2021-04-23.md

This Week in Enhancements - 2021-04-23

I manually added the priority/important-soon label to a few pull requests this week, but may not have caught all of them. If you are the author or reviewer of a pull request that is related to a 4.9 release priority, please make use the /priority important-soon command on the PR to label it so the newsletter tool sorts it into the right section.

Enhancements for Release Priorities

Prioritized New Enhancements

<PR ID>: (activity this week / total activity) summary

There was 1 Prioritized New Enhancement:

• 744: (3/3) general: External control plane topology (csrwng)

  External control plane support was introduced in OCP 4 with the support for the IBM Cloud Managed service (ROKS). At the time, this was the only platform that was run with an external control plane. It was sufficient to use a platform type of IBMCloud to distinguish it from other OCP installations with traditional control plane topology.

  More recently, an orthogonal field was added to the Infrastructure resource to indicate the type of control plane topology. Current supported values for the controlPlaneTopology field are HighlyAvailable and SingleReplica.

  This enhancement proposes adding a third possible value to the control plane topology field: External. A value of External in this field indicates that control plane components such as Kube API server, Kube Controller Manager, and Kube Scheduler are running outside the cluster and are not visible as pods inside the cluster.

Prioritized New Updates

<PR ID>: (activity this week / total activity) summary

There were 2 Prioritized New Updates:

• 741: (27/27) general: workload-partitioning: update cri-o annotation handling (dhellmann)

• 743: (17/17) general: workload-partitioning: describe warning annotation (dhellmann)

Other Enhancements

Other Merged Enhancements

<PR ID>: (activity this week / total activity) summary

There were 2 Other Merged pull requests:

• 551: (5/57) machine-api: Propose to backport the "external remediation template" feature (slintes)

  By using MachineHealthChecks a cluster admin can configure automatic remediation of unhealthy machines and nodes. The machine healthcheck controller's remediation strategy is deleting the machine, and letting the cloud provider create a new one. This isn't the best remediation strategy in all environments.

  There is already a mechanism to provide an alternative, external remediation strategy, by adding an annotation to the MachineHealthCheck and then to Machines. However, this is isn't very maintainable and diverges from upstream.

  With this enhancement we propose a better, future-proof mechanism, that aligns us with the mechanism implemented upstream. This proposal is a backport of parts of the upstream machine healthcheck proposal [0], which also is already implemented [1].

  • [0] upstream machine healthcheck proposal
  • [1] upstream machine healthcheck implementation

Other Merged Updates

• 739: (9/9) general: management-workload-partitioning: improve namespacing in annotation names (dhellmann)

Other New Enhancements

<PR ID>: (activity this week / total activity) summary

There were 9 Other New pull requests:

• 736: (5/5) installer: Add enhancement - PowerVS IPI provider (jaypoulz)

  This document describes how [PowerVS][powervs-website] becomes an infra provider for OpenShift. PowerVS is a cloud offering by IBM that aims to provid customers interested in running secure and flexible workloads on IBM Power (ppc64le) hardware without having to develop and maintain an on premise datacenter. The goal of this enhancement would be to leverage the PowerVS APIs to deploy an OpenShift cluster on this cloud environment. In addition, the APIs would be leveraged for cluster resizing operations post installation.

• 737: (1/1) update: enhancements/update/targeted-update-edge-blocking: Client-side platform parameter (wking)

  This enhancement proposes a mechanism for blocking edges for the subset of clusters considered vulnerable to known issues with a particular update or target release.

  I still prefer the flexibility of a PromQL approach (#426). But that is a bigger update-service shift, and I haven't been able to convince folks it's worth doing, and maybe they're right and it is overkill. This alternative proposal guesses that "platform" will help with targeting most of our target-able blockers, and be quicker to implement. Historically, it would have been helpful in scoping down:

  • rhbz#1809296 in 4.3, affecting GCP clusters.
  • rhbz#1858026 in 4.5, affecting born-in-4.1 None clusters.
  • rhbz#1904582 in 4.6, affecting born-in-4.1 AWS clusters.
  • rhbz#1935539 and rhbz#1942207 in 4.7, affecting vSphere clusters.

