OSDOCS-2627: Adding docs for admin ack required to upgrade to OCP 4.9

bergerhoffer · bergerhoffer · commit be4081f06e85 · 2021-09-29T14:51:00.000-04:00
diff --git a/_topic_map.yml b/_topic_map.yml
@@ -444,6 +444,14 @@ Topics:
   File: understanding-the-update-service
 - Name: Installing and configuring the OpenShift Update Service
   File: installing-update-service
+# TODO: Remove below assembly for 4.10:
+- Name: Preparing to update to OpenShift Container Platform 4.9
+  File: updating-cluster-prepare
+  Distros: openshift-enterprise
+# TODO: Remove below assembly for 4.10:
+- Name: Preparing to update to OKD 4.9
+  File: updating-cluster-prepare
+  Distros: openshift-origin
 - Name: Updating a cluster between minor versions
   File: updating-cluster-between-minor
 - Name: Updating a cluster within a minor version from the web console
diff --git a/modules/update-preparing-ack.adoc b/modules/update-preparing-ack.adoc
@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * updating/updating-cluster-prepare.adoc
+
+[id="update-preparing-ack_{context}"]
+= Providing the administrator acknowledgment
+
+After you have evaluated your cluster for any removed APIs and have migrated any removed APIs, you can acknowledge that your cluster is ready to upgrade from {product-title} 4.8 to 4.9.
+
+[WARNING]
+====
+Be aware that all responsibility falls on the administrator to ensure that all uses of removed APIs have been resolved and migrated as necessary before providing this administrator acknowledgment. {product-title} can assist with the evaluation, but cannot identify all possible uses of removed APIs, especially idle workloads or external tools.
+====
+
+.Prerequisites
+
+* You must have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+* Run the following command to acknowledge that you have completed the evaluation and your cluster is ready to upgrade to {product-title} 4.9:
++
+[source,terminal]
+----
+$ oc -n openshift-config patch cm admin-acks --patch '{"data":{"ack-4.8-kube-1.22-api-removals-in-4.9":"true"}}' --type=merge
+----
diff --git a/modules/update-preparing-evaluate-alerts.adoc b/modules/update-preparing-evaluate-alerts.adoc
@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * updating/updating-cluster-prepare.adoc
+
+[id="update-preparing-evaluate-alerts_{context}"]
+= Reviewing alerts to identify uses of removed APIs
+
+{product-title} 4.8 introduced two new alerts that fire when an API is in use that will be removed in the next release:
+
+* `APIRemovedInNextReleaseInUse` - for APIs that will be removed in the next {product-title} release.
+* `APIRemovedInNextEUSReleaseInUse` - for APIs that will be removed in the next {product-title} Extended Update Support (EUS) release.
+
+If either of these alerts are firing in your cluster, review the alerts and take action to clear the alerts by migrating manifests and API clients to use the new API version. You can use the `APIRequestCount` API to get more information about which APIs are in use and which workloads are using removed APIs.
diff --git a/modules/update-preparing-evaluate-apirequestcount-workloads.adoc b/modules/update-preparing-evaluate-apirequestcount-workloads.adoc
@@ -0,0 +1,43 @@
+// Module included in the following assemblies:
+//
+// * updating/updating-cluster-prepare.adoc
+
+[id="update-preparing-evaluate-apirequestcount-workloads_{context}"]
+= Using APIRequestCount to identify which workloads are using the removed APIs
+
+You can examine the `APIRequestCount` resource for a given API version to help identify which workloads are using the API.
+
+.Prerequisites
+
+* You must have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+* Run the following command and examine the `username` and `userAgent` fields to help identify the workloads that are using the API:
++
+[source,terminal]
+----
+$ oc get apirequestcounts <resource>.<version>.<group> -o yaml
+----
++
+For example:
++
+[source,terminal]
+----
+$ oc get apirequestcounts ingresses.v1beta1.networking.k8s.io -o yaml
+----
++
+You can also use `-o jsonpath` to extract the `username` values from an `APIRequestCount` resource:
++
+[source,terminal]
+----
+$ oc get apirequestcounts ingresses.v1beta1.networking.k8s.io -o jsonpath='{range ..username}{$}{"\n"}{end}' | sort | uniq
+----
++
+.Example output
+[source,terminal]
+----
+user1
+user2
+app:serviceaccount:delta
+----
diff --git a/modules/update-preparing-evaluate-apirequestcount.adoc b/modules/update-preparing-evaluate-apirequestcount.adoc
@@ -0,0 +1,48 @@
+// Module included in the following assemblies:
+//
+// * updating/updating-cluster-prepare.adoc
+
+[id="update-preparing-evaluate-apirequestcount_{context}"]
+= Using APIRequestCount to identify uses of removed APIs
+
+You can use the `APIRequestCount` API to track API requests and review whether any of them are using one of the removed APIs.
+
+.Prerequisites
+
+* You must have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+* Run the following command and examine the `REMOVEDINRELEASE` column of the output to identify the removed APIs that are currently in use:
++
+[source,terminal]
+----
+$ oc get apirequestcounts
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                        REMOVEDINRELEASE   REQUESTSINCURRENTHOUR   REQUESTSINLAST24H
+cloudcredentials.v1.operator.openshift.io                      32                      111
+ingresses.v1.networking.k8s.io                                 28                      110
+ingresses.v1beta1.extensions                1.22               16                      66
+ingresses.v1beta1.networking.k8s.io         1.22               0                       1
+installplans.v1alpha1.operators.coreos.com                     93                      167
+...
+----
++
+You can also use `-o jsonpath` to filter the results:
++
+[source,terminal]
+----
+$ oc get apirequestcounts -o jsonpath='{range .items[?(@.status.removedInRelease!="")]}{.status.removedInRelease}{"\t"}{.metadata.name}{"\n"}{end}'
+----
++
+.Example output
+[source,terminal]
+----
+1.22    certificatesigningrequests.v1beta1.certificates.k8s.io
+1.22    ingresses.v1beta1.extensions
+1.22    ingresses.v1beta1.networking.k8s.io
+----
diff --git a/modules/update-preparing-list.adoc b/modules/update-preparing-list.adoc
@@ -0,0 +1,104 @@
+// Module included in the following assemblies:
+//
+// * updating/updating-cluster-prepare.adoc
+
+[id="update-preparing-list_{context}"]
+= Removed Kubernetes APIs
+
+// TODO: Keep michael's section in the release notes (which this duplicates), or link to this from his RN section?
+{product-title} 4.9 uses Kubernetes 1.22, which removed the following deprecated `v1beta1` APIs. You must migrate manifests and API clients to use the `v1` API version. For more information about migrating removed APIs, see the link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-22[Kubernetes documentation].
+
+.`v1beta1` APIs removed from Kubernetes 1.22
+[cols="2,2,1",options="header",]
+|===
+|Resource |API |Notable changes
+
+|`APIService`
+|`apiregistration.k8s.io/v1beta1`
+|No
+
+|`CertificateSigningRequest`
+|`certificates.k8s.io/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#certificatesigningrequest-v122[Yes]
+
+|`ClusterRole`
+|`rbac.authorization.k8s.io/v1beta1`
+|No
+
+|`ClusterRoleBinding`
+|`rbac.authorization.k8s.io/v1beta1`
+|No
+
+|`CSIDriver`
+|`storage.k8s.io/v1beta1`
+|No
+
+|`CSINode`
+|`storage.k8s.io/v1beta1`
+|No
+
+|`CustomResourceDefinition`
+|`apiextensions.k8s.io/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122[Yes]
+
+|`Ingress`
+|`extensions/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122[Yes]
+
+|`Ingress`
+|`networking.k8s.io/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122[Yes]
+
+|`IngressClass`
+|`networking.k8s.io/v1beta1`
+|No
+
+|`Lease`
+|`coordination.k8s.io/v1beta1`
+|No
+
+|`LocalSubjectAccessReview`
+|`authorization.k8s.io/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#subjectaccessreview-resources-v122[Yes]
+
+|`MutatingWebhookConfiguration`
+|`admissionregistration.k8s.io/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#webhook-resources-v122[Yes]
+
+|`PriorityClass`
+|`scheduling.k8s.io/v1beta1`
+|No
+
+|`Role`
+|`rbac.authorization.k8s.io/v1beta1`
+|No
+
+|`RoleBinding`
+|`rbac.authorization.k8s.io/v1beta1`
+|No
+
+|`SelfSubjectAccessReview`
+|`authorization.k8s.io/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#subjectaccessreview-resources-v122[Yes]
+
+|`StorageClass`
+|`storage.k8s.io/v1beta1`
+|No
+
+|`SubjectAccessReview`
+|`authorization.k8s.io/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#subjectaccessreview-resources-v122[Yes]
+
+|`TokenReview`
+|`authentication.k8s.io/v1beta1`
+|No
+
+|`ValidatingWebhookConfiguration`
+|`admissionregistration.k8s.io/v1beta1`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#webhook-resources-v122[Yes]
+
+|`VolumeAttachment`
+|`storage.k8s.io/v1beta1`
+|No
+
+|===
diff --git a/modules/update-preparing-migrate.adoc b/modules/update-preparing-migrate.adoc
@@ -0,0 +1,8 @@
+// Module included in the following assemblies:
+//
+// * updating/updating-cluster-prepare.adoc
+
+[id="update-preparing-migrate_{context}"]
+= Migrating instances of removed APIs
+
+For information on how to migrate removed Kubernetes APIs, see the link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-22[Deprecated API Migration Guide] in the Kubernetes documentation.
