Skip to content

Latest commit

 

History

History
472 lines (359 loc) · 35.3 KB

2021-04-09.md

File metadata and controls

472 lines (359 loc) · 35.3 KB
Raw

This Week in Enhancements - 2021-04-09

Between holidays and other PTO, it has been a few weeks since we sent the newsletter. This week's update includes changes since 2021-03-19.

Enhancements for Release Priorities

Prioritized Merged Enhancements

<PR ID>: (activity this week / total activity) summary

There were 2 Prioritized Merged pull requests:

  • 574: (47/567) installer: First iteration of running the Assisted Installer in end-user clusters. (mhrivnak)

    The Assisted Installer currently runs as a SaaS on cloud.redhat.com, enabling users to deploy OpenShift clusters with certain customizations, particularly on bare metal hardware. It is necessary to bring those capabilities on-premise in users' "Hub" clusters by installing clusters via Multi-cluster management, such as through Hive and RHACM (Red Hat Advanced Cluster Management).

    This enhancement proposes to add the agent-based installation workflow to Hive.

  • 703: (285/285) general: management workload partitioning (dhellmann)

    This enhancement describes an approach to allow us to isolate the control plane services to run on a restricted set of CPUs. This will be especially useful for resource-constrained enviornments, such as single-node production deployments, where the user wants to reserve most of the CPU resources for their own workloads and needs to configure OpenShift to run on a fixed number of CPUs within the host.

    One example of this use case is seen in telecommunication service providers implementation of a Radio Access Network (RAN). This use case is discussed in more detail below.

Prioritized Closed Enhancements

<PR ID>: (activity this week / total activity) summary

There was 1 Prioritized Closed pull request:

  • 628: (1/142) general: automated resource request scaling (dhellmann)

Other Enhancements

Other Merged Enhancements

<PR ID>: (activity this week / total activity) summary

There were 26 Other Merged pull requests:

  • 549: (30/157) storage: Add proposal for CSI migration (bertinatto)

    We want to allow cluster administrators to seamlessly migrate volumes created using the in-tree storage plugin to their counterpart CSI drivers. It is important to achieve this goal before CSI Migration feature becomes GA in upstream. This also a requirement for supporting out-of-tree cloud providers

  • 590: (32/45) authentication: add 'Allowing URI Scheme in OIDC sub claims' (stlaz)

    Make the oauth-server capable of setting up identities for OIDC identity providers that use the URI scheme in the sub claim of their ID tokens.

  • 617: (3/125) network: [SDN-1364] Add Network Policy audit logging Enhancement (astoycos)

    The OVN-Kubernetes network type uses OVN to implement node overlay networks for Kubernetes. When OVN-Kubernetes is used as the network type for an Openshift cluster, OVN ACLs are used to implement Kubernetes' network policies (NetworkPolicy resources). ACL's can either allow or deny traffic by matching on packets with specific rules. Built into the OVN ACL feature is the ability to specify logging for each "allow" or "deny" rule. This enhancement will activate the OVN ACL feature logging and allow the customer to manipulate the logging level, rate, and namespaces in which it is used, thereby showing valuable realtime information involving network policies.

  • 657: (5/21) dns: Add managementState field to the DNS operator (rfredette)

    The current process for disabling the DNS operator is convoluted, requiring the cluster version operator (CVO) to be disabled as well. Several other operators also have this problem, and solve it by adding the field managementState to their API. managementState has 4 states, describing what is expected of the operator.

    The DNS operator should support the managementState field, and specifically the Managed and Unmanaged states to allow the cluster admin to disable the DNS operator when necessary.

  • 664: (9/21) ingress: Add proxy-protocol enhancement (Miciah)

    This enhancement extends the IngressController API to allow cluster administrators to configure IngressControllers that use the "HostNetwork" and "NodePortService" endpoint publishing strategies to use PROXY protocol.

  • 665: (7/14) ingress: Add power-of-two-random-choices enhancement (Miciah)

    This enhancement changes the default balancing algorithm to HAProxy's Power of Two Random Choices algorithm. In OpenShift 4.7, IngressControllers use the "Least Connections" balancing algorithm by default. The balancing algorithm can be configured on individual Routes using the haproxy.router.openshift.io/balance annotation. In OpenShift 4.8, the default is changed so that IngressControllers use the "Power of Two Random Choices" balancing algorithm by default. Using the Route annotation continues to be supported to configure individual routes. As an added safety measure, an UnsupportedConfigOverrides API field is added to the IngressController API, using which it is possible to revert an IngressController back to using "Least Connections".

