我的书签
添加书签
移除书签Preparing to update to OKD 4.9
- Removed Kubernetes APIs
- Evaluating your cluster for removed APIs
- Migrating instances of removed APIs
- Providing the administrator acknowledgment
OKD 4.9 uses Kubernetes 1.22, which removed a significant number of deprecated v1beta1 APIs.
OKD 4.8.14 introduced a requirement that an administrator must provide a manual acknowledgment before the cluster can be upgraded from OKD 4.8 to 4.9. This is to help prevent issues after upgrading to OKD 4.9, where APIs that have been removed are still in use by workloads, tools, or other components running on or interacting with the cluster. Administrators must evaluate their cluster for any APIs in use that will be removed and migrate the affected components to use the appropriate new API version. After this evaluation and migration is complete, the administrator can provide the acknowledgment.
Before you can upgrade your OKD 4.8 cluster to 4.9, you must provide the administrator acknowledgment.
Removed Kubernetes APIs
OKD 4.9 uses Kubernetes 1.22, which removed the following deprecated v1beta1 APIs. You must migrate manifests and API clients to use the v1 API version. For more information about migrating removed APIs, see the Kubernetes documentation.
| Resource | API | Notable changes |
|---|---|---|
|
| No |
|
| |
|
| No |
|
| No |
|
| No |
|
| No |
|
| |
|
| |
|
| |
|
| No |
|
| No |
|
| |
|
| |
|
| No |
|
| No |
|
| No |
|
| |
|
| No |
|
| |
|
| No |
|
| |
|
| No |
Evaluating your cluster for removed APIs
There are several methods to help administrators identify where APIs that will be removed are in use. However, OKD cannot identify all instances, especially workloads that are idle or external tools that are used. It is the responsibility of the administrator to properly evaluate all workloads and other integrations for instances of removed APIs.
Reviewing alerts to identify uses of removed APIs
Two alerts fire when an API is in use that will be removed in the next release:
APIRemovedInNextReleaseInUse- for APIs that will be removed in the next OKD release.APIRemovedInNextEUSReleaseInUse- for APIs that will be removed in the next OKD Extended Update Support (EUS) release.
If either of these alerts are firing in your cluster, review the alerts and take action to clear the alerts by migrating manifests and API clients to use the new API version. You can use the APIRequestCount API to get more information about which APIs are in use and which workloads are using removed APIs.
Using APIRequestCount to identify uses of removed APIs
You can use the APIRequestCount API to track API requests and review whether any of them are using one of the removed APIs.
Prerequisites
- You must have access to the cluster as a user with the
cluster-adminrole.
Procedure
Run the following command and examine the
REMOVEDINRELEASEcolumn of the output to identify the removed APIs that are currently in use:$ oc get apirequestcounts
Example output
NAME REMOVEDINRELEASE REQUESTSINCURRENTHOUR REQUESTSINLAST24Hcloudcredentials.v1.operator.openshift.io 32 111ingresses.v1.networking.k8s.io 28 110ingresses.v1beta1.extensions 1.22 16 66ingresses.v1beta1.networking.k8s.io 1.22 0 1installplans.v1alpha1.operators.coreos.com 93 167...
You can safely ignore the following entries that appear in the results:
system:serviceaccount:kube-system:generic-garbage-collectorappears in the results because it walks through all registered APIs searching for resources to remove.system:kube-controller-managerappears in the results because it walks through all resources to count them while enforcing quotas.
You can also use
-o jsonpathto filter the results:$ oc get apirequestcounts -o jsonpath='{range .items[?(@.status.removedInRelease!="")]}{.status.removedInRelease}{"\t"}{.metadata.name}{"\n"}{end}'
Example output
1.22 certificatesigningrequests.v1beta1.certificates.k8s.io1.22 ingresses.v1beta1.extensions1.22 ingresses.v1beta1.networking.k8s.io
Using APIRequestCount to identify which workloads are using the removed APIs
You can examine the APIRequestCount resource for a given API version to help identify which workloads are using the API.
Prerequisites
- You must have access to the cluster as a user with the
cluster-adminrole.
Procedure
Run the following command and examine the
usernameanduserAgentfields to help identify the workloads that are using the API:$ oc get apirequestcounts <resource>.<version>.<group> -o yaml
For example:
$ oc get apirequestcounts ingresses.v1beta1.networking.k8s.io -o yaml
You can also use
-o jsonpathto extract theusernamevalues from anAPIRequestCountresource:$ oc get apirequestcounts ingresses.v1beta1.networking.k8s.io -o jsonpath='{range ..username}{$}{"\n"}{end}' | sort | uniq
Example output
user1user2app:serviceaccount:delta
Migrating instances of removed APIs
For information on how to migrate removed Kubernetes APIs, see the Deprecated API Migration Guide in the Kubernetes documentation.
Providing the administrator acknowledgment
After you have evaluated your cluster for any removed APIs and have migrated any removed APIs, you can acknowledge that your cluster is ready to upgrade from OKD 4.8 to 4.9.
Be aware that all responsibility falls on the administrator to ensure that all uses of removed APIs have been resolved and migrated as necessary before providing this administrator acknowledgment. OKD can assist with the evaluation, but cannot identify all possible uses of removed APIs, especially idle workloads or external tools. |
Prerequisites
- You must have access to the cluster as a user with the
cluster-adminrole.
Procedure
Run the following command to acknowledge that you have completed the evaluation and your cluster is ready to upgrade to OKD 4.9:
$ oc -n openshift-config patch cm admin-acks --patch '{"data":{"ack-4.8-kube-1.22-api-removals-in-4.9":"true"}}' --type=merge
