OKD 4.20 Release Notes
Release Notes: 4.20.0-okd-scos.0
Introduction: Transition to CentOS Stream 10
OKD 4.20 marks a significant platform update, transitioning the underlying operating system from Fedora CoreOS (FCOS) to CentOS Stream 10. This strategic change aligns OKD with the future development of OpenShift on RHEL 10, providing early feedback and enhancing stability for the community distribution (OKD-240, OKD-241).
Installation and Platform Management
This release introduces major enhancements to platform architecture, installation flexibility, and day-to-day cluster management.
Platform and Architecture
- Migration to Cluster API (CAPI): The Machine API (MAPI) is migrating its underlying implementation to use Cluster API (CAPI) for AWS and standalone clusters. This change is transparent to users, and the existing MAPI remains fully supported. A new CAPI operator manages components and enhances load balancer management on AWS, Azure, and GCP.
- Selectable etcd Database Size (GA): You can now configure the etcd database size beyond its previous 8GB limit. This feature is now Generally Available and helps support large or dense clusters (ETCD-638). Liveness probes are now tuned dynamically based on the database quota to improve stability (ETCD-590).
- Two-Node Cluster Non-Graceful Recovery: For two-node edge deployments, the cluster can now automatically recover from ungraceful shutdown events like power loss. One node will "fence" the other, restart etcd, and allow the failed node to rejoin safely, improving resilience without manual intervention (Ocpedge-1755).
- AutoNode for ROSA-HCP: A new node autoscaling solution named AutoNode, powered by Karpenter, is available for ROSA with Hosted Control Planes (ROSA-HCP).
Installation and Updates
- Update Precheck Command: A new `oc adm upgrade recommend` command helps administrators identify potential issues before a cluster upgrade, including checks for control plane health, active alerts, and image registry access (OTA-1560).
- Flexible Node Storage Configurations: The Machine Config Operator (MCO) can now ignore non-reconcilable storage configurations, allowing new nodes with different disk layouts to be added to machine pools without causing errors.
- Faster Azure Installs with RHCOS Marketplace Images: The installer can now use Red Hat CoreOS (RHCOS) images directly from the Azure Marketplace, significantly reducing installation time by avoiding a custom image upload (CORS-3652).
- Enhanced GCP Installation: Deployments on GCP Shared VPC (XPN) now support a three-project architecture, allowing DNS to be managed in a separate service project (CORS-4044). Clusters can also use custom private GCP API endpoints for stricter security (CORS-3916).
vSphere Enhancements
- Multi-NIC Support (GA): Support for creating vSphere virtual machines with multiple network interface controllers (NICs) is now Generally Available and enabled by default (SPLAT-2045).
- Host Group Mapping: OpenShift zones can now be mapped to vSphere host groups for improved node distribution.
Storage
Storage performance, security, and driver capabilities have been significantly enhanced in this release.
- Namespace-Level Storage Policies (GA): The `StoragePerformantSecurityPolicy` feature is now Generally Available. Administrators can define default storage security policies at the namespace level by applying the `storage.openshift.io/fsgroup-change-policy` and `storage.openshift.io/selinux-change-policy` labels. This can significantly improve pod startup time for persistent volumes.
- AWS EFS Single-Zone Volume Support: The AWS EFS CSI driver now supports creating cost-effective, single-availability-zone volumes using the new `--single-zone` flag.
- Volume Populator Data Source Validation (GA): The Volume Populators feature is now Generally Available. A new `volume-data-source-validator` controller is installed by default to validate the `dataSourceRef` field in a PersistentVolumeClaim (PVC), providing immediate feedback on invalid configurations.
- Improved Storage Operator Resiliency: The `PodDisruptionBudget` for all storage operators has been updated with `unhealthyEvictionPolicy: AlwaysAllow` to ensure critical storage pods can be rescheduled during node maintenance or failures.
- Manila CSI Plugin Enhancements (OpenStack): The Manila CSI plugin now supports configuring multiple share access rules for a single shared file system, allowing multiple clients to mount and access the same share simultaneously (OSPRH-18263).
- CSI Drivers and Sidecars Updated: Multiple Container Storage Interface (CSI) drivers (AWS EBS, Azure Disk, Azure File, GCP PD, IBM VPC Block) and sidecar components have been updated to their latest upstream versions.
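The namespace-level storage policy described above, as an added illustration that is not part of the release notes: a Namespace carrying both labels, followed by a pod whose `fsGroup` would otherwise trigger a recursive ownership and SELinux relabel of the volume on every start. The label values (`OnRootMismatch`, `MountOption`) are assumed to mirror the pod-level `fsGroupChangePolicy` and `seLinuxChangePolicy` fields; the page names only the label keys.

```yaml
# Namespace-level defaults for volume permission handling.
# Label values are an assumption based on the pod-level fields
# (fsGroupChangePolicy: OnRootMismatch | Always,
#  seLinuxChangePolicy: MountOption | Recursive); the page lists only the keys.
apiVersion: v1
kind: Namespace
metadata:
  name: data-pipeline            # constructed example namespace
  labels:
    # Skip the recursive chown/chmod walk when the volume root already
    # has the expected group and setgid bit.
    storage.openshift.io/fsgroup-change-policy: OnRootMismatch
    # Apply the SELinux context as a mount option instead of relabelling
    # every file in the volume at pod start.
    storage.openshift.io/selinux-change-policy: MountOption
---
# A pod in that namespace. Without the labels above, the kubelet would walk
# the whole persistent volume on each start to fix ownership and labels.
apiVersion: v1
kind: Pod
metadata:
  name: ingest
  namespace: data-pipeline
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000710000         # constructed UID from the namespace range
    fsGroup: 1000710000           # triggers the fsGroup ownership handling
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: worker
      image: registry.example.com/team/ingest:1.2   # constructed image reference
      volumeMounts:
        - name: data
          mountPath: /var/lib/ingest
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: ingest-data    # constructed PVC name
```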
Networking
This release introduces native BGP support, dual-stack networking on AWS, and greater configuration flexibility.
- BGP Integration for User-Defined Networks (UDN): OVN-Kubernetes now includes native BGP support. This allows the cluster to dynamically advertise pod IP subnets to external provider networks and learn routes from them, simplifying network integration for on-premise UDNs.
- Dual-Stack Networking for OpenShift on AWS: OpenShift clusters deployed on AWS now support dual-stack (IPv4 and IPv6) networking (CORS-4136).
- Azure NAT Gateway for Egress Traffic (GA): Support for using Azure NAT Gateway to manage outbound cluster traffic is now Generally Available.
- Post-Deployment Network Configuration: Disruptive network changes to the `br-ex` interface can now be applied automatically on node reboot by modifying the NMState configuration file, simplifying advanced network changes (OPNET-594).
Developer Experience and Console
The user experience has been improved with a unified software catalog, enhanced developer tools, and streamlined image management.
Console and User Experience
- New Ecosystem Navigation: A new top-level Ecosystem section in the navigation centralizes software management, including a Unified Catalog that provides a single place to discover and manage all cluster extensions from OperatorHub.
- Custom Application Icons in Topology: You can now define a custom icon for your application nodes in the Topology view by adding the `app.openshift.io/custom-icon` annotation to your workloads (ODC-7803).
- YAML Editor Improvements: The YAML editor now features a full-screen mode, a "Copy to clipboard" button, and togglable "sticky scroll" for easier navigation.
- Modernized Web Terminal: The web terminal has been updated to use standard PatternFly components, providing a more consistent UI and new features like closing tabs with a middle-click (ODC-7802).
Image Management
- ImageStream Multi-Architecture Support: On multi-architecture clusters, `ImageStreams` now default to `importMode: preserveOriginal`, ensuring the complete manifest list is preserved when importing a multi-architecture image (MULTIARCH-4552).
- Registry Pre-flight Checks for `oc-mirror`: The `oc-mirror v2` tool now performs "fail-fast" pre-flight checks to validate the connection to the destination registry, preventing long waits on simple configuration errors (CLID-389).
Security
Security posture is enhanced with default image signature validation, read-only filesystems, and expanded network policies.
- Default Sigstore Image Validation (GA): The `ClusterImagePolicy` and `ImagePolicy` APIs for sigstore are now Generally Available, and the default policy to validate platform images is enabled by default. This strengthens software supply chain security out of the box (OCPNODE-3611).
- Read-Only Root Filesystems: To enhance security, several core components now run with a read-only root filesystem by default, including pods for OLM, the integrated registry, CVO, and the `openshift-kube-scheduler`.
- Network Policies for Core Components: To reduce the potential attack surface, network policies that restrict traffic have been implemented for numerous components, including storage operators and CSI drivers, OLM, Cloud Credential Operator (CCO), MAPI, and CAPI.
- User Namespaces (GA): The user namespaces feature, which enhances security by allowing pods to run in isolated user namespaces, is now Generally Available.
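The default policy mentioned above covers platform images; extending signature enforcement to your own registry is done with a `ClusterImagePolicy`. The manifest below is an added example, not taken from the release notes or the OKD project: it assumes the GA API group version `config.openshift.io/v1` (the page does not state the version), uses a constructed registry scope, and carries a placeholder where the base64-encoded cosign public key goes.

```yaml
# Require a valid sigstore signature for every image pulled from one registry
# namespace. Assumed GA API version; field names follow the ClusterImagePolicy
# schema (scopes, policy.rootOfTrust, policy.signedIdentity).
apiVersion: config.openshift.io/v1
kind: ClusterImagePolicy
metadata:
  name: team-a-signed-images      # constructed name
spec:
  # Scopes are matched as a prefix on the image reference: every repository
  # under registry.example.com/team-a is covered. Images outside every scope
  # are untouched by this policy, so keep scopes as broad as your registry
  # layout allows rather than listing single repositories.
  scopes:
    - registry.example.com/team-a          # constructed registry scope
  policy:
    rootOfTrust:
      # PublicKey: trust only signatures made with this cosign key.
      # (FulcioCAWithRekor is the keyless alternative.)
      policyType: PublicKey
      publicKey:
        # Placeholder: base64 of the PEM-encoded cosign public key.
        keyData: <BASE64_ENCODED_COSIGN_PUBLIC_KEY>
    signedIdentity:
      # The signature must name the same repository, and when the image is
      # pulled by digest, that exact digest. This blocks a valid signature for
      # one image from being replayed against a different image or tag.
      matchPolicy: MatchRepoDigestOrExact
```

A pull of an unsigned or re-tagged image under the scope fails at admission on the node rather than at run time, which is the behaviour to verify (with a deliberately unsigned test image) before rolling the policy out.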
Deprecations, Removals, and Feature Graduations
Removals and Deprecations
- Support for Image Manifest Schema 1 Removed: To align with modern container standards, support for the deprecated image manifest schema 1 has been completely removed (WRKLDS-1599).
- Cgroup v1 Support Removed: Support for cgroup v1 is completely removed. Clusters must be migrated to cgroup v2 before upgrading (OCPNODE-2841).
- Service Binding Plugin Removed: The Service Binding feature has been removed from the Developer Console, aligning with the deprecation of the Service Binding Operator (ODC-7722).
- odo CLI Download Link Removed: The download link for the deprecated odo CLI tool has been removed from the "Command Line Tools" page (ODC-7790).
- Legacy GCE Cloud Provider Resources Removed: Obsolete RBAC resources related to the legacy GCE cloud provider have been removed (WRKLDS-954).
Feature Graduations to General Availability (GA)
The following features are now Generally Available and enabled by default:
- `PinnedImageSets` and `MachineConfigNode` APIs: These MCO features are now GA and their APIs have been promoted to `v1`.
- ImageVolume: Allows container images to be used as a volume source for pods (OCPNODE-3121).
- GCP Labels and Tags: The ability to configure GCP Labels and Tags via the `Infrastructure` API is now a standard feature (OAPE-232).
- vSphere Multi-Disk Support: Provides stable support for attaching multiple disks in vSphere environments (SPLAT-2346).
- Route Advertisements: The `routeAdvertisements` feature for BGP is now GA (CORENET-5704).
- Multiple feature gates have been removed as their features are now stable, including `MultiArchInstallAWS`, `MultiArchInstallGCP`, `PrivateHostedZoneAWS`, `CloudDualStackNodeIPs`, and `VSphereMultiVCenters`.