  • 668: (8/68) console: Add Customize Project Access Roles proposal (jerolimov)

    Cluster admins want to give project admins only access to a customized list of predefined roles to force compliance rules or provide more options.

    The OpenShift Developer Console provides a simple way to share access to the currently selected project. This change will only affect the project page in the developer perspective. Users can be assigned here to specific roles on the project access tab. Currently only the roles "Admin", "Edit" and "View" are selectable.

  • 674: (37/118) authentication: Service CA Certificate Generation for StatefulSet Pods, first version (mtrmac)

    The Service CA-generated certificates for headless services include *.${service.name}.${service.namespace}.svc and *.${service.name}.${service.namespace}.svc.cluster.local as subjects, to allow TLS-protected connections to individual StatefulSet pods.

  • 677: (2/117) sandboxed-containers: sandboxed containers enhancement proposal (fidencio)

    Sandboxed containers will be integrated into OpenShift to provide the ability to run kernel isolated containers. Under the hood, the feature will rely on Kata Containers, an Open Source project working to provide a stronger workload isolation using hardware virtualization technologies as an additional layer of defense.

  • 679: (16/81) general: coreos-bootimage-streams: Standardized CoreOS bootimage metadata (cgwalters)

    Since the initial release of OpenShift 4, we have "pinned" RHCOS bootimage metadata inside openshift/installer. In combination with the binding between the installer and release image, this means that everything needed to install OpenShift (including the operating system "bootimages" such as e.g. AMIs and OpenStack .qcow2 files) are all captured behind the release image which we can test and ship as an atomic unit.

    We have a mechanism to do in place updates, but there is no automated mechanism to update "bootimages" past a cluster installation.

    This enhancement does not describe an automated mechanism to do this: the initial goal is to include this metadata in a standardized format in the cluster and at mirror.openshift.com so that UPI installations can do this manually, and we can start work on an IPI mechanism.

  • 680: (41/80) ingress: Ability to Customize HAProxy 2.x Error Page (miheer)

    There is no supported method to customize an IngressController's error pages in OCP 4. Users may want to customize an IngressController's error pages for branding or other reasons. For example, users may want a custom HTTP 503 error page to be returned if no pod is available. When the requested URI does not exist, users may want an IngressController to return a custom 404 page.

  • 686: (77/99) ingress: NE-530 ingress: global options to enable HSTS (candita)

    In 3.x and 4.x customers can provide a per-route annotation to enable HSTS. For customers with many routes or regulatory compliance issues, the manual per-route annotation is problematic.

    This enhancement extends the IngressController API to allow cluster administrators to enable HSTS globally, without having to add an annotation to each route.

  • 688: (12/60) monitoring: enhancements/monitoring: Describe single replica topology mode (simonpasquier)

    The Cluster Monitoring Operator (CMO) needs to respect the infrastructureTopology field newly added to the infrastructures.config.openshift.io CRD. Depending on the value, it should configure the monitoring operands for highly-available operations or not.

  • 689: (20/35) installer: Add Enhancement for Installing to Azure Stack Hub (patrickdillon)

    This enhancement covers adding support to install OpenShift clusters to Azure Stack Hub (ASH). Azure Stack Hub looks and feels like standard Azure, but differs significantly in terms of implemenetation and technical details. Azure Stack Hub shares characteristics from Azure cloud environments and on-prem platforms. This enhancement covers details for the Installer to create infrastructure and run an OpenShift cluster on ASH.

  • 694: (4/4) network: Amend egress router CNI controller (danielmellado)

    Egress traffic is traffic going from OpenShift pods to external systems, outside of OpenShift. There are a few options for enabling egress traffic, such as allow access to external systems from OpenShift physical node IPs, use EgressFirewall, EgressIPs or in our case, EgressRouter.

    In enterprise environments, egress routers are often preferred. They allow granular access from a specific pod, group of pods, or project to an external system or service. Access via node IP means all pods running on a given node can access external systems.

