The following release notes are for previous versions of the Windows Machine Config Operator (WMCO).
This release of the WMCO provides bug fixes for running Windows compute nodes in an OKD cluster. The components of the WMCO 10.16.0 were released in RHBA-2024:5014.
The WMCO is now supported in environments with disconnected networks, which is a cluster that is intentionally impeded from reaching the internet, also known as restricted or air-gapped clusters.
For more information, see Using Windows containers with a mirror registry.
The WMCO can now use both ImageDigestMirrorSet (IDMS) and ImageTagMirrorSet (ITMS) objects to pull images from mirrored registries.
For more information, see Understanding image registry repository mirroring
The Filesystem metrics are now available for Windows nodes in the Utilization tile of the Node details page in the OKD web console. You can query the metrics by running Prometheus Query Language (PromQL) queries. The charts previously reported No datapoints found.
The Network in and Network out charts are now available for Windows pods on the Pod details page in the OKD web console. You can query the metrics by running PromQL queries. The charts previously reported No datapoints found.
The CPU and memory usage metrics are now available for Windows pods on the Pods and Pod details pages in the OKD web console. You can query the metrics by running PromQL queries. The chart previously reported No datapoints found.
Because the WICD service account was missing a required secret, the WMCO was unable to properly configure Windows nodes in a Nutanix cluster. With this fix, the WMCO creates a long-lived token secret for the WICD service account. As a result, the WMCO is able to configure a Windows node on Nutanix. (OCPBUGS-22680)
Previously, the WMCO performed a sanitization step that incorrectly replaced commas with semicolons in a user’s cluster-wide proxy configuration. This behavior caused Windows to ignore the values set in the noProxy
environment variable. As a consequence, the WMCO incorrectly sent traffic through the proxy for the endpoints specified in the no-proxy
parameter. With this fix, the sanitization step that replaced commas with semicolons was removed. As a result, web requests from a Windows node to a cluster-internal endpoint or an endpoint that exists in the no-proxy
parameter do not go through the proxy. (OCPBUGS-24264)
Previously, because of bad logic in the networking configuration script, the WMCO was incorrectly reading carriage returns in the containderd CNI configuration file as changes, and identified the file as modified. This bahavior caused the CNI configuration to be unnecessarily reloaded, potentially resulting in container restarts and brief network outages. With this fix, the WMCO now reloads the CNI configuration only when the CNI configuration is actually modified. (OCPBUGS-2887)
Previously, because of routing issues present in Windows Server 2019, under certain conditions and after more than one hour of running time, workloads on Windows Server 2019 could have experienced packet loss when communicating with other containers in the cluster. This fix enables Direct Server Return (DSR) routing within kube-proxy. As a result, DSR now causes request and response traffic to use a different network path, circumventing the bug within Windows Server 2019. (OCPBUGS-26761)
Previously, the kubelet on Windows nodes was unable to authenticate with private Amazon Elastic Container Registries (ECR). Because of this error, the kubelet was not able to pull images from these registries. With this fix, the kubelet is able to pull images from these registries as expected. (OCPBUGS-26602)
Previously, on Azure clusters the WMCO would check if an external Cloud Controller Manager (CCM) was being used on the cluster. If a CCM was being used, the Operator would adjust configuration logic accordingly. Because the status condition that the WMCO used to check for the CCM was removed, the WMCO proceeded as if a CCM was not in use. This fix removes the check. As a result, the WMCO always configures the required logic on Azure clusters. (OCPBUGS-31626)
Previously, the WMCO logged error messages when a command that was run through an SSH connection to a Windows instance failed. This behavior was incorrect because some commands are expected to fail. For example, when the WMCO reboots a node, the Operator runs PowerShell commands on the instance until they fail, meaning the SSH connection rebooted as expected. With this fix, only actual errors are now logged. (OCPBUGS-20255)
Previously, after rotating the kube-apiserver-to-kubelet-client-ca
certificate, the contents of the kubetl-ca.crt
file on Windows nodes was not populated correctly. With this fix, after certificate rotation, the kubetl-ca.crt
file contains the correct certificates. (OCPBUGS-22237)
Previously, because of a missing DNS suffix in the kubelet host name on instances that are part of a Windows AD domain controller, the cloud provider failed to find VMs by name. With this fix, the DNS suffix is now included in the host name resolution. As a result, the WMCO is able to configure and join Windows instances that are part of AD domain controller. (OCPBUGS-34758)
Previously, registry certificates provided to the cluster by a user were not loaded into the Windows trust store on each node. As a consequence, image pulls from a mirror registry failed, because a self-signed CA is required. With this fix, registry certificates are loaded into the Windows trust store on each node. As a result, images can be pulled from mirror registries with self-signed CAs. (OCPBUGS-36408)
Previously, if there were multiple service account token secrets in the WMCO namespace, scaling Windows nodes would fail. With this fix, the WMCO uses only the secret it creates, ignoring any other service account token secrets in the WMCO namespace. As a result, Windows nodes scale properly. (OCPBUGS-37481)
Previously, if reverse DNS lookup failed due to an error, such as the reverse DNS lookup services being unavailable, the WMCO would not fall back to using the VM hostname to determine if a certificate signing requests (CSR) should be approved. As a consequence, Bring-Your-Own-Host (BYOH) Windows nodes configured with an IP address would not become available. With this fix, BYOH nodes are properly added if reverse DNS is not available. (OCPBUGS-36643)