OCP 4.11 Release Notes Tracker

[opayne1]

Please leave comments here for anything that should be highlighted in the 4.11 release notes. If possible, provide a link to the Jira or BZ related to your item. Thank you!

A note about migrating to Jira This tracker might be moved to Jira. In the event that happens, I will update accordingly and provide a direct link.

A note about known issues All Bugzilla items that need to be documented as known issues in the release notes should have Doc Type = Known Issue and the Doc Text field populated accordingly. Before adding a known issue to this tracker:

1. Ensure the Doc Type and Doc Text fields are filled in correctly.
2. See if your issue shows up in the query we will use to populate the release notes.
3. If the fields are set correctly, and the issue is not in the query, add it here.

Resources

• Feature GA Status Tracker

[soltysh]

Remove the following deprecated commands:

oc adm migrate etcd-ttl
oc adm migrate image-references
oc adm migrate legacy-hpa
oc adm migrate storage

they are not suitable to be used in 4.x, and were deprecated already in 4.2. See https://github.com/openshift/oc/pull/1124

[soltysh]

Start deprecating the following commands:

oc serviceaccounts create-kubeconfig 
oc serviceaccounts get-token         
oc serviceaccounts new-token

users should start using oc create token instead to request a proper token. See https://github.com/openshift/oc/pull/1126

Similarly --service-account/-z flag for oc registry login command is being deprecated, users should be using oc create token instead to request a proper token to access internal registry. See https://github.com/openshift/oc/pull/1166

[soltysh]

Following up on https://github.com/openshift/openshift-docs/issues/37586#issuecomment-985582572 and https://github.com/openshift/ocp-build-data/pull/1584 oc 4.11 will be build only with rhel8 support.

[bgilbert]

On nodes that are either provisioned from the VMware OVA image, installed with coreos.inst.platform_id=vmware, or installed with coreos-installer install --platform vmware:

• The Ignition pointer config will now be deleted from the VMware hypervisor after initial provisioning is complete.
• Existing nodes will delete the Ignition pointer config from the VMware hypervisor when upgrading from a previous OCP release.

This addresses CVE-2022-1706.

[SNiemann15]

For IBM Z and IBM Power we will create a PR with input from this gdoc: https://docs.google.com/document/d/1LJhoZ66BHHO_qjolnEVboxJ6iAmRtvttQsnVGdtiwfI/edit?usp=sharing @alishaIBM PR for IBM P/Z: https://github.com/openshift/openshift-docs/pull/46441

[lihongan]

In the Networking part, Support for AWS Load Balancer Operartor (TP) should be added, see https://issues.redhat.com/browse/NE-730

[melvinjoseph86]

In the Networking part, Support for DestinationCA to route created by the ingress-to-route controller should be added, see https://issues.redhat.com/browse/NE-729

[melvinjoseph86]

In the Networking part, Set Default Subdomain for Routes at Project/Namespace Level should be added, see https://issues.redhat.com/browse/NE-700

[ShudiLi]

In the Networking part, the following should be added:

1. Update haproxy RPM to 2.2.24, please see https://issues.redhat.com/browse/NE-813
2. Allow Ingress to be modified on the settings of livenessProbe and readinessProbe, please see https://issues.redhat.com/browse/NE-683
3. Make ROUTER_BACKEND_CHECK_INTERVAL Configurable, please see https://issues.redhat.com/browse/NE-585

[quarterpin]

Power-of-Two algorithm has been re-introduced where the haproxy loadbalancer algorithm now defaults to random : https://issues.redhat.com/browse/NE-709 Ingress operator now supports exposing port configuration which allows multiple ingresscontroller generations of hostnetwork type to reside on same worker node: https://issues.redhat.com/browse/NE-674 Cluster-ingress-Operator to Manage ELB Timeout on the Ingress Service Object: https://issues.redhat.com/browse/NE-357 The ExternalDNS operator is out of tech preview phase and now supports infoblox DNS provider: https://issues.redhat.com/browse/NE-752

[mike-nguyen]

There is a new extension for installation through the MCO: https://issues.redhat.com/browse/COS-828

[miabbott]

RHCOS 4.11 will be rebased to use RHEL 8.6 content

The boilerplate from the last rebase we did:

These packages provide you the latest fixes, features, and enhancements, such as NetworkManager features, as well as the latest hardware support and driver updates.