  • 697: (23/34) ingress: Add transition-ingress-from-beta-to-stable enhancement (Miciah)

    This enhancement updates the ingress-to-route controller to use the stable networking.k8s.io/v1 version of the Ingress API. Although the API server already supports the v1 API version without this enhancement, the ingress-to-route controller requires changes to transition from using the v1beta1 client to using the v1 client and to support new v1 features. These new features include the spec.pathType and spec.ingressClassType fields as well as the associated IngressClass API. This enhancement does not extend the Route API to accommodate new features in the Ingress API; these are only supported to the extent that they are compatible with the Route API.

  • 699: (10/14) cluster-logging: Updated for schema->index change (alanconway)

    This enhancement will allow structured JSON log entries to be forwarded as JSON objects in JSON output records.

  • 700: (16/16) storage: Add initial OEP for lso cleanup (gnufied)

    This enhancement proposes a mechanism that will allow PVs provisioned by local-storage-operator(LSO) to be deleted and corresponding symlinks to be removed from the node when LocalVolume or LocalVolumeSet objects are deleted.

  • 708: (27/27) ingress: Ingress: HAProxy thread tuning (rfredette)

    This proposal is to allow the cluster administrator to configure the number of connection handling threads within ingress controller pods.

  • 715: (32/32) console: proposal for disabled Quick Starts (nemesis09)

    OpenShift's Serverless team has proposed an idea to create a "Quick Starts" mechanism which introduces users to various ways of interacting with serverless in the Console. Quick Starts should be a mechanism we can use to vastly improve our customer's initial user experience on a empty cluster or with all various workflows.

    The goal of this proposal is to define a lightweight mechanism for OpenShift's Console component, to guide users thought various workflows, and help them understand the steps neccesary to get the desired outcome.

Other merged housekeeping and minor updates

  • 704: (2/2) network: Add enhancements/network/OWNERS (russellb)
  • 714: (3/3) general: README: clarify that new components require an enhancement (markmc)
  • 720: (2/2) housekeeping: Add staebler to OWNERS (patrickdillon)
  • 723: (3/3) oc: update replace dependencies step (sallyom)
  • 726: (4/4) general: management-workload-partitioning: update kubelet config file name (dhellmann)
  • 727: (2/2) general: management-workload-partitioning: add installer work to ga task list (dhellmann)

Other New Enhancements

<PR ID>: (activity this week / total activity) summary

There were 16 Other New pull requests:

  • 706: (56/56) api-review: apply user defined tags to all resources (gregsheremeta)

    This enhancement describes a proposal to allow an administrator of OpenShift to have the ability to apply user defined tags to all resources created by OpenShift in AWS.

    Note: this enhancement is slightly retroactive. Work has already begun on this.

  • 707: (12/12) installer: Add Enhancement for Installing to Alibaba Cloud (lemondlut)

    This enhancement covers adding support to install OpenShift clusters to Alibaba Cloud and details for the Installer to create infrastructure and run an OpenShift cluster on Alibaba Cloud.

  • 709: (62/62) installer: Add proposal for credentials management outside the openshift cluster for new platforms (akhil-rane)

    The intent of this enhancement is to take the process of credentials management outside the OpenShift cluster for new platforms. We propose to make manual mode as default for clusters on new platforms.

  • 710: (68/68) cluster-logging: New enhancment proposal: forward-to-Loki (alanconway)

    Add a new output type to the ClusterLogForwarder API to forward logs to a Loki instance. An important part of using Loki is choosing the right Loki labels to define log streams. We present a default set of Loki labels, and explain how the choice of labels affect performance and queries.

  • 711: (3/3) olm: add "fail open" risk/mitigation (njhale)

    OpenShift Cluster Admins introduce new services to their clusters by way of OLM Managed Operators. When performing a Minor OpenShift Upgrade, there is no guarantee that these operators will continue to run on the upgraded cluster version.

    Many operators shipped by Red Hat are rigorously tested on a specific set of OpenShift versions. The teams responsible for this testing know exactly which {major}.{minor} versions of OpenShift that their operators can run on. OLM should allow Operator Authors to specify the maximum {major}.{minor} version of OpenShift that their operator may run on.

    With this information OLM should:

    • Prevent Minor OpenShift Upgrades when it is possible to determine that one or more installed operators will not run on the next minor OpenShift version.
    • Prevent the operator from being installed on OpenShift clusters whose version is greater than the maxOpenShiftVersion specified by the operator.