• 738: (79/79) network: Installing OCP on ARM-Based Smart NICs (danwinship)

  As servers have greater and greater networking needs, hardware vendors have created increasingly more complex and powerful network cards. The latest iteration of this is "Smart NICs" that include an entire ARM system running Linux on the NIC. With such a NIC, we can offload nearly all network processing from the host computer onto the NIC "DPU" (Data Processing Unit), freeing up host CPU resources for customer workloads (and allowing faster data transfer by ensuring the network stack doesn't need to compete for CPU with the customer workload).

  However, doing this requires installing and managing an appropriate software stack on all of the NICs in the cluster. This software will need to be kept in sync with the software on the host PC (eg, as new functionality is added to OCP). The obvious answer to this problem is to run OpenShift on the NIC as well as on the host.

  The initial target of this work is the NVIDIA BlueField-2 DPU. However, similar products are being worked on by other vendors which we will eventually want to support, so the solution should not be too specialized to this one product.

• 742: (38/38) cluster-scope-secret-volumes: Update projected resource CSI driver proposal (adambkaplan)

  This proposal will describe a CSI driver based means for OpenShift cluster administrators to share Secrets / ConfigMaps defined in one namespace with other namespaces.

  Any owners/authors/users of Pods in those namespaces can opt into the consumption of the content of those shared Secrets / ConfigMaps during their Pod's execution.

• 745: (65/65) security: Security Profiles Operator integration in OpenShift (JAORMX)

  Let's integrate the Security Profiles Operator as part of the OpenShift platform in order to allow folks to:

  • Easily install security profiles to secure their workloads (both SELinux and Seccomp)

  • Manage the lifecycle of the aforementioned profiles (make sure that they get attached to the appropriate container as upgrades happen)

  • Enable users to automatically generate profiles for their workloads

  • Provide predefined profiles for existing default workloads in OpenShift

• 746: (2/2) update: Add RFE for unordered OCP versions label (bentito)

  As part of an Operator's bundle definition it may specify the OpenShift version, or versions, it supports. The label, com.redhat.openshift.versions allows for this specification. Currently, this may be enforced at several points in the build pipeline (pyxis, IIB). This enhancement seeks to specify that bundle authors may list versions v4.5 or v4.6 in either order if providing a list of supported OpenShift versions. This enhancement also seeks to sunset this behavior, by only allowing these two specific versions as a list. Going forward, authors would specify a single version, or range, of OpenShift the bundle is supported on. There would no longer be a comma separated list allowed.

• 747: (12/12) network: Add Kubernetes nmstate operator to CVO (yboaron)

  Add the Kubernetes NMState Operator to CVO.

  Currently, there are multiple methods of installing Kubernetes NMState into a cluster:

  • CNV uses a custom operator - CNAO that installs Kubernetes NMstate, among other network related items. The CNAO is deployed using Hyperconverged Cluster Operator - HCO. To deploy Kubernetes NMstate it needs to deploy HCO --> CNAO --> Kubernetes NMstate
  • A new operator has been developed specifically to install Kubernetes NMstate using OLM.

  It is desirable for this to converge.

  Adding the Kubernetes NMstate as part of the CVO will allow for convenient and non-cumbersome use, which will also allow for uniformity between the various platforms (CNV, IPI-Baremetal).

• 748: (4/4) cluster-logging: New proposal: Forwarder output parameter templates (alanconway)

  The ClusterLogForwarder.Outputs API can already set some output parameters from log record fields.

  This proposal allows multiple record fields to be combined into an output value.

• 749: (10/10) ingress: NE-310 Enhancement proposal for HSTS route admission plugin (candita)

  In 3.x and 4.x customers can provide a per-route annotation to enable HSTS. For customers with many routes or regulatory compliance issues, the manual per-route annotation is seen as sub-optimal.

  This enhancement extends the Ingress.config.openshift.io API and adds a new route admission controller to the OpenShift API server which together allow cluster administrators to enforce HSTS globally. This enhancement also provides a recommendation for batch route annotation configuration.

