×

OKD 4.17 introduces architectural changes and enhancements/ The procedures that you used to manage your OKD 3 cluster might not apply to OKD 4.

It is not possible to upgrade your existing OKD 3 cluster to OKD 4. You must start with a new OKD 4 installation. Tools are available to assist in migrating your control plane settings and application workloads.

Architecture

With OKD 3, administrators individually deployed Fedora hosts, and then installed OKD on top of these hosts to form a cluster. Administrators were responsible for properly configuring these hosts and performing updates.

OKD 4 represents a significant change in the way that OKD clusters are deployed and managed. OKD 4 includes new technologies and functionality, such as Operators, machine sets, and Fedora CoreOS (FCOS), which are core to the operation of the cluster. This technology shift enables clusters to self-manage some functions previously performed by administrators. This also ensures platform stability and consistency, and simplifies installation and scaling.

Beginning with OKD 4.13, FCOS now uses Fedora 9.2 packages. This enhancement enables the latest fixes and features as well as the latest hardware support and driver updates. For more information about how this upgrade to RHEL 9.2 might affect your options configuration and services as well as driver and container support, see the RHCOS now uses RHEL 9.2 in the OpenShift Container Platform 4.13 release notes.

For more information, see OpenShift Container Platform architecture.

Immutable infrastructure

OKD 4 uses Fedora CoreOS (FCOS), which is designed to run containerized applications, and provides efficient installation, Operator-based management, and simplified upgrades. FCOS is an immutable container host, rather than a customizable operating system like Fedora. FCOS enables OKD 4 to manage and automate the deployment of the underlying container host. FCOS is a part of OKD, which means that everything runs inside a container and is deployed using OKD.

In OKD 4, control plane nodes must run FCOS, ensuring that full-stack automation is maintained for the control plane. This makes rolling out updates and upgrades a much easier process than in OKD 3.

For more information, see Fedora CoreOS (FCOS).

Operators

Operators are a method of packaging, deploying, and managing a Kubernetes application. Operators ease the operational complexity of running another piece of software. They watch over your environment and use the current state to make decisions in real time. Advanced Operators are designed to upgrade and react to failures automatically.

For more information, see Understanding Operators.

Installation and upgrade

Installation process

To install OKD 3.11, you prepared your Fedora hosts, set all of the configuration values your cluster needed, and then ran an Ansible playbook to install and set up your cluster.

In OKD 4.17, you use the OpenShift installation program to create a minimum set of resources required for a cluster. After the cluster is running, you use Operators to further configure your cluster and to install new services. After first boot, Fedora CoreOS (FCOS) systems are managed by the Machine Config Operator (MCO) that runs in the OKD cluster.

For more information, see Installation process.

Infrastructure options

In OKD 3.11, you installed your cluster on infrastructure that you prepared and maintained. In addition to providing your own infrastructure, OKD 4 offers an option to deploy a cluster on infrastructure that the OKD installation program provisions and the cluster maintains.

Upgrading your cluster

In OKD 3.11, you upgraded your cluster by running Ansible playbooks. In OKD 4.17, the cluster manages its own updates, including updates to Fedora CoreOS (FCOS) on cluster nodes. You can easily upgrade your cluster by using the web console or by using the oc adm upgrade command from the OpenShift CLI and the Operators will automatically upgrade themselves. If your OKD 4.17 cluster has Fedora worker machines, then you will still need to run an Ansible playbook to upgrade those worker machines.

For more information, see Updating clusters.

Migration considerations

Review the changes and other considerations that might affect your transition from OKD 3.11 to OKD 4.

Storage considerations

Review the following storage changes to consider when transitioning from OKD 3.11 to OKD 4.17.

Local volume persistent storage

Local storage is only supported by using the Local Storage Operator in OKD 4.17. It is not supported to use the local provisioner method from OKD 3.11.

For more information, see Persistent storage using local volumes.

FlexVolume persistent storage

The FlexVolume plugin location changed from OKD 3.11. The new location in OKD 4.17 is /etc/kubernetes/kubelet-plugins/volume/exec. Attachable FlexVolume plugins are no longer supported.

For more information, see Persistent storage using FlexVolume.

Container Storage Interface (CSI) persistent storage

Persistent storage using the Container Storage Interface (CSI) was Technology Preview in OKD 3.11. OKD 4.17 ships with several CSI drivers. You can also install your own driver.

Red Hat OpenShift Data Foundation

OpenShift Container Storage 3, which is available for use with OKD 3.11, uses Red Hat Gluster Storage as the backing storage.

Red Hat OpenShift Data Foundation 4, which is available for use with OKD 4, uses Red Hat Ceph Storage as the backing storage.

Unsupported persistent storage options

Support for the following persistent storage options from OKD 3.11 has changed in OKD 4.17:

  • GlusterFS is no longer supported.