diff --git a/updating/updating-cluster-between-minor.adoc b/updating/updating-cluster-between-minor.adoc
@@ -21,6 +21,9 @@ See xref:../authentication/using-rbac.adoc[Using RBAC to define and apply permis
 * Ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy.
 * If your cluster uses manually maintained credentials, ensure that the Cloud Credential Operator (CCO) is in an upgradeable state. For more information, see _Upgrading clusters with manually maintained credentials_ for xref:../installing/installing_aws/manually-creating-iam.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-aws[AWS], xref:../installing/installing_azure/manually-creating-iam-azure.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-azure[Azure], or xref:../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-gcp[GCP].
 * If your cluster uses manually maintained credentials with the AWS Secure Token Service (STS), obtain a copy of the `ccoctl` utility from the release image being upgraded to and use it to process any updated credentials. For more information, see xref:../authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc#sts-mode-upgrading[_Upgrading an OpenShift Container Platform cluster configured for manual mode with STS_].
+* Review the list of APIs that were removed in Kubernetes 1.22, migrate any affected components to use the new API version, and provide the administrator acknowledgment. For more information, see xref:../updating/updating-cluster-prepare.adoc#updating-cluster-prepare[Preparing to update to {product-title} 4.9].
++
+// TODO: Currently, this ^ admin ack is only applicable for 4.9 and should be removed for 4.10+
 
 [IMPORTANT]
 ====
diff --git a/updating/updating-cluster-prepare.adoc b/updating/updating-cluster-prepare.adoc
@@ -0,0 +1,37 @@
+[id="updating-cluster-prepare"]
+= Preparing to update to {product-title} 4.9
+include::modules/common-attributes.adoc[]
+:context: updating-cluster-prepare
+
+toc::[]
+
+{product-title} 4.9 uses Kubernetes 1.22, which removed a significant number of deprecated `v1beta1` APIs.
+
+4.8.TODO introduced a requirement that an administrator must provide a manual acknowledgment before the cluster can be upgraded from {product-title} 4.8 to 4.9. This is to help prevent issues after upgrading to {product-title} 4.9, where APIs that have been removed are still in use by workloads, tools, or other components running on or interacting with the cluster. Administrators must evaluate their cluster for any APIs in use that will be removed and migrate the affected components to use the appropriate new API version. After this is done, the administrator can provide the administrator acknowledgment.
+
+Before you can upgrade your {product-title} 4.8 cluster to 4.9, you must provide the administrator acknowledgment.
+
+// TODO: Update to specify which 4.8 z-stream this check was introduced in.
+
+// Removed Kubernetes APIs
+include::modules/update-preparing-list.adoc[leveloffset=+1]
+
+[id="evaluating-cluster-removed-apis"]
+== Evaluating your cluster for removed APIs
+
+There are several methods to help administrators identify where APIs that will be removed are in use. However, {product-title} cannot identify all instances, especially workloads that are idle or external tools that are used. It is the responsibility of the administrator to properly evaluate all workloads and other integrations for instances of removed APIs.
+
+// Reviewing alerts to identify uses of removed APIs
+include::modules/update-preparing-evaluate-alerts.adoc[leveloffset=+2]
+
+// Using APIRequestCount to identify uses of removed APIs
+include::modules/update-preparing-evaluate-apirequestcount.adoc[leveloffset=+2]
+
+// Using APIRequestCount to identify which workloads are using the removed APIs
+include::modules/update-preparing-evaluate-apirequestcount-workloads.adoc[leveloffset=+2]
+
+// Migrating instances of removed APIs
+include::modules/update-preparing-migrate.adoc[leveloffset=+1]
+
+// Providing the administrator acknowledgment
+include::modules/update-preparing-ack.adoc[leveloffset=+1]