Other Active Enhancements

<PR ID>: (activity this week / total activity) summary

There were 12 Other Active pull requests:

• 733: (63/74) builds: build: Support Mounted Resource Volumes (adambkaplan)
• 732: (51/52) network: Add Smart NIC OVN offload enhancement (zshi-redhat)
• 724: (31/39) console: Update internationalization enhancement for how to handle login template translation strings (sg00dwin)
• 463: (11/601) machine-api: Describing steps to support out-of-tree providers (Danil-Grigorev)
• 709: (6/66) installer: Add proposal for credentials management outside the openshift cluster for new platforms (akhil-rane)
• 647: (4/62) windows-containers: WINC-544: Enhancement proposal for monitoring Windows Nodes (VaishnaviHire)
• 357: (4/229) general: Supporting out-of-tree drivers on OpenShift (zvonkok)
• 635: (2/56) manifestlist: IR-57: API changes for manifest list support (ricardomaraschini)
• 522: (2/40) olm: Update OLM managed operator metrics enhancement (awgreene)
• 637: (1/270) monitoring: Add: Alerting Standards (michaelgugino)
• 722: (1/7) multi-arch: Add "Build OKD for ppc64le" proposal (mjturek)
• 426: (1/126) general: enhancements/update/targeted-update-edge-blocking: Propose a new enhancement (wking)

Other Closed Enhancements

<PR ID>: (activity this week / total activity) summary

There were 6 Other Closed pull requests:

• 417: (2/118) installer: Add enhancement: IPI kubevirt provider (ravidbro)
• 527: (2/76) installer: enhancement/installer: check OpenStack versions (EmilienM)
• 716: (0/29) machine-config: Create pre-assigning-nodes-to-machine-config-pools-4-8.md (beekhof)
• 717: (1/2) machine-config: Create pre-assigning-nodes-to-machine-config-pools.md (beekhof)
• 719: (1/5) installer: Create change-ocp-install-config-values-after-install-completes (hhockett)
• 740: (8/8) general: workload-partitioning: change crio annotation name (dhellmann)

Revived (closed more than 7 days ago, but with new comments) Enhancements

<PR ID>: (activity this week / total activity) summary

There were 2 Revived (closed more than 7 days ago, but with new comments) pull requests:

• 484: (0/40) art: Flexibly-enforcing-product-build-constraints-in-ci (jupierce)
• 710: (0/74) cluster-logging: New enhancment proposal: forward-to-Loki (alanconway)

Other lifecycle/stale Enhancements

<PR ID>: (activity this week / total activity) summary

There were 5 Other lifecycle/stale pull requests:

• 255: (0/109) monitoring: add restart metrics enhancement (rphillips)
• 361: (0/110) baremetal: Minimise Baremetal footprint, live-iso bootstrap (hardys)
• 468: (0/52) machine-api: Add dedicated instances proposal (alexander-demichev)
• 486: (0/72) local-storage: Adds proposal for auto partitioning in LSO (rohan47)
• 566: (0/45) general: Separating provider-specific code in the installer (janoszen)

Idle (no comments for at least 7 days) Enhancements

<PR ID>: (activity this week / total activity) summary

There were 62 Idle (no comments for at least 7 days) pull requests:

