<PR ID>: (activity this week / total activity) summary
There was 1 Prioritized Merged pull request:
-
565: (83/396) installer: single-node deployment with bootstrap-in-place (eranco74)
As we add support for new features such as single-node production deployment, we need a way to install such clusters without an extra node dependency for bootstrap.
This enhancement describes the flow for installing Single Node OpenShift using a liveCD that performs the bootstrap logic and reboots to become the single node.
<PR ID>: (activity this week / total activity) summary
There was 1 Prioritized New pull request:
-
628: (20/20) general: automated resource request scaling (dhellmann)
This enhancement describes an approach to allow us to scale the resource requests for the control plane services to reduce consumption for constrained environments. This will be especially useful for single-node production deployments, where the user wants to reserve most of the CPU resources for their own workloads and needs to configure OpenShift to run on a fixed number of CPUs within the host.
One example of this use case is seen in telecommunication service providers implementation of a Radio Access Network (RAN). This use case is discussed in more detail below.
<PR ID>: (activity this week / total activity) summary
There were 2 Prioritized Active pull requests:
-
585: (55/132) update: EUS Upgrades MVP (sdodson)
This enhancement outlines a set of cross platform improvements meant to ensure the safety of multiple back-to-back minor version upgrades associated with EUS to EUS upgrades. Additionally, we outline improvements applicable to all upgrades meant to reduce the duration of upgrades and workload disruption.
All of the work detailed herein is prerequisite to enabling upgrades which skip reboots. However where non-overlapping resources exist we can pursue reboot removal in parallel such as the Node team validating upstream's stated Kubelet version skew policies.
-
593: (2/32) general: Add proposal for hiding container mountpoints from systemd (lack)
The current implementation of Kubelet and CRI-O both use the top-level namespace for all container and Kubelet mountpoints. However, moving these container-specific mountpoints into a private namespace reduced systemd overhead with no difference in functionality.
<PR ID>: (activity this week / total activity) summary
There were 4 Other Merged pull requests:
-
540: (2/27) machine-config: Installer/MCO: store pointer ignition customizations in MachineConfig (hardys)
This enhancement proposes changing the way installer ignition customizations are stored, so that instead of storing the modified pointer ignition in a Secret we include the user changes in a MachineConfig, such that the MCO can manage it, and it is included in the MCO rendered config.
-
561: (2/36) network: Initial proposal of "allow-from-router" NetworkPolicy (danwinship)
Many users want to create NetworkPolicies that say, effectively, "allow traffic from routers". However, the router can run with one of several different "endpoint publishing strategies", which use the cluster network differently, and when using the
HostNetworkstrategy, the NetworkPolicy-relevant behavior also varies depending on the network plugin in use. This makes it impossible to create an "allow traffic from routers" policy that will work in any cluster. Indeed, in some cases, it is difficult to create such a policy even just for a single cluster, even when you know exactly how the cluster is configured. -
592: (45/154) olm: Safer Cluster Upgrades for OLM Managed Operators (awgreene)
OpenShift Cluster Admins introduce new services to their clusters by way of OLM Managed Operators. When performing a Minor OpenShift Upgrade, there is no guarantee that these operators will continue to run on the upgraded cluster version.
Many operators shipped by Red Hat are rigorously tested on a specific set of OpenShift versions. The teams responsible for this testing know exactly which
{major}.{minor}versions of OpenShift that their operators can run on. OLM should allow Operator Authors to specify the maximum{major}.{minor}version of OpenShift that their operator may run on.With this information OLM should:
- Prevent Minor OpenShift Upgrades when it is possible to determine that one or more installed operators will not run on the next minor OpenShift version.
- Prevent the operator from being installed on OpenShift clusters whose version is greater than the
maxOpenShiftVersionspecified by the operator.
-
627: (2/2) single-node: create single-node directory and move related enhancements into it (dhellmann)
<PR ID>: (activity this week / total activity) summary
There was 1 Other Closed pull request:
- 622: (3/3) general: sts-by-default proposal (joelddiaz)
<PR ID>: (activity this week / total activity) summary
There were 6 Other New pull requests:
-
617: (77/77) network: [SDN-1364] Add Network Policy audit logging Enhancement (astoycos)
The OVN-Kubernetes network type uses OVN to implement node overlay networks for Kubernetes. When OVN-Kubernetes is used as the network type for an Openshift cluster, OVN ACLs are the used to implement Kubernetes network policies (
NetworkPolicyresources). ACL's can either allow or deny traffic by matching on packets with specific rules. Built into the OVN ACL feature is the ability to specify logging for each "allow" or "deny" rule. This enhancement will activate the OVN ACL feature logging and allow the customer to manipulate the logging level, rate, and namespaces in which it is used, thereby showing valuable realtime information involving network policies. -
618: (7/7) network: Add more details about host port ownership (danwinship)
This clarifies our usage of host network ports on nodes.
