Release Notes

This page lists notable changes in OpenShift releases which we find important. Reading release notes for you as a service.

OpenShift 4.11

OpenShift version 4.11 is available since 2022-08-10. This version is based on Kubernetes 1.24. Find the release notes at the upstream documentation as OpenShift Container Platform 4.11 release notes. The What’s New in Red Hat OpenShift 4.11 blog post is also a valuable resource.

More flexible alert routing for User Workload Monitoring

You can now enable alert routing as well as spin up a dedicated Alertmanager for User Workload Monitoring.

Disk usage base metrics retention

Metrics retention can now be defined based on disk usage.

New subcommand to work with tokens

oc create token replaces several existing commands. Check your aliases, scripts and other convenience tools you use.

The oc create token command generates a token with a limited lifetime. Use command line argument --duration to adjust the token lifetime to suit your purposes. Please be aware that the API server may return a token with a shorter or longer lifetime than you requested.

If you need a token which doesn’t expire, we recommend that you manually create a ServiceAccount API token secret. After creating a secret as described, you can extract the token with oc get secret <my-token-secret> -ogo-template='{{.data.token|base64decode}}'.
Deprecation of snapshot.storage.k8s.io/v1beta1

Before update a cluster, check for usage of snapshot.storage.k8s.io/v1beta1. If used, inform the affected users and ask them to update to snapshot.storage.k8s.io/v1.

Pod Security Admission is now enabled

Pod Security Admission now runs globally with restricted audit logging and API warnings. This means while everything should still run as it did before, if users rely on security contexts being set by OpenShift’s SCCs they’ll most likely encounter warnings like the following:

Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Users will need to explicitly set security contexts in their manifests to avoid these warnings.

Support for configuring maximum number of connections for Ingress Controller

You can now set the maximum number of simultaneous connections that can be established per HAProxy process in the Ingress Controller to any value between 2000 and 2,000,000.

…​

From the blog post we learn:

Automatic fail-forward updates for failed operator installations

In the context of the Operator Lifecycle Manager (OLM), a failed operator update always required manual clean up. With OpenShift 4.11, one can enable an option to automatically recover failed updates. If enabled and a newer patch version is available, the update gets started even if a previous update failed.

Partial updates

OpenShift 4.11 allows updating the control plane and individual node groups individually. They, however, must be updated all within a time window of 60 days.

Conditional updates

OpenShift always only listed newer versions available to the cluster. Available means, it’s safe to update to that version. OpenShift 4.11 on the Web Console now explains the risks of a certain update. Cluster administrators can then decide to do the update anyway and accept that risk.

Web Console integrated observability

Red Hat decided to remove the individual observability UIs. In OpenShift 4.11 they have removed the UIs for Prometheus and Grafana. The metrics and graphs are still available and can now be found within the OpenShift Web Console.

OpenShift 4.10

The generally available version 4.10.3 got released on 2022-03-10. The release notes are available in the upstream documentation under OpenShift Container Platform 4.10 release notes.

CSI on vShpere

CSI on vShpere is now generally available but requires some minimal versions of vSphere software.

Change cluster network MTU after cluster installation

Changing the MTU for the cluster network

Ingress Controller router compression

Using router compression

Using fsGroup to reduce pod timeouts

If a storage volume contains many files (~1,000,000 or greater), you may experience pod timeouts.

OpenShift Container Platform 4.10 introduces the ability to use fsGroup and fsGroupChangePolicy to skip recursive permission change for the storage volume, therefore helping to avoid pod timeout problems.

— Upstream OpenShift 4.10 Release Notes

See Using fsGroup to reduce pod timeouts.

Changed alert rule names

Some alert rules got renamed. Check if your cluster configuration alters any of those alerts and update it accordingly.

TLS X.509 certificates must have a Subject Alternative Name

X.509 certificates must have a properly set the Subject Alternative Name field. If you update your cluster without this, you risk breaking your cluster or rendering it inaccessible.

— Upstream OpenShift 4.10 Release Notes

See TLS X.509 certificates must have a Subject Alternative Name.

Upgraded clusters might have insecure RBAC rules

Clusters upgraded from version before 4.8 might allow unauthenticated API requests to certain resources. Check the OpenShift 4.10 release notes for details on which clusters are affected. There you will also find a snippet on how to resolve this.