• 124: (0/75) update: enhancements/update/automatic-updates: Propose a new enhancement (wking)
• 137: (0/299) general: CLI in-cluster management (sallyom)
• 146: (0/213) installer: openstack: Add Baremetal Compute Nodes RFE (pierreprinetti)
• 201: (0/83) general: bootimages: Downloading and updating bootimages via release image (cgwalters)
• 265: (0/139) general: Signal cluster deletion (abutcher)
• 292: (0/203) machine-api: Add Managing Control Plane machines proposal (enxebre)
• 302: (0/29) kube-apiserver: [thought-experiment] single-node cluster static pod creation (deads2k)
• 341: (0/80) maintenance: Machine-maintenance operator proposal (dofinn)
• 343: (0/43) authentication: cluster-wide oauth-proxy settings (deads2k)
• 346: (0/83) installer: Installer pre-flight validations (mandre)
• 363: (0/201) cvo: Enhancement for adding upgrade preflight checks for operators (LalatenduMohanty)
• 371: (0/15) ingress: Add forwarded-header-policy enhancement (Miciah)
• 400: (0/18) general: OpenStack AZ Support (iamemilio)
• 403: (0/16) authentication: webhook authentication: kubeconfig auth specification, 0-ttl cache (stlaz)
• 406: (0/16) kube-apiserver: Add preliminary data section to network check enhancement. (sanchezl)
• 427: (0/54) update: enhancements/update/phased-rollouts: Propose a new enhancement (wking)
• 443: (0/96) machine-config: Support a provisioning token for the Machine Config Server (cgwalters)
• 462: (0/56) ingress: Add client-tls enhancement (Miciah)
• 475: (0/20) general: enhancements/update/update-blocker-lifecycle: Propose a new enhancement (wking)
• 477: (0/43) update: enhancements/update/manifest-install-levels: Propose a new enhancement (wking)
• 492: (0/48) rhcos: add rhcos-inject enhancement (crawford)
• 520: (0/13) network: Static IP Addresses from DHCP (cybertron)
• 538: (0/14) machine-api: update machine-api-usage-telemetry (elmiko)
• 547: (0/38) baremetal: Propose BMC-less remediation enhancement (AKA poison pill) (n1r1)
• 554: (0/9) general: conventions: Clarify when workload disruption is allowed (smarterclayton)
• 562: (0/149) security: Enhancing SCC to Gate Runtime Classes (haircommander)
• 564: (0/18) cluster-logging: Allowing users to specify a delete policy based on amount of storage used within the ES cluster (ewolinetz)
• 567: (0/106) machine-api: Added proposal for remediation history (slintes)
• 571: (0/231) network: Cloud API component for egress IP (alexanderConstantinescu)
• 575: (0/74) installer: Installer Enhacement Proposal: Manifests from STDIN (oglok)
• 593: (0/131) general: Add proposal for hiding container mountpoints from systemd (lack)
• 613: (0/18) network: NetworkPolicies for System Namespaces (danwinship)
• 618: (0/15) network: Add more details about host port ownership (danwinship)
• 623: (0/1) storage: Confirm Azure Disk names (huffmanca)
• 624: (0/19) update: Add: upgrade-blocker-operator (michaelgugino)
• 626: (0/38) machine-config: enhancements/machine-config: securing MCS (crawford)
• 636: (0/59) kube-apiserver: API Removal Notifications (sanchezl)
• 642: (0/48) kubelet: Auto Node Sizing (harche)
• 643: (0/65) update: Add Reduced Reboots enhancement (sdodson)
• 650: (0/39) scheduling: Add ClusterOperator Scheduling (michaelgugino)
• 652: (0/1) node: Enable cgroup v2 support (harche)
• 654: (0/10) dns: ARO private DNS zone resource removal (jim-minter)
• 660: (0/19) cluster-logging: Flow control API enhancements, first draft. (alanconway)
• 661: (0/118) operator-framework-api: New OpenshiftCatalogueValidator (camilamacedo86)
• 666: (0/16) kube-apiserver: adding new userequest audit policy (EmilyM1)
• 673: (0/42) machine-api: short-circuiting-backoff (mshitrit)
• 676: (0/1) kube-apiserver: api compatibility (sanchezl)
• 682: (0/31) alerting: alerting as a feature (dofinn)
• 683: (0/24) insights: Insights Operator pulling and exposing data from the OCM API (tremes)
• 687: (0/82) storage: Add AWS EFS CSI driver operator (jsafrane)
• 690: (0/3) api-review: Add mirror-by-digest-only to ImageContentSourcePolicy (QiWang19)
• 691: (0/2) installer: OpenStack root volume AZs (Fedosin)
• 693: (0/26) general: CONVENTIONS: Add section on limits (smarterclayton)
• 695: (0/25) cluster-version-operator: move CVO upgrades doc to enhancements (deads2k)
• 701: (0/43) monitoring: metrics scraping with local authentication and authorization (deads2k)
• 706: (0/135) api-review: apply user defined tags to all resources (gregsheremeta)
• 707: (0/12) installer: Add Enhancement for Installing to Alibaba Cloud (lemondlut)
• 711: (0/3) olm: add "fail open" risk/mitigation (njhale)
• 712: (0/158) cluster-logging: [cluster-logging] Add proposal for loki as an alternative log store (periklis)
• 721: (0/14) network: metallb: Use CNO as the integration point (russellb)
• 725: (0/2) distributed-tracing: WIP distributed tracing doc (sallyom)
• 730: (0/7) network: mtu: ability to change running cluster's mtu setting (msherif1234)