Release Notes
This page lists notable changes in OpenShift releases which we find important. Reading release notes for you as a service.
OpenShift 4.14
OpenShift version 4.14 has been available since 2023-11-06. This version is based on Kubernetes 1.27 and CRI-O 1.27. The RHCOS image uses RHEL 9.2 packages. Find the release notes in the upstream documentation as OpenShift Container Platform 4.14 release notes. The "Red Hat OpenShift 4.14 is now available" blog post is also a valuable resource.
- API deprecations
-
An API has been removed in Kubernetes 1.27. Before updating a cluster to OpenShift 4.14, check for usage of the following API:
-
CSIStorageCapacity resource: storage.k8s.io/v1beta1 migrates to storage.k8s.io/v1
-
See the upstream documentation on preparing to update to OpenShift Container Platform 4.14 for detailed instructions to check for usage of these APIs. If any of the APIs are used, inform the affected users and ask them to update their workloads to use the APIs indicated in the upstream documentation.
- Logging in to the CLI using a web browser
-
With OpenShift Container Platform 4.14, a new oc command-line interface (CLI) flag, --web, is now available for the oc login command. With this enhancement, you can log in by using a web browser, so that you don’t need to insert your access token into the command line.
This feature has been backported to OpenShift 4.13 and can already be used on APPUiO Managed OpenShift 4 clusters.
- Update to HAProxy 2.6
-
With this release, OpenShift Container Platform is updated to HAProxy 2.6.
- New option to deploy monitoring web console plugin resources
-
With this release, the monitoring pages in the Observe section of the OpenShift Container Platform web console are deployed as a dynamic plugin. With this change, the Cluster Monitoring Operator (CMO) is now the component that deploys the OpenShift Container Platform web console monitoring plugin resources.
- New option to specify resource limits for all monitoring components
-
With this release, you can now specify resource requests and limits for all monitoring components, including the following:
-
Alertmanager
-
kube-state-metrics
-
monitoring-plugin
-
node-exporter
-
openshift-state-metrics
-
Prometheus
-
Prometheus Adapter
-
Prometheus Operator and its admission webhook service
-
Telemeter Client
-
Thanos Querier
-
Thanos Ruler
In previous versions of OpenShift Container Platform, you could only set options for Prometheus, Alertmanager, Thanos Querier, and Thanos Ruler.
-
- DeploymentConfig resources are now deprecated
-
As of OpenShift Container Platform 4.14, DeploymentConfig objects are deprecated. DeploymentConfig objects are still supported, but aren’t recommended for new installations. Only security-related and critical issues will be fixed.
Instead, use Deployment objects or another alternative to provide declarative updates for pods.
- Deprecation of the OpenShift SDN network plugin
-
OpenShift SDN CNI is deprecated as of OpenShift Container Platform 4.14. It’s currently planned that the network plugin won’t be an option for new installations in the next minor release of OpenShift Container Platform. In a subsequent future release, the OpenShift SDN network plugin is planned to be removed and no longer supported. Red Hat will provide bug fixes and support for this feature until removed, but this feature will no longer receive enhancements. As an alternative to OpenShift SDN CNI, you can use OVN Kubernetes CNI.
New APPUiO Managed OpenShift 4 clusters are installed with Cilium, a fully certified and supported 3rd party CNI plugin for OpenShift 4.
OpenShift 4.13
OpenShift version 4.13 has been available since 2023-03-17. This version is based on Kubernetes 1.26. The RHCOS image now uses RHEL 9.2 packages. Find the release notes in the upstream documentation as OpenShift Container Platform 4.13 release notes. The "Red Hat OpenShift 4.13 is now available" blog post is also a valuable resource.
- API deprecations
-
Multiple APIs are deprecated in Kubernetes 1.26. Before updating a cluster to OpenShift 4.13, check for usage of the following APIs:
-
flowschemas.flowcontrol.apiserver.k8s.io/v1beta1
-
horizontalpodautoscalers.autoscaling/v2beta2
-
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta1
See the upstream documentation on preparing to update to OpenShift Container Platform 4.13 for detailed instructions to check for usage of these APIs. If any of the APIs are used, inform the affected users and ask them to update their workloads to use the APIs indicated in the upstream documentation.
-
- Zone aware OpenShift in VMware vSphere
-
OpenShift 4.13 supports installation across multiple vSphere datacenters and clusters. Defining logical failure domains reduces the risk of data loss and downtime.
Additionally, vSphere persistent disk encryption is now generally available.
- Cgroup v2 GA improves node stability
-
Cgroup v2 is now generally available in OpenShift 4.13. It provides a more robust and flexible mechanism for allocating resources to containers.
Red Hat reports better node stability when there is I/O pressure due to throttling. On cgroup v1, such nodes become not ready, whereas on v2 the node stays stable.
- New web console features
-
The developer view in the OpenShift web console provides multiple new features. Serverless functions can now be added to the cluster by either importing them from a Git repository or by creating them from a template. The topology view, the pod details and the pod list now show which pods receive traffic.
If you use Loki for logging, the web console can now visualize log-based alerts.
- OpenShift managed cert-manager
-
OpenShift 4.13 includes an operated version of cert-manager.
- RHCOS image layering is generally available
-
The RHCOS image layering feature is now generally available. This feature should make it easier to add additional packages and configuration to the RHCOS image.
- Reminder: Pod Security Admission is enabled
-
Pod Security Admission runs globally with restricted audit logging and API warnings. This means that, while everything should still run as it did before, users who rely on security contexts being set by OpenShift’s SCCs will encounter warnings like the following:
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Users need to explicitly set security contexts in their manifests to avoid these warnings.
Red Hat plans to switch Pod Security Admission to restricted enforcement globally in a future minor release. When restricted enforcement is enabled, pods with pod security violations will be rejected.
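The following Python function, added here and not taken from OpenShift or the upstream documentation, checks a pod spec for the four findings quoted in the warning above, so manifests can be fixed before enforcement is switched on. It evaluates each container's effective setting and doesn't cover the rest of the restricted profile; the function name and the sample specs are constructed for illustration.

```python
# Added example: lint a pod spec (as a dict) for the four "restricted" findings
# quoted in the warning. Not the full Pod Security "restricted" profile.

def restricted_findings(pod_spec):
    """Return a sorted list of (finding, container name) tuples."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    containers = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        containers += pod_spec.get(key) or []
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Must be explicitly false; leaving it unset counts as a finding.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("allowPrivilegeEscalation != false", name))
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drops:
            findings.append(("unrestricted capabilities", name))
        # A container-level value takes precedence over the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(("runAsNonRoot != true", name))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(("seccompProfile", name))
    return sorted(findings)

# Constructed sample: the "nginx" container from the warning, no security context.
BEFORE = {"containers": [{"name": "nginx"}]}

# Constructed sample: the same pod with the fields named in the warning set.
AFTER = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "nginx",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_findings(spec))
```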