{"id":"virt-validates-full-governed-platform","text":"OpenShift Virtualization is the most demanding consumer of the governed platform model: live migration requires the full CNI+storage infrastructure stack operating under operator-driven governance (singleton CRs, immutable nodes), and both application images and VM disk images flow through governed supply chains — making virtualization a comprehensive validation that all platform layers are functioning correctly.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["virt-requires-governed-infrastructure-stack","governed-immutable-image-and-operator-platform"],"outlist":[],"label":"Combines virt infrastructure demands (depth-5) with governed image/operator model (depth-5) — virt stress-tests the entire platform"}],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"virt-validates-full-governed-platform","truth_value":"IN","reason":"SL justification valid","antecedents":["virt-requires-governed-infrastructure-stack","governed-immutable-image-and-operator-platform"],"label":"Combines virt infrastructure demands (depth-5) with governed image/operator model (depth-5) — virt stress-tests the entire platform"},{"node":"virt-requires-governed-infrastructure-stack","truth_value":"IN","reason":"SL justification valid","antecedents":["virt-migration-requires-full-stack-and-topology","operator-driven-immutable-platform-model"],"label":"VM live migration is the strongest validation of the platform model — it requires every infrastructure layer to be operator-managed and correctly provisioned."},{"node":"virt-migration-requires-full-stack-and-topology","truth_value":"IN","reason":"SL justification valid","antecedents":["virt-migration-depends-on-cni-and-storage-stack","virt-migration-excluded-on-constrained-topologies"],"label":"depth-3 — migration feasibility is the intersection of infrastructure completeness and topology constraints"},{"node":"virt-migration-depends-on-cni-and-storage-stack","truth_value":"IN","reason":"SL justification valid","antecedents":["virt-live-migration-storage-and-network-prerequisites","multi-cni-network-architecture"],"label":"The migration network is a Multus secondary interface — connecting the virt prerequisite to the broader CNI architecture reveals migration as a consumer of the full networking stack"},{"node":"virt-live-migration-storage-and-network-prerequisites","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-virt-rwx-pvc-required-live-migration","ocp-virt-rwo-no-live-migrate","ocp-virt-dedicated-multus-network-recommended"],"label":"Storage and network prerequisites must both be met for live migration"},{"node":"ocp-virt-rwx-pvc-required-live-migration","truth_value":"IN","reason":"premise"},{"node":"ocp-virt-rwo-no-live-migrate","truth_value":"IN","reason":"premise"},{"node":"ocp-virt-dedicated-multus-network-recommended","truth_value":"IN","reason":"premise"},{"node":"multi-cni-network-architecture","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-default-cni-shifted-to-ovn-kubernetes","ocp-multus-cni-multiple-interfaces","multus-cni-enables-multiple-network-attachments","pods-reference-nads-via-annotation"],"label":"Primary + meta-plugin + secondary plugin layering defines the network model"},{"node":"ocp-default-cni-shifted-to-ovn-kubernetes","truth_value":"IN","reason":"premise"},{"node":"ocp-multus-cni-multiple-interfaces","truth_value":"IN","reason":"premise"},{"node":"multus-cni-enables-multiple-network-attachments","truth_value":"IN","reason":"premise"},{"node":"pods-reference-nads-via-annotation","truth_value":"IN","reason":"premise"},{"node":"virt-migration-excluded-on-constrained-topologies","truth_value":"IN","reason":"SL justification valid","antecedents":["virt-live-migration-storage-and-network-prerequisites","sno-reduced-capability-profile"],"label":"Storage/network prerequisites combine with topology constraints to gate virt capabilities"},{"node":"virt-live-migration-storage-and-network-prerequisites","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-virt-rwx-pvc-required-live-migration","ocp-virt-rwo-no-live-migrate","ocp-virt-dedicated-multus-network-recommended"],"label":"Storage and network prerequisites must both be met for live