Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 5. Preparing to update to OpenShift Container Platform 4.12
OpenShift Container Platform 4.12 uses Kubernetes 1.25, which removed several deprecated APIs.
A cluster administrator must provide a manual acknowledgment before the cluster can be updated from OpenShift Container Platform 4.11 to 4.12. This is to help prevent issues after upgrading to OpenShift Container Platform 4.12, where APIs that have been removed are still in use by workloads, tools, or other components running on or interacting with the cluster. Administrators must evaluate their cluster for any APIs in use that will be removed and migrate the affected components to use the appropriate new API version. After this evaluation and migration is complete, the administrator can provide the acknowledgment.
Before you can update your OpenShift Container Platform 4.11 cluster to 4.12, you must provide the administrator acknowledgment.
5.1. Removed Kubernetes APIs
OpenShift Container Platform 4.12 uses Kubernetes 1.25, which removed the following deprecated APIs. You must migrate manifests and API clients to use the appropriate API version. For more information about migrating removed APIs, see the Kubernetes documentation.
| Resource | Removed API | Migrate to | Notable changes |
|---|---|---|---|
|
|
|
| No |
|
|
|
| |
|
|
|
| |
|
|
|
| No |
|
|
|
| |
|
|
| ||
|
|
|
| No |
- For more information about pod security admission in OpenShift Container Platform, see Understanding and managing pod security admission.
5.2. Evaluating your cluster for removed APIs
There are several methods to help administrators identify where APIs that will be removed are in use. However, OpenShift Container Platform cannot identify all instances, especially workloads that are idle or external tools that are used. It is the responsibility of the administrator to properly evaluate all workloads and other integrations for instances of removed APIs.
5.2.1. Reviewing alerts to identify uses of removed APIs
Two alerts fire when an API is in use that will be removed in the next release:
-
- for APIs that will be removed in the next OpenShift Container Platform release.
APIRemovedInNextReleaseInUse -
- for APIs that will be removed in the next OpenShift Container Platform Extended Update Support (EUS) release.
APIRemovedInNextEUSReleaseInUse
If either of these alerts are firing in your cluster, review the alerts and take action to clear the alerts by migrating manifests and API clients to use the new API version.
Use the
APIRequestCountAPIRequestCount5.2.2. Using APIRequestCount to identify uses of removed APIs
You can use the
APIRequestCountPrerequisites
-
You must have access to the cluster as a user with the role.
cluster-admin
Procedure
Run the following command and examine the
column of the output to identify the removed APIs that are currently in use:REMOVEDINRELEASE$ oc get apirequestcountsExample output
NAME REMOVEDINRELEASE REQUESTSINCURRENTHOUR REQUESTSINLAST24H ... poddisruptionbudgets.v1.policy 391 8114 poddisruptionbudgets.v1beta1.policy 1.25 2 23 podmonitors.v1.monitoring.coreos.com 3 70 podnetworkconnectivitychecks.v1alpha1.controlplane.operator.openshift.io 612 11748 pods.v1 1531 38634 podsecuritypolicies.v1beta1.policy 1.25 3 39 podtemplates.v1 2 79 preprovisioningimages.v1alpha1.metal3.io 2 39 priorityclasses.v1.scheduling.k8s.io 12 248 prioritylevelconfigurations.v1beta1.flowcontrol.apiserver.k8s.io 1.26 3 86 ...ImportantYou can safely ignore the following entries that appear in the results:
-
The and the
system:serviceaccount:kube-system:generic-garbage-collectorusers might appear in the results because these services invoke all registered APIs when searching for resources to remove.system:serviceaccount:kube-system:namespace-controller -
The and
system:kube-controller-managerusers might appear in the results because they walk through all resources while enforcing various policies.system:cluster-policy-controller
You can also use
to filter the results:-o jsonpath$ oc get apirequestcounts -o jsonpath='{range .items[?(@.status.removedInRelease!="")]}{.status.removedInRelease}{"\t"}{.metadata.name}{"\n"}{end}'Example output
1.26 flowschemas.v1beta1.flowcontrol.apiserver.k8s.io 1.26 horizontalpodautoscalers.v2beta2.autoscaling 1.25 poddisruptionbudgets.v1beta1.policy 1.25 podsecuritypolicies.v1beta1.policy 1.26 prioritylevelconfigurations.v1beta1.flowcontrol.apiserver.k8s.io-
The
5.2.3. Using APIRequestCount to identify which workloads are using the removed APIs
You can examine the
APIRequestCountPrerequisites
-
You must have access to the cluster as a user with the role.
cluster-admin
Procedure
Run the following command and examine the
andusernamefields to help identify the workloads that are using the API:userAgent$ oc get apirequestcounts <resource>.<version>.<group> -o yamlFor example:
$ oc get apirequestcounts poddisruptionbudgets.v1beta1.policy -o yamlYou can also use
to extract the-o jsonpathandusernamevalues from anuserAgentresource:APIRequestCount$ oc get apirequestcounts poddisruptionbudgets.v1beta1.policy \ -o jsonpath='{range .status.currentHour..byUser[*]}{..byVerb[*].verb}{","}{.username}{","}{.userAgent}{"\n"}{end}' \ | sort -k 2 -t, -u | column -t -s, -NVERBS,USERNAME,USERAGENTExample output
VERBS USERNAME USERAGENT watch system:serviceaccount:openshift-operators:3scale-operator manager/v0.0.0 watch system:serviceaccount:openshift-operators:datadog-operator-controller-manager manager/v0.0.0
5.3. Migrating instances of removed APIs
For information about how to migrate removed Kubernetes APIs, see the Deprecated API Migration Guide in the Kubernetes documentation.
5.4. Providing the administrator acknowledgment
After you have evaluated your cluster for any removed APIs and have migrated any removed APIs, you can acknowledge that your cluster is ready to upgrade from OpenShift Container Platform 4.11 to 4.12.
Be aware that all responsibility falls on the administrator to ensure that all uses of removed APIs have been resolved and migrated as necessary before providing this administrator acknowledgment. OpenShift Container Platform can assist with the evaluation, but cannot identify all possible uses of removed APIs, especially idle workloads or external tools.
Prerequisites
-
You must have access to the cluster as a user with the role.
cluster-admin
Procedure
Run the following command to acknowledge that you have completed the evaluation and your cluster is ready for the Kubernetes API removals in OpenShift Container Platform 4.12:
$ oc -n openshift-config patch cm admin-acks --patch '{"data":{"ack-4.11-kube-1.25-api-removals-in-4.12":"true"}}' --type=merge
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}