Upgrade Calico on OpenShift 4

About upgrading Calico

This page describes how to upgrade to v3.28 for OpenShift 4 from an existing Calico cluster.

Upgrade OwnerReferences

If you do not use OwnerReferences on resources in the projectcalico.org/v3 API group, you can skip this section.

Starting in Calico v3.28, a change in the way UIDs are generated for projectcalico.org/v3 resources requires that you update any OwnerReferences that refer to projectcalico.org/v3 resources as an owner. After upgrade, the UID for all projectcalico.org/v3 resources will be changed, resulting in any owned resources being garbage collected by Kubernetes.

  1. Remove any OwnerReferences from resources in your cluster that have apiGroup: projectcalico.org/v3.
  2. Perform the upgrade normally.
  3. Add new OwnerReferences to your resources referencing the new UID.

Upgrading Calico on OpenShift 4

Make a manifests directory.

  1. mkdir manifests

Download the Calico manifests for OpenShift and add them to the generated manifests directory:

  1. mkdir calico
  2. wget -qO- https://github.com/projectcalico/calico/releases/download/v3.28.2/ocp.tgz | tar xvz --strip-components=1 -C calico
  3. cp calico/* manifests/

Apply the updated manifests.

  1. oc apply -f manifests/

You can now monitor the upgrade progress with the following command:

  1. watch oc get tigerastatus

If you were upgrading from a version of Calico prior to v3.14 and followed the pre-upgrade steps for host endpoints above, review traffic logs from the temporary policy, add any global network policies needed to allow traffic, and delete the temporary network policy allow-all-upgrade.

Migrating to auto host endpoints

Upgrade Calico on OpenShift 4 - 图1caution

Auto host endpoints have an allow-all profile attached which allows all traffic in the absence of network policy. This may result in unexpected behavior and data.

In order to migrate existing all-interfaces host endpoints to Calico-managed auto host endpoints:

  1. Add any labels on existing all-interfaces host endpoints to their corresponding OpenShift nodes. Calico manages labels on automatic host endpoints by syncing labels from their nodes. Any labels on existing all-interfaces host endpoints should be added to their respective nodes. For example, if your existing all-interface host endpoint for node node1 has the label environment: dev, then you must add that same label to its node:

    1. oc label node node1 environment=dev

  2. Enable auto host endpoints by following the enable automatic host endpoints how-to guide. Note that automatic host endpoints are created with a profile attached that allows all traffic in the absence of network policy.

    1. calicoctl patch kubecontrollersconfiguration default --patch ={"spec": {"controllers": {"node": {"hostEndpoint": {"autoCreate": "Enabled"}}}}}

  3. Delete old all-interfaces host endpoints. You can distinguish host endpoints managed by Calico from others in several ways. First, automatic host endpoints have the label projectcalico.org/created-by: calico-kube-controllers. Secondly, automatic host endpoints’ name have the suffix -auto-hep.

    1. calicoctl delete hostendpoint <old_hostendpoint_name>