Pause and Unpause MCP Rollouts
Temporarily pause MachineConfigPool rollouts to batch multiple MachineConfig changes or coordinate with maintenance windows. Unpause to resume node updates.
π‘ Quick Answer:
oc patch mcp worker --type merge -p '{"spec":{"paused":true}}'stops the MCO from draining/rebooting nodes. Apply multiple MachineConfigs while paused, then unpause to roll out all changes in a single reboot per node.
The Problem
Each MachineConfig change triggers a rolling reboot across all nodes in the MCP. If you need to apply 3 changes (chrony, sysctl, registries), thatβs 3 separate rounds of drain-reboot-uncordon per node. You want to batch them into one round.
The Solution
Pause the MCP
oc patch mcp worker --type merge -p '{"spec":{"paused":true}}'
# Verify
oc get mcp worker -o jsonpath='{.spec.paused}'
# trueApply Multiple Changes While Paused
# Change 1: NTP servers
oc apply -f 99-worker-chrony.yaml
# Change 2: Kernel parameters
oc apply -f 99-worker-sysctl.yaml
# Change 3: Registry mirrors
oc apply -f 99-worker-registries.yaml
# MCO renders a new config but does NOT start rolling it out
oc get mcp worker
# UPDATED=False, UPDATING=False (paused!)Unpause to Start Rollout
# All 3 changes will be applied in ONE reboot per node
oc patch mcp worker --type merge -p '{"spec":{"paused":false}}'
# Monitor
watch oc get mcp workerVerify All Changes Applied
# After rollout completes
oc debug node/worker-1 -- chroot /host bash -c '
echo "=== Chrony ==="
chronyc sources | head -5
echo ""
echo "=== Sysctl ==="
sysctl net.core.somaxconn vm.max_map_count
echo ""
echo "=== Registries ==="
head -20 /etc/containers/registries.conf
'Common Issues
Paused Too Long β Forgot to Unpause
Nodes accumulate config drift. The longer you wait, the bigger the change set:
# Check if any MCP is paused
oc get mcp -o custom-columns='NAME:.metadata.name,PAUSED:.spec.paused'Pausing Doesnβt Stop In-Progress Updates
If a node is already being drained when you pause, that node finishes. Pause only prevents the NEXT node from starting.
Security Patches Delayed
Paused MCPs donβt receive security-related MachineConfig changes until unpaused. Donβt leave MCPs paused for extended periods.
Best Practices
- Pause before batching changes β one reboot instead of many
- Unpause within the same maintenance window β donβt leave paused overnight
- Monitor for drift β paused MCPs show
UPDATED=Falsewhich may trigger alerts - Coordinate with ITMS changes β pause, sync mirrors, apply ITMS, unpause
- Document when and why you paused β helps the next operator
Key Takeaways
- Pausing batches multiple MachineConfig changes into one rollout
- MCO renders the combined config but waits to roll out until unpaused
- One reboot per node applies ALL queued changes β much faster than sequential
- Donβt leave MCPs paused indefinitely β security patches wonβt apply
- Useful before ITMS changes: pause β sync mirrors β apply ITMS β verify β unpause
Recommended
Kubernetes Recipes β The Complete Book100+ production-ready patterns with detailed explanations, best practices, and copy-paste YAML. Everything in one place.
Get the Book βLearn by Doing
CopyPasteLearn β Hands-on Cloud & DevOps CoursesMaster Kubernetes, Ansible, Terraform, and MLOps with interactive, copy-paste-run lessons. Start free.
Browse Courses β
π Deepen Your Skills β Hands-on Courses
Courses by CopyPasteLearn.com β Learn IT by Doing
Want More Kubernetes Recipes?
This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.