[jhou1]

We will have an agent-based installer in dev preview in 4.11 that needs to be added to release notes: https://issues.redhat.com/browse/AGENT-9

[Amrita42]

@jhou1 Yes I would be adding agent-based relevant content to the release notes

[duanwei33]

From the storage part to be update: CSI volume expansion: GA in 4.11 CSI Azure File Driver Operator: GA in 4.11 CSI automatic migration: Cinder/Azure-Disk is GA in 4.11 CSI inline ephemeral volumes: TP in 4.11 Automatic device discovery and provisioning with Local Storage Operator: TP in 4.11 Generic Ephemeral Volumes: GA in 4.11 (to be added)

Persistent storage using FlexVolume: DEP

To be confirm vSphere 6.7 Update 2 or earlier: Virtual hardware version 13: VMware ESXi 6.7 Update 2 or earlier:

=========================== Update on Jun 16: Virtual hardware version 13 Removed vSphere 6.7 Update 2 or earlier Removed VMware ESXi 6.7 Update 2 or earlier Removed

vSphere 7.0 Update 1 or earlier Deprecated VMware ESXi 7.0 Update 1 or earlier Deprecated

cc @lpettyjo @gnufied @jsafrane

All of this is completed in the 4.11 RN - @lpettyjo

[kasturinarra]

Disconnected mirroring with the oc-mirror CLI plug-in should be set to GA in 4.11 cc: @jpower432

[sunzhaohua2]

Machine API part: Cluster API TP https://issues.redhat.com/browse/OCPCLOUD-1389 Enable AWS IMDSv2 https://issues.redhat.com/browse/OCPCLOUD-1436 Enable AWS EFA: https://issues.redhat.com/browse/OCPCLOUD-1353 Enable Azure UltraSSD: https://issues.redhat.com/browse/OCPCLOUD-1357 Enable GCP pd-balanced https://issues.redhat.com/browse/OCPCLOUD-1253

[@jeana-redhat] Covered in #48234, minus EFA (pushed to 4.12)

[xingxingxia]

Authentication part that need be added, CC @y4sht @stlaz : Upstream LegacyServiceAccountTokenNoAutoGeneration is enabled in 4.11 (more details here) https://github.com/openshift/openshift-controller-manager/pull/223 which may impact dockercfg secrets possibly needs be documented (@stlaz could you confirm whether it will complete in 4.11) Feature AUTH-6 Feature AUTH-133 about PSa enabled, PSa autolabeling, new SCCs added, upgraded cluster keeps "scc/restricted" to "system:authenticated" while fresh cluster doesn't, et al (this epic is still on going) New command: oc create token (comes from upstream kubectl, though) may be documented?

[xiaojiey]

For compliance operator,

1. FedRAMP High profiles is ready: Feature: https://issues.redhat.com/browse/CMP-1130
2. On nutanix cluster, due to nutanix csi driver limitation, the raw result could only be stored to worker node. Bug id: https://bugzilla.redhat.com/show_bug.cgi?id=2099287

[wangke19]

For apiserver part, Update Control Plane Kubernetes Version to 1.24, Feaure API-1377. More information can be found in the following changelogs: 1.24.0

[simonpasquier]

For monitoring

https://issues.redhat.com/browse/MON-2168: Make Alertmanager configuration for user defined monitoring generally available https://issues.redhat.com/browse/MON-2193: Size-based retention for Prometheus https://issues.redhat.com/browse/MON-2194: Federation service for user-defined monitoring https://issues.redhat.com/browse/MON-2384: Double scrape interval for Single Node OpenShift https://issues.redhat.com/browse/MON-1591: Grafana removal https://issues.redhat.com/browse/MON-2160: Support additional authentication methods for remote write https://issues.redhat.com/browse/MON-1985: Allow admin users to create new alerting rules based on platform metrics (TP)

cc @bburt-rh

[kasturinarra]

For oc:

Can we have this added as a release note so that customers are clear ? Use of v1 without a group in apiVersion for OpenShift Container Platform resources have been removed in 4.11 and users trying to create any resources with out group will run into issues.

cc: @soltysh could you please help confirm ?

[juzhao]

https://issues.redhat.com/browse/MON-1591: Grafana removal

for monitoring, also https://issues.redhat.com/browse/MON-1961 Remove Prometheus UI https://issues.redhat.com/browse/MON-2196 Improve Query Browser UX (maybe this does not need to add to doc) cc @bburt-rh

[lihongyan1]

For monitoring also MON-1913 Expose field in CMO configmap to configure the retention period of Thanos Ruler cc @bburt-rh

[stlaz]

Authentication part that need be added, CC @y4sht @stlaz : Upstream LegacyServiceAccountTokenNoAutoGeneration is enabled in 4.11 (more details here) openshift/openshift-controller-manager#223 which may impact dockercfg secrets possibly needs be documented (@stlaz could you confirm whether it will complete in 4.11)

this PR is not going to merge in 4.11

Feature AUTH-6 Feature AUTH-133 about PSa enabled, PSa autolabeling, new SCCs added, upgraded cluster keeps "scc/restricted" to "system:authenticated" while fresh cluster doesn't, et al (this epic is still on going) New command: oc create token (comes from upstream kubectl, though) may be documented?

