OpenShift Container Platform 4.15 introduces the following notable technical changes.
Cluster metrics ports secured
With this release, the ports that serve metrics for the Cluster Machine Approver Operator and Cluster Cloud Controller Manager Operator use the Transport Layer Security (TLS) protocol for additional security. (OCPCLOUD-2272, OCPCLOUD-2271)
Cloud controller manager for Google Cloud Platform
The Kubernetes community plans to deprecate the use of the Kubernetes controller manager to interact with underlying cloud platforms in favor of using cloud controller managers. As a result, there is no plan to add Kubernetes controller manager support for any new cloud platforms.
This release introduces the General Availability of using a cloud controller manager for Google Cloud Platform.
To manage the cloud controller manager and cloud node manager deployments and lifecycles, use the Cluster Cloud Controller Manager Operator.
Future restricted enforcement for pod security admission
Currently, pod security violations are shown as warnings in the audit logs without resulting in the rejection of the pod.
Global restricted enforcement for pod security admission is currently planned for the next minor release of OpenShift Container Platform. When this restricted enforcement is enabled, pods with pod security violations will be rejected.
To prepare for this upcoming change, ensure that your workloads match the pod security admission profile that applies to them. Workloads that are not configured according to the enforced security standards defined globally or at the namespace level will be rejected. The restricted-v2
SCC admits workloads according to the Restricted Kubernetes definition.
If you are receiving pod security violations, see the following resources:
-
See Identifying pod security violations for information about how to find which workloads are causing pod security violations.
-
See About pod security admission synchronization to understand when pod security admission label synchronization is performed. Pod security admission labels are not synchronized in certain situations, such as the following situations:
-
If necessary, you can set a custom admission profile on the namespace or pod by setting the pod-security.kubernetes.io/enforce
label.
Secrets are no longer automatically generated when the integrated OpenShift image registry is disabled
If you disable the ImageRegistry
cluster capability or if you disable the integrated OpenShift image registry in the Cluster Image Registry Operator’s configuration, a service account token secret and image pull secret are no longer generated for each service account.
Open Virtual Network Infrastructure Controller default range
Previously, the IP address range 168.254.0.0/16
was the default IP address range that the Open Virtual Network Infrastructure Controller used for the transit switch subnet. With this update, the Controller uses 100.88.0.0/16
as the default IP address range. Do not use this IP range in your production infrastructure network. (OCPBUGS-20178)
Introduction of haproxy no strict-limits variable
The transition to haproxy 2.6 included enforcement for the strict-limits
configuration, which resulted in unrecoverable errors when maxConnections
requirements could not be met. The strict-limits
setting is not configurable by end users and remains under the control of the haproxy template.
This release introduces a configuration adjustment in response to the migration to the maxConnections
issues. Now, the haproxy configuration switches to using no strict-limits
. As a result, haproxy no longer fatally exits when the maxConnection
configuration cannot be satisfied. Instead, it emits warnings and continues running. When maxConnection
limitations cannot be met, warnings such as the following examples might be returned:
-
[WARNING] (50) : [/usr/sbin/haproxy.main()] Cannot raise FD limit to 4000237, limit is 1048576.
-
[ALERT] (50) : [/usr/sbin/haproxy.main()] FD limit (1048576) too low for maxconn=2000000/maxsock=4000237. Please raise 'ulimit-n' to 4000237 or more to avoid any trouble.
To resolve these warnings, we recommend specifying -1
or auto
for the maxConnections
field when tuning an IngressController. This choice allows haproxy to dynamically calculate the maximum value based on the available resource limitations in the running container, which eliminates these warnings. (OCPBUGS-21803)
The deployer service account is no longer created if the DeploymentConfig cluster capability is disabled
If you disable the DeploymentConfig
cluster capability, the deployer
service account and its corresponding secrets are no longer created.
Must-gather storage limit default
A default limit of 30% of the storage capacity of the node for the container has been added for data collected by the oc adm must-gather
command. If necessary, you can use the --volume-percentage
flag to adjust the default storage limit.
Agent-based Installer interactive network configuration displays on the serial console
With this update, when an Agent ISO is booted on a server with no graphical console, interactive network configuration is possible on the serial console.
Status displays are paused on all other consoles while the interactive network configuration is active.
Previously, the displays could be shown only on a graphical console.
(OCPBUGS-19688)