migration"},{"node":"ocp-virt-rwx-pvc-required-live-migration","truth_value":"IN","reason":"premise"},{"node":"ocp-virt-rwo-no-live-migrate","truth_value":"IN","reason":"premise"},{"node":"ocp-virt-dedicated-multus-network-recommended","truth_value":"IN","reason":"premise"},{"node":"sno-reduced-capability-profile","truth_value":"IN","reason":"SL justification valid","antecedents":["ocpvirt-sno-no-live-migration-ha","sriov-sno-disable-drain","sno-worker-requires-ocp-411"],"label":"SNO trades operational features for minimal footprint"},{"node":"ocpvirt-sno-no-live-migration-ha","truth_value":"IN","reason":"premise"},{"node":"sriov-sno-disable-drain","truth_value":"IN","reason":"premise"},{"node":"sno-worker-requires-ocp-411","truth_value":"IN","reason":"premise"},{"node":"operator-driven-immutable-platform-model","truth_value":"IN","reason":"SL justification valid","antecedents":["immutable-nodes-with-singleton-operator-control","operator-delivery-through-console-integration"],"label":"depth-3 — both platform delivery and node management converge on operators as the universal control plane"},{"node":"immutable-nodes-with-singleton-operator-control","truth_value":"IN","reason":"SL justification valid","antecedents":["node-config-immutable-delivery-pipeline","singleton-resource-naming-convention","mco-rollout-process"],"label":"The MCO pipeline delivers changes to immutable nodes, and the singleton pattern ensures exactly one configuration authority — together they prevent configuration drift and split-brain"},{"node":"node-config-immutable-delivery-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["rhcos-immutable-update-model","image-mirror-configuration-pipeline"],"label":"Both OS updates and registry configuration use the same MCO-mediated immutable delivery pattern"},{"node":"rhcos-immutable-update-model","truth_value":"IN","reason":"SL justification valid","antecedents":["rhcos-nodes-immutable","rhcos-rpm-ostree-updates","image-layering-verify-rpm-ostree-status"],"label":"Three facets of the same immutable-OS operational model"},{"node":"rhcos-nodes-immutable","truth_value":"IN","reason":"premise"},{"node":"rhcos-rpm-ostree-updates","truth_value":"IN","reason":"premise"},{"node":"image-layering-verify-rpm-ostree-status","truth_value":"IN","reason":"premise"},{"node":"image-mirror-configuration-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["oc-mirror-generates-idms","mirror-config-applied-via-mco-registries-conf","icsp-deprecated-in-favor-of-idms"],"label":"End-to-end mirror configuration from generation to node application"},{"node":"oc-mirror-generates-idms","truth_value":"IN","reason":"premise"},{"node":"mirror-config-applied-via-mco-registries-conf","truth_value":"IN","reason":"premise"},{"node":"icsp-deprecated-in-favor-of-idms","truth_value":"IN","reason":"premise"},{"node":"singleton-resource-naming-convention","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-config-singleton-named-cluster","flowcollector-must-be-named-cluster","clusterautoscaler-singleton-named-default","storage-operator-singleton-named-cluster","powermonitor-must-be-named-power-monitor"],"label":"A recurring platform pattern worth capturing as a cross-cutting architectural constraint"},{"node":"oauth-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"flowcollector-must-be-named-cluster","truth_value":"IN","reason":"premise"},{"node":"clusterautoscaler-singleton-named-default","truth_value":"IN","reason":"premise"},{"node":"storage-operator-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"powermonitor-must-be-named-power-monitor","truth_value":"IN","reason":"premise"},{"node":"mco-rollout-process","truth_value":"IN","reason":"premise"},{"node":"operator-delivery-through-console-integration","truth_value":"IN","reason":"SL justification valid","antecedents":["operator-catalog-to-deployment-pipeline","console-plugin-integration-model"],"label":"OLM is the shared dependency — it drives both operator deployment and console plugin registration, revealing OLM as the universal operator delivery bus"},{"node":"operator-catalog-to-deployment-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-modernizes-operator-catalog-format","olm-full-lifecycle-chain"],"label":"FBC defines the catalog format; OLM defines the installation