[chao007]

Storage: CSI Resize GA in 4.11 https://issues.redhat.com/browse/STOR-263 CSI GCP: Add parameters to VolumeSnapshotClass for disk image config CSI GCP: Enable volume clone.

[xiuwang]

Support to configure OCS storages as image registry storage backend: https://issues.redhat.com/browse/IR-87 Spread registry across multiple zones: https://issues.redhat.com/browse/IR-228 Add two prometheusrules and push them to telemeter server https://issues.redhat.com/browse/IR-167

[ahardin-rh]

I am opening a PR for this one, but commenting here for awareness and tracking:

As upstream Kubernetes moved the "LegacyServiceAccountTokenNoAutoGeneration" feature gate to beta and turned it on by default, OpenShift follows this security feature and ships with it turned on, too.

This feature removes automatic generation of Service Account token secrets, meaning that a Service Account no longer gets a token automatically generated upon its creation.

However, OpenShift Controller Manager still requires Service Account tokens to appear in secrets in order to function properly, and it will continue to request these tokens in secrets in OpenShift 4.11. This behavior will be fixed in 4.12 to properly use the TokenRequest API instead.

This effectively means that Service Account token secrets will still appear as autogenerated in OpenShift 4.11, although instead of 2 secrets per Service Account, there will now be only one, which will be further reduced to zero in 4.12. Note that dockercfg secrets will still be generated as secrets in 4.12 and no secrets are getting deleted during upgrades.

per Stanislav Láznička and Eric Rich.

docs PR: https://github.com/openshift/openshift-docs/pull/47056

[sheriff-rh]

For compliance operator,

1. FedRAMP High profiles is ready: Feature: issues.redhat.com/browse/CMP-1130

2. On nutanix cluster, due to nutanix csi driver limitation, the raw result could only be stored to worker node. Bug id: bugzilla.redhat.com/show_bug.cgi?id=2099287

I have created a pull request for your review @xiaojiey https://github.com/openshift/openshift-docs/pull/47153

[gpei]

Hi, noticed we just added the "RHEL 9 support for oc" - https://github.com/openshift/openshift-docs/pull/47405 in the release note, could we also add a note about the RHEL-9 support for openshift-installer? That's also one of the OS coverage for openshift-installer in QE's 4.11 testing, thanks.

[Amrita42]

@jhou1 Yes I would be adding agent-based relevant content to the release notes

UPDATE agent-based installation content is not going for 4.11 but 4.12 docs.

[mffiedler]

We will need a "Known Issues" release note for https://bugzilla.redhat.com/show_bug.cgi?id=2084062 @qiliRedHat @tssurya Can you provide a short description of the limitation in the bz?

[qiliRedHat]

We will need a "Known Issues" release note for https://bugzilla.redhat.com/show_bug.cgi?id=2084062 @qiliRedHat @tssurya Can you provide a short description of the limitation in the bz?

@mffiedler Surya and I got agreement on the following description in https://bugzilla.redhat.com/show_bug.cgi?id=2084062#c63 Description in 4.11 Release Note: When an OVN cluster has more than 75 worker nodes, creating a large number(2000) of services and routes objects all at once (all together) could cause some pods that are created at the same time as these services to be stuck in 'ContainerCreating' status. Doing 'oc describe pod ', will show events with Warning 'FailedCreatePodSandBox...failed to configure pod interface: timed out waiting for OVS port binding (ovn-installed)'.

[ingvagabund]

oc CLI: https://bugzilla.redhat.com/show_bug.cgi?id=2097830: oc 4.11 built with go1.18 on MacOS does not function properly due to change in error handling of untrusted certificates in go1.18 libraries. Due to the change, oc login and other oc commands can fail with certificate is not trusted error without proceeding further when running on MacOS. Including inability to create/update/delete resources in a cluster. Until the error handling is properly fixed in go1.18 the recommended workaround is to use oc 4.10 instead of oc 4.11.

[@bergerhoffer update] Added via PR #48074 (merged)

[jianzhangbjz]

Hi, for OLM, I guess we should add the below two bugs as 4.11 known issues. I had included the doc team in the bug before. https://bugzilla.redhat.com/show_bug.cgi?id=2088541 https://bugzilla.redhat.com/show_bug.cgi?id=2076323

And, from 4.11 on, the default Catalog Index image is file-based, not SQL-based anymore.

registry.redhat.io/redhat/redhat-operator-index:v4.11
registry.redhat.io/redhat/redhat-marketplace-index:v4.11
registry.redhat.io/redhat/certified-operator-index:v4.11
registry.redhat.io/redhat/community-operator-index:v4.11

[simonpasquier]

@bburt-rh I think we need to add https://bugzilla.redhat.com/show_bug.cgi?id=2100860 as a known issue for user-defined alerting.