  • 712: (136/136) cluster-logging: [cluster-logging] Add proposal for loki as an alternative log store (periklis)

    The purpose of this is to provide an alternative low-retention log store based on Loki for the cluster logging stack. This aims to provide a cloud-native first solution specialized in storing logs and in turn lessen the operational cost running cluster logging.

  • 716: (29/29) machine-config: Create pre-assigning-nodes-to-machine-config-pools-4-8.md (beekhof)

    In telco bare-metal environments, there is a need to have Nodes be provisioned with a known Machine Config Pool.

    The traditional flow is for Nodes to come up as workers and be moved to the desired pool after provisioning, however this consumes a significant portion of the maintenance window in bare-metal environments.

  • 717: (1/1) machine-config: Create pre-assigning-nodes-to-machine-config-pools.md (beekhof)

    In telco bare-metal environments, there is a need to have Nodes be provisioned with a known Machine Config Pool.

    The traditional flow is for Nodes to come up as workers and be moved to the desired pool after provisioning, however this consumes a significant portion of the maintenance window in bare-metal environments.

  • 718: (43/43) general: Introduce HA conventions for platform components (ravisantoshgudimetla)

    This PR introduces HA conventions for platform specific operators/operands

    cc @smarterclayton

  • 719: (2/2) installer: Create change-ocp-install-config-values-after-install-completes (hhockett)

    Today an OpenShift cluster needs to be installed using networking and DNS configuration where it will permanently reside.

    There are scenarios where you may want to install OpenShift plus a set of software on a system in one location, and then move the system to another location. This would also involve modifying the OpenShift configuration after it has been moved to another location where there are different networking and DNS values.

    This enhancement describes how to allow an OpenShift cluster to be modified to a different set of networking and DNS values.

  • 721: (11/11) network: metallb: Use CNO as the integration point (russellb)

    We do not currently support full automation for Services of type=LoadBalancer (Service Load Balancers, or SLBs) for OpenShift in bare metal environments. While bare metal clusters are of primary interest, we hope to find a solution that would apply to other on-premise environments that don’t have native load balancer capabilities available (a cluster on VMware, RHV, or OpenStack without Octavia, for example).

  • 722: (6/6) multi-arch: Add "Build OKD for ppc64le" proposal (mjturek)

    Currently OKD only provides builds for x86_64 based systems. This enhancement is a proposal to build and publish OKD for ppc64le hardware alongside the x86_64 builds. In this proposal, how, when, and where these builds will happen will be detailed.

  • 724: (6/6) console: Update internationalization enhancement for how to handle login template translation strings (sg00dwin)

    Our goal is to add internationalization to OpenShift's front-end (with some constraints) in order to improve the user experience for a wider range of customers worldwide. OpenShift does not currently have this functionality. We have created a POC using the react-i18next framework, which allows for the marking and translation of strings in the application, and moment.js for localizing dates and times. We have also added a plugin, i18next-pseudo, that generates pseudotranslations, and have connected with the Red Hat globalization team for early-stage testing and to learn more about the translation process used for other products at Red Hat. We want to implement localization more widely in the console.

  • 725: (2/2) distributed-tracing: WIP distributed tracing doc (sallyom)

    This document is an overview of distributed tracing and how it benefits a distributed system with microservices such as OpenShift. Also, this document provides information necessary to configure distributed tracing in an OpenShift deployment with a vendor-agnostic collector capable of exporting telemetry data to any back-end analysis tool. Some open-source back-ends for OpenTelemetry data are Jaeger, Prometheus, and Zipkin. Here is a list of vendors that currently support OpenTelemetry.

    Distributed tracing has the ability to quickly detect and diagnose problems as well as improve performance of distributed systems and microservices. By definition, distributed tracing tracks and observes service requests as they flow through a system by collecting data as requests go from one service to another. It's possible, then, to pinpoint bugs and bottlenecks or other issues that can impact overall system performance. Simply put, tracing provides the story of an end-to-end request that is difficult to get otherwise.

    OpenTelemetry supports a wire protocol OTLP over gRPC. OTLP is a request/response protocol. OTLP is used to send data to an OpenTelemetry Collector that can be configured to forward and export data to any data analysis tool that supports OpenTelemetry.