chain — together they form the complete operator delivery pipeline"},{"node":"fbc-modernizes-operator-catalog-format","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-default-since-ocp-411-sqlite-deprecated","opm-validate-checks-catalog","fbc-skiprange-prunes-update-graph"],"label":"FBC as the complete modern catalog toolchain"},{"node":"fbc-default-since-ocp-411-sqlite-deprecated","truth_value":"IN","reason":"premise"},{"node":"opm-validate-checks-catalog","truth_value":"IN","reason":"premise"},{"node":"fbc-skiprange-prunes-update-graph","truth_value":"IN","reason":"premise"},{"node":"olm-full-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-resource-chain","olm-subscription-tracks-channel","subscription-triggers-installplan-then-csv","installplan-required-spec-fields"],"label":"End-to-end OLM lifecycle with each resource's role clarified"},{"node":"olm-resource-chain","truth_value":"IN","reason":"premise"},{"node":"olm-subscription-tracks-channel","truth_value":"IN","reason":"premise"},{"node":"subscription-triggers-installplan-then-csv","truth_value":"IN","reason":"premise"},{"node":"installplan-required-spec-fields","truth_value":"IN","reason":"premise"},{"node":"console-plugin-integration-model","truth_value":"IN","reason":"SL justification valid","antecedents":["consoleplugin-backend-must-use-https","console-plugins-registered-via-olm","console-config-singleton-named-cluster","consoleplugin-compat-level-1"],"label":"Console plugin architecture with security, registration, and stability guarantees"},{"node":"consoleplugin-backend-must-use-https","truth_value":"IN","reason":"premise"},{"node":"console-plugins-registered-via-olm","truth_value":"IN","reason":"premise"},{"node":"console-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"consoleplugin-compat-level-1","truth_value":"IN","reason":"premise"},{"node":"governed-immutable-image-and-operator-platform","truth_value":"IN","reason":"SL justification valid","antecedents":["image-governed-from-build-through-lifecycle","operator-driven-immutable-platform-model"],"label":"Image governance and operator-driven immutability are two faces of the same platform guarantee; combining reveals the universal pipeline-delivery constraint."},{"node":"image-governed-from-build-through-lifecycle","truth_value":"IN","reason":"SL justification valid","antecedents":["image-supply-chain-end-to-end","image-lifecycle-management-model"],"label":"depth-3 supply chain covers creation/delivery while depth-1 lifecycle covers pruning/cleanup; combining shows that image governance is a closed loop, not a one-way pipeline"},{"node":"image-supply-chain-end-to-end","truth_value":"IN","reason":"SL justification valid","antecedents":["build-and-image-delivery-pipeline","operator-catalog-to-deployment-pipeline"],"label":"depth-3 — application and operator image delivery are structurally parallel managed pipelines"},{"node":"build-and-image-delivery-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["build-system-openshift-native-duality","imagestream-controlled-access-model","image-registry-external-access-model"],"label":"Build systems, ImageStream access control, and registry exposure form a complete image delivery chain"},{"node":"build-system-openshift-native-duality","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-two-build-systems-shipwright-buildconfig","ocp-buildconfigs-not-in-upstream-k8s","imagestream-buildconfig-openshift-native"],"label":"The build system is entirely OpenShift-native — both build mechanisms and their image output target (ImageStream) have no K8s equivalents"},{"node":"ocp-two-build-systems-shipwright-buildconfig","truth_value":"IN","reason":"premise"},{"node":"ocp-buildconfigs-not-in-upstream-k8s","truth_value":"IN","reason":"premise"},{"node":"imagestream-buildconfig-openshift-native","truth_value":"IN","reason":"premise"},{"node":"imagestream-controlled-access-model","truth_value":"IN","reason":"SL justification valid","antecedents":["image-objects-immutable-content-addressed","end-users-access-images-via-imagestreamtag-or-imagestreamimage","imagestream-pull-requires-get-layers-permission","ocp-imagestreammapping-privileged-only"],"label":"Four beliefs collectively enforce a layered access control model over