
@szpeter80
Last active March 7, 2025 13:59
OpenShift changes

An opinionated collection of notable OpenShift changes

OpenShift 4.18

Sources:

Changes:

  • Kubernetes components upgraded to 1.31
  • OpenShift has a new edition / license level: "Red Hat OpenShift Virtualization Engine". It supports only bare metal, 128 cores per socket pair, and cannot run containers.
  • The cluster observability operator (COO) release 1.0.0 (based on Konflux) is now GA. With the COO, you can create standalone monitoring stacks independent of the default in-cluster monitoring.
  • User Defined Networks (UDNs) are now GA. Pod networks are L3; UDNs enable custom L2 / L3 and localnet network segments that act as either primary or secondary networks for container pods and VMs. UDNs uniquely provide support for common VM networking use cases, such as providing a VM static IP assignment for its lifetime, and a layer 2 primary pod network for the live migration of VMs between nodes. UDN segments are isolated for stronger multi-tenant environments without requiring Kubernetes (Admin) Network Policy, but network policy is still supported with UDN for finer-grained microsegmentation. Users can leverage UDN to create networks with overlapping subnets, and primary UDNs have full support for services, egressIPs and routes.
  • OVN-Kubernetes fully supports BGP, which enables dynamically exposing cluster-scoped network entities into a provider's network, as well as programming BGP-learned routes from the provider's network into OVN. Example: a third-party load balancer needs direct access to backend OpenShift pods. Ethernet VPN (EVPN) support is planned, allowing for the extension of a UDN segment into another OpenShift or a provider network.
  • oc-mirror v2 is GA, supports Helm charts and proxies (use oc-mirror --v2 ...)
  • Operator Lifecycle Management (OLM) has changed: the new approach is v1, the old one is "classic"

OpenShift 4.17

Sources:

Changes:

  • Kubernetes 1.30 changes

  • OpenShift specific

    • Full drop of OpenShift SDN CNI in favor of OVNKubernetes
      No new installs since 4.15, upgrade possible until 4.16

    • 4-node and 5-node control plane (Bare Metal only)
      2-DC active-active deployments (e.g. virtualization) can now have more than 1 control plane node at each site

    • Native Network Isolation for Namespaces (UDN support in OVNKubernetes)
      The traditional single L3 Pod network does not cover all use cases. Multus can do secondary networks, but these lack features of native / primary networks.
      Default network + VRF support for additional UDNs: supports Network Policy and Cluster IP services; isolated by default, so the same Pod IP can be used in different UDNs. BGP + EVPN support is coming (direct addressing w/o NAT, e.g. for VMs).
      Example use case: flat L2 network across Nodes for VMs in Pod migration; attach VM/Pod to existing physical network/VLAN.

    • Node disruption policies: you can now mark changes that do not require a reboot

    • OpenShift Virtualization (Kubevirt)

      • Memory oversubscription, VM memory hot-plug
      • Automatic VM workload balancing (descheduler now handles VMs also)
      • Native EBS support for VMs
      • VM storage live migration between Storage Classes (Tech Preview, e.g. change storage provider due to a physical storage array lifecycle event)
      • Dedicated Virtualization view of dashboard (addition to Admin and Developer views)
    • RH Advanced Cluster Management

      • Multicluster VM observability
      • Select VMs across clusters by labels, and manage (start / stop / restart ...)
    • Console: support import from Gitea in Developer console (ODC-7590)

    • Automatic recovery from expired Control Plane certificates
      (resume after long shutdown, from a snapshot or restored from backup)

    • Optimize CRI-O storage wipe after reboot
      Wipe only corrupted image layers, not full images with a corrupted layer

    • Network Observability Operator 1.7 upgrades: Open Telemetry support, no need for Loki (some features will be missing)

    • SMB / CIFS CSI support in tech preview

    • OpenShift Data Foundation

      • 2-replica Block and FileSystem (finally :) )
      • NFS support
    • Edge deployments

      • Single Node OpenShift: Image Based Install (Telco request)
      • Red Hat Device Edge with MicroShift: RHEL Image Mode (announced at RH Summit 2024, bootc + bootable container image, Tech Preview)
      • Red Hat Device Edge with MicroShift: Full IPv6 support (Dual-Stack, Single-Stack, works with lack of available IPv4 address)
      • Red Hat Device Edge with MicroShift: Realtime / low-latency workloads (official announcement will be at KubeCon NAM 2024-11-12)