Other new housekeeping and minor updates

  • 713: (2/2) ingress: Ingress: Post-implementation fixups for a couple of EPs (sgreene570)
  • 728: (2/2) general: management-workload-partitioning: fix typo in annotation name (dhellmann)

Other Active Enhancements

<PR ID>: (activity this week / total activity) summary

There were 24 Other Active pull requests:

  • 669: (45/46) console: Add Customize Add Page proposal (jerolimov)
  • 701: (40/43) monitoring: metrics scraping with local authentication and authorization (deads2k)
  • 635: (30/54) manifestlist: IR-57: API changes for manifest list support (ricardomaraschini)
  • 551: (20/51) machine-api: Propose to backport the "external remediation template" feature (slintes)
  • 613: (16/18) network: NetworkPolicies for System Namespaces (danwinship)
  • 661: (15/118) operator-framework-api: New OpenshiftCatalogueValidator (camilamacedo86)
  • 637: (15/267) monitoring: Add: Alerting Standards (michaelgugino)
  • 687: (14/82) storage: Add AWS EFS CSI driver operator (jsafrane)
  • 683: (14/24) insights: Insights Operator pulling and exposing data from the OCM API (tremes)
  • 475: (13/20) general: enhancements/update/update-blocker-lifecycle: Propose a new enhancement (wking)
  • 137: (13/299) general: CLI in-cluster management (sallyom)
  • 647: (12/59) windows-containers: WINC-544: Enhancement proposal for monitoring Windows Nodes (VaishnaviHire)
  • 673: (12/42) machine-api: short-circuiting-backoff (mshitrit)
  • 663: (12/22) dns: Add configurable-dns-pod-placement enhancement (Miciah)
  • 522: (11/38) olm: Update OLM managed operator metrics enhancement (awgreene)
  • 660: (8/19) cluster-logging: Flow control API enhancements, first draft. (alanconway)
  • 492: (3/48) rhcos: add rhcos-inject enhancement (crawford)
  • 302: (2/29) kube-apiserver: [thought-experiment] single-node cluster static pod creation (deads2k)
  • 462: (2/37) ingress: Add client-tls enhancement (Miciah)
  • 642: (1/48) kubelet: Auto Node Sizing (harche)
  • 443: (1/96) machine-config: Support a provisioning token for the Machine Config Server (cgwalters)
  • 426: (1/125) general: enhancements/update/targeted-update-edge-blocking: Propose a new enhancement (wking)
  • 417: (1/116) installer: Add enhancement: IPI kubevirt provider (ravidbro)
  • 265: (1/139) general: Signal cluster deletion (abutcher)

Other Closed Enhancements

<PR ID>: (activity this week / total activity) summary

There were 2 Other Closed pull requests:

  • 411: (2/64) installer: run the Assisted Installer on-premise as opposed to utilizing a cloud service (mhrivnak)
  • 525: (3/9) machine-config: Add FCCT support in MC proposal (LorbusChris)

Old (labeled as stale, but discussion in last 21 days) Enhancements

<PR ID>: (activity this week / total activity) summary

There were 5 Old (labeled as stale, but discussion in last 21 days) pull requests:

  • 255: (1/109) monitoring: add restart metrics enhancement (rphillips)
  • 361: (1/110) baremetal: Minimise Baremetal footprint, live-iso bootstrap (hardys)
  • 468: (4/52) machine-api: Add dedicated instances proposal (alexander-demichev)
  • 486: (1/72) local-storage: Adds proposal for auto partitioning in LSO (rohan47)
  • 566: (1/45) general: Separating provider-specific code in the installer (janoszen)

Other lifecycle/stale Enhancements

<PR ID>: (activity this week / total activity) summary

There were 3 Other lifecycle/stale pull requests:

  • 201: (0/81) general: bootimages: Downloading and updating bootimages via release image (cgwalters)
  • 477: (0/42) update: enhancements/update/manifest-install-levels: Propose a new enhancement (wking)
  • 554: (0/8) general: conventions: Clarify when workload disruption is allowed (smarterclayton)

Idle (no comments for at least 21 days) Enhancements

<PR ID>: (activity this week / total activity) summary

There were 47 Idle (no comments for at least 21 days) pull requests:

  • 124: (0/75) update: enhancements/update/automatic-updates: Propose a new enhancement (wking)
  • 146: (0/213) installer: openstack: Add Baremetal Compute Nodes RFE (pierreprinetti)
  • 174: (0/58) builds: first draft of configmap/secret injection via volumes enhancement (bparees)
  • 292: (0/203) machine-api: Add Managing Control Plane machines proposal (enxebre)
  • 296: (0/181) network: Add ovs-hardware-offload enhancement (zshi-redhat)
  • 341: (0/80) maintenance: Machine-maintenance operator proposal (dofinn)
  • 343: (0/43) authentication: cluster-wide oauth-proxy settings (deads2k)
  • 346: (0/83) installer: Installer pre-flight validations (mandre)
  • 357: (0/225) accelerators: Supporting out-of-tree drivers on OpenShift (zvonkok)
  • 363: (0/201) cvo: Enhancement for adding upgrade preflight checks for operators (LalatenduMohanty)
  • 371: (0/15) ingress: Add forwarded-header-policy enhancement (Miciah)
  • 400: (0/18) general: OpenStack AZ Support (iamemilio)
  • 403: (0/16) authentication: webhook authentication: kubeconfig auth specification, 0-ttl cache (stlaz)
  • 406: (0/16) kube-apiserver: Add preliminary data section to network check enhancement. (sanchezl)
  • 415: (0/11) etcd: add backup config controller (hexfusion)
  • 427: (0/54) update: enhancements/update/phased-rollouts: Propose a new enhancement (wking)
  • 463: (0/574) machine-api: Describing steps to support out-of-tree providers (Danil-Grigorev)
  • 480: (0/86) etcd: enhancements/etcd: support assisted install (hexfusion)
  • 520: (0/13) network: Static IP Addresses from DHCP (cybertron)
  • 527: (0/74) installer: enhancement/installer: check OpenStack versions (EmilienM)
  • 531: (0/15) update: enhancements/update/channel-metadata: Distribute channel description strings (wking)
  • 538: (0/14) machine-api: update machine-api-usage-telemetry (elmiko)
  • 547: (0/36) baremetal: Propose BMC-less remediation enhancement (AKA poison pill) (n1r1)
  • 562: (0/149) security: Enhancing SCC to Gate Runtime Classes (haircommander)
  • 564: (0/18) cluster-logging: Allowing users to specify a delete policy based on amount of storage used within the ES cluster (ewolinetz)
  • 567: (0/106) machine-api: Added proposal for remediation history (slintes)
  • 571: (0/231) network: Cloud API component for egress IP (alexanderConstantinescu)
  • 575: (0/74) installer: Installer Enhacement Proposal: Manifests from STDIN (oglok)
  • 593: (0/131) general: Add proposal for hiding container mountpoints from systemd (lack)
  • 603: (0/53) network: Initial proposal of allow mtu and overlay port changes (juanluisvaladas)
  • 618: (0/14) network: Add more details about host port ownership (danwinship)
  • 623: (0/1) storage: Confirm Azure Disk names (huffmanca)
  • 624: (0/19) update: Add: upgrade-blocker-operator (michaelgugino)
  • 626: (0/38) machine-config: enhancements/machine-config: securing MCS (crawford)
  • 636: (0/57) kube-apiserver: API Removal Notifications (sanchezl)
  • 643: (0/64) update: Add Reduced Reboots enhancement (sdodson)
  • 650: (0/39) scheduling: Add ClusterOperator Scheduling (michaelgugino)
  • 652: (0/1) node: Enable cgroup v2 support (harche)
  • 654: (0/10) dns: ARO private DNS zone resource removal (jim-minter)
  • 666: (0/16) kube-apiserver: adding new userequest audit policy (EmilyM1)
  • 675: (0/2) operator-sdk: enhancements: Fix various links in the downstream operator-sdk proposal (timflannagan)
  • 676: (0/1) kube-apiserver: api compatibility (sanchezl)
  • 682: (0/31) alerting: alerting as a feature (dofinn)
  • 690: (0/3) api-review: Add mirror-by-digest-only to ImageContentSourcePolicy (QiWang19)
  • 691: (0/2) installer: OpenStack root volume AZs (Fedosin)
  • 693: (0/26) general: CONVENTIONS: Add section on limits (smarterclayton)
  • 695: (0/25) cluster-version-operator: move CVO upgrades doc to enhancements (deads2k)