-
623: (1/1) storage: Confirm Azure Disk names (huffmanca)
We want certain CSI drivers such as AWS, GCE, Cinder, Azure and vSphere to be installable on OpenShift, so as:
- They can be used along-side in-tree drivers and when upstream enables migration flag for these volume types, their replacement CSI drivers can take over and none of the storage features get affected.
- OpenShift provides native storage provided by underlying cloud out of the box after installation for the clouds that don't have in-tree volume plugins in Kubernetes.
-
624: (5/5) update: Add: upgrade-blocker-operator (michaelgugino)
Add an extensible API and associated operator to block upgrades.
-
625: (3/3) cluster-logging: Simplify JSON forwarding proposal (alanconway)
When applications write structured JSON logs, consumers want to access fields of JSON log entries for indexing and other purposes. The current logging [data model][data_model] stores the log entry as a JSON string, not a JSON object. Consumers can't access the log entry fields without a second JSON parse of this string.
This proposal will allow alternate structured forms of output record.
-
626: (9/9) machine-config: enhancements/machine-config: securing MCS (crawford)
The bootstrapping process for new cluster nodes is a tricky problem, primarily due to the fact that a new nodes start from a position of almost zero knowledge. These nodes need to fetch their machine configuration and authenticate themselves with the cluster before they can access most resources and have workloads scheduled. At the same time, a malicious actor pretending to be a new node cannot be allowed to join the cluster. Otherwise, they would be able to get access to sensitive resources and could have workloads and their secrets scheduled to them. Today, we protect against this by preventing cluster workloads from accessing the Machine Config Server, the component of the Machine Config Operator which is responsible for serving Ignition configs, derived from a set of Machine Configs, to new machines. This approach presents a problem though: workloads on OpenShift are not allowed to make use of TCP ports 22623 and 22624, the ports used by the Machine Config Server.
<PR ID>: (activity this week / total activity) summary
There were 19 Other Active pull requests:
- 576: (33/90) cluster-logging: Move ES cert management into Elasticsearch Operator (ewolinetz)
- 549: (21/34) storage: Add proposal for CSI migration (bertinatto)
- 571: (19/172) network: Cloud API component for egress IP (alexanderConstantinescu)
- 574: (17/237) installer: First iteration of running the Assisted Installer in end-user clusters. (mhrivnak)
- 406: (14/14) kube-apiserver: Add preliminary data section to network check enhancement. (sanchezl)
- 581: (12/19) network: Add network flows export support proposal (rcarrillocruz)
- 608: (12/23) windows-containers: WINC-482: Bring Your Own Windows Host design (aravindhp)
- 524: (12/203) network: New method for providing configurable self-hosted LB/DNS/VIP for on-prem (yboaron)
- 463: (7/200) machine-api: Describing steps to support out-of-tree providers (Danil-Grigorev)
- 603: (7/39) network: Initial proposal of allow mtu and overlay port changes (juanluisvaladas)
- 78: (7/39) general: Add "Build OKD-on-Fedora-CoreOS in Prow" proposal (LorbusChris)
- 403: (4/6) authentication: webhook authentication: kubeconfig auth specification, 0-ttl cache (stlaz)
- 520: (3/9) network: Static IP Addresses from DHCP (cybertron)
- 577: (3/57) ingress: describe one-stop-shopping for exposing customized routes (deads2k)
- 612: (2/2) cluster-logging: Simplify initial cloudwatch proposal based on feedback. (alanconway)
- 438: (2/19) ingress: Add ingress fault detection proposal (sgreene570)
- 489: (1/1) kube-apiserver: p2pnc: update (sanchezl)
- 177: (1/9) olm: Library for OLM operator-inspect functionality (shawn-hurley)
- 465: (1/17) insights: Insights operator up to date gathering (martinkunc)
<PR ID>: (activity this week / total activity) summary
There was 1 Revived (closed more than 7 days ago, but with new comments) pull request:
- 61: (2/33) platforms: oVirt IPI enhancement document (rgolangh)
<PR ID>: (activity this week / total activity) summary
There were 5 Other lifecycle/stale pull requests:
- 411: (0/28) installer: run the Assisted Installer on-premise as opposed to utilizing a cloud service (mhrivnak)
- 415: (1/3) etcd: add backup config controller (hexfusion)
- 447: (0/12) insights: Insights-gateway (iNecas)
- 483: (0/7) machine-api: Add proposal for API to automatically spread MachineSets across AZs. (dgoodwin)
- 497: (0/4) cloud-integration: Initial draft of Cloud Credentials Rotation. (dgoodwin)