[sheriff-rh]

And, from 4.11 on, the default Catalog Index image is file-based, not SQL-based anymore.

Hi, I have created the "features and enhancements" portion of FBC for the release notes. Would you mind reviewing @jianzhangbjz ? https://github.com/openshift/openshift-docs/pull/48040

[rgormley]

Builds Shared Resources Driver for SharedSecrets and ConfigMaps - allow fine-grained access control for sensitive resources (including RHEL entitlements, etc.) with the principle of least privilege.

Jenkins Jenkins has been removed from the OCP payload and placed in the ocp-tools-4 repository to reduce image footprint and decouple Jenkins image releases from OpenShift.

[weliang1]

jboxman-rh, In https://docs.openshift.com/container-platform/4.11/networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.html, the correct command for step of To enable IPsec encryption is oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{ }}}}}'.

[rbbratta]

Automatic MTU migration is not supported on Hypershift OVN hosted clusters. https://bugzilla.redhat.com/show_bug.cgi?id=2097818.

A note could be added in: https://docs.openshift.com/container-platform/4.11/networking/changing-cluster-network-mtu.html

[weliang1]

We will need a "Known Issues" release note for https://bugzilla.redhat.com/show_bug.cgi?id=2096986 - IPsec runtime enablement doesn't migrate cluster network MTU Description of problem:We should change cluster network MTU 146 bytes lesser than machine MTU when ipsec runtime enablement is trigerred

[yingwang-0320]

We will need a "Known Issues" release note for https://bugzilla.redhat.com/show_bug.cgi?id=2097579 - create egressqos with wrong syntax/value rules success Description of problem: EgressQoS can not validate wrong format of destination CIDR in rules. Creating or editing egressqos with wrong syntax destination CIDRs can succeed.

[asood-rh]

We will need "Known Issues" release node for https://bugzilla.redhat.com/show_bug.cgi?id=2097701 MetaLLB: Validation unable to create BGPPeers with spec.peerASN Value in OCP 4.10

Description of the problem: Due to validation in place 4 byte ASN value for peerASN or myASN value cannot be provided for BGPPeer Custom Resource.

[jianli-wei]

Known issues on IPI on Alibabacloud with 4.11:

1. Bug 2096692 - [IPI on Alibabacloud] some resources (eni, security group, slb, oss bucket) are not put into the specified resource group
2. Bug 2102011 - [IPI on Alibabacloud] cluster operators "network" and "kube-apiserver" turned degraded after rebooting each node of the cluster
3. Bug 2100746 - [IPI on Alibabacloud] unexpected "User not authorized" on RemoveBackendServers from slb during destroying bootstrap resources
4. Bug 2056387 - [IPI on Alibabacloud][RHEL scaleup] new RHEL worker were not added into the backend of Ingress SLB automatically

@patrickdillon Please review and advise, thanks!

[duanwei33]

Known issue on Nutanix:

Bug 2108700 - [nutanix] persistent volumes created by a cluster are not cleaned up by destroy cluster

cc @gpei @sgaoshang

[xiuwang]

Known issue for image registry: 2111311 - Didn't redirect to backend client with GCP workload identity enabled

[huali9]

Known issue for cloud compute: Bug 2107999 - [GCP] capg-controller-manager report panic after creating machineset and machine stuck in Provisioning

[patrickdillon]

I have reviewed the doc text in the bugs for these known issues.

Known issues on IPI on Alibabacloud with 4.11:

1. Bug 2096692 - [IPI on Alibabacloud] some resources (eni, security group, slb, oss bucket) are not put into the specified resource group
2. Bug 2102011 - [IPI on Alibabacloud] cluster operators "network" and "kube-apiserver" turned degraded after rebooting each node of the cluster
3. Bug 2100746 - [IPI on Alibabacloud] unexpected "User not authorized" on RemoveBackendServers from slb during destroying bootstrap resources
4. Bug 2056387 - [IPI on Alibabacloud][RHEL scaleup] new RHEL worker were not added into the backend of Ingress SLB automatically

@patrickdillon Please review and advise, thanks!

this LGTM

[sergiordlr]

Hello, this bug https://bugzilla.redhat.com/show_bug.cgi?id=2096496 is reported in 4.11 release notes as a "know issue". But the bug has been fixed and verified for ocp 4.11.

We need to remove the bug from the known issues in 4.11 release notes, since it was already fixed.

Thank you!

[opayne1]

Known issue for image registry: 2111311 - Didn't redirect to backend client with GCP workload identity enabled

This BZ was closed. cc @xiuwang