image content"},{"node":"image-objects-immutable-content-addressed","truth_value":"IN","reason":"premise"},{"node":"end-users-access-images-via-imagestreamtag-or-imagestreamimage","truth_value":"IN","reason":"premise"},{"node":"imagestream-pull-requires-get-layers-permission","truth_value":"IN","reason":"premise"},{"node":"ocp-imagestreammapping-privileged-only","truth_value":"IN","reason":"premise"},{"node":"image-registry-external-access-model","truth_value":"IN","reason":"SL justification valid","antecedents":["image-registry-default-route-true-exposes-externally","default-route-uses-reencrypt","registry-credential-secret-name","image-registry-storage-backends"],"label":"Four beliefs that together describe how the registry is configured, secured, and exposed"},{"node":"image-registry-default-route-true-exposes-externally","truth_value":"IN","reason":"premise"},{"node":"default-route-uses-reencrypt","truth_value":"IN","reason":"premise"},{"node":"registry-credential-secret-name","truth_value":"IN","reason":"premise"},{"node":"image-registry-storage-backends","truth_value":"IN","reason":"premise"},{"node":"operator-catalog-to-deployment-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-modernizes-operator-catalog-format","olm-full-lifecycle-chain"],"label":"FBC defines the catalog format; OLM defines the installation chain — together they form the complete operator delivery pipeline"},{"node":"fbc-modernizes-operator-catalog-format","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-default-since-ocp-411-sqlite-deprecated","opm-validate-checks-catalog","fbc-skiprange-prunes-update-graph"],"label":"FBC as the complete modern catalog toolchain"},{"node":"fbc-default-since-ocp-411-sqlite-deprecated","truth_value":"IN","reason":"premise"},{"node":"opm-validate-checks-catalog","truth_value":"IN","reason":"premise"},{"node":"fbc-skiprange-prunes-update-graph","truth_value":"IN","reason":"premise"},{"node":"olm-full-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-resource-chain","olm-subscription-tracks-channel","subscription-triggers-installplan-then-csv","installplan-required-spec-fields"],"label":"End-to-end OLM lifecycle with each resource's role clarified"},{"node":"olm-resource-chain","truth_value":"IN","reason":"premise"},{"node":"olm-subscription-tracks-channel","truth_value":"IN","reason":"premise"},{"node":"subscription-triggers-installplan-then-csv","truth_value":"IN","reason":"premise"},{"node":"installplan-required-spec-fields","truth_value":"IN","reason":"premise"},{"node":"image-lifecycle-management-model","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-managed-image-annotation-required","imagepruner-managed-by-image-registry-operator","ocp-image-pruning-requires-registry-restart"],"label":"Three base beliefs about image pruning combine into a complete image lifecycle management model"},{"node":"ocp-managed-image-annotation-required","truth_value":"IN","reason":"premise"},{"node":"imagepruner-managed-by-image-registry-operator","truth_value":"IN","reason":"premise"},{"node":"ocp-image-pruning-requires-registry-restart","truth_value":"IN","reason":"premise"},{"node":"operator-driven-immutable-platform-model","truth_value":"IN","reason":"SL justification valid","antecedents":["immutable-nodes-with-singleton-operator-control","operator-delivery-through-console-integration"],"label":"depth-3 — both platform delivery and node management converge on operators as the universal control plane"},{"node":"immutable-nodes-with-singleton-operator-control","truth_value":"IN","reason":"SL justification valid","antecedents":["node-config-immutable-delivery-pipeline","singleton-resource-naming-convention","mco-rollout-process"],"label":"The MCO pipeline delivers changes to immutable nodes, and the singleton pattern ensures exactly one configuration authority — together they prevent configuration drift and split-brain"},{"node":"node-config-immutable-delivery-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["rhcos-immutable-update-model","image-mirror-configuration-pipeline"],"label":"Both OS updates and registry configuration use the same MCO-mediated immutable delivery pattern"},{"node":"rhcos-immutable-update-model","truth_value":"IN","reason":"SL justification