Abstract
Red Hat OpenShift Container Platform provides developers and IT organizations with a hybrid cloud application platform for deploying both new and existing applications on secure, scalable resources with minimal configuration and management overhead. OpenShift Container Platform supports a wide selection of programming languages and frameworks, such as Java, JavaScript, Python, Ruby, and PHP.
Built on Red Hat Enterprise Linux and Kubernetes, OpenShift Container Platform provides a more secure and scalable multi-tenant operating system for today’s enterprise-class applications, while delivering integrated application runtimes and libraries. OpenShift Container Platform enables organizations to meet security, privacy, compliance, and governance requirements.
Red Hat OpenShift Container Platform (RHBA-2020:4196) is now available. This release uses Kubernetes 1.19 with CRI-O runtime. New features, changes, and known issues that pertain to OpenShift Container Platform 4.6 are included in this topic.
Red Hat did not publicly release OpenShift Container Platform 4.6.0 as the GA version and, instead, is releasing OpenShift Container Platform 4.6.1 as the GA version.
OpenShift Container Platform 4.6 clusters are available at https://cloud.redhat.com/openshift. The Red Hat OpenShift Cluster Manager application for OpenShift Container Platform allows you to deploy OpenShift clusters to either on-premise or cloud environments.
OpenShift Container Platform 4.6 is supported on Red Hat Enterprise Linux 7.7 or later, as well as Red Hat Enterprise Linux CoreOS (RHCOS) 4.6.
You must use RHCOS for the control plane, which are also known as master machines, and can use either RHCOS or Red Hat Enterprise Linux 7.7 or later for compute machines, which are also known as worker machines.
Because only Red Hat Enterprise Linux version 7.7 or later is supported for compute machines, you must not upgrade the Red Hat Enterprise Linux compute machines to version 8.
OpenShift Container Platform 4.6 is an Extended Update Support (EUS) release. More information on Red Hat OpenShift EUS is available in OpenShift Life Cycle and OpenShift EUS Overview.
With the release of OpenShift Container Platform 4.6, version 4.3 is now end of life. For more information, see the Red Hat OpenShift Container Platform Life Cycle Policy.
This release adds improvements related to the following components and concepts.
The PXE media and ISO available for RHCOS are now a fully live environment. Unlike the previous dedicated PXE media and ISO used for RHCOS installation for OpenShift Container Platform clusters on user-provisioned infrastructure, the RHCOS live environment can be configured with Ignition and contains all the same packages as the main RHCOS image, such as coreos-installer, nmcli, and podman. This allows arbitrary scripting of pre- or post-installation workflows. For example, you could run coreos-installer and then make an HTTP request to signal success to a provisioning server. PXE boots use the normal ignition.config.url. The ISO can be configured with Ignition by using the following command:
$ coreos-installer iso ignition embed
coreos-installer has been rewritten
The coreos-installer is now rewritten to support more features, including the coreos-installer iso ignition command.
RHCOS now uses Ignition spec v3 as the only supported spec version of Ignition. This allows for more complex disk configuration support in the future.
The change should be mostly transparent for those using installer-provisioned infrastructure. For user-provisioned infrastructure installations, you must adapt any custom Ignition configurations to use Ignition spec 3. The openshift-install program now generates Ignition spec 3.
If you are creating Machine Configs for day 1 or day 2 operations that use Ignition snippets, they should be created using Ignition spec v3. However, the Machine Config Operator (MCO) still supports Ignition spec v2.
Because of the changes to the Ignition specification, if you want to add more nodes to your OpenShift Container Platform cluster by using the latest version of RHCOS boot media, you might need to manually modify your Ignition configuration as part of the process.
RHCOS and the MCO now support the following extensions to the default RHCOS installation.
kernel-devel
usbguard
RHCOS now supports installing to disks that use 4K sector sizes.
/var partitions now supported
RHCOS now supports /var being a separate partition, as well as any other subdirectory of /var.
You can now override default Dynamic Host Configuration Protocol (DHCP) networking in vSphere. This requires setting the static IP configuration and then setting a guestinfo property before booting a VM from an OVA in vSphere.
Set your static IP:
$ export IPCFG="ip=<ip>::<gateway>:<netmask>:<hostname>:<iface>:none nameserver=srv1 [nameserver=srv2 [nameserver=srv3 [...]]]"
Example command
$ export IPCFG="ip=192.168.100.101::192.168.100.254:255.255.255.0:::none nameserver=8.8.8.8"
Set the guestinfo.afterburn.initrd.network-kargs property before booting a VM from an OVA in vSphere:
$ govc vm.change -vm "<vm_name>" -e "guestinfo.afterburn.initrd.network-kargs=${IPCFG}"
This lowers the barrier for automatic Red Hat Enterprise Linux CoreOS (RHCOS) deployment in environments without DHCP. This enhancement allows for higher-level automation to provision an RHCOS OVA in environments with static networking.
For more information, see BZ#1785122.
You can now install a cluster on Amazon Web Services (AWS) into a GovCloud region. AWS GovCloud is designed for US government agencies, contractors, educational institutions, and other US customers that must run sensitive workloads.
Because GovCloud regions do not have RHCOS AMIs published by Red Hat, you must upload a custom AMI that belongs to that region.
For more information, see Installing a cluster on AWS into a government region.
You can now define a serviceEndpoints field in the install-config.yaml file, which lets you specify a list of custom endpoints to override the default service endpoints on AWS.
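For example, a custom endpoint list might look like the following install-config.yaml sketch; the region and endpoint URLs shown are illustrative placeholders, not required values:
platform:
  aws:
    region: us-gov-west-1
    serviceEndpoints:
    - name: ec2
      url: https://ec2.us-gov-west-1.amazonaws.com
    - name: s3
      url: https://s3.us-gov-west-1.amazonaws.com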
You can now install a cluster on Azure into a Microsoft Azure Government (MAG) region. Microsoft Azure Government (MAG) is designed for US government agencies and their partners that must run sensitive workloads.
For more information, see Installing a cluster on Azure into a government region.
You can now choose your own outbound routing for a cluster running on Azure to connect to the internet. This allows you to skip the creation of public IP addresses and public load balancers.
For more information, see User-defined outbound routing.
You can now deploy a cluster to VMware vSphere version 7.0. See VMware vSphere infrastructure requirements for more information.
OpenShift Container Platform 4.6 introduces support for installing a cluster on bare metal using installer-provisioned infrastructure.
For more information, see Installing a cluster on bare metal.
There is now a new credentialsMode field in the install-config.yaml file that defines how `CredentialsRequest`s are handled for OpenShift Container Platform components requiring cloud API access on AWS, Azure, and GCP. There are three new modes that can be configured: Mint, Passthrough, and Manual.
Azure and GCP do not support the Manual mode configuration by using the install-config.yaml file due to a known issue found in BZ#1884691.
If the credentialsMode field is set to any of the three modes, the installation program does not check the credential for proper permissions prior to installing OpenShift Container Platform. This is useful for when the supplied user credentials cannot be properly validated due to limitations in the cloud policy simulator.
For more information on these modes, see Cloud Credential Operator.
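As an illustration, the mode is set with a single top-level field in install-config.yaml. This minimal sketch assumes an AWS cluster and shows only the relevant lines; the domain and region are placeholders:
apiVersion: v1
baseDomain: example.com
credentialsMode: Mint
platform:
  aws:
    region: us-east-1
...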
You can now configure the disk type and size on control plane and compute nodes for clusters running on Azure and GCP. This can be specified in the install-config.yaml file with the following fields:
osDisk.diskSizeGB
osDisk.diskType
For example:
...
compute:
...
  platform:
  - osDisk:
      diskSizeGB: 120
      diskType: pd-standard
  replicas: 3
controlPlane:
...
  platform:
  - osDisk:
      diskSizeGB: 120
      diskType: pd-ssd
...
The minimum disk size requirement for control plane nodes for Azure installations has increased from 512 GB to 1024 GB.
Starting in OpenShift Container Platform 4.6, the Red Hat-provided default catalogs used by Operator Lifecycle Manager (OLM) and OperatorHub are now shipped as index images specific to the minor version of OpenShift Container Platform. Cluster administrators must ensure all Operators previously installed through OLM are updated to their latest versions in their latest channels before upgrading to OpenShift Container Platform 4.6.
See Default Operator catalogs now shipped per cluster version for more details and important Operator upgrade prerequisites.
OpenShift Container Platform now supports deployment without a provisioning network and deployment with Redfish Virtual Media.
See Setting up the environment for an OpenShift installation for more information.
Deployment now supports root device hints.
Deployment now performs introspection on nodes to ensure that nodes meet installation requirements instead of generating errors if they do not.
You can now select Red Hat OpenStack Platform (RHOSP) Compute (Nova) availability zones while installing a cluster on RHOSP.
For more information, see the OpenShift Container Platform on RHOSP installation documentation.
You no longer need floating IP addresses to complete an OpenShift Container Platform installation on RHOSP.
For more information, see the OpenShift Container Platform on RHOSP installation documentation.
Previously, when you used infrastructure that the installation program creates to deploy a bare metal cluster, you could not specify which disk to deploy RHCOS on. Now, you can select the disk to install RHCOS on, and rootDeviceHints provide guidance about selecting the target disk. (BZ#1805237)
M5 instances are now preferred for IPI and UPI installations on AWS. Thus, new clusters that are deployed on AWS now use M5 instances by default. If an M5 instance is not available, the installer uses an M4 instance. (BZ#1710981)
With this release, IBM Z and LinuxONE is now compatible with OpenShift Container Platform 4.6. See Installing a cluster on IBM Z and LinuxONE for installation instructions.
Note the following restrictions for OpenShift Container Platform on IBM Z and LinuxONE:
OpenShift Container Platform for IBM Z does not include the following Technology Preview features:
The following OpenShift Container Platform features are unsupported:
These features are available only for OpenShift Container Platform on IBM Z for 4.6:
With this release, the following features are supported on IBM Z and LinuxONE:
With this release, IBM Power Systems are now compatible with OpenShift Container Platform 4.6. See Installing a cluster on IBM Power Systems or Installing a cluster on IBM Power Systems in a restricted network.
Note the following restrictions for OpenShift Container Platform on IBM Power Systems:
OpenShift Container Platform for IBM Power Systems does not include the following Technology Preview features:
The following OpenShift Container Platform features are unsupported:
Filesystem mode using local volumes, Network File System (NFS), OpenStack Cinder, or Container Storage Interface (CSI).
Currently, four Operators are supported:
OpenShift Container Platform version 4.6 requires RHV version 4.4.2 or later.
If you are running OpenShift Container Platform version 4.5 on RHV version 4.3, upgrade RHV to version 4.4.2 or later before updating OpenShift Container Platform to version 4.6.
Reboot-based remediation of failed control plane nodes is now possible. The labels and annotations of those nodes are preserved when using the reboot-based remediation method.
The Compliance Operator is now available. This feature allows the use of OpenSCAP tools to check that a deployment complies with security standards and provides remediation options. See Understanding the Compliance Operator for more information.
You can now configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set. You can configure the timeout for the internal OAuth server and for OAuth clients.
See Configuring token inactivity timeout for the internal OAuth server and Configuring token inactivity timeout for an OAuth client for more information.
OAuth access token and OAuth authorize token object names are now stored as non-sensitive object names.
Previously, secret information was used as the OAuth access token and OAuth authorize token object names. When etcd is encrypted, only the value is encrypted, so this sensitive information was not encrypted.
If you are upgrading your cluster to OpenShift Container Platform 4.6, old tokens from OpenShift Container Platform 4.5 will still have the secret information exposed in the object name. By default, the expiration for tokens is 24 hours, but this setting can be changed by administrators. Sensitive data can still be exposed until all old tokens have either expired or have been deleted by an administrator.
The File Integrity Operator, an OpenShift Container Platform Operator that continually runs file integrity checks on the cluster nodes, is now available. It deploys a daemon set that initializes and runs privileged advanced intrusion detection environment (AIDE) containers on each node, providing a status object with a log of files that are modified during the initial run of the daemon set Pods.
The cluster-backup.sh and cluster-restore.sh scripts were updated to provide better feedback, so that users can better understand why a restore has failed.
The Machine API now supports multiple block device mappings for machines running on AWS. If more than one block device is given, you can now store logs, data in empty directory pods, and docker images in block devices that are separate from the root device on a machine.
providerSpec
Defaults and validation are now enabled on a particular cloud provider API before input from the providerSpec is persisted to etcd. Validation is run against machines and MachineSets when they are created. Feedback is returned when the configuration is known to prevent machines from being created by the cloud provider. For example, a MachineSet is rejected if location information is required but is not provided.
MachineSets running on Azure now support Spot VMs. You can create a MachineSet that deploys machines as Spot VMs to save on costs compared to standard VM prices. For more information, see MachineSets that deploy machines as Spot VMs.
Configure Spot VMs by adding spotVMOptions under the providerSpec field in the MachineSet YAML file:
providerSpec:
  value:
    spotVMOptions: {}
MachineSets running on GCP now support preemptible VM instances. You can create a MachineSet that deploys machines as preemptible VM instances to save on costs compared to normal instance prices. For more information, see MachineSets that deploy machines as preemptible VM instances.
Configure preemptible VM instances by adding preemptible under the providerSpec field in the MachineSet YAML file:
providerSpec:
  value:
    preemptible: true
When administrators install Operators with OperatorHub, they now get immediate feedback to ensure that the Operator is installing properly.
You can now see the schema grouping of specDescriptor fields and the status of your Operands on the operand's details view, so that you can easily see the status and configure the spec of the operand instance.
Previously, when viewing a cluster Operator, it was not clear what resources the Operator was associated with. When troubleshooting a cluster Operator, it could be challenging to locate the logs for all the resources that the Operator managed, which might be needed for troubleshooting. Now, with OpenShift Container Platform 4.6, you can expose a list of related objects of a cluster Operator and easily review one of the related objects’ details or YAML code for troubleshooting.
Some resources are managed by an Operator, such as a deployment, route, service, or ConfigMap. Users are discouraged from editing these resources. Instead, users should edit the custom resources for the Operator and its operand, and expect the Operator to update its related resources. With this update:
k8sResourcePrefix specDescriptor supports CRD instance
Operator authors, maintainers, and providers can now specify the k8sResourcePrefix specDescriptor with Group/Version/Kind for assigning a CRD resource type besides Kubernetes core API.
For more information, see OLM Descriptor Reference.
A Manage columns icon is now added to some resources pages, for example the Pods page. When you click the icon, default column names are listed with check boxes on the left side of the modal and additional column names are listed on the right. Deselecting a check box removes that column from the table view, and selecting a check box adds it. A maximum combination of nine columns from both sides of the modal is available for display at one time. Clicking Save saves the changes that you make. Clicking Restore Default Columns restores the default settings of the columns.
The Knative eventing workflow was enhanced:
Updated guidance around cluster maximums for OpenShift Container Platform 4.6 is now available.
Use the OpenShift Container Platform Limit Calculator to estimate cluster limits for your environment.
Partial Tuned real-time profile support became available in OpenShift Container Platform 4.4. Now, the real-time profiles are fully compatible with the real-time profiles in Tuned on Red Hat Enterprise Linux (RHEL).
The Performance Addon Operator helps the administrator with tuning worker nodes for low latency and real-time workloads. It takes a high-level tuning intent in the form of a PerformanceProfile custom resource and translates it into all the actions necessary to configure the Linux kernel, operating system, huge pages, and kubelet for low latency purposes.
In addition to the features provided in the previous pre-releases, this version includes the following:
oc set probe command has been extended
The oc set probe command was extended to support setting startup probes.
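For example, assuming the new option follows the existing --liveness and --readiness pattern as a --startup flag, a startup probe could be added to a deployment as in this sketch (the deployment name and URL are illustrative):
$ oc set probe deployment/myapp --startup --get-url=http://:8080/healthz --initial-delay-seconds=30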
oc adm upgrade command now mentions upgradeable condition
The oc adm upgrade command now mentions any Upgradeable=False conditions, so that administrators are aware that a particular update might be rejected due to an Upgradeable=False condition.
The OVN-Kubernetes cluster networking provider is now GA. The networking provider is implemented as a Kubernetes Container Network Interface (CNI) plug-in. For more information, including details on feature parity with OpenShift SDN, refer to About the OVN-Kubernetes Container Network Interface (CNI) network provider.
For this release, OpenShift SDN remains the default cluster networking provider.
OVN-Kubernetes is not supported on Red Hat Enterprise Linux (RHEL) 7.8 at OpenShift Container Platform 4.6 GA.
The node service port range is expandable beyond the default range of 30000-32767. You can use this expanded range in your Service objects. For more information, refer to Configuring the node port service range.
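For example, the range can be widened by patching the cluster Network configuration; the exact range shown here is only illustrative:
$ oc patch network.config.openshift.io cluster --type=merge \
    -p '{"spec":{"serviceNodePortRange":"30000-33000"}}'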
The Single Root I/O Virtualization (SR-IOV) Network Operator now supports InfiniBand (IB) network devices. For more information on configuring an IB network device for your cluster, refer to Configuring an SR-IOV InfiniBand network attachment.
To better support large deployments, the default DHCP range for the provisioning network is increased to include the remainder of the subnet in this release. Users who would like to use less of the subnet for DHCP can still configure it to their needs. (BZ#1841135)
Operators can now configure PodNetworkConnectivityCheck resources to check each network connection from the Pods that are managed by the Operator. This allows you to more easily identify and troubleshoot issues with important network connections in your cluster.
This resource keeps track of the latest reachable condition, the last 10 successes, the last 10 failures, and details about detected outages. The results are also logged and events are created when outages are detected and resolved.
By default, the following network connections are checked:
Between the Kubernetes API server and:
Between the OpenShift API server and:
Secondary devices, or interfaces, are used for different purposes. It is important to have a way to classify them so that you can aggregate the metrics for secondary devices with the same classification.
The kubelet is already publishing a set of network-observable related metrics. The labels in these metrics contain, among others:
This works well until new interfaces are added to the Pod, for example via Multus, because it is not clear what the interface names refer to. The interface label refers to the interface name, but it is not clear what that interface is meant for. In the case of many different interfaces, it would be impossible to understand which network the metrics you are monitoring refer to. This is addressed by introducing the new pod_network_name_info metric, which can be used to build queries containing both the values exposed by the kubelet and the name of the network attachment definition the metric relates to, which identifies the type of network.
See Associating secondary interfaces metrics to network attachments for more information.
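As a sketch, a query along the following lines joins a kubelet network metric with pod_network_name_info so that the network attachment definition name appears on the result; the label set is assumed to match the metrics described above:
(sum(container_network_receive_bytes_total) by (interface, pod, namespace))
  + on(pod, namespace, interface) group_left(network_name)
  (pod_network_name_info)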
There is an optional mode where the Cloud-native Network Functions (CNF) tests try to look for configurations on the cluster instead of applying the new ones. The CNF tests image is a containerized version of the CNF conformance test suite. It is intended to be run against a CNF-enabled OpenShift Container Platform cluster where all the components required for running CNF workloads are installed.
The tests must perform an environment configuration every time they are executed. This involves items such as creating SR-IOV Node Policies, Performance Profiles, or PtpProfiles. Allowing the tests to configure an already configured cluster might affect the functionality of the cluster. Also, changes to configuration items such as SR-IOV Node Policy might result in the environment being temporarily unavailable until the configuration change is processed.
Discovery mode validates the functionality of a cluster without altering its configuration. Existing environment configurations are used for the tests. The tests attempt to find the configuration items needed and use those items to execute the tests. If resources needed to run a specific test are not found, the test is skipped, providing an appropriate message to the user. After the tests are finished, no cleanup of the pre-configured configuration items is done, and the test environment can be used immediately for another test run.
Ingress in OpenShift Container Platform 4.6 now uses HAProxy version 2.0.16.
Control over X-Forwarded headers is now possible by setting the forwardedHeaderPolicy parameter.
Application and configuration of X-Forwarded headers on a per-route basis is now supported with the introduction of the haproxy.router.openshift.io/set-forwarded-headers route annotation.
See Using X-Forwarded headers for more information.
Modifying route paths for incoming requests is now supported with the haproxy.router.openshift.io/rewrite-target annotation.
See Route configuration for more information.
Termination policies can now be defined by using the route.openshift.io/termination annotation for Ingress objects.
See Creating a route through an Ingress object for more information.
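For instance, a minimal Ingress object using this annotation might look like the following sketch; the host, service name, and port are placeholders:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend
  annotations:
    route.openshift.io/termination: "reencrypt"
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 443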
Configuration of an Ingress Controller Network Load Balancer (NLB) for new and existing AWS clusters is now supported.
See Configuring ingress cluster traffic on AWS using a Network Load Balancer for more information.
AWS Route53 endpoint configuration is now supported on the Ingress Operator.
See Ingress Operator endpoint configuration for AWS Route53 for more information.
The Container Storage Interface (CSI) Driver Operators and drivers for AWS Elastic Block Store (EBS), Red Hat Virtualization (oVirt), and OpenStack Manila shared file system service are now managed by the Cluster Storage Operator in OpenShift Container Platform.
For AWS EBS and oVirt, this feature installs the CSI Driver Operator and driver in the openshift-cluster-csi-drivers namespace by default. For Manila, the CSI Driver Operator is installed in openshift-cluster-csi-drivers and the driver is installed in the openshift-manila-csi-driver namespace.
If you installed a CSI Driver Operator and driver on an OpenShift Container Platform 4.5 cluster:
The Local Storage Operator now has the ability to:
For more information, see Automating discovery and provisioning for local storage devices.
The image pruner now tolerates invalid image references by default on new installations of OpenShift Container Platform, which allows pruning to continue even if it finds invalid images.
Cluster administrators can now configure logLevel in the Pruning Custom Resource to debug logs.
The image registry can now be set up and configured for Azure Government.
See Configuring registry storage for Azure Government for more information.
Cluster administrators can now configure logLevel in the Image Registry Operator to debug logs. The supported values for logLevel are:
Normal
Debug
Trace
TraceAll
Example Image Registry Operator YAML file
spec:
  logLevel: Normal
  operatorLogLevel: Normal
spec.storage.managementState
The Image Registry Operator now sets the spec.storage.managementState parameter to Managed on new installations or upgrades of clusters using installer-provisioned infrastructure on AWS or Azure.
Managed: Determines that the Image Registry Operator manages underlying storage. If the Image Registry Operator's managementState is set to Removed, then the storage is deleted. If the managementState is set to Managed, the Image Registry Operator attempts to apply some default configuration on the underlying storage unit. For example, if set to Managed, the Operator tries to enable encryption on the S3 bucket before making it available to the registry. If you do not want the default settings to be applied on the storage you are providing, make sure the managementState is set to Unmanaged.
Unmanaged: Determines that the Image Registry Operator ignores the storage settings. If the Image Registry Operator's managementState is set to Removed, then the storage is not deleted. If you provided an underlying storage unit configuration, such as a bucket or container name, and the spec.storage.managementState is not yet set to any value, then the Image Registry Operator configures it to Unmanaged.
Operator developers can now ensure their Operators include dependencies on specific versions of other Operators by using the olm.package type in the dependencies.yaml file.
See Operator Lifecycle Manager dependency resolution for more information.
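For example, a dependencies.yaml that pins a dependency to a version range might look like this sketch; the package name and version range are illustrative:
dependencies:
- type: olm.package
  value:
    packageName: prometheus
    version: ">0.27.0"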
The Operator Bundle Format now supports the following additional Kubernetes objects:
See Operator Framework packaging formats for more information.
opm
Operator administrators can now select which bundle images to mirror by using the opm index prune command.
See Pruning an index image for more information.
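A sketch of the command shape, with placeholder target registry and illustrative package names:
$ opm index prune \
    -f registry.redhat.io/redhat/redhat-operator-index:v4.6 \
    -p advanced-cluster-management,jaeger-product \
    -t <target_registry>:<port>/<namespace>/redhat-operator-index:v4.6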
Operator developers can now use conversion webhooks for Operators that target all namespaces, also known as global Operators.
See Defining webhooks for more information.
The Operator API introduced in OpenShift Container Platform 4.5 as a Technology Preview feature is now supported and enabled by default. Installing Operators using Operator Lifecycle Manager (OLM) has required cluster administrators to be aware of multiple APIs, including CatalogSources, Subscriptions, ClusterServiceVersions, and InstallPlans. This single Operator API resource is a first step towards a more simplified experience of discovering and managing the lifecycle of Operators in an OpenShift Container Platform cluster.
Relevant resources are now automatically labeled accordingly for the new Operator API for any Operators where the CSV is installed using a Subscription. Cluster administrators can use the CLI with this single API to interact with installed Operators. For example:
$ oc get operators
$ oc describe operator <operator_name>
If you enabled the Technology Preview feature version of the Operator API in OpenShift Container Platform 4.5, you must disable it before upgrading to OpenShift Container Platform 4.6. Failure to do so blocks your cluster upgrade, because the feature required a Cluster Version Operator (CVO) override.
Prerequisites
Procedure
Because Operator API labels are applied to relevant resources automatically in OpenShift Container Platform 4.6, you must remove any operators.coreos.com/<name> labels you previously applied manually.
You can check which resources are currently labeled for your Operator by running the following command and reviewing the status.components.refs section:
$ oc describe operator <operator_name>
For example:
$ oc describe operator etcd-test
Example output
...
Status:
  Components:
    Label Selector:
      Match Expressions:
        Key:       operators.coreos.com/etcd-test
        Operator:  Exists
    Refs:
      API Version:  apiextensions.k8s.io/v1
      Conditions:
        Last Transition Time:  2020-07-02T05:50:40Z
        Message:               no conflicts found
        Reason:                NoConflicts
        Status:                True
        Type:                  NamesAccepted
        Last Transition Time:  2020-07-02T05:50:41Z
        Message:               the initial names have been accepted
        Reason:                InitialNamesAccepted
        Status:                True
        Type:                  Established
      Kind:                    CustomResourceDefinition 1
      Name:                    etcdclusters.etcd.database.coreos.com 2
...
Remove the labels from all relevant resources. For example:
$ oc label sub etcd operators.coreos.com/etcd-test- -n test-project
$ oc label ip install-6c5mr operators.coreos.com/etcd-test- -n test-project
$ oc label csv etcdoperator.v0.9.4 operators.coreos.com/etcd-test- -n test-project
$ oc label crd etcdclusters.etcd.database.coreos.com operators.coreos.com/etcd-test-
$ oc label crd etcdbackups.etcd.database.coreos.com operators.coreos.com/etcd-test-
$ oc label crd etcdrestores.etcd.database.coreos.com operators.coreos.com/etcd-test-
Delete the Operator custom resource definition (CRD):
$ oc delete crd operators.operators.coreos.com
Remove the OperatorLifecycleManagerV2=true feature gate from the OLM Operator.
Edit the Deployment for the OLM Operator:
$ oc -n openshift-operator-lifecycle-manager \
    edit deployment olm-operator
Remove the following flags from the args section in the Deployment:
...
spec:
  containers:
  - args:
    ...
    - --feature-gates 1
    - OperatorLifecycleManagerV2=true 2
Re-enable CVO management of OLM:
$ oc patch clusterversion version \
    --type=merge -p \
    '{
       "spec":{
          "overrides":[
             {
                "kind":"Deployment",
                "name":"olm-operator",
                "namespace":"openshift-operator-lifecycle-manager",
                "unmanaged":false,
                "group":"apps/v1"
             }
          ]
       }
    }'
Verify that the Operator resource is no longer available:
$ oc get operators
Example output
error: the server doesn't have a resource type "operators"
Your upgrade to OpenShift Container Platform 4.6 should now no longer be blocked by this feature.
The Node Maintenance Operator now validates maintenance requests for master nodes, preventing master (etcd) quorum violation. As a result, master nodes can only be set into maintenance if the etcd-quorum-guard pod disruption budget (PDB) allows it. (BZ#1826914)
Users can now set log levels separately for the Image Registry Operator and operand. (BZ#1808118)
Builds now support Git clones behind an HTTPS proxy.
In addition to the existing default mode of operation, the Cloud Credential Operator (CCO) can now be explicitly configured to operate in the following modes: Mint, Passthrough, and Manual. This feature provides transparency and flexibility in how the CCO uses cloud credentials to process CredentialsRequests in the cluster for installation and other tasks.
Imagestreams and templates for Power and Z architectures are now available and installed by the Cluster Samples Operator by default.
If samples do not import, the Cluster Samples Operator now notifies you with an alert instead of moving to a degraded status.
See Using Cluster Samples Operator imagestreams with alternate or mirrored registries for more information.
You can now set a retention period on a metering Report. The metering Report custom resource has a new expiration field. If the expiration duration value is set on a Report, and no other Reports or ReportQueries depend on the expiring Report, the Metering Operator removes the Report from your cluster at the end of its retention period. For more information, see metering Reports expiration.
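As an illustrative sketch, the retention period is a duration string on the Report spec; the report name, query, and period below are placeholders and assume the metering.openshift.io/v1 Report API:
apiVersion: metering.openshift.io/v1
kind: Report
metadata:
  name: namespace-cpu-usage-hourly
  namespace: openshift-metering
spec:
  query: namespace-cpu-usage
  schedule:
    period: hourly
  expiration: 30m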
You can now control the amount of information that is logged to the node audit logs by choosing the audit log policy profile to use.
See Configuring the node audit log policy for more information.
You can now configure pod topology spread constraints for more fine-grained control over the placement of your pods across nodes, zones, regions, or other user-defined topology domains. This can help you improve high availability and resource utilization.
See Controlling pod placement by using pod topology spread constraints for more information.
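For example, a pod can ask the scheduler to spread replicas evenly across zones with a constraint such as the following sketch; the labels and image are placeholders:
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  labels:
    app: example
spec:
  topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: DoNotSchedule
    labelSelector:
      matchLabels:
        app: example
  containers:
  - name: app
    image: registry.example.com/example-app:latest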
The descheduler now allows you to configure the PodLifeTime strategy. This strategy evicts pods after they reach a certain, configurable age.
See Descheduler strategies for more information.
You can now configure whether descheduler strategies should consider pods for eviction based on their namespace and priority.
See Filtering pods by namespace and Filtering pods by priority for more information.
RemoveDuplicates descheduler strategy (Technology Preview)
The RemoveDuplicates strategy now provides an optional parameter, ExcludeOwnerKinds, that allows you to specify a list of Kind types. If a pod has any of these types listed as an OwnerRef, that pod is not considered for eviction.
See Descheduler strategies for more information.
The oc adm catalog mirror command generates an ImageContentSourcePolicy (ICSP) that maps the original container image repository to a new location where it will be mirrored, typically inside a disconnected environment. When a new or modified ICSP is applied to a cluster, it is converted to a config file for CRI-O and placed onto each node. The process of placing the config file on a node includes rebooting that node.
This enhancement adds the --icsp-scope flag to oc adm catalog mirror. Scopes can be registry or repository. By default, the oc adm catalog mirror command generates an ICSP where each entry is specific to a repository. For example, it would map registry.redhat.io/cloud/test-db to mirror.internal.customer.com/cloud/test-db. Widening the mirror to registry scope in the ICSP file minimizes the number of times the cluster must reboot its nodes. Using the same example, registry.redhat.io would map to mirror.internal.customer.com.
Having a widely scoped ICSP reduces the number of times the ICSP might need to change in the future and, thus, reduces the number of times a cluster must reboot all of its nodes.
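For example, a registry-scoped mirror run might look like the following sketch, with placeholder index image and mirror registry names:
$ oc adm catalog mirror \
    <index_image> \
    <mirror_registry> \
    --icsp-scope=registry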
The Log Forwarding API is now generally available. The Log Forwarding API allows you to send container, infrastructure, and audit logs to specific endpoints within and outside your cluster by configuring a custom resource with the endpoints to forward the logs. The Log Forwarding API now supports forwarding to Kafka brokers and supports syslog RFC 3164 and RFC 5424, including TLS. You can also forward application logs from specific projects to an endpoint.
With the GA, the Log Forwarding API has a number of changes, including changes to parameter names in the Log Forwarding custom resource (CR). If you used the Log Forwarding Technology Preview, you need to manually make the needed changes to your existing Log Forwarding CR.
The Log Forwarding API allows you to add free-text labels to log messages that are affixed to outbound log messages. For example, you could label logs by data center or label the logs by type. Labels added to objects are also forwarded with the log message.
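A minimal sketch of a ClusterLogForwarder pipeline that adds such labels while forwarding application logs to a Kafka output; the broker URL, topic, and label values are placeholders:
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
  - name: app-kafka
    type: kafka
    url: tls://kafka.example.com:9093/app-topic
  pipelines:
  - name: app-logs
    inputRefs:
    - application
    outputRefs:
    - app-kafka
    labels:
      datacenter: "east"
      logtype: "application"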
Two new dashboards have been added to the OpenShift Container Platform web console that display charts with important, low-level metrics for detailed investigation and troubleshooting of your cluster logging and Elasticsearch instances.
The OpenShift Logging dashboard contains charts that show details about your Elasticsearch instance at a cluster-level, including cluster resources, garbage collection, shards in the cluster, and Fluentd statistics.
The Logging/Elasticsearch Nodes dashboard contains charts that show details about your Elasticsearch instance, many at node-level, including details on indexing, shards, resources, and so forth.
New Fluentd parameters allow you to performance-tune your Fluentd log collector. With these parameters, you can change:
These parameters can help you determine the trade-offs between latency and throughput in your cluster logging instance.
In OpenShift Container Platform 4.6, you can enable monitoring for user-defined projects in addition to the default platform monitoring. You can now monitor your own projects in OpenShift Container Platform without the need for an additional monitoring solution. Using this new feature centralizes monitoring for core platform components and user-defined projects.
With this new feature, you can perform the following tasks:
For more information, see Understanding the monitoring stack.
OpenShift Container Platform 4.6 includes the following alerting rule changes:
The PrometheusOperatorListErrors alert is added. The alert provides notification of errors when running list operations on controllers.
The PrometheusOperatorWatchErrors alert is added. The alert provides notification of errors when running watch operations on controllers.
The KubeQuotaExceeded alert is replaced by KubeQuotaFullyUsed. Previously, the KubeQuotaExceeded alert fired if a resource quota exceeded a 90% threshold. The KubeQuotaFullyUsed alert fires if a resource quota is fully used.
The KubeAPILatencyHigh and KubeAPIErrorsHigh alerts are replaced by the KubeAPIErrorBudgetBurn alert. KubeAPIErrorBudgetBurn combines API error and latency alerts and fires only when the conditions are severe enough.
The KubeStatefulSetUpdateNotRolledOut alert is updated so that it does not fire when a stateful set is being deployed.
The KubeDaemonSetRolloutStuck alert is updated to account for daemon set roll out progress.
Red Hat does not guarantee backward compatibility for metrics, recording rules, or alerting rules.
OpenShift Container Platform 4.6 introduces validation of Prometheus rules through a webhook that calls the validating admission plug-in. With this enhancement, PrometheusRule custom resources in all projects are checked against the Prometheus Operator rule validation API.
The Thanos Querier aggregates and optionally deduplicates core OpenShift Container Platform metrics and metrics for user-defined projects under a single, multi-tenant interface. In OpenShift Container Platform 4.6, a service monitor and alerting rules are now deployed for the Thanos Querier, which enables monitoring of the Thanos Querier by the monitoring stack.
Pending Changes alert updates
The Virtual Machine Pending Changes alert is now more informative. (BZ#1862801)
In OpenShift Container Platform 4.6, the Insights Operator collects the following additional information:
default and openshift-* projects and their count
Additionally, with this release the Insights Operator collects information about all cluster nodes, while previous versions only collected information about unhealthy nodes.
With this additional information, Red Hat can provide improved remediation steps in Red Hat OpenShift Cluster Manager.
OpenShift Container Platform 4.6 introduces the following notable technical changes.
Starting in OpenShift Container Platform 4.6, the Red Hat-provided default catalogs used by Operator Lifecycle Manager (OLM) and OperatorHub are now shipped as index images specific to the minor version of OpenShift Container Platform. This allows Operator providers to ship intentional ranges of Operator versions per cluster version.
These index images, based on the Bundle Format, replace the App Registry catalog images, based on the deprecated Package Manifest Format, that are distributed for previous versions of OpenShift Container Platform 4. OpenShift Container Platform 4.1 through 4.5 will continue to share a single App Registry catalog.
While App Registry catalog images are not distributed by Red Hat for OpenShift Container Platform 4.6 and later, custom catalog images based on the Package Manifest Format are still supported.
See Operator Framework packaging formats for more information on the Bundle Format and index images.
Cluster administrators must ensure all Operators previously installed through Operator Lifecycle Manager (OLM) are updated to their latest versions in their latest channels before upgrading to OpenShift Container Platform 4.6. Updating the Operators ensures that they have a valid upgrade path when the default OperatorHub catalogs switch from using the App Registry catalogs in OpenShift Container Platform 4.5 to the new index image-based catalogs in OpenShift Container Platform 4.6 during the cluster upgrade.
See Upgrading installed Operators for more information on ensuring installed Operators are on the latest channels and upgraded either using automatic or manual approval strategies.
Additional resources
See the following Red Hat Knowledgebase Article for a list of minimum versions of deployed Red Hat Integration components (including Red Hat Fuse, Red Hat AMQ, and Red Hat 3scale) that are required for OpenShift Container Platform 4.6:
Both the OpenShift SDN and OVN-Kubernetes Container Network Interface (CNI) cluster networking providers now use the Open vSwitch (OVS) version installed on the cluster nodes. Previously, OVS ran in a container on each node, managed by a DaemonSet. Using the host OVS eliminates any possible downtime from upgrading the containerized version of OVS.
Warnings are now visible in client-go and oc on every invocation against a deprecated API. Calling a deprecated API returns a warning message containing the target Kubernetes removal release and replacement API, if applicable.
For example:
warnings.go:67] batch/v1beta1 CronJob is deprecated in v1.22+, unavailable in v1.25+
This is new functionality included with Kubernetes 1.19.
COPY and ADD build instructions improved
The performance of COPY and ADD instructions in OpenShift Container Platform builds is improved. The initial implementation of COPY and ADD instructions in buildah had noticeable performance regressions compared to docker. With this enhancement, builds now run more quickly, especially with large source repositories. (BZ#1833328)
OpenShift Container Platform supports Operator SDK v0.19.4, which introduces the following notable technical changes:
run --local is deprecated in favor of run local.
run --olm and --kubeconfig are deprecated in favor of run packagemanifests.
apiextensions.k8s.io/v1beta1 is upgraded to apiextensions.k8s.io/v1 for commands that create or generate CRDs.
The --kubeconfig flag is added to the <run|cleanup> packagemanifests command.
Ansible-based Operator enhancements include:
A healthz endpoint and liveness probe.
Helm-based Operator enhancements include:
helm.operator-sdk/v1alpha1.
All images in OpenShift Container Platform now use universal base image (UBI) version 8 by default.
The default Jenkins Node.js agent has been upgraded to Node.js version 12.
oc adm must-gather command
The oc adm must-gather command no longer collects audit logs by default. You must include an additional parameter to gather audit logs using the oc command. For example:
$ oc adm must-gather -- /usr/bin/gather_audit_logs
sha256sum.txt.sig file has been renamed for OpenShift Container Platform releases
The sha256sum.txt.sig file included in OpenShift Container Platform releases has been renamed to sha256sum.txt.gpg. This binary file contains a hash of each of the installer and client binaries, which are used to verify their integrity.
The renamed file allows GPG to correctly verify sha256sum.txt, which was not possible previously due to naming conflicts.
Some features available in previous releases have been deprecated or removed.
Deprecated functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed within OpenShift Container Platform 4.6, refer to the table below. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.
In the table, features are marked with the following statuses:
Table 1.1. Deprecated and removed features tracker
Feature | OCP 4.4 | OCP 4.5 | OCP 4.6 |
---|---|---|---|
Service Catalog | DEP | REM | REM |
Template Service Broker | DEP | REM | REM |
OperatorSources | DEP | DEP | REM |
CatalogSourceConfigs | DEP | REM | REM |
Package Manifest Format (Operator Framework) | DEP | DEP | DEP |
| DEP | DEP | DEP |
v1beta1 CRDs | GA | DEP | DEP |
Metering Operator | GA | GA | DEP |
The strategy to bring your own (BYO) Red Hat Enterprise Linux (RHEL) 7 compute machines is now deprecated. Support for using RHEL 7 compute machines is planned for removal in OpenShift Container Platform 4.9.
The behavior of falling back to the Common Name field on X.509 certificates as a host name when no Subject Alternative Names are present is deprecated. In a future release, this behavior will be removed, and certificates must properly set the Subject Alternative Names field.
The Metering Operator is deprecated and will be removed in a future release.
The OperatorSources resource, part of the Marketplace API for the Operator Framework, has been deprecated for several OpenShift Container Platform releases and is now removed. In OpenShift Container Platform 4.6, the default catalogs for OperatorHub in the openshift-marketplace namespace now only use CatalogSources with the polling feature enabled. The default catalogs poll for new updates in their referenced index images every 15 minutes.
All MongoDB-based samples have been replaced, deprecated, or removed.
apiserver-auth
Previously, the CA was missing from the router-certs secret, so the Cluster Authentication Operator could not construct a trust chain to the certificate in its health checks, causing it to go Degraded and prevent an upgrade. The CA is now always included from the default-ingress-cert ConfigMap during the default router CA check, so the Cluster Authentication Operator no longer blocks upgrades. (BZ#1866818)
Previously, some OIDC servers returned an HTML page rather than JSON despite Accept: application/json when a login flow that they do not support is requested, because the Operator was expecting a JSON response. As a result, the Operator failed to honor the IDP configuration. The Cluster Authentication Operator no longer fails with an error when an HTML page is returned from an OIDC server because it does not support the requested flow. (BZ#1877803)
Bare Metal Hardware Provisioning
Previously, the ironic-image container configuration was missing the setting to enable the idrac-redfish-virtual-media boot driver. Because of this, users were unable to select the idrac-virtual-media boot URL for Metal3. The missing ironic-image container configuration is now included, so users are able to select the idrac-virtual-media URL for Metal3. (BZ#1853302)
Previously, the metal3 pod in the openshift-machine-api namespace that is used for serving bare metal ironic images allowed directory listings. With this release, directory listings are no longer allowed in this container. (BZ#1859334)
Build
Previously, the buildah libraries could ignore certain HTTP errors. Builds could fail to push images due to temporary issues with the target registry. This bug fix updates buildah to respect these errors when pushing image blobs. As a result, buildah now fails to push an image if the upstream registry is temporarily unavailable. (BZ#1816578)
Previously, Buildah did not support COPY --from Dockerfile instructions. As a result, multistage Dockerfile builds that contained COPY --from=<image> failed. Buildah has been updated to a version that supports COPY --from instructions. Builds that contain these instructions can now succeed. (BZ#1844596)
Cloud Compute
Previously, setting balanceSimilarNodeGroups, ignoreDaemonSetsUtilization, or skipNodesWithLocalStorage to false did not register when the cluster autoscaler was deployed. These values are now read properly when the cluster autoscaler is deployed. (BZ#1854907)
Machines in the Creating state are identified as being created already. Logs contain fewer errors, and machines are less likely to fail. (BZ#1836141)
Previously, no validation was performed on spec.maxUnhealthy. As a result, at negative values, numerous events were produced for each reconciliation attempt. Negative values for spec.maxUnhealthy are now treated as 0, which reduces spurious log messages. (BZ#1862556)
Cloud Credential Operator
and as a result, wrote to etcd
every two seconds. This release implements custom leader election, which now writes only every 90 seconds and releases the lock immediately on normal shutdown. (BZ#1858403)Cluster Version Operator
trustedCA
property. The referenced ConfigMag is user-maintained, and a user setting corrupted certificates would interrupt the Operator’s access to the Proxy. Now, the Operator loads the trustedCAs from the openshift-config-managed/trusted-ca-bundle
, which the Network Operator populates when the Proxy configuration’s referenced trustedCA
ConfigMap is valid. (BZ#1797123)--to-image
, for example oc adm upgrade --to-image
, the Cluster Version Operator was using the cluster version being upgraded to, rather than the current cluster version for validation purposes. This caused z-stream upgrades to fail. Now z-stream cluster upgrades using the option --to-image
are allowed even when Cluster Version Operator has Upgradeable=false
. (BZ#1822513)Console Kubevirt Plugin
virtualmachineimports
data to render. Now, the VM list is rendered correctly. (BZ#1843780)datavolume
disks from a different namespace. Now, the disk modal properly registers the correct namespace of datavolume
disks. (BZ#1859518)datavolume
name was hard coded. Now, an auto generated unique string is added to the datavolume
name and new virtual machines and templates can have the same name. (BZ#1860936)Not Available
due to an empty array of data. Now, a check has been implemented and empty arrays are interpreted as no data. (BZ#1850438)Console Metal3 Plugin
Containers
.dockerignore
file was present. COPY and ADD would be noticeably slowed by the cumulative overhead of evaluating whether each item in the source location needed to be copied to the destination. This bug fix rewrote the logic and the presence of a .dockerignore
file will no longer noticeably slow the speed at which COPY and ADD instructions are handled during a build. (BZ#1828119, BZ#1813258)Web console (Developer perspective)
Git repository is not reachable
for private repositories reachable by the cluster. This was fixed by adding information on making the private repository available to the cluster in the error message. (BZ#1877739)build-tools
and incorrectly configured ports. The issue has been fixed by picking either the user-provided port or the default port 8080 as the target port. (BZ#1874817)@
character in their user names, like user@example.com
, could not start a Pipeline from the Developer Console. This was caused by a limitation in Kubernetes labels. The issue was fixed by moving the “Started by” metadata from a Kubernetes label to a Kubernetes annotation. (BZ#1868653)DNS
etcd
ETCDCTL_ENDPOINTS
was not removed after the bootstrap node was removed, so etcdctl
commands showed unexpected errors. The bootstrap endpoint is no longer added to ETCDCTL_ENDPOINTS
, so etcdctl
commands do not show errors related to the bootstrap endpoint. (BZ#1835238)Image
Image Registry
httpSecrets
when empty, causing the value to not set correctly. Now, the Operator generates the httpSecret
and uses it for all replicas when the configuration file is created. (BZ#1824834)storageManaged
setting was set to true, causing conflicts if the user manually updated the configuration file. Now, an additional configuration field, spec.storage.storageManagementState
has been created. Users can indicate Managed
or Unmanaged
and the Operator will respect the setting. (BZ#1833109)client-go
library is updated to fix the reflector so that the Operator can recover from “Too large resource version” errors. (BZ#1880354)spec.requests.read/write.maxWaitInQueue
in the Image Registry Operator configuration file was not validated. If the provided value was a string that could not be parsed as a duration, the change was not applied, and a message informing about the incorrect value was repeatedly logged. This release adds validation so that a user cannot provide invalid values for this field. (BZ#1833245)Installer
resourcePoolPath
, it found multiple resource pools and was unable to resolve the correct one. With this release, a property added to the machine sets with the resourcePoolPath
information helps resolve the correct one. (BZ#1852545)ovirt-engine-sdk-go
API error that affected oVirt network parsing. The issue is now resolved. (BZ#1838559)Network
and DistributedVirtualPortgroup
were displayed even though OpaqueNetwork
is also a valid option. OpaqueNetwork
is now an option in the wizard, so that type of network can be selected. (BZ#1844103)platform.aws.userTags
parameter to add name
or kubernetes.io/cluster/
tags to resources that the installation program creates caused the machine-api to fail to identify existing control plane machines and create another set of control plane hosts, which created problems with etcd cluster membership. Now you can no longer set error-prone tags in the platform.aws.userTags
parameter, and your cluster is less likely to have extra control plane hosts and broken etcd clusters. (BZ#1862209)*
as a valid value for the proxy.noProxy
field, so you could not create a cluster with no proxy set to *
during installation. Now, the installation program accepts *
as a valid value for that parameter, so you can set no proxy to *
during installation. (BZ#1877486)US
was always used as the location, and it was not possible to install a cluster in some regions outside of US. Now, the installation program sets the right location for the region that you specify, and installations succeed in other locations. (BZ#1871030)local-dns-prepender
did not update the resolv.conf
file to include all the required resolvers for the cluster. Now, the dhcp4-change
and dhcp6-change
action types always make the local-dns-prepender
start updates.(BZ#1866534)asia-northeast3
, asia-southeast-2
, us-west3
, and us-west4
. You can now use these regions. (BZ#1847549)InstanceID()
function. It obtained the instance ID from either metadata or by sending requests to the server. In the latter case, the result always had ‘/’ prefix, which is the correct format. If the instance ID came from the metadata, the system failed to verify its node existence and failed because of the error. Because, the metadata format now also contains the ‘/’ prefix there, the ID format is always correct, and the system can always successfully verify node existence. (BZ#1850149)ExternalNetwork
for the cluster, all possible network choices were listed, which included invalid options. With this update, the interactive installer now filters the possible options and lists only external networks. (BZ#1881532)kube-apiserver
health check probe used a hardcoded IPv4 address to communicate with the load balancer. This update fixes the health check to use localhost
, which covers both IPv4 and IPv6 cases. Additionally, the readyz
endpoint for the API server is checked rather than healthz
. (BZ#1847082)depends_on
to avoid the race condition. (BZ#1734460)DiskPostCloneOperation
function in the Terraform vSphere provider checked the thin_provisioned
and eagerly_scrub
properties of virtual machines cloned from Red Hat CoreOS OVA images. The check failed because the provisioning type changed during cloning and did not match the source provisioning type. The DiskPostCloneOperation
function now ignores those properties and the Red Hat CoreOS OVA cloning succeeds. (BZ#1862290)./openshift-install destroy cluster
, the installer attempted to remove installer tags before the resources using those tags were removed. The installer subsequently failed to remove the tags. With this update, the installer removes the tags after the corresponding resources are deleted. (BZ#1846125)kube-apiserver
LatencySensitive
Feature Gate was in use. With this update, the CVO no longer considers LatencySensitive
Feature Gate as a block for cluster upgrades. To resolve the issue, force the upgrade to the latest 4.5.z or stable version, which include the solution. (BZ#1861431)kube-controller-manager
kube-controller-manager
pod is periodically restarted, which triggers the repair procedure and clears the UID range. (BZ#1808588)kube-scheduler
Logging
x-frame-options:deny
, which blocks the use of iframes. (BZ#1832783)Machine Config Operator
In bare metal environments, an infra-dns
container runs on each host to support node name resolutions and other internal DNS records. A NetworkManager script also updates the /etc/resolv.conf
on the host to point to the infra-dns
container. Additionally, when pods are created, they receive their DNS configuration file (the /etc/resolv.conf
file) from their hosts.
If an HAProxy pod was created before NetworkManager scripts update the /etc/resolv.conf
file on the host, the pod can repeatedly fail because the api-int
internal DNS record is not resolvable. This bug fix updates the Machine Config Operator (MCO) to now verify that the /etc/resolv.conf
file of the HAProxy pod is identical to the host /etc/resolv.conf
file. As a result, the HAProxy pod no longer experiences these errors. (BZ#1849432)
Keepalived is used to provide high availability (HA) for both the API and default router. The Keepalived instance in each node monitors local health by curling the health endpoint of the local entity, for example the local kube-apiserver
. Previously, the curl
command failed only when the TCP connection failed, and not on HTTP non-200 errors. This caused Keepalived to sometimes not fail over to another healthy node, even when the local entity was unhealthy, which led to errors in API requests.
This bug fix updates the Machine Config Operator (MCO) to modify the curl
command to now also fail when the server replies with a non-200 return code. As a result, the API and Ingress router now correctly fail over to a healthy node in case of failure in a local entity. (BZ#1844387)
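As a rough illustration of the behavior this fix relies on (not the exact check that the MCO ships), curl only returns a non-zero exit code for HTTP error responses when it is invoked with the --fail flag; the endpoint and port below are placeholders:
# Without --fail, curl exits 0 even for a 500 response; with --fail, an HTTP error response
# produces a non-zero exit code that a health monitor such as Keepalived can act on.
$ curl -kfs -o /dev/null --max-time 5 https://localhost:6443/readyz || echo "health check failed"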
rpm-ostree
command. Multiple kernel arguments concatenated using a space, as allowed in a single line in the kernel command line, would create an invalid rpm-ostree
command. This bug fix updates the MachineConfigController to parse each kernelArgument
item in a similar manner as the kernel. As a result, users can supply multiple arguments concatenated using a space without errors. (BZ#1812649)NoSchedule
in a typical deployment with workers. (BZ#1828250)Web console (Administrator perspective)
[0,1]
when all data sets are all-zero. Now, Y-axis tick marks for all-zero data sets are 0
and 1
. (BZ#1856352)valueMaps
for singlestat panels, so singlestat panels were unable to display Grafana valueMaps. Support is now added and singlestat panels can display Grafana valueMaps
. (BZ#1866928)oc debug
was updated with BZ#1812813 to create a new debug project with an empty node selector in order to work around a problem where oc debug
only works against worker nodes. The web console avoided this problem by asking users to choose a namespace when visiting the Node > Terminal page before the terminal is opened, resulting in inconsistency in the user experience compared to oc
. The web console now creates a new debug project with an empty node selector upon visiting the Node > Terminal page. The behavior of the web console Node > Terminal page now aligns with the behavior of oc debug
. (BZ#1881953)Map.getIn
function on the resource requirement widget current value. Optional chaining is now used when referencing the immutablejs Map.getIn
function, so no runtime error is thrown and the widget is rendered without a value. (BZ#1883679)imagemanifestvuln
resource. The component was using props.match.params.ns
, which was sometimes undefined. As a result, there was a runtime error. This issue is now resolved. (BZ#1859256)e is undefined
when a new Pod was starting up. The issue has been resolved in this release. (BZ#1853705)metadata.namespace
entries for all resources. An error was returned when namespace: <namespace>
was added for resources that did not take a namespace value. metadata.namespace
entries are now removed when a configuration is saved, if a resource does not take a namespace value. (BZ#1846894)-
) for the name value editor did not provide a tooltip, so it was not clear to users what this icon did. The delete icon (-
) now provides a tooltip to make its action easier to understand. (BZ#1853706)(
and )
, could prevent resource details from being displayed in the OpenShift Container Platform console. Resource details are now displayed properly when resource names have special characters. (BZ#1845624)Monitoring
PrometheusNotIngestingSamples
and PrometheusNotConnectedToAlertmanagers
alerts because there were no scrape or alerting targets. The configuration reload process now ensures that the configuration on disk is valid before reloading Prometheus, and the alerts are not fired. (BZ#1845561)AlertmanagerConfigInconsistent
alert could fire during an upgrade because some of the Alertmanager pods were temporarily not running due to a rolling update of the stateful set. Even though the alert resolved itself, this could cause confusion for cluster administrators. The AlertmanagerConfigInconsistent
alert no longer considers the number of running Alertmanager pods, so it no longer fires during upgrades when some of the Alertmanager pods are in a not-running, transient state. (BZ#1846397)KubeStatefulSetUpdateNotRolledOut
and KubeDaemonSetRolloutStuck
alerts were adjusted, and the KubeAPILatencyHigh
and KubeAPIErrorsHigh
alerts were removed. These alerts are now correct and should not cause upgrade issues. (BZ#1824988)KubeTooManyPods
alert used the kubelet_running_pod_count
, which includes completed pods and so was incorrect for the KubeTooManyPods
alert. Now, container_memory_rss
is leveraged to find the actual number of pods running on a node for the KubeTooManyPods
alert. (BZ#1846805)node_exporter
daemon set defaulted to a maxUnavailable
of 1
, so the rollout was entirely serialized and slow on large clusters. Since the node_exporter
daemon set does not affect workload availability, the maxUnavailable
now scales with the cluster size, which allows for a faster rollout. (BZ#1867603)Networking
kuryr.conf
. This approach supports cases when VMs call the interface without using a value set in kuryr.conf
. (BZ#1829517)externalIPs
set. Now pods can reach services with a service external IP address configured. (BZ#1762580)Node
oauth-apiserver
Accept: application/json
header, the Operator logged an error about the payload. Now the Operator includes the URL of the page that it requested to aid in troubleshooting the OIDC server response. (BZ#1861789)oc
oc project
command required the privileges of a self-provisioner
role to switch projects, which meant that some users could not switch projects if they did not have that role. The self-provisioner
role requirement was removed, so anyone with access to a project can now switch projects using oc project
. (BZ#1849983)lastTimestamp
could cause an error when sorting an event that has an empty lastTimestamp
. Sorting is now resistant to empty elements, and works properly when sorting by lastTimestamp
. (BZ#1880283)oc create job
command was missing logic for the --save-config
flag, so the --save-config
option did not work as expected. Logic was added for the --save-config
flag, and it now works properly. (BZ#1844998)OLM
subscription.spec.config.nodeSelector
field in the subscription CRD, but previously did not apply nodeSelectors
labels to the deployments defined in the ClusterServiceVersion (CSV). This made users unable to set nodeSelectors
on their CSV deployments. This bug fix updates OLM to now propagate nodeSelector
labels defined in the subscription.spec.config.nodeSelector
field to deployments in the CSV. As a result, the field now works as expected. (BZ#1860035)installing
phase multiple times. OLM applied a new webhook hash to the deployment, causing a new replica set to be created. The running Operator then redeployed, possibly many times during an installation. This bug fix updates OLM to now check if the CA already exists and reuses it if valid. As a result, if OLM detects existing valid CAs, OLM now reuses the CAs. (BZ#1868712)OwnerReferences
metadata to service resources installed for Operators that provide API services. Previously, whenever an Operator of this class was redeployed by OLM, for example during a certificate rotation, a duplicate OwnerReference
was appended to the related service, causing the number of OwnerReferences
to grow unbounded. With this bug fix, when adding OwnerReferences
, OLM now updates an existing OwnerReference
if found. As a result, the number of OwnerReferences
appended to a service by OLM is bounded. (BZ#1842399)opm alpha bundle validate
command to fail with “image not found” or similar errors. This bug fix updates OLM to now pull bundle images before attempting to unpack in the bundle validator. As a result, the opm alpha bundle validate
command successfully pulls and unpacks images before performing validation. (BZ#1857502)podman
or docker
tooling options. With this release, whiteout files are no longer present after unpacking with podman
and docker
tooling options. (BZ#1841178)openshift-controller-manager
RHCOS
Previously, it was not possible to modify kernel arguments during installation. Now, kernel arguments can be modified on an installed system using the coreos-installer
command. For example, you can configure the installed system to use a different serial console argument using:
$ coreos-installer install ... \
    --delete-karg console=ttyS0,115200n8 \
    --append-karg console=ttyS1,115200n8
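After the installed system boots, you can confirm that the change took effect by inspecting the kernel command line; the second command assumes an RHCOS (rpm-ostree based) host:
# Show the kernel arguments the running system booted with
$ cat /proc/cmdline
# On rpm-ostree based systems such as RHCOS, list the configured kernel arguments
$ rpm-ostree kargs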
Routing
When the Ingress Operator reconciles an IngressController object configured for the NodePortService endpoint publishing strategy type, the Operator gets the ingresscontroller’s NodePort service from the API to determine whether it needs to create or update the service. If the service does not exist, the Operator creates it with an empty value for the spec.sessionAffinity
field. If the service does exist, the operator compares it with what the Ingress Operator expects in order to determine whether an update is needed for that service. In this comparison, if the API has set the default value, None
, for the service spec.sessionAffinity
field, the Operator detects the update and tries to set the spec.sessionAffinity
field back to the empty value.
As a result, the Ingress Operator repeatedly attempted to update the NodePort service in response to the blank value. The Ingress Operator was changed to consider unspecified values and default values to be equal when comparing NodePort services. The Operator no longer updates an IngressController NodePort service in response to API defaulting. (BZ#1842742)
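To observe the field in question on a live cluster, you can print the sessionAffinity value that the API defaulted on the ingresscontroller's NodePort service. The namespace and service name below assume the default IngressController with the NodePortService strategy and may differ in your cluster:
# Prints the API-defaulted sessionAffinity value (typically "None") for the NodePort service
$ oc -n openshift-ingress get service router-nodeport-default -o jsonpath='{.spec.sessionAffinity}{"\n"}'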
Samples
Storage
Upgradable=False
on v1alpha1 CRDs. As a result, the Cluster Storage Operator could not perform z-stream upgrades when these CRDs were detected on the cluster. This fix changed the order of the reconciliation loop. Now, z-stream upgrades complete successfully and v1alpha1 CRDs are detected without errors. (BZ#1873299)Insights Operator
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use. Note the following scope of support on the Red Hat Customer Portal for these features:
Technology Preview Features Support Scope
In the table below, features are marked with the following statuses: TP (Technology Preview), GA (General Availability), DEP (Deprecated), and – (Not Available).
Table 1.2. Technology Preview tracker
Feature | OCP 4.4 | OCP 4.5 | OCP 4.6 |
---|---|---|---|
Precision Time Protocol (PTP) | TP | TP | TP |
| TP | TP | TP |
experimental-qos-reserved | TP | TP | TP |
Pod Unidler | TP | GA | GA |
Ephemeral Storage Limit/Requests | TP | TP | TP |
Descheduler | TP | TP | TP |
Podman | TP | TP | TP |
Sharing Control of the PID Namespace | TP | GA | GA |
OVN-Kubernetes cluster networking provider | TP | TP | GA |
HPA custom metrics adapter based on Prometheus | TP | TP | TP |
HPA for memory utilization | TP | TP | TP |
Three-node bare metal deployments | TP | GA | GA |
Service Binding | TP | TP | TP |
Log forwarding | TP | TP | GA |
Monitoring for user-defined projects | TP | TP | GA |
Compute Node Topology Manager | TP | GA | GA |
Raw Block with Cinder | TP | TP | TP |
External provisioner for AWS EFS | TP | TP | TP |
CSI volume snapshots | TP | TP | TP |
CSI volume cloning | TP | TP | GA |
CSI AWS EBS Driver Operator | – | TP | TP |
OpenStack Manila CSI Driver Operator | – | GA | GA |
Red Hat Virtualization (oVirt) CSI Driver Operator | – | – | GA |
CSI inline ephemeral volumes | – | TP | TP |
Automatic device discovery and provisioning with Local Storage Operator | – | – | TP |
OpenShift Pipelines | TP | TP | TP |
Vertical Pod Autoscaler | – | TP | TP |
Operator API | – | TP | GA |
Adding kernel modules to nodes | TP | TP | TP |
Docker Registry v1 API | DEP |
ovs-configuration
service fails and nodes become unreachable. This will be resolved in a future 4.6.z release. (BZ#1887545)Pending
and be incorrectly tested. (BZ#1890088)ose-egress-dns-proxy
image has a known defect that prevents the container from starting. This image is also broken in earlier releases, so this is not considered a regression in 4.6. (BZ#1888024)
In OpenShift Container Platform 4.1, anonymous users could access discovery endpoints. Later releases revoked this access to reduce the possible attack surface for security exploits because some discovery endpoints are forwarded to aggregated API servers. However, unauthenticated access is preserved in upgraded clusters so that existing use cases are not broken.
If you are a cluster administrator for a cluster that has been upgraded from OpenShift Container Platform 4.1 to 4.6, you can either revoke or continue to allow unauthenticated access. It is recommended to revoke unauthenticated access unless there is a specific need for it. If you do continue to allow unauthenticated access, be aware of the increased risks.
If you have applications that rely on unauthenticated access, they might receive HTTP 403 errors if you revoke unauthenticated access.
Use the following script to revoke unauthenticated access to discovery endpoints:
## Snippet to remove unauthenticated group from all the cluster role bindings
$ for clusterrolebinding in cluster-status-binding discovery system:basic-user system:discovery system:openshift:discovery ;
do
    ### Find the index of unauthenticated group in list of subjects
    index=$(oc get clusterrolebinding ${clusterrolebinding} -o json | jq 'select(.subjects!=null) | .subjects | map(.name=="system:unauthenticated") | index(true)');
    ### Remove the element at index from subjects array
    oc patch clusterrolebinding ${clusterrolebinding} --type=json --patch "[{'op': 'remove','path': '/subjects/$index'}]";
done
This script removes unauthenticated subjects from the following cluster role bindings:
cluster-status-binding
discovery
system:basic-user
system:discovery
system:openshift:discovery
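To confirm that the unauthenticated group was removed, you can list the remaining subjects of one of these bindings, for example:
# The output should no longer contain a subject named "system:unauthenticated"
$ oc get clusterrolebinding discovery -o json | jq '.subjects'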
Running the operator-sdk new
or operator-sdk create api
commands without the --helm-chart
flag builds a Helm-based Operator that uses the default boilerplate Nginx chart. While this example chart works correctly on upstream Kubernetes, it fails to deploy successfully on OpenShift Container Platform.
To work around this issue, use the --helm-chart
flag to provide a Helm chart that deploys successfully on OpenShift Container Platform. For example:
$ operator-sdk new <operator_name> --type=helm \
    --helm-chart=<repo>/<name>
install-config.yaml
file on GCP and Azure due to a known issue. Instead, you must manually insert a ConfigMap into the manifest directory during the manifest generation stage of the cluster installation process as documented in Manually creating IAM for Azure and Manually creating IAM for GCP. (BZ#1884691)ContainerCreating state
. (BZ#1887026)us-gov-east-1
region due to a known issue. (BZ#1881262)
Firewall rules used by machines not prefixed with the infrastructure ID are preserved when destroying a cluster running on Google Cloud Platform (GCP) with installer-provisioned infrastructure. This causes the destroy process of the installation program to fail. As a workaround, you must manually delete the firewall rule of the machine, for example with the gcloud command-line tool:
$ gcloud compute firewall-rules delete <firewall_rule_name>
Once the firewall rule of the machine with the missing infrastructure ID is removed, the cluster can be destroyed. (BZ#1801968)
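If you are unsure which rule was left behind, you can list the firewall rules in the project first and look for names that lack the infrastructure ID prefix; the output format shown is only an illustration:
# List firewall rule names and networks so the leftover rule can be identified
$ gcloud compute firewall-rules list --format="table(name,network,direction)"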
opm alpha bundle build
command fails on Windows 10. (BZ#1883773)In OpenShift Container Platform 4.6, the resource metrics API server provides support for custom metrics. The resource metrics API server does not implement the OpenAPI specification, and the following messages are sent to the kube-apiserver
logs:
controller.go:114] loading OpenAPI spec for "v1beta1.metrics.k8s.io" failed with: OpenAPI spec does not exist
controller.go:127] OpenAPI AggregationController: action for item v1beta1.metrics.k8s.io: Rate Limited Requeue.
In some cases, these errors might cause the KubeAPIErrorsHigh
alert to fire, but the underlying issue is not known to degrade OpenShift Container Platform functionality. (BZ#1819053)
If an AWS account is configured to use AWS Organizations service control policies (SCPs) that use a global condition to deny all actions or require a specific permission, the AWS policy simulator API that validates permissions produces a false negative. When the permissions cannot be validated, OpenShift Container Platform AWS installations fail, even if the provided credentials have the required permissions for installation.
To work around this issue, you can bypass the AWS policy simulator permissions check by setting a value for the credentialsMode
parameter in the install-config.yaml
configuration file. The value of credentialsMode
changes the behavior of the Cloud Credential Operator (CCO) to one of three supported modes.
Example install-config.yaml
configuration file
apiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Mint 1
compute:
- architecture: amd64
  hyperthreading: Enabled
...
1: This line sets the credentialsMode parameter to Mint.
When bypassing this check, ensure that the credentials you provide have the permissions that are required for the specified mode.
hostNetworking
pod. You can delete these ports safely. Automatic port deletion is planned for a future release of OpenShift Container Platform. (BZ#1888318)NetlinkError: (17, 'File exists')
error. As a workaround, you must reboot the node. A fix is planned to resolve this issue in a future release of OpenShift Container Platform. (BZ#1869606)To increase security, the NET_RAW
and SYS_CHROOT
capabilities are no longer available in the default list of CRI-O capabilities.
NET_RAW
: If unprotected, this capability enables pods to craft packets that can change header fields, such as low ports, source IP address, and source MAC address. This functionality could allow malicious hacking attempts.SYS_CHROOT
: Normal workloads should not require chroot
. Access to privileged operations should be granted only when required.The NET_RAW
and SYS_CHROOT
capabilities were removed as default capabilities in OpenShift Container Platform 4.5.16. To reduce impact to clusters created in releases before 4.5.16, the default capabilities list is now contained in separate machine configs: 99-worker-generated-crio-capabilities
and 99-master-generated-crio-capabilities
. OpenShift Container Platform creates the new machine configs when you upgrade from a previous release.
After upgrading, it is recommended to disable the NET_RAW
and SYS_CHROOT
capabilities, and then test your workloads. When you are ready to remove these capabilities, delete the 99-worker-generated-crio-capabilities
and 99-master-generated-crio-capabilities
machine configs.
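For example, when you are ready to remove the capabilities, the machine configs can be deleted with a command such as the following; verify the machine config names in your cluster before deleting them:
# Deleting these machine configs removes NET_RAW and SYS_CHROOT from the default CRI-O capabilities
$ oc delete machineconfig 99-worker-generated-crio-capabilities 99-master-generated-crio-capabilities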
Important: If you are upgrading from an earlier release, upgrade to 4.5.16 before you upgrade to 4.6. (BZ#1874671).
For oc
commands that require TLS verification, if the certificates do not set a Subject Alternative Name, verification does not fall back to the Common Name field and the command fails with the following error:
x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
As a workaround, you can either use a certificate with a proper Subject Alternative Name set, or precede the oc
command with GODEBUG=x509ignoreCN=0
to temporarily override this behavior.
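For example, an otherwise failing command could be run as follows; the API server URL is a placeholder:
# Temporarily tolerate certificates that only set the Common Name field
$ GODEBUG=x509ignoreCN=0 oc login https://api.cluster.example.com:6443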
A future 4.6 z-stream might return a warning instead of an error, to allow more time for users to update their certificates to be compliant.
Deployment
YAML file overwrites or removes the volume mounts in the Pod Template spec
. (BZ#1867965)error reserving pod name …: name is reserved
. CRI-O’s context for the CNI executable ends and it kills the process. Pod creation succeeds eventually, but it takes a lot of time. Therefore, the kubelet thinks that CRI-O did not create the Pod. The kubelet sends the request again and a name conflict occurs. This issue is currently under investigation. (BZ#1785399)Administrators can mirror the redhat-operators
catalog to use Operator Lifecycle Manager (OLM) on OpenShift Container Platform 4.6 clusters in restricted network environments (also known as disconnected clusters). However, the following Operators return entries in the mapping.txt
file with the private host name registry-proxy.engineering.redhat.com
instead of the expected public host name registry.redhat.io
:
This causes image pulls to fail against the inaccessible private registry, normally intended for internal Red Hat testing. To work around this issue, run the following command after generating your mapping.txt
file:
$ sed -i -e 's/registry-proxy.engineering.redhat.com/registry.redhat.io/g' \
    -e 's/rh-osbs\/amq7-/amq7\//g' \
    -e 's/amq7\/tech-preview-/amq7-tech-preview\//g' \
    ./redhat-operator-index-manifests/imageContentSourcePolicy.yaml \
    ./redhat-operator-index-manifests/mapping.txt
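You can then confirm that the private host name no longer appears in the generated files, for example:
# No matches means the private registry host name has been fully replaced
$ grep -r registry-proxy.engineering.redhat.com ./redhat-operator-index-manifests/ || echo "no matches"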
For OpenShift Container Platform on IBM Power Systems on PowerVM, the following requirements are preferred:
Security, bug fix, and enhancement updates for OpenShift Container Platform 4.6 are released as asynchronous errata through the Red Hat Network. All OpenShift Container Platform 4.6 errata is available on the Red Hat Customer Portal. See the OpenShift Container Platform Life Cycle for more information about asynchronous errata.
Red Hat Customer Portal users can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, users are notified via email whenever new errata relevant to their registered systems are released.
Red Hat Customer Portal user accounts must have systems registered and consuming OpenShift Container Platform entitlements in order for OpenShift Container Platform errata notification emails to be generated.
This section will continue to be updated over time to provide notes on enhancements and bug fixes for future asynchronous errata releases of OpenShift Container Platform 4.6. Versioned asynchronous releases, for example with the form OpenShift Container Platform 4.6.z, will be detailed in subsections. In addition, releases in which the errata text cannot fit in the space provided by the advisory will be detailed in subsections that follow.
For any OpenShift Container Platform release, always review the instructions on updating your cluster properly.
Issued: 2020-10-27
OpenShift Container Platform release 4.6 is now available. The list of bug fixes that are included in the update is documented in the RHBA-2020:4196 advisory. The RPM packages that are included in the update are provided by the RHBA-2020:4197 advisory.
Space precluded documenting all of the container images for this release in the advisory. See the following article for notes on the container images in this release:
Issued: 2020-10-27
An update for jenkins-2-plugins
, openshift-clients
, podman
, runc
, and skopeo
is now available for OpenShift Container Platform 4.6. Details of the update are documented in the RHSA-2020:4297 advisory.
Issued: 2020-10-27
An update for several images is now available for OpenShift Container Platform 4.6. Details of the update are documented in the RHSA-2020:4298 advisory.
Issued: 2020-11-09
OpenShift Container Platform release 4.6.3 is now available. The list of bug fixes that are included in the update is documented in the RHBA-2020:4339 advisory. The RPM packages that are included in the update are provided by the RHBA-2020:4340 advisory.
Space precluded documenting all of the container images for this release in the advisory. See the following article for notes on the container images in this release:
OpenShift Container Platform 4.6.3 container image list
To upgrade an existing OpenShift Container Platform 4.6 cluster to this latest release, see Updating a cluster by using the CLI for instructions.
Issued: 2020-11-16
OpenShift Container Platform release 4.6.4 is now available. The list of bug fixes that are included in the update is documented in the RHBA-2020:4987 advisory. There are no RPM packages for this release.
Space precluded documenting all of the container images for this release in the advisory. See the following article for notes on the container images in this release:
OpenShift Container Platform 4.6.4 container image list
To upgrade an existing OpenShift Container Platform 4.6 cluster to this latest release, see Updating a cluster by using the CLI for instructions.
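As a brief sketch of the CLI flow described in that document, you can review the available updates and then apply one; the version shown is only an example:
# Show the updates available in the cluster's current channel
$ oc adm upgrade
# Update to a specific 4.6.z release that is listed as available
$ oc adm upgrade --to=4.6.4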
OpenShift Container Platform provides strict backwards compatibility guarantees for all supported APIs, excluding alpha APIs (which may be changed without notice) and beta APIs (which may occasionally be changed in a non-backwards compatible manner).
Red Hat did not publicly release OpenShift Container Platform 4.0 and, instead, released OpenShift Container Platform 4.1 directly after version 3.11.
The OpenShift Container Platform version must match between master and node hosts, excluding temporary mismatches during cluster upgrades. For example, in a 4.6 cluster, all masters must be 4.6 and all nodes must be 4.6. If you installed an earlier version of oc
, you cannot use it to complete all of the commands in OpenShift Container Platform 4.6. You must download and install the new version of oc
.
Changes of APIs for non-security related reasons will involve, at minimum, two minor releases (4.1 to 4.2 to 4.3, for example) to allow older oc
to update. Using new capabilities may require newer oc
. A 4.3 server may have additional capabilities that a 4.2 oc
cannot use and a 4.3 oc
may have additional capabilities that are not supported by a 4.2 server.
Table 2.1. Compatibility Matrix
 | X.Y (oc Client) | X.Y+N footnote:versionpolicyn[Where N is a number greater than 1.] (oc Client) |
---|---|---|
X.Y (Server) | Fully compatible. | oc client may provide options and features that may not be compatible with the accessed server. |
X.Y+N footnote:versionpolicyn[] (Server) | oc client may not be able to access server features. | Fully compatible. |