<PR ID>: (activity this week / total activity) summary
There were 55 Idle (no comments for at least 7 days) pull requests:
- 124: (0/27) update: enhancements/update/automatic-updates: Propose a new enhancement (wking)
- 137: (0/106) general: CLI in-cluster management (sallyom)
- 146: (0/65) installer: openstack: Add Baremetal Compute Nodes RFE (pierreprinetti)
- 174: (0/23) builds: first draft of configmap/secret injection via volumes enhancement (bparees)
- 198: (0/6) kube-controller-manager: stability: add quota to all namespaces (deads2k)
- 201: (0/32) general: bootimages: Downloading and updating bootimages via release image (cgwalters)
- 255: (0/39) monitoring: add restart metrics enhancement (rphillips)
- 265: (0/57) general: Signal cluster deletion (abutcher)
- 292: (0/75) machine-api: Add Managing Control Plane machines proposal (enxebre)
- 296: (0/68) network: Add ovs-hardware-offload enhancement (zshi-redhat)
- 302: (0/11) kube-apiserver: [thought-experiment] single-node cluster static pod creation (deads2k)
- 327: (0/10) security: Add enhancement proposal for selinux-operator (JAORMX)
- 341: (0/30) maintenance: Machine-maintenance operator proposal (dofinn)
- 343: (0/15) authentication: cluster-wide oauth-proxy settings (deads2k)
- 346: (0/33) installer: Installer pre-flight validations (mandre)
- 357: (0/82) general: Supporting out-of-tree drivers on OpenShift (zvonkok)
- 361: (0/45) baremetal: Minimise Baremetal footprint, live-iso bootstrap (hardys)
- 363: (0/91) cvo: Enhancement for adding upgrade preflight checks for operators (LalatenduMohanty)
- 371: (0/5) ingress: Add forwarded-header-policy enhancement (Miciah)
- 400: (0/4) general: OpenStack AZ Support (iamemilio)
- 416: (0/30) installer: draft of install CA management proposal (bparees)
- 417: (0/40) installer: Add enhancement: IPI kubevirt provider (ravidbro)
- 426: (0/50) general: enhancements/update/targeted-update-edge-blocking: Propose a new enhancement (wking)
- 427: (0/22) update: enhancements/update/phased-rollouts: Propose a new enhancement (wking)
- 440: (0/23) installer: Create single node control plane based on installer bootstrap (eranco74)
- 443: (0/26) machine-config: Support a provisioning token for the Machine Config Server (cgwalters)
- 449: (0/0) ingress: Add Tunable Router Buffer Sizes EP (sgreene570)
- 456: (0/1) ingress: Adds ExternalDNS Operator Enhancement Proposal (danehans)
- 458: (0/4) network: Whereabouts IPAM CNI Sticky IP Addresses Enhancement (dougbtv)
- 460: (0/3) ingress: Add empty-requests-policy enhancement (Miciah)
- 461: (0/0) ingress: Add aws-elb-idle-timeout enhancement (Miciah)
- 462: (0/16) ingress: Add client-tls enhancement (Miciah)
- 468: (0/13) machine-api: Add dedicated instances proposal (alexander-demichev)
- 473: (0/77) network: Enable IPsec support in OVNKubernetes (markdgray)
- 475: (0/1) general: enhancements/update/update-blocker-lifecycle: Propose a new enhancement (wking)
- 477: (0/16) update: enhancements/update/manifest-install-levels: Propose a new enhancement (wking)
- 480: (0/41) etcd: enhancements/etcd: support assisted install (hexfusion)
- 486: (0/21) local-storage: Adds proposal for auto partitioning in LSO (rohan47)
- 492: (0/13) rhcos: add rhcos-inject enhancement (crawford)
- 522: (0/6) olm: Update OLM managed operator metrics enhancement (awgreene)
- 525: (0/0) machine-config: Add FCCT support in MC proposal (LorbusChris)
- 527: (0/20) installer: enhancement/installer: check OpenStack versions (EmilienM)
- 531: (0/6) update: enhancements/update/channel-metadata: Distribute channel description strings (wking)
- 538: (0/1) machine-api: update machine-api-usage-telemetry (elmiko)
- 545: (0/0) network: Add BGP design section (markdgray)
- 547: (0/12) baremetal: Propose BMC-less remediation enhancement (AKA poison pill) (n1r1)
- 551: (0/9) machine-api: Propose to backport the "external remediation template" feature (slintes)
- 554: (0/2) general: conventions: Clarify when workload disruption is allowed (smarterclayton)
- 562: (0/69) security: Enhancing SCC to Gate Runtime Classes (haircommander)
- 564: (0/6) cluster-logging: Allowing users to specify a delete policy based on amount of storage used within the ES cluster (ewolinetz)
- 566: (0/17) general: Separating provider-specific code in the installer (janoszen)
- 567: (0/19) machine-api: Added proposal for remediation history (slintes)
- 575: (0/19) installer: Installer Enhacement Proposal: Manifests from STDIN (oglok)
- 590: (0/0) authentication: add 'Allowing URI Scheme in OIDC sub claims' (stlaz)
- 613: (0/0) network: NetworkPolicies for System Namespaces (danwinship)