Extract from: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume
A token served for a TokenRequest expires either when the pod is deleted or after a defined lifespan (by default, that is 1 hour). The kubelet also refreshes that token before the token expires. The token is bound to the specific Pod and has the kube-apiserver as its audience.
See https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#tokenrequest-api
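An added example (not from the Kubernetes documentation or from this page's author) that inspects a service account token's claims for the properties described above: lifespan, audience and Pod binding. The sample tokens and all their values are constructed, and the signature is not verified, so this is for inspection only.

```python
import base64
import json
import time

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token, now=None):
    """Summarise lifespan, audience and Pod binding, and flag what is missing."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    pod = claims.get("kubernetes.io", {}).get("pod")  # set only on Pod-bound tokens
    aud = claims.get("aud", [])
    findings = []
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif exp <= now:
        findings.append("token already expired")
    if pod is None:
        findings.append("no pod binding: token is not tied to a Pod's lifetime")
    return {
        "subject": claims.get("sub"),
        "audiences": [aud] if isinstance(aud, str) else aud,
        "lifespan_s": exp - iat if exp is not None and iat is not None else None,
        "remaining_s": int(exp - now) if exp is not None else None,
        "bound_pod": pod.get("name") if pod else None,
        "findings": findings,
    }

def make_sample(claims):
    """Build a constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"

# Constructed samples: a bound token (1 hour lifespan) and a legacy Secret-style token.
BOUND = make_sample({"sub": "system:serviceaccount:demo:app", "iat": 1700000000,
                     "exp": 1700003600, "aud": ["https://kubernetes.default.svc"],
                     "kubernetes.io": {"namespace": "demo", "pod": {"name": "app-0"}}})
LEGACY = make_sample({"iss": "kubernetes/serviceaccount",
                      "sub": "system:serviceaccount:demo:app"})

if __name__ == "__main__":
    for name, tok in (("bound", BOUND), ("legacy", LEGACY)):
        print(name, json.dumps(audit_token(tok, now=1700000600), indent=2))
```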
Undocumented, and the debug logs are not useful; "openshift-install destroy -h" does not help.
Having a look at the code, it seems it stops and then removes the VMs. See https://github.com/openshift/installer/blob/master/cmd/openshift-install/destroy.go and https://github.com/openshift/installer/blob/dd15963db02cabddf2c26870d230bd1fbbaddb0c/pkg/destroy/ovirt/destroyer.go#L63C2-L63C24
Extract from https://docs.openshift.com/container-platform/4.14/updating/understanding_updates/intro-to-updates.html
The CVO monitors the state of each applied resource and the states reported by all cluster Operators. The CVO only proceeds with the update when all manifests and cluster Operators in the active Runlevel reach a stable condition. After the CVO updates the entire control plane through this process, the Machine Config Operator (MCO) updates the operating system and configuration of every node in the cluster.
An explanation of the "orphan machine" use case (creation of a machine using the export of an existing machine in a machineset) is available here.
Controllers are in the namespaces openshift-machine-api (machineset, machine) and openshift-cloud-controller-manager (cloud vm).
https://github.com/openshift/machine-api-operator/tree/master#readme
See https://stackoverflow.com/questions/57661494/list-of-kubernetes-rbac-rule-verbs
kubectl proxy --port=8080
curl -s http://localhost:8080/api/v1 | jq '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")' -r
Among the components of a DR plan are two key parameters that define how long your business can afford to be offline and how much data loss it can tolerate. These are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
RTO is the goal your organization sets for the maximum length of time it should take to restore normal operations following an outage or data loss.
RPO is your goal for the maximum amount of data the organization can tolerate losing. This parameter is measured in time: from the moment a failure occurs to your last valid data backup. For example, if you experience a failure now and your last full data backup was 24 hours ago, the RPO is 24 hours.
replacing unhealthy etcd member
disaster recovery : restoring cluster state
hosted control plane : backup-restore
With respect to the inline documentation:
kubectl explain pod.spec.containers.ports | head -n 10
KIND: Pod
VERSION: v1
FIELD: ports <[]ContainerPort>
DESCRIPTION:
List of ports to expose from the container. Not specifying a port here DOES
NOT prevent that port from being exposed. Any port which is listening on the
default "0.0.0.0" address inside a container will be accessible from the
network. Modifying this array with strategic merge patch may corrupt the