  • CephFS as a standalone product is no longer supported.

  • Ceph RBD as a standalone product is no longer supported.

If you used one of these in OKD 3.11, you must choose a different persistent storage option for full support in OKD 4.17.

For more information, see Understanding persistent storage.

Migration of in-tree volumes to CSI drivers

OKD 4 is migrating in-tree volume plugins to their Container Storage Interface (CSI) counterparts. In OKD 4.17, CSI drivers are the new default for the following in-tree volume types:

  • Amazon Web Services (AWS) Elastic Block Storage (EBS)

  • Azure Disk

  • Azure File

  • Google Cloud Platform Persistent Disk (GCP PD)

  • OpenStack Cinder

  • VMware vSphere

    As of OKD 4.13, VMware vSphere is not available by default. However, you can opt into VMware vSphere.

All aspects of volume lifecycle, such as creation, deletion, mounting, and unmounting, is handled by the CSI driver.

For more information, see CSI automatic migration.

Networking considerations

Review the following networking changes to consider when transitioning from OKD 3.11 to OKD 4.17.

Network isolation mode

The default network isolation mode for OKD 3.11 was ovs-subnet, though users frequently switched to use ovn-multitenant. The default network isolation mode for OKD 4.17 is controlled by a network policy.

If your OKD 3.11 cluster used the ovs-subnet or ovs-multitenant mode, it is recommended to switch to a network policy for your OKD 4.17 cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that ovs-multitenant does. If you want to maintain the ovs-multitenant behavior while using a network policy in OKD 4.17, follow the steps to configure multitenant isolation using network policy.

For more information, see About network policy.

OVN-Kubernetes as the default networking plugin in Red Hat OpenShift Networking

In OKD 3.11, OpenShift SDN was the default networking plugin in Red Hat OpenShift Networking. In OKD 4.17, OVN-Kubernetes is now the default networking plugin.

For more information on the removal of the OpenShift SDN network plugin and why it has been removed see OpenShiftSDN CNI removal in OCP 4.17.

For information on OVN-Kubernetes features that are similar to features in the OpenShift SDN plugin see:

You should install OKD 4 with the OVN-Kubernetes network plugin because it is not possible to upgrade a cluster to OKD 4.17 if it is using the OpenShift SDN network plugin.

Logging considerations

Review the following logging changes to consider when transitioning from OKD 3.11 to OKD 4.17.

Deploying OpenShift Logging

OKD 4 provides a simple deployment mechanism for OpenShift Logging, by using a Cluster Logging custom resource.

Aggregated logging data

You cannot transition your aggregate logging data from OKD 3.11 into your new OKD 4 cluster.

Unsupported logging configurations

Some logging configurations that were available in OKD 3.11 are no longer supported in OKD 4.17.

Security considerations

Review the following security changes to consider when transitioning from OKD 3.11 to OKD 4.17.

Unauthenticated access to discovery endpoints

In OKD 3.11, an unauthenticated user could access the discovery endpoints (for example, /api/* and /apis/*). For security reasons, unauthenticated access to the discovery endpoints is no longer allowed in OKD 4.17. If you do need to allow unauthenticated access, you can configure the RBAC settings as necessary; however, be sure to consider the security implications as this can expose internal cluster components to the external network.

Identity providers

Configuration for identity providers has changed for OKD 4, including the following notable changes:

  • The request header identity provider in OKD 4.17 requires mutual TLS, where in OKD 3.11 it did not.

  • The configuration of the OpenID Connect identity provider was simplified in OKD 4.17. It now obtains data, which previously had to specified in OKD 3.11, from the provider’s /.well-known/openid-configuration endpoint.

OAuth token storage format

Newly created OAuth HTTP bearer tokens no longer match the names of their OAuth access token objects. The object names are now a hash of the bearer token and are no longer sensitive. This reduces the risk of leaking sensitive information.

Default security context constraints

The restricted security context constraints (SCC) in OKD 4 can no longer be accessed by any authenticated user as the restricted SCC in OKD 3.11. The broad authenticated access is now granted to the restricted-v2 SCC, which is more restrictive than the old restricted SCC. The restricted SCC still exists; users that want to use it must be specifically given permissions to do it.

For more information, see Managing security context constraints.

Monitoring considerations

Review the following monitoring changes when transitioning from OKD 3.11 to OKD 4.17. You cannot migrate Hawkular configurations and metrics to Prometheus.

Alert for monitoring infrastructure availability

The default alert that triggers to ensure the availability of the monitoring structure was called DeadMansSwitch in OKD 3.11. This was renamed to Watchdog in OKD 4. If you had PagerDuty integration set up with this alert in OKD 3.11, you must set up the PagerDuty integration for the Watchdog alert in OKD 4.

For more information, see Applying custom Alertmanager configuration.