermediate CA root certificate in the PEM format. The maximum length is 8192 characters.
+`spec.policy.rootOfTrust.pki.pkiCertificateSubject`:: Specifies a subject alternative name (SAN) to authenticate the user’s identity by using a hostname and an email address: 
 * `email`. Specifies the email address specified when the certificate was generated.
 * `hostname`. Specifies the hostname specified when the certificate was generated.
-<8> For a BYOPKI certificate, specify the `MatchRepository` parameter to verify the identity in the signature and the actual image identity. The default signed identity is `matchRepoDigestOrExact`, which requires a digest reference in the signature identity for verification. The signature identity in this case uses a repository reference, and does not include the image digest.
+`spec.policy.signedIdentity.matchPolicy`:: For a BYOPKI certificate, specifies the `MatchRepository` parameter to verify the identity in the signature and the actual image identity. The default signed identity is `matchRepoDigestOrExact`, which requires a digest reference in the signature identity for verification. The signature identity in this case uses a repository reference, and does not include the image digest.
 --
 +
---
-.Example cluster image policy object with a Fulcio certificate policy and the `remapIdentity` match policy
+The following example cluster image policy object uses a Fulcio certificate policy and the `remapIdentity` match policy:
++
 [source,yaml]
 ----
 apiVersion: config.openshift.io/v1
-kind: ClusterImagePolicy <1>
+kind: ClusterImagePolicy
 metadata:
   name: p1
 spec:
-  scopes: <2>
+  scopes:
     - example.com
-  policy: <3>
-    rootOfTrust: <4>
-      policyType: FulcioCAWithRekor <5>
-      fulcioCAWithRekor: <6>
+  policy:
+    rootOfTrust:
+      policyType: FulcioCAWithRekor
+      fulcioCAWithRekor:
         fulcioCAData: a2V5RGF0YQ==
         fulcioSubject:
           oidcIssuer: "https://expected.OIDC.issuer/"
           signedEmail: "expected-signing-user@example.com"
-        rekorKeyData: cmVrb3JLZXlEYXRh <7>
+        rekorKeyData: cmVrb3JLZXlEYXRh
     signedIdentity:
-      matchPolicy: RemapIdentity <8>
+      matchPolicy: RemapIdentity
       remapIdentity:
-        prefix: example.com <9>
-        signedPrefix: mirror-example.com <10>
+        prefix: example.com
+        signedPrefix: mirror-example.com
 ----
-<1> Creates a `ClusterImagePolicy` object.
-<2> Defines a list of repositories or images assigned to this policy. In a cluster image policy, make sure that the policy does not block the deployment of the {product-title} images in the `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev` repositories. Images in these repositories are required for cluster operation.
-<3> Specifies the parameters that define how the images are verified.
-<4> Defines a root of trust for the policy.
-<5> Specifies the policy types that define the root of trust, either a public key, a BYOPKI certificate, or a link:https://docs.sigstore.dev/certificate_authority/overview/[Fulcio certificate]. This example uses a Fulcio certificate with required Rekor verification.
-<6> For a Fulcio certificate policy, the following parameters are required:
+where:
++
+--
+`kind`:: Specifies that the configuration is for a `ClusterImagePolicy` object.
+`spec.scopes`:: Specifies a list of repositories or images assigned to this policy. In a cluster image policy, make sure that the policy does not block the deployment of the {product-title} images in the `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev` repositories. Images in these repositories are required for cluster operation.
+`spec.policy`:: Specifies the parameters that define how the images are verified.
+`spec.policy.rootOfTrust`:: Specifies a root of trust for the policy.
+`spec.policy.rootOfTrust.policyType`:: Specifies the policy types that define the root of trust, either a public key, a BYOPKI certificate, or a Fulcio certificate. This example uses a Fulcio certificate with required Rekor verification.
+`spec.policy.rootOfTrust.fulcioCAWithRekor`:: For a Fulcio certificate policy, the following parameters are required:
 * `fulcioCAData`: Specifies a base64-encoded Fulcio certificate in the PEM format. The maximum length is 8192 characters.
 * `fulcioSubject`: Specifies the OIDC issuer and the email of the Fulcio authentication configuration.
-<7> Specifies a base64-encoded Rekor public key in the PEM format. This parameter is required when the `policyType` is `FulcioCAWithRekor`. The maximum length is 8192 characters.
-<8> Optional: Specifies one of the following processes to verify the identity in the signature and the actual image identity.
+* `rekorKeyData`: Specifies a base64-encoded Rekor public key in the PEM format. This parameter is required when the `policyType` is `FulcioCAWithRekor`. The maximum length is 8192 characters.
+`spec.policy.signedIdentity.matchPolicy`:: Specifies one of the following processes to verify the identity in the signature and the actual image identity. This parameter is optional.
 * `MatchRepoDigestOrExact`.
 * `MatchRepository`.
 * `ExactRepository`. The `exactRepository` parameter must be specified.
 * `RemapIdentity`. The `prefix` and `signedPrefix` parameters must be specified.
-<9> For the `remapIdentity` match policy, specifies the prefix that should be matched against the scoped image prefix. If the two match, the scoped image prefix is replaced with the value of `signedPrefix`. The maximum length is 512 characters.
-<10> For the `remapIdentity` match policy, specifies the image prefix to be remapped, if needed. The maximum length is 512 characters.
+`spec.policy.signedIdentity.remapIdentity.prefix`:: For the `remapIdentity` match policy, specifies the prefix that should be matched against the scoped image prefix. If the two match, the scoped image prefix is replaced with the value of `signedPrefix`. The maximum length is 512 characters.
+`spec.policy.signedIdentity.remapIdentity.signedPrefix`:: For the `remapIdentity` match policy, specifies the image prefix to be remapped, if needed. The maximum length is 512 characters.
 --
 
 . Create the cluster image policy object:
@@ -263,9 +274,11 @@ sh-5.1# cat /etc/containers/registries.d/sigstore-registries.yaml
 ----
 docker:
   example.com:
-    use-sigstore-attachments: true <1>
+    use-sigstore-attachments: true
   quay.io/openshift-release-dev/ocp-release:
     use-sigstore-attachments: true
 ----
-<1> When `true`, specifies that sigstore signatures are going to be read along with the image.
+where:
+
+`docker.example.com.use-sigstore-attachments`:: When `true`, specifies that sigstore signatures are going to be read along with the image.
 // https://github.com/openshift/api/blob/master/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml