Hi,
The title for this link https://cloud.ibm.com/docs/openshift?topic=openshift-security#network_segmentation is "Network segmentation and privacy"
If you continue reading then you will see the title "Network segmentation and privacy for VPC clusters" (https://cloud.ibm.com/docs/openshift?topic=openshift-security#network_segmentation_vpc)
In my case I have a cluster in VPC and I wasted some hours trying to understand how to apply the things explained in the first section until I realized it only applies to Classic, seeing that there is a specific topic for "VPC clusters".
So I think, in case the first section only applies to classic, that "for Classic clusters" should be added to the title.
Thank you.
Cluster autoscaling (worker node autoscaling) is not supported in OCP 3.11 (k8s 1.11) because it requires k8s 1.12.
Hi, the following subnet addresses are incorrect with mask "/29" :
161.202.146.86/29, 128.168.71.70/29, 165.192.71.222/29 in "AP North" table row in "IBM Cloud Container Registry" section of openshift_firewall.md
Would you be able to fix it ?
Also have you considered publishing the IP addresses as a simple text list - like here, for example : https://www.cloudflare.com/ips-v4 (https://www.cloudflare.com/ips/) or something like this : https://api.cis.cloud.ibm.com/v1/ips. It would be very helpful when the proper firewall rules need to be updated due to IP address change.
Thanks
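The kind of check that catches the entries reported above, as an added example that is not part of the original issue or of IBM's documentation: an address with host bits set under its mask is ambiguous in a firewall allowlist, since it could mean the single host or the enclosing /29. The function names are hypothetical; only the three CIDR strings come from the issue.

```python
import ipaddress

# The three entries quoted in the issue ("AP North" row of openshift_firewall.md).
REPORTED = ["161.202.146.86/29", "128.168.71.70/29", "165.192.71.222/29"]


def check_cidr(entry):
    """Classify one allowlist entry.

    status is one of:
      "ok"            - entry is a proper network address for its prefix
      "host_bits_set" - address is inside the network, not the network itself
      "malformed"     - not parseable as address/prefix at all
    """
    entry = entry.strip()
    try:
        # strict=True rejects addresses whose host bits are non-zero.
        net = ipaddress.ip_network(entry, strict=True)
        return {"entry": entry, "status": "ok", "network": str(net)}
    except ValueError:
        pass

    try:
        # ip_interface accepts host/prefix pairs and exposes both readings.
        iface = ipaddress.ip_interface(entry)
    except ValueError as exc:
        return {"entry": entry, "status": "malformed", "error": str(exc)}

    return {
        "entry": entry,
        "status": "host_bits_set",
        # Reading 1: the author meant the whole block (rule covers every address in it).
        "enclosing": str(iface.network),
        # Reading 2: the author meant exactly this one address.
        "single_host": f"{iface.ip}/{iface.ip.max_prefixlen}",
        "addresses_in_block": iface.network.num_addresses,
    }


def lint_allowlist(entries):
    """Return findings for every entry that is not a clean network address."""
    findings = []
    for entry in entries:
        result = check_cidr(entry)
        if result["status"] != "ok":
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in lint_allowlist(REPORTED):
        print(
            f'{finding["entry"]}: host bits set; '
            f'either {finding["single_host"]} or {finding["enclosing"]} '
            f'({finding["addresses_in_block"]} addresses)'
        )
```

Running a check like this over an allowlist before it is loaded into firewall rules shows which entries need a decision between the narrower and the wider reading.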
this doc has bad indentation on the pvc definition
https://cloud.ibm.com/docs/openshift?topic=openshift-odf-deploy-app
In the section VPC: Opening required ports and IP addresses in other network firewalls, we should add a section to whitelist the container registry route *.appdomain.cloud. I just faced this issue with a client which exposed the openshift container registry externally by following this doc:
https://cloud.ibm.com/docs/openshift?topic=openshift-registry#route_internal_registry
I have been following the docs to manually add VPC block storage to my worker nodes in preparation for installing Portworx. On this page in step 4 of the section for reviewing volume attachment details for a VPC worker node the URL in the cURL command is incorrect.
This is what is in the Docs:
curl -X GET -H "Authorization: <IAM_token>" -H "Content-Type: application/json" -H "X-Auth-Resource-Group-ID: <resource_group_ID>" "https://.containers.cloud.ibm.com/v2/storage/clusters/<cluster_ID>/workers/<worker_ID>/volume_attachments"
The result of this command is a 404 page not found.
After reviewing the actual API docs I found the docs for the API for reviewing attached volumes. The relative URL should be /v2/storage/vpc/getAttachmentsList.
the command in step 4 looks like it should be:
curl -X GET -H "Authorization: <IAM_token>" -H "Content-Type: application/json" -H "X-Auth-Resource-Group-ID: <resource_group_ID>" "https://.containers.cloud.ibm.com/v2/storage/vpc/getAttachmentList?cluster=<cluster_ID>&worker=<worker_ID>"
I tested the URL using that format and it does work.
Thanks!
To create a VPC cluster from the CLI, --workers parameter is not optional actually.
$ ibmcloud oc cluster create vpc-gen2 --name mycluster --zone jp-tok-1 --vpc-id $vpc --subnet-id $subnet --flavor bx2.4x16 --version 4.6_openshift --cos-instance $crn
Creating cluster...
FAILED
The requested number of worker nodes is fewer than the minimum 2 worker nodes that are required for an OpenShift cluster. You have 0 existing worker nodes in the cluster, which you requested to change by 1 worker nodes. Revise your request, and try again. (E3310)
Document URL:
https://cloud.ibm.com/docs/openshift?topic=openshift-clusters&locale=en#cluster_vpcg2_cli
https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-lbaas#setup_vpc_nlb_pub
Hi, Essentially code blocks on this page, if used "as is" will result in silent failure if applied to Openshift. The behaviour the instructions are talking about will not happen and in fact the user won't get an error.
In the three code blocks containing this kind of yaml...
`apiVersion: v1
kind: Service
metadata:
name: <app_name>-vpc-nlb-<VPC_zone>
annotations:
service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: "nlb"
service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "public"
service.kubernetes.io/ibm-load-balancer-cloud-provider-vpc-node-selector: "="
service.kubernetes.io/ibm-load-balancer-cloud-provider-vpc-subnets: "<subnet1_ID,subnet2_ID>"
service.kubernetes.io/ibm-load-balancer-cloud-provider-zone: ""
spec:
type: LoadBalancer
selector:
<selector_key>: <selector_value>
ports:
The annotations section needs to be a subsection of the metadata tag. As it is the annotations section will be ignored meaning the yaml will be applied but the NLB will not be created (any of the other annotation's functions will also not take effect).
Recreated using Safari and Chrome on MacOS
In the following tutorial for OpenShift of VPC there is an incorrect command listed which causes the tutorial to not work:
https://cloud.ibm.com/docs/openshift?topic=openshift-vpc_rh_tutorial
The command in question is in Step 3: Setting up a VPC load balancer to expose your app publicly
The first command given is to run this:
$ oc expose deployment/hello-world --type=LoadBalancer --name=hw-lb-svc --port=8080 --target-port=8080
Running the above command will result in an error that no deployment exists with the name "hello-world" and this is correct.
Since we created the application in the cluster using Openshift command:
$ oc new-app --name hello-world https://github.com/IBM/container-service-getting-started-wt --context-dir="Lab 1"
This creates a deployment config as opposed to the Kubernetes default deployment. Therefore, the correct command that customers will need to run is:
$ oc expose dc/hello-world --type=LoadBalancer --name=hw-lb-svc --port=8080 --target-port=8080
This command will properly expose the application and create the LoadBalancer service. I suspect this was due to the tutorial initially being created for Kubernetes and not for OpenShift.
Hi, I'm trying to follow: https://cloud.ibm.com/docs/openshift?topic=openshift-ingress-qs-roks4 to expose a service via a TLS ingress.
The ingress shown in step 3 is not using the tls option and thus the ingress will only be presented as http (tcp/80). Step 5 then shows accessing this ingress via https.
I would like steps as to how to setup TLS ingress on OpenShift v4.x on IBM Cloud please, using the default cluster TLS certificate. I am currently having issues with this as it stops both https and http ingress connections from working when I include it.
Here is my configuration:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  generation: 3
  labels:
    app.kubernetes.io/name: defectdojo
  name: matt-dd-django
  namespace: sbu-dev
spec:
  rules:
  - host: defectdojo.mattcluster-<hash>-0000.eu-gb.containers.appdomain.cloud
    http:
      paths:
      - backend:
          serviceName: matt-dd-django
          servicePort: http
        path: /
  tls:
  - hosts:
    - defectdojo.mattcluster-<hash>-0000.eu-gb.containers.appdomain.cloud
    secretName: mattcluster-<hash>-0000
status:
  loadBalancer: {}
Thanks.
On https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_limitations it is stated that If your account uses multifactor authentication (MFA), the OpenShift web console cannot authenticate and does not work.
My account uses MFA and the OpenShift web console works. I have tested with both OCP version 4.4 and 4.5.
Please validate this is no longer a limitation and remove the limitation from the documentation if applicable.
At step 3 in https://cloud.ibm.com/docs/openshift?topic=openshift-health-monitor#openshift_monitoring;
oc get daemon sets -n ibm-observe
gives an error if you try to execute it in the CLI, and should be as follows (removing extra space in between the words)
oc get daemonsets -n ibm-observe
In this section https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_cloud_paks#oc_cloud_paks_assign, step 1b, I can not find account id in passport advantage that has the same format as in step 1a.
I think the link is missing an important step to actually enable the vlan spanning: https://cloud.ibm.com/docs/openshift?topic=openshift-subnets#basics_segmentation. This link only describes the first step to grant the permission for vlan spanning from Manage -> Access (IAM) -> Users -> person name -> Classic infrastructure tab and select/check the box of Network > Manage Network VLAN Spanning, but after the permission granted, 2nd step needs to 'enable' it through Classic Infrastructure (from hamburger menu) -> IP Management -> VLANs, on the vlans page, expand :
It's shown as Disabled by default. Then click on Enabled text,
Checking from CLI:
OK
VLAN spanning is enabled.
oc delete project logdna
Should be > oc delete project logdna-agent
This page: https://cloud.ibm.com/docs/openshift?topic=openshift-ingress_annotation has these instructions for annotating routes -
To add annotations to the router, run oc edit svc router-default -n openshift-ingress.
In my 4.3 Cluster, it appears I have to edit the route object itself (e.g. oc edit route ) .. not the service .. to enable annotations. Adding them to the service has no effect.
Step 1) on https://cloud.ibm.com/docs/openshift?topic=openshift-deploy-odf-vpc#ocs-storage-vpc states to install the oc CLI.
Users that have it already installed but not the latest version of plugin container-service[kubernetes-service] will be unable to enable the ODF addon and see the message:
FAILED
'openshift-data-foundation' is not a registered command. See 'ibmcloud ks cluster addon enable help'.
These users need to update the plugin.
My request is to make Step 1) one look like:
Commands should have a "copy to clipboard" icon next to them. Below pages have very many commands without the Copy to clipboard icon which is inconvenient for people who want to copy these commands:
https://cloud.ibm.com/docs/openshift?topic=openshift-users
https://cloud.ibm.com/docs/openshift?topic=openshift-add_workers
https://cloud.ibm.com/docs/openshift?topic=openshift-network_policies
https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_apps
https://cloud.ibm.com/docs/openshift?topic=openshift-ingress-settings
https://cloud.ibm.com/docs/openshift?topic=openshift-block_storage
https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-block
https://cloud.ibm.com/docs/openshift?topic=openshift-kubernetes-service-cli
https://cloud.ibm.com/docs/openshift?topic=openshift-cs_troubleshoot
https://cloud.ibm.com/docs/openshift?topic=openshift-cs_troubleshoot_clusters
The doc shows "--provider " in ibmcloud oc cluster create but if specified it results in error.
Incorrect Usage: flag provided but not defined: -provider
I tested in OpenShift 4.5 on VPC Gen2.
Hi Team,
I am using Windows 10 and successfully installed ibm cloud, then while trying to install oc
I don't see the steps for windows.
Open: https://cloud.ibm.com/docs/openshift?topic=openshift-openshift-cli#cli_oc
Navigate to: Installing the OpenShift Origin CLI (oc)
#4 talks about how to install in Mac.
#3 talks about how to unzip using command tar -xvf oc.tar.gz.
But the problem here is the downloaded compressed file is oc.zip.
After unzip what to do next is not mentioned. I am kind of blocked here.
Can you please update the documentation or share the next steps on how to proceed next?
When I unzip there is only one file oc.exe
Please share the steps on how to proceed next for Windows 10 OS.
Document says "When the provisioning of your OpenShift master is completed, the status of your cluster changes to deployed." and the output of ibmcloud oc cluster ls is shown.
But we can not see deployed state by ibmcloud oc cluster ls actually. We can see the state by ibmcloud oc cluster get --cluster mycluster.
Worker state is the same.
URL: https://cloud.ibm.com/docs/openshift?topic=openshift-clusters&locale=en#cluster_vpcg2_cli
On https://cloud.ibm.com/docs/openshift?topic=openshift-cs_ov#compare_ocp
Can you refer the following link about network ?
https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/about-openshift-sdn.html
I am confused a little bit about network part.
In my understanding, default network is using OVS.
"This Pod network is established and maintained by the OpenShift SDN, which configures an overlay network using Open vSwitch (OVS)." ( https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/about-openshift-sdn.html)
The url from LogDNA git repo is changed from https://raw.githubusercontent.com/logdna/logdna-agent/master/logdna-agent-ds-os.yml to https://raw.githubusercontent.com/logdna/logdna-agent/master/logdna-agent-ds-os.y**a**ml
In the "Controlling traffic with ACLs" section:
Step 5, inbound rules has:
and in Step 6, its "counterpart" outbound rule has:
But, as it is written, they are the same, in different directions, so one of them is flipped.
Based on the description, it seems the inbound rule should be:
The add-on page links to the OpenShift Data Foundation page, which does not exist.
For https://cloud.ibm.com/docs/docs?topic=solution-tutorials?topic=solution-tutorials-scalable-webapp-openshift
The reference link for Scalable web application on OpenShift in Tutorials is broken:
Hello All - beginner in the world of VPC and clusters - need help
I am working thru Tutorial "Creating an OpenShift cluster in your Virtual Private Cloud (VPC)"
In Step 3: Setting up a VPC load balancer to expose your app publicly
I type in the following command - which results in error. Can anyone help & see what I may have done wrong?
oc expose deployment/hello-world --type=LoadBalancer --name=hw-lb-svc --port=8080 --target-port=8080
Error from server (NotFound): deployments.apps "hello-world" not found
It seems like my previous steps have been successful
weng_ng@cloudshell:$ oc get svc -n hello-world$
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-world ClusterIP 172.21.135.21 8080/TCP 96m
weng_ng@cloudshell:
weng_ng@cloudshell:~$ oc get pods -n hello-world
NAME READY STATUS RESTARTS AGE
hello-world-1-build 0/1 Completed 0 97m
hello-world-1-deploy 0/1 Completed 0 96m
hello-world-1-dhcmc 1/1 Running 0 96m
https://cloud.ibm.com/docs/openshift?topic=openshift-registry#route_internal_registry step 8, code block is messed up
I have followed this article to let LogDNA logging work with openshift, but it didn't work.
https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_health#openshift_logdna_sysdig_cleanup
https://cloud.ibm.com/docs/openshift?topic=openshift-planning_worker_nodes
the statement in the yellow alert about HIPAA compliance does not match with IBM's official stance on compliance. Either note this as recommended practice or remove the advisory.
Do not use. Use another term such as "controller," "leader," "parent," or "primary."
https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_changelog
2019 instead of 2020 in the release notes on April 21
https://cloud.ibm.com/docs/openshift?topic=openshift-iks-release
Hello,
In the smallest cluster section of the docs (https://cloud.ibm.com/docs/openshift?topic=openshift-faqs#smallest_cluster) this excerpt on worker pools is contradictory to the Service Limitations (https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_limitations#tech_limits)
Worker pools: For any type of cluster, each worker pool must have at least 1 worker node at all times. For the smallest size cluster possible, you can have only 1 worker pool.
contradicts
Worker pool size | You must have a minimum of 2 worker nodes per zone in your worker pool at all times. For more information, see What is the smallest size cluster that I can make?. You cannot scale worker pools down to zero. Because of the worker node quota, you are limited in the number of worker pools per cluster and number of worker nodes per worker pool. For example, with the default worker node quota of 500 per region, you might have up to 500 worker pools of 1 worker node each in a region with only 1 cluster. Or, you might have 1 worker pool with up to 500 worker nodes in a region with only 1 cluster.
Can you please clarify which is the correct statement and bring the other in line with the proper limitation?
Thank you,
Matt.
To create a VPC cluster from the CLI, --cos-instance <cos_CRN> parameter is required.
To create a standard object storage instance, command is guided as follows, but NAME is not given so failed to create.
ibmcloud resource service-instance-create cloud-object-storage standard global
I run the following and created a standard object storage instance successfully.
ibmcloud resource service-instance-create my-object-storage cloud-object-storage standard global
Document URL:
https://cloud.ibm