K8s ‐ Verify web console disabled

Elyasaf Halle edited this page May 6, 2026 · 2 revisions

Description

This rule verifies that the OpenShift web console is properly disabled on edge/SNO (Single Node OpenShift) clusters. It checks two conditions:

  1. The console operator managementState is explicitly set to Removed or Unmanaged
  2. No pods remain running in the openshift-console namespace

On edge clusters, the web console should be disabled to reduce resource usage and minimize the attack surface.

Prerequisites

  • Access to the OpenShift cluster with permissions to read the console operator configuration and list pods
  • The oc command-line tool configured and authenticated
  • The console operator must be explicitly disabled (managementState set to Removed or Unmanaged)

If the console operator is in Managed state, the rule is marked as Not Applicable since the web console is intentionally enabled. Note that Unmanaged only stops the operator from reconciling the console; it does not remove a console that was already deployed. Under Unmanaged, any remaining console Deployment and its pods have to be deleted by hand, or the state switched to Removed so the operator tears them down.

Impact

If the web console is supposed to be disabled but pods remain in the openshift-console namespace:

  • Resource waste: Console pods consume CPU and memory on resource-constrained edge/SNO nodes
  • Security exposure: An unnecessary web interface increases the attack surface
  • Configuration drift: Indicates the console operator removal did not complete cleanly

Root Cause

Common scenarios that may lead to leftover console pods:

  • The console operator managementState was changed to Removed but the operator failed to clean up pods
  • A previous rollback or upgrade left orphaned resources in the openshift-console namespace
  • Manual intervention created pods in the namespace after the console was disabled
  • Network or API server issues prevented the operator from completing the teardown

Diagnostics

1. Check console operator state

oc get console.operator.openshift.io cluster -o jsonpath='{.spec.managementState}'

Expected output for a disabled console: Removed or Unmanaged (jsonpath prints the value without a trailing newline; Managed means the console is intentionally enabled and the rule does not apply)

2. Check for pods in the openshift-console namespace

oc get pods -n openshift-console

Expected output when console is properly disabled: No resources found in openshift-console namespace.

3. Check console operator status and events

oc describe console.operator.openshift.io cluster

Look for:

  • managementState in the spec
  • Conditions indicating errors during removal
  • Recent events related to console teardown

4. Check for other resources in the namespace

oc get all -n openshift-console

Note that all covers workload and service resources (Deployments, ReplicaSets, Pods, Services, Routes) but not ConfigMaps, Secrets or ServiceAccounts. The entries that matter for this rule are Deployments and ReplicaSets: while one of them exists, pods that are deleted by hand are simply recreated.
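The two checks above (operator managementState, then pods in openshift-console) as a small shell script. This is an added example, not the rule's own implementation; the function names are this example's, and the decision logic is kept separate from the oc calls so it can be exercised offline with constructed input while check_live_cluster wires it to a logged-in cluster.

```bash
#!/usr/bin/env bash
# Added example (not the rule's own code): the managementState and pod checks
# from the Diagnostics section as reusable functions.

# evaluate_console_rule STATE POD_COUNT
#   STATE     - .spec.managementState of console.operator.openshift.io/cluster
#   POD_COUNT - number of pods currently in openshift-console
# Prints the rule result and returns 0 only for PASS:
#   Managed           -> NOT_APPLICABLE (console intentionally enabled)
#   Removed/Unmanaged -> PASS if no pods remain, FAIL otherwise
#   anything else     -> UNKNOWN (typically an empty value: object or field
#                        could not be read)
evaluate_console_rule() {
    state="$1"
    pod_count="$2"
    case "$state" in
        Managed)
            echo NOT_APPLICABLE
            return 2
            ;;
        Removed|Unmanaged)
            if [ "$pod_count" -eq 0 ]; then
                echo PASS
                return 0
            fi
            echo FAIL
            return 1
            ;;
        *)
            echo UNKNOWN
            return 3
            ;;
    esac
}

# count_pods: count pod lines on stdin. Feed it the output of
#   oc get pods -n openshift-console --no-headers
# With --no-headers the "No resources found" message goes to stderr, so an
# empty namespace yields empty stdin and a count of 0 (grep -c prints 0 and
# exits 1 in that case, hence the || true).
count_pods() {
    grep -c . || true
}

# check_live_cluster: run the real checks against the current oc context.
check_live_cluster() {
    state=$(oc get console.operator.openshift.io cluster \
                -o jsonpath='{.spec.managementState}' 2>/dev/null)
    pods=$(oc get pods -n openshift-console --no-headers 2>/dev/null | count_pods)
    evaluate_console_rule "$state" "$pods"
}

# Constructed sample run (no cluster needed): a Removed operator with two
# leftover console pods, the failure scenario this page describes.
sample_pods='console-6f9c8d7b5-abcde   1/1   Running   0   12m
console-6f9c8d7b5-fghij   1/1   Running   0   12m'
sample_count=$(printf '%s\n' "$sample_pods" | count_pods)
sample_result=$(evaluate_console_rule Removed "$sample_count") || true
echo "sample: managementState=Removed pods=$sample_count -> $sample_result"
```

Call check_live_cluster from a logged-in shell to run the real check; its exit status (0 only for PASS) makes it usable from a CI job or a cron-driven compliance sweep on the node.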

Solution

If console should be disabled and pods remain:

Force removal of console pods:

# Delete remaining pods
oc delete pods --all -n openshift-console

# Verify pods are gone
oc get pods -n openshift-console

If pods keep reappearing after deletion, they still have a live owner (a Deployment or ReplicaSet in the namespace) that recreates them, so deleting pods alone will not help. Make sure the operator state is Removed so the operator removes the Deployment as well:

# Verify managementState is Removed
oc get console.operator.openshift.io cluster -o jsonpath='{.spec.managementState}'

# If not, set it to Removed
oc patch console.operator.openshift.io cluster --type merge -p '{"spec":{"managementState":"Removed"}}'

If the operator itself is stuck:

# Check the console-operator pod in openshift-console-operator namespace
oc get pods -n openshift-console-operator
oc logs -n openshift-console-operator deployment/console-operator

If console should actually be enabled:

# Re-enable the console
oc patch console.operator.openshift.io cluster --type merge -p '{"spec":{"managementState":"Managed"}}'

# Verify console pods come up
oc get pods -n openshift-console -w

Verify the fix:

# Confirm no pods in openshift-console namespace
oc get pods -n openshift-console

# Confirm operator state
oc get console.operator.openshift.io cluster -o jsonpath='{.spec.managementState}'
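The remediation steps above depend on two things the page checks by hand: the operator state and whether the leftover pods are still owned by a controller. The script below is an added example, not the project's own tooling; it picks the matching step from those two inputs and can optionally apply it. Assumptions that are this example's rather than the page's: pods are inspected through their ownerReferences, and pods with a Deployment or ReplicaSet owner are treated as ones that would be recreated if deleted on their own.

```bash
#!/usr/bin/env bash
# Added example (not the project's own code): map operator state and pod
# ownership to one of the remediation steps on this page.

# plan_remediation STATE POD_COUNT OWNER_KINDS
#   STATE       - .spec.managementState of console.operator.openshift.io/cluster
#   POD_COUNT   - number of pods in openshift-console
#   OWNER_KINDS - space-separated ownerReferences kinds of those pods, or ""
# Prints one action keyword:
#   keep              - Managed: console is intentionally enabled, do nothing
#   clean             - no pods left, nothing to do
#   delete-pods       - orphaned pods with no owner: plain pod deletion works
#   wait-for-operator - Removed but pods still have a controller: the operator
#                       has not finished (or failed) the teardown, inspect it
#   delete-workloads  - Unmanaged: the operator will not remove anything, so
#                       the owning Deployment/ReplicaSet must go by hand
plan_remediation() {
    state="$1"
    pod_count="$2"
    owners="$3"
    if [ "$state" = Managed ]; then
        echo keep
        return 0
    fi
    if [ "$pod_count" -eq 0 ]; then
        echo clean
        return 0
    fi
    case "$state" in
        Removed)
            if [ -z "$owners" ]; then echo delete-pods; else echo wait-for-operator; fi ;;
        Unmanaged)
            if [ -z "$owners" ]; then echo delete-pods; else echo delete-workloads; fi ;;
        *)
            echo unknown ;;
    esac
}

# gather_and_plan: collect the inputs from the current oc context and plan.
gather_and_plan() {
    state=$(oc get console.operator.openshift.io cluster \
                -o jsonpath='{.spec.managementState}' 2>/dev/null)
    pod_count=$(oc get pods -n openshift-console --no-headers 2>/dev/null | grep -c . || true)
    owners=$(oc get pods -n openshift-console \
                -o jsonpath='{range .items[*]}{.metadata.ownerReferences[*].kind}{" "}{end}' 2>/dev/null)
    # Unquoted expansion collapses whitespace, so pods without owners give "".
    owners=$(echo $owners)
    plan_remediation "$state" "$pod_count" "$owners"
}

# apply_remediation ACTION: run the page's commands for the chosen action.
apply_remediation() {
    case "$1" in
        delete-pods)
            oc delete pods --all -n openshift-console ;;
        delete-workloads)
            oc delete deployment,replicaset --all -n openshift-console ;;
        wait-for-operator)
            oc describe console.operator.openshift.io cluster
            oc logs -n openshift-console-operator deployment/console-operator --tail=50 ;;
        keep|clean)
            : ;;
        *)
            echo "no remediation for state: $1" >&2
            return 1 ;;
    esac
}

# Constructed sample (no cluster needed): Unmanaged operator, two pods still
# owned by a ReplicaSet, which is the case where deleting pods alone fails.
sample_plan=$(plan_remediation Unmanaged 2 "ReplicaSet ReplicaSet")
echo "sample: Unmanaged, 2 pods owned by ReplicaSet -> $sample_plan"
```

Run `apply_remediation "$(gather_and_plan)"` from a logged-in shell to act on the plan. For the delete-workloads case the alternative shown on this page, patching managementState to Removed and letting the operator tear the console down, is usually preferable to deleting the Deployment by hand.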
