Machine Config Pool — OpenShift Container Platform 4.x

Kamlesh Prajapati
Feb 3, 2023

In OpenShift Container Platform 3, you usually work with three node roles: master, compute, and infrastructure (infra). OpenShift Container Platform 4 instead provides only master and worker roles by default. There is no infra node in OpenShift 4 out of the box. When migrating from OpenShift 3 to OpenShift 4, users might ask how to convert OpenShift 3 infra nodes to OpenShift 4 infra nodes. In this post I will try to explain.

A common mistake is to simply apply the infra label to the worker nodes:

oc label node $NODE_NAME

After you apply the label to the node, no output suggests that this is a problem. However, when you upgrade the OpenShift cluster, you will notice that the worker nodes you applied the label to do not get upgraded. This is the expected behavior.

In this blog we will discuss what a Machine Config Pool is and how you should use it for OpenShift 4 infra nodes.

To understand the situation, we first need to understand the concept of operators in OpenShift Container Platform 4.x.

As you know, OpenShift Container Platform 4 is an operator-focused platform. On Red Hat CoreOS, the Machine Config Operator handles the operating system, managing OS updates and configuration changes. Understanding the Machine Config Operator is central to managing master and worker nodes properly according to the new architectural design of OpenShift Container Platform 4.

What is a Machine Config Operator?

The Machine Config Operator (MCO) is a cluster-level operator like any other operator in OpenShift Container Platform, but it is a special one from an OCP infrastructure perspective. It manages the operating system and keeps the cluster up to date and configured. Using the MCO, platform administrators can configure and update systemd, cri-o/kubelet, the kernel, NetworkManager, etc. on the nodes. To do so, the MCO creates a statically rendered MachineConfig file which includes the MachineConfigs for each node. It then applies that configuration to each node.

Sub Components of Machine Config Operator

The MCO is a complex component. It has several sub-components, and each performs a different task. This article does not explain the components in detail; instead it gives the name of each component along with a hyperlink, so you can read about them based on your interest by clicking on the hyperlink.

What does Machine Config Controller do?

I think it's good to know about the Machine Config Controller, as it is relevant to what we are discussing. The Machine Config Controller starts to play a role after OpenShift Container Platform 4 is installed.

Machine Config Controller Goals:

  • Coordinate upgrade of machines to the desired configuration defined by a MachineConfig Object.
  • Provide options to control upgrades for sets of machines individually.

In other words, the Machine Config Controller generates Machine Configs for the predefined roles (master and worker) and monitors whether an existing Machine Config CR (custom resource) is modified or new Machine Config CRs are created. Whenever the controller detects either of those events, it generates a new rendered Machine Config object that contains all of the Machine Configs selected by the MachineConfigSelector of each MachineConfigPool.

Below are the role descriptions of its controllers:

Template Controller:

  • Generate the MachineConfigs for predefined roles of machines (master, worker).
  • Watch controllerconfig to generate OpenShift-owned MachineConfigs.

Render Controller:

  • Watch MachineConfigPool object to find all the MachineConfig objects.
  • Update CurrentMachineConfig with the rendered MachineConfig.
  • Detect changes on all the MachineConfigs and syncs all the MachineConfigPool objects with a new CurrentMachineConfig.

Update Controller:

  • Watch whether a MachineConfigPool's .Status.CurrentMachineConfig is updated.
  • Upgrade machines to the desired MachineConfig by coordinating with a daemon running on each machine.

What is Machine Config?

Machine Config is the source of machine configuration; it is used for installation and first boot, as well as upgrades.
The Machine Config should be static, i.e. it should not contain links or remote locations to generate configuration dynamically. In short, it defines OS level configuration if the machine uses RHCOS.

What is Machine Config Pool?

The main objective of the Machine Config Pool (MCP) is to resolve this situation. The Machine Config Pool operates similarly to a RoleBinding object: just as a RoleBinding associates roles with users, the Machine Config Pool associates nodes with Machine Configs.

The Machine Config Pool maps between nodes and Machine Configs. The Machine Config Pool has two selectors, and each selector matches machine configs with nodes.

The Render controller in the Machine Config Controller monitors the Machine Config Pool and generates static machine config objects named rendered-master-XXXX and rendered-worker-xxx. These objects can include multiple machine configs. The Render controller then checks whether the nodes in the pool have applied the latest rendered-xxxx machine config. If the machine config pool changes, then the render controller creates a new rendered-xxx and applies it.

Infra worker node group

Now it's time to solve the infra-role worker node issue. As I mentioned at the beginning, there are only two roles in OpenShift 4.x by default (master and worker).
To resolve this problem, all that is needed is a node label added to a particular node, a set of nodes, or machines and a machineset.

Our node label and matching selector for infrastructure components will be "".

To prevent other workloads from also being scheduled on those infrastructure nodes, we need one of two solutions:

  • Apply a taint to the infrastructure nodes and tolerations to the desired infrastructure workloads.
  • Apply a completely separate label to your other nodes and matching node selector to your other workloads such that they are mutually exclusive from infrastructure nodes.
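
The manifests below are an added example, not part of the original post: a MachineConfigPool for infra nodes showing the two selectors described earlier, followed by a workload using the taint/toleration option from the list above. They assume the conventional `node-role.kubernetes.io/infra` label and a `NoSchedule` taint with the same key on the infra nodes; the Deployment name and image are hypothetical placeholders.

```yaml
# Pool that binds infra-labelled nodes to the worker + infra MachineConfigs.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfigPool
metadata:
  name: infra
spec:
  # Selector 1: which MachineConfigs are rendered into this pool.
  # Including "worker" keeps the infra nodes on the same base OS
  # configuration (and upgrade path) as regular workers.
  machineConfigSelector:
    matchExpressions:
      - key: machineconfiguration.openshift.io/role
        operator: In
        values: [worker, infra]
  # Selector 2: which nodes belong to this pool (assumed label).
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/infra: ""
---
# Hypothetical infrastructure workload pinned to the infra nodes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-infra-workload          # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-infra-workload
  template:
    metadata:
      labels:
        app: example-infra-workload
    spec:
      # Schedule only onto nodes carrying the infra label.
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      # Tolerate the taint that keeps ordinary workloads off these nodes
      # (assumed taint: node-role.kubernetes.io/infra:NoSchedule).
      tolerations:
        - key: node-role.kubernetes.io/infra
          operator: Exists
          effect: NoSchedule
      containers:
        - name: app
          image: registry.example.com/example/app:latest   # placeholder image
```

After the pool is created, `oc get mcp` should list an `infra` pool with its own rendered configuration alongside `master` and `worker`.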

Happy Learning…