valid","antecedents":["rhcos-nodes-immutable","rhcos-rpm-ostree-updates","image-layering-verify-rpm-ostree-status"],"label":"Three facets of the same immutable-OS operational model"},{"node":"rhcos-nodes-immutable","truth_value":"IN","reason":"premise"},{"node":"rhcos-rpm-ostree-updates","truth_value":"IN","reason":"premise"},{"node":"image-layering-verify-rpm-ostree-status","truth_value":"IN","reason":"premise"},{"node":"image-mirror-configuration-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["oc-mirror-generates-idms","mirror-config-applied-via-mco-registries-conf","icsp-deprecated-in-favor-of-idms"],"label":"End-to-end mirror configuration from generation to node application"},{"node":"oc-mirror-generates-idms","truth_value":"IN","reason":"premise"},{"node":"mirror-config-applied-via-mco-registries-conf","truth_value":"IN","reason":"premise"},{"node":"icsp-deprecated-in-favor-of-idms","truth_value":"IN","reason":"premise"},{"node":"singleton-resource-naming-convention","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-config-singleton-named-cluster","flowcollector-must-be-named-cluster","clusterautoscaler-singleton-named-default","storage-operator-singleton-named-cluster","powermonitor-must-be-named-power-monitor"],"label":"A recurring platform pattern worth capturing as a cross-cutting architectural constraint"},{"node":"oauth-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"flowcollector-must-be-named-cluster","truth_value":"IN","reason":"premise"},{"node":"clusterautoscaler-singleton-named-default","truth_value":"IN","reason":"premise"},{"node":"storage-operator-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"powermonitor-must-be-named-power-monitor","truth_value":"IN","reason":"premise"},{"node":"mco-rollout-process","truth_value":"IN","reason":"premise"},{"node":"operator-delivery-through-console-integration","truth_value":"IN","reason":"SL justification valid","antecedents":["operator-catalog-to-deployment-pipeline","console-plugin-integration-model"],"label":"OLM is the shared dependency — it drives both operator deployment and console plugin registration, revealing OLM as the universal operator delivery bus"},{"node":"operator-catalog-to-deployment-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-modernizes-operator-catalog-format","olm-full-lifecycle-chain"],"label":"FBC defines the catalog format; OLM defines the installation chain — together they form the complete operator delivery pipeline"},{"node":"fbc-modernizes-operator-catalog-format","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-default-since-ocp-411-sqlite-deprecated","opm-validate-checks-catalog","fbc-skiprange-prunes-update-graph"],"label":"FBC as the complete modern catalog toolchain"},{"node":"fbc-default-since-ocp-411-sqlite-deprecated","truth_value":"IN","reason":"premise"},{"node":"opm-validate-checks-catalog","truth_value":"IN","reason":"premise"},{"node":"fbc-skiprange-prunes-update-graph","truth_value":"IN","reason":"premise"},{"node":"olm-full-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-resource-chain","olm-subscription-tracks-channel","subscription-triggers-installplan-then-csv","installplan-required-spec-fields"],"label":"End-to-end OLM lifecycle with each resource's role clarified"},{"node":"olm-resource-chain","truth_value":"IN","reason":"premise"},{"node":"olm-subscription-tracks-channel","truth_value":"IN","reason":"premise"},{"node":"subscription-triggers-installplan-then-csv","truth_value":"IN","reason":"premise"},{"node":"installplan-required-spec-fields","truth_value":"IN","reason":"premise"},{"node":"console-plugin-integration-model","truth_value":"IN","reason":"SL justification valid","antecedents":["consoleplugin-backend-must-use-https","console-plugins-registered-via-olm","console-config-singleton-named-cluster","consoleplugin-compat-level-1"],"label":"Console plugin architecture with security, registration, and stability guarantees"},{"node":"consoleplugin-backend-must-use-https","truth_value":"IN","reason":"premise"},{"node":"console-plugins-registered-via-olm","truth_value":"IN","reason":"premise"},{"node":"console-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"consoleplugin-compat-level-1","truth_value":"IN","reason":"premise"}]}}