Enabling features using feature gates

As an administrator, you can use feature gates to enable features that are not part of the default set of features.

Understanding feature gates

You can use the FeatureGate custom resource (CR) to enable specific feature sets in your cluster. A feature set is a collection of OKD features that are not enabled by default.

You can activate the following feature set by using the FeatureGate CR:

• TechPreviewNoUpgrade. This feature set is a subset of the current Technology Preview features. This feature set allows you to enable these Technology Preview features on test clusters, where you can fully test them, while leaving the features disabled on production clusters.

  Enabling the TechPreviewNoUpgrade feature set on your cluster cannot be undone and prevents minor version updates. You should not enable this feature set on production clusters.

  The following Technology Preview features are enabled by this feature set:

  • External cloud providers. Enables support for external cloud providers for clusters on vSphere, AWS, Azure, and GCP. Support for OpenStack is GA. This is an internal feature that most users do not need to interact with. (ExternalCloudProvider)

  • Shared Resources CSI Driver and Build CSI Volumes in OpenShift Builds. Enables the Container Storage Interface (CSI). (CSIDriverSharedResource)

  • CSI volumes. Enables CSI volume support for the OKD build system. (BuildCSIVolumes)

  • Swap memory on nodes. Enables swap memory use for OKD workloads on a per-node basis. (NodeSwap)

  • OpenStack Machine API Provider. This gate has no effect and is planned to be removed from this feature set in a future release. (MachineAPIProviderOpenStack)

  • Insights Operator. Enables the Insights Operator, which gathers OKD configuration data and sends it to Red Hat. (InsightsConfigAPI)

  • Pod topology spread constraints. Enables the matchLabelKeys parameter for pod topology constraints. The parameter is list of pod label keys to select the pods over which spreading will be calculated. (MatchLabelKeysInPodTopologySpread)

  • Retroactive Default Storage Class. Enables OKD to retroactively assign the default storage class to PVCs if there was no default storage class when the PVC was created.(RetroactiveDefaultStorageClass)

  • Pod disruption budget (PDB) unhealthy pod eviction policy. Enables support for specifying how unhealthy pods are considered for eviction when using PDBs. (PDBUnhealthyPodEvictionPolicy)

  • Dynamic Resource Allocation API. Enables a new API for requesting and sharing resources between pods and containers. This is an internal feature that most users do not need to interact with. (DynamicResourceAllocation)

  • Pod security admission enforcement. Enables the restricted enforcement mode for pod security admission. Instead of only logging a warning, pods are rejected if they violate pod security standards. (OpenShiftPodSecurityAdmission)

For more information about the features activated by the TechPreviewNoUpgrade feature gate, see the following topics:

• Shared Resources CSI Driver and Build CSI Volumes in OpenShift Builds

• CSI inline ephemeral volumes

• Swap memory on nodes

• Using Insights Operator

• Managing machines with the Cluster API

• Controlling pod placement by using pod topology spread constraints

• Managing the default storage class

• Specifying the eviction policy for unhealthy pods

• Pod security admission enforcement.

Enabling feature sets at installation

You can enable feature sets for all nodes in the cluster by editing the install-config.yaml file before you deploy the cluster.

Prerequisites

• You have an install-config.yaml file.

Procedure

1. Use the featureSet parameter to specify the name of the feature set you want to enable, such as TechPreviewNoUpgrade:

   Enabling the TechPreviewNoUpgrade feature set on your cluster cannot be undone and prevents minor version updates. You should not enable this feature set on production clusters.

   Sample install-config.yaml file with an enabled feature set

   compute:
   - hyperthreading: Enabled
     name: worker
     platform:
       aws:
         rootVolume:
           iops: 2000
           size: 500
           type: io1
         metadataService:
           authentication: Optional
         type: c5.4xlarge
         zones:
         - us-west-2c
     replicas: 3
   featureSet: TechPreviewNoUpgrade

2. Save the file and reference it when using the installation program to deploy the cluster.

Verification

You can verify that the feature gates are enabled by looking at the kubelet.conf file on a node after the nodes return to the ready state.

1. From the Administrator perspective in the web console, navigate to Compute → Nodes.

2. Select a node.

3. In the Node details page, click Terminal.

4. In the terminal window, change your root directory to /host:

   sh-4.2# chroot /host

5. View the kubelet.conf file:

   sh-4.2# cat /etc/kubernetes/kubelet.conf

   Sample output

    ...
   featureGates:
     InsightsOperatorPullingSCA: true,
     LegacyNodeRoleBehavior: false
    ...

   The features that are listed as true are enabled on your cluster.

   The features listed vary depending upon the OKD version.

Enabling feature sets using the web console

You can use the OKD web console to enable feature sets for all of the nodes in a cluster by editing the FeatureGate custom resource (CR).

Procedure

To enable feature sets:

1. In the OKD web console, switch to the Administration → Custom Resource Definitions page.

2. On the Custom Resource Definitions page, click FeatureGate.

3. On the Custom Resource Definition Details page, click the Instances tab.

4. Click the cluster feature gate, then click the YAML tab.

5. Edit the cluster instance to add specific feature sets:

   Enabling the TechPreviewNoUpgrade feature set on your cluster cannot be undone and prevents minor version updates. You should not enable this feature set on production clusters.

   Sample Feature Gate custom resource

   apiVersion: config.openshift.io/v1
   kind: FeatureGate
   metadata:
     name: cluster (1)
   ....
   spec:
     featureSet: TechPreviewNoUpgrade (2)

   1	The name of the FeatureGate CR must be cluster.
   2	Add the feature set that you want to enable: TechPreviewNoUpgrade enables specific Technology Preview features.

   After you save the changes, new machine configs are created, the machine config pools are updated, and scheduling on each node is disabled while the change is being applied.

Verification

You can verify that the feature gates are enabled by looking at the kubelet.conf file on a node after the nodes return to the ready state.

1. From the Administrator perspective in the web console, navigate to Compute → Nodes.

2. Select a node.

3. In the Node details page, click Terminal.

4. In the terminal window, change your root directory to /host:

   sh-4.2# chroot /host

5. View the kubelet.conf file:

   sh-4.2# cat /etc/kubernetes/kubelet.conf

   Sample output

    ...
   featureGates:
     InsightsOperatorPullingSCA: true,
     LegacyNodeRoleBehavior: false
    ...

   The features that are listed as true are enabled on your cluster.

   The features listed vary depending upon the OKD version.

Enabling feature sets using the CLI

You can use the OpenShift CLI (oc) to enable feature sets for all of the nodes in a cluster by editing the FeatureGate custom resource (CR).

Prerequisites

• You have installed the OpenShift CLI (oc).

Procedure

To enable feature sets:

1. Edit the FeatureGate CR named cluster:

   $ oc edit featuregate cluster

   Enabling the TechPreviewNoUpgrade feature set on your cluster cannot be undone and prevents minor version updates. You should not enable this feature set on production clusters.

   Sample FeatureGate custom resource

   apiVersion: config.openshift.io/v1
   kind: FeatureGate
   metadata:
     name: cluster (1)
   spec:
     featureSet: TechPreviewNoUpgrade (2)

   1	The name of the FeatureGate CR must be cluster.
   2	Add the feature set that you want to enable: TechPreviewNoUpgrade enables specific Technology Preview features.

   After you save the changes, new machine configs are created, the machine config pools are updated, and scheduling on each node is disabled while the change is being applied.

Verification

You can verify that the feature gates are enabled by looking at the kubelet.conf file on a node after the nodes return to the ready state.

1. From the Administrator perspective in the web console, navigate to Compute → Nodes.

2. Select a node.

3. In the Node details page, click Terminal.

4. In the terminal window, change your root directory to /host:

   sh-4.2# chroot /host

5. View the kubelet.conf file:

   sh-4.2# cat /etc/kubernetes/kubelet.conf

   Sample output

    ...
   featureGates:
     InsightsOperatorPullingSCA: true,
     LegacyNodeRoleBehavior: false
    ...

   The features that are listed as true are enabled on your cluster.

   The features listed vary depending upon the OKD version.