📢 Kubernetes API removals on 1.25/1.26 and Openshift 4.12/4.13 might impact your Operator. How to deal with it?

[camilamacedo86]

Some APIs versions are deprecated and will no longer be served on the Kubernetes version 1.25/1.26 and consequently on Openshift 4.12/4.13. For further information, check the guide.

⚠️ Be aware that:

• You MUST ensure that you provide solutions for OpenShift 4.11+ (at least) that don’t use the Kubernetes API versions removed in Openshift 4.12/k8s 1.25. Remember that cluster admins MUST have installed a version of your Operator that can work successfully in Openshift 4.12+ before upgrading the OCP cluster from 4.11 to 4.12. Otherwise, they might face workflow issues
• Unfurtunilly, it is not possible to detect these cases as it was done for Kubernetes 1.22 and Openshift 4.9. Resources using these APIs are not provided via the bundle manifests, so we cannot check them with SDK commands such as operator-sdk bundle validate ./bundle --select-optional suite=operatorframework --optional-values=k8s-version=1.25
• It is recommended you begin testing your Operator on Openshift 4.11 ( K8s 1.23+) to check if your versions are or not using these APIs. In this case, you need to perform a full regression test and use the APIRequestCount( such as it is suggested to cluster admins verify if they can safely upgrade their cluster to Openshift 4.9 with the current solutions installed on it ). You can also check warnings in the Operator logs. (Please, ensure that you check the section below: How can I find the usage of the deprecated APIs to know more about it.)

🙆 When the errors will appear

It will be unlikely to find problems by only installing the Operator bundle on the cluster. These APIs are commonly used at runtime (e.g. reconciliations made when the user creates CRs to provision the Operand).

Example:

An Operator reconciles a Kind/API to create a CronJob using batch/v1beta1 or raises an Event using events.k8s.io/v1beta1. Then, these operations will not work from Kubernetes 1.25+ and Openshift 4.12+. The API versions will not be found on the cluster, and you will probably check out errors in Operator logs (api not found).

💁‍♀️ What does it mean for you?

You must ensure that you no longer use these API versions. Otherwise, any operation of your project which requires these versions will fail on Kubernetes versions 1.25/1.26+ and Openshift 4.12/4.13+.

Ideally, to avoid workflow issues and ensure the best user experience for OCP/OLM users you should:

For all Operator versions published on OCP 4.11 (at least):

• a) (best option) can work 100% successfully on 4.12+ (does not use the APIs which will be removed on OCP 4.12/k8s 1.25)
  OR
• b) have the property olm.maxOpenShiftVersion set with the value 4.11 to block cluster upgrades (from OCP 4.11 to 4.12) when versions of our Operators that you are knowledgeable that will not work on OCP 4.12+ are installed. In this way, avoid workflow issues. (You will find a better explanation of it in the below section Suppose I found the usage of these APIs for my next publication. What should I do?)

Therefore, for OCP 4.12 release: you must ensure that the latest version ( head of channel(s) ) published on OCP 4.11 (at least) works on Openshift 4.12+.Otherwise, with your Operator installed, cluster admins cannot upgrade their cluster from OCP 4.11 to 4.12.

🙋 What are the APIs? How can I upgrade my Operator?

You can find all apis/versions removed on 1.25/1.26 on the guide guide as the required steps to upgrade them. However, the following is a summary:

APIs removed from k8s 1.25/ Openshift 4.12:

Group	Version	Resource	How to upgrade
batch	v1beta1	cronjobs	use v1 instead of v1beta1. v1 has been available since k8s v1.21/Openshift 4.8. No notable changes
discovery.k8s.io	v1beta1	endpointslices	use v1 instead of v1beta1. v1 has been available since k8s v1.21/Openshift 4.8. (See the guide to check the notable changes)
events.k8s.io	v1beta1	events	use v1 instead of v1beta1. v1 has been available since k8s v1.19/Openshift 4.6. (See the guide to check the notable changes)
autoscaling	v2beta1	horizontalpodautoscalers	use v2 instead of v2beta1. v2 has been available since k8s v1.23/Openshift 4.10. (No notable changes)
policy	v1beta1	poddisruptionbudgets	use v1 instead of v1beta1. v1 has been available since k8s v1.21/Openshift 4.8. (See the guide to check the notable changes.)
policy	v1beta1	podsecuritypolicies	Migrated to 3rd-party admission webhooks.
node.k8s.io	v1beta1	runtimeclasses	use v1 instead of v1beta1. v1 has been available since k8s v1.20/Openshift 4.7. (No notable changes)

APis removed from k8s 1.26Openshift 4.13:

Group	Version	Resource	How to upgrade
autoscaling	v2beta2	horizontalpodautoscalers	use v2 instead of v2beta2. v2 has been available since k8s v1.23/Openshift 4.10(No notable changes)
flowcontrol.apiserver.k8s.io	v1beta1	flowschemas	use v1beta2 instead of v1beta1. v1beta2 has been available since k8s v1.23/Openshift 4.10(No notable changes)
flowcontrol.apiserver.k8s.io	v1beta1	prioritylevelconfigurations	use v1beta2 instead of v1beta1. v1beta2 has been available since  k8s v1.23/Openshift 4.10(No notable changes)

🙋‍♀️ How can I find the usage of the deprecated APIs:

1. Inspect your Operator source code. Look for manifests and imports using the removed versions, e.g.:

$ find . \|  grep -r "k8s.io/api/batch/v1beta1" 

Binary file ./.git/index matches
./vendor/[k8s.io/client-go/kubernetes/scheme/register.go](http://k8s.io/client-go/kubernetes/scheme/register.go):	batchv1beta1 "[k8s.io/api/batch/v1beta1](http://k8s.io/api/batch/v1beta1)"
./vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/batch_client.go:	v1beta1 "k8s.io/api/batch/v1beta1"
./vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/cronjob.go:	v1beta1 "[k8s.io/api/batch/v1beta1](http://k8s.io/api/batch/v1beta1)"
./vendor/k8s.io/api/batch/v1beta1/generated.pb.go:// source: k8s.io/kubernetes/vendor/k8s.io/api/batch/v1beta1/generated.proto
./vendor/k8s.io/api/batch/v1beta1/generated.pb.go:	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/batch/v1beta1/generated.proto", fileDescriptor_e57b277b05179ae7)
./vendor/k8s.io/api/batch/v1beta1/doc.go:package v1beta1 // import "[k8s.io/api/batch/v1beta1](http://k8s.io/api/batch/v1beta1)"
./vendor/modules.txt:k8s.io/api/batch/v1beta1
./pkg/controller/keycloakbackup/keycloakbackup_reconciler_test.go:	"k8s.io/api/batch/v1beta1"
./pkg/controller/keycloakbackup/keycloakbackup_controller.go:	"[k8s.io/api/batch/v1beta1](http://k8s.io/api/batch/v1beta1)"
./pkg/common/backup_state.go:	"k8s.io/api/batch/v1beta1"
./pkg/model/postgresql_aws_periodic_backup.go:	"[k8s.io/api/batch/v1beta1](http://k8s.io/api/batch/v1beta1)"

2. By running your Operator on the cluster, you can check that the Kubernetes API will also try to warn you when a workflow that uses these API versions is executed, e.g.:

1.651068606661642e+09	INFO	KubeAPIWarningLogger	batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
1.651068606756052e+09	INFO	controller.memcached	Creating a new CronJob	{"reconciler group": "[cache.example.com](http://cache.example.com/)", "reconciler kind": "Memcached", "name": "memcached-sample", "namespace": "default", "Cron.Namespace": "default", "Cron.Name": "memcached-sample"}

⚠️ The above test was made using Kind 0.12.0 and k8s 1.23+. Please, do the tests against Kubernetes API 1.23+. Ideally, Openshift 4.11+ to ensure that the warnings will be fired.

3. Test all Operator workflows on the cluster and check if it's calling these deprecated APIs (which will be removed).

Be aware that you need to test all workflows of your Operator ( apply all custom resources so that you can try to trigger all possible reconciliations and code paths ). The Openshift API APIRequestCount or Kubernetes metrics can only count the APIs which were effectively called and hit on the cluster.

💡 Note that it is not easy to identify if your Operator is doing the calls. Other components running on the cluster can also have called them. In this way, we recommend that you; initialise a new cluster for these tests. Then, before beginning to test your Operator verify the results so that you can compare the calls to these APIs before your Operator and workflows are executed with its result at the end.

Testing the Operator on Openshift 4.11

You will need to use the command $ oc get apirequestcounts. To check all steps and options with examples, see the 4.2. Evaluating your cluster for removed APIs provided to cluster admins know how the could check if the solutions installed were using the removed APIs on k8s 1.22/4.9 before they upgrade the cluster. Also, you will see in the 4.2.3. Using APIRequestCount to identify which workloads are using the removed APIs, that is possible to identify who made the call by looking at the USERNAME and USERAGENT.

Example

• Before running the Operator and its workflow using CronJob v1beta1:

Run oc get apirequestcounts -o jsonpath='{range .items[?(@.status.removedInRelease!="")]}{.status.removedInRelease}{"\t"}{.metadata.name}{"\n"}{end}'

Then, you will check:

1.26	[flowschemas.v1beta1.flowcontrol.apiserver.k8s.io](http://flowschemas.v1beta1.flowcontrol.apiserver.k8s.io/)
1.26	horizontalpodautoscalers.v2beta2.autoscaling
1.25	podsecuritypolicies.v1beta1.policy
1.26	[prioritylevelconfigurations.v1beta1.flowcontrol.apiserver.k8s.io](http://prioritylevelconfigurations.v1beta1.flowcontrol.apiserver.k8s.io/)

• After running the Operator and its workflow using CronJob v1beta1:

1.25	cronjobs.v1beta1.batch
1.26	[flowschemas.v1beta1.flowcontrol.apiserver.k8s.io](http://flowschemas.v1beta1.flowcontrol.apiserver.k8s.io/)
1.26	horizontalpodautoscalers.v2beta2.autoscaling
1.25	podsecuritypolicies.v1beta1.policy
1.26	[prioritylevelconfigurations.v1beta1.flowcontrol.apiserver.k8s.io](http://prioritylevelconfigurations.v1beta1.flowcontrol.apiserver.k8s.io/)

• We can check how many calls were made against the CronJob v1beta1:

$ oc get apirequestcounts cronjobs.v1beta1.batch 
NAME                     REMOVEDINRELEASE   REQUESTSINCURRENTHOUR   REQUESTSINLAST24H
cronjobs.v1beta1.batch   1.25               4                       4

• Now, let's check who made the calls (note that it is not very intuitive always. The result here depends on how you are doing the test, and you will probably check the SA name used to run your Operator)

$ oc get apirequestcounts cronjobs.v1beta1.batch   -o jsonpath='{range .status.currentHour..byUser[*]}{..byVerb[*].verb}{","}{.username}{","}{.userAgent}{"\n"}{end}'   | sort -k 2 -t, -u | column -t -s,-NVERBS,USERNAME,USERAGENT
create list watch  kube:admin  main/v0.0.0

Above, you can see that the username is kube:admin because the test was made by running the Operator from an local development environment ( using $ make run makefile target provided in the projects built using Operator-SDK/Kubebuilder )

• Now, let's check its results with an API called from OCP components:

oc get apirequestcounts[ flowschemas.v1beta1.flowcontrol.apiserver.k8s.io](http://flowschemas.v1beta1.flowcontrol.apiserver.k8s.io/) -o jsonpath='{range .status.currentHour..byUser[*]}{..byVerb[*].verb}{","}{.username}{","}{.userAgent}{"\n"}{end}' | sort -k 2 -t, -u | column -t -s,-NVERBS,USERNAME,USERAGENT
get    system:serviceaccount:openshift  cluster  version:default   cluster  version  operator/v0.0.0
patch  system:serviceaccount:openshift  network  operator:default  cluster  network  operator/v0.0.0

IMPORTANT NOTE: You can safely ignore the entries that appear in the results from system:serviceaccount:openshift and from the following usernames if you check them:

• system:serviceaccount:kube-system:generic-garbage-collector
• system:kube-controller-manager
• system:cluster-policy-controller
• system:serviceaccount:openshift-monitoring:kube-state-metrics
• system:serviceaccount:openshift-cluster-machine-approver:machine-approver-sa
• system:serviceaccount:openshift-network-operator:default

Testing the Operator on a Kubernetes cluster ( i.e. Kind )

The APIRequestCount is an Openshift API, so you will not find this option on Kubernetes clusters. Howsoever, you can use Kubernetes metrics to check if your Operator calls the deprecated APIs (More info).

Example

• Before running the Operator and applying the CR, which has a code implementation calling the CronJob API v1beta1 that will be removed on k8s 1.25:

$ kubectl get --raw /metrics | prom2json | jq '
>   # set $deprecated to a list of deprecated APIs
>   [
>     .[] | 
>     select(.name=="apiserver_requested_deprecated_apis").metrics[].labels |
>     {group,version,resource}
>   ] as $deprecated 
>   
>   |
>   
>   # select apiserver_request_total metrics which are deprecated
>   .[] | select(.name=="apiserver_request_total").metrics[] |
>   select(.labels | {group,version,resource} as $key | $deprecated | index($key))
> '

Then, we checked as a result:

{
  "labels": {
    "code": "200",
    "component": "apiserver",
    "dry_run": "",
    "group": "policy",
    "resource": "podsecuritypolicies",
    "scope": "cluster",
    "subresource": "",
    "verb": "LIST",
    "version": "v1beta1"
  },
  "value": "1"
}

• Now, see the results after running the Operator and applying the CR. We can check that the Operator reconciliation called the API CronJob v1beta1 to LIST and POST:

{
  "labels": {
    "code": "200",
    "component": "apiserver",
    "dry_run": "",
    "group": "batch",
    "resource": "cronjobs",
    "scope": "cluster",
    "subresource": "",
    "verb": "LIST",
    "version": "v1beta1"
  },
  "value": "1"
}
{
  "labels": {
    "code": "200",
    "component": "apiserver",
    "dry_run": "",
    "group": "policy",
    "resource": "podsecuritypolicies",
    "scope": "cluster",
    "subresource": "",
    "verb": "LIST",
    "version": "v1beta1"
  },
  "value": "1"
}
{
  "labels": {
    "code": "201",
    "component": "apiserver",
    "dry_run": "",
    "group": "batch",
    "resource": "cronjobs",
    "scope": "resource",
    "subresource": "",
    "verb": "POST",
    "version": "v1beta1"
  },
  "value": "1"
}

💁 Suppose I found the usage of these APIs for my next publication. What should I do?

If you see that your Operator version uses these Kubernetes API versions that will be removed on Openshift 4.12/4.13 (K8s 1.25/1.26), then the recommendation would be to upgrade the APIs. However, suppose you cannot fix it for the next publication, OR this publication must be done for Openshift versions where the new API version is not supported.

In this case, the recommendation is to use the olm.maxOpenShiftVersion annotation so that OCP/OLM users with these versions installed on 4.11 cannot upgrade their cluster before upgrading the Operator version installed. Cluster admins will need to upgrade their Operator versions installed to versions that can work on OCP 4.12+ before upgrading their cluster. Also, it would be recommended to ensure that your solution is not published on the OCP 4.12+ by defining the valid OCP range via the annotation com.redhat.openshift.versions into the metadata/annotations.yaml.

Example:

I verified that my new Operator bundle version will be released and is using CronJob v1beta1. Also, I will not fix that for this release. So, I should use the olm.maxOpenShiftVersion annotation not to let OCP/OLM users upgrade their clusters to Openshift 4.12 if this version is installed:

apiVersion:operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  annotations:
    "olm.properties": '[{"type": "olm.maxOpenShiftVersion", "value": "4.11"}]' 

Then, in this case, I also want to ensure that this solution is added to the Openshift catalog from 4.6. Therefore, I will have the OCP label with the range v4.6-v4.11 in the metadata/annotations.yaml:

annotations:
   ....
  com.redhat.openshift.versions: "v4.6-v4.11"

ℹ️ For further information see the documentation.

💁 Suppose I checked that what is published so far can NOT successfully work on Openshift 4.12+. What should I do?

If you have Operator solutions published on this repo it means that these Operators are distributed via its index catalog source (registry.redhat.io/redhat/community-operator-index) then, you can update what was merged yet. ( To understand how the Openshift catalog is built and its sources, see here )

In this case, you can update the previous versions by pushing a new pull request to update the CSV with the olm.maxOpenShiftVersion annotation to not let OCP/OLM users upgrade their clusters from previous OCP versions to Openshift 4.12 as described in the above example. Also, if your solutions are distributed using the bundle format, you can use the label com.redhat.openshift.versions in the manifest/annotations.yaml to provide a valid range to not allow these Operator(s) versions end up OCP 4.12+. ( i.e. com.redhat.openshift.versions: v4.6-v4.11).

⚠️ If you do not inform a value using the com.redhat.openshift.versions, ' your Operator versions distributed via this repository will be added to all available tags for the index catalog registry.redhat.io/redhat/community-operator-index. The image tags represent the Openshift versions. (i.e. _tag v4.10 means that this image is the source available on Openshift 4.10_ ). In this way, if you are still using the previous format (PackageManifest`), you should upgrade your solutions to bundle format to use this feature. See here how can you achieve it.

💡 You can use OPM to check the content available in the index catalogues:

You can use the OPM tool and the command $ opm alpha list bundles registry.redhat.io/redhat/community-operator-index:v<OCP release> <packageName> to check all bundles available for your package on OCP 4.11, e.g.:

$ opm alpha list bundles registry.redhat.io/redhat/community-operator-index:v4.11 am-online
PACKAGE     CHANNEL  BUNDLE                           REPLACES                         SKIPS                              SKIP RANGE      IMAGE
amq-online  stable   amq-online.1.5.0                                                                                                     registry.redhat.io/amq7/amq-online-1-controller-manager-rhel7-operator-metadata@sha256:b350796e748ac56aeaf71711f4eaae06d2b9f77fc1c9aeec1680c9ab096e663c
amq-online  stable   amq-online.1.6.2                                                                                     >=1.5.4 <1.6.0  registry.redhat.io/amq7/amq-online-1-controller-manager-rhel7-operator-metadata@sha256:debf79ef45e0fdd229bdfae29ff9a40926854278b39b4aa0d364f5ae9c02c6dc
amq-online  stable   amq-online.1.7.0                 amq-online.1.6.2                 amq-online.1.5.0                                   registry.redhat.io/amq7/amq-online-1-controller-manager-rhel7-operator-metadata@sha256:5f582e82bd357530a7d66bdf25598b69ad75e79e2b28ca028cd656fb52a8259f
amq-online  stable   amq-online.1.7.1                                                                                                     registry.redhat.io/amq7/amq-online-1-controller-manager-rhel7-operator-metadata@sha256:c838ae843b44b9c812bb0f79002cefbc49e68a7eabcb96f242974bb606408a3f
amq-online  stable   amq-online.1.7.1-0.1628610187.p  amq-online.1.7.0                 amq-online.1.5.0,amq-online.1.7.1                  registry.redhat.io/amq7/amq-online-1-controller-manager-rhel7-operator-metadata@sha256:74a449ae0c1c85c4c203e13b7d0ff489aa8769e3866e8dca9c784ea63a16c4c0
amq-online  stable   amq-online.1.7.2                 amq-online.1.7.1-0.1628610187.p  amq-online.1.5.0                                   registry.redhat.io/amq7/amq-online-1-controller-manager-rhel7-operator-metadata@sha256:c3693f67dc746764051253bcb9be4105cb0b98096f27f76cdb993bc645f87bab
amq-online  stable   amq-online.1.7.3                 amq-online.1.7.2                 amq-online.1.5.0                                   registry.redhat.io/amq7/amq-online-1-controller-manager-rhel7-operator-metadata@sha256:912214021cac94c6c963314385082ad7b23872c03826f9c7795640aea1e8cf6e

[camilamacedo86]

Hi All,

If you are trying to check if your solution is or not using APIs that will be removed in the next release using the OCP Alerts then, we would like just to let you aware that:

The alerts are fired only one hour later, the deprecated API be used on the cluster, and they do not provide any info to let us know who made the request. (before the alert is fired, we can check them in a Pending state).

Then, we must use command-line commands with oc get apirequestcounts to have info to identify from where the alert was raised. (as described in this mailing thread, the details steps)

Therefore, we recommend you use the command line and not the UI, which seems the best approach to avoid any misleading when trying to ensure/QA your solution to verify if it is or not using APIs that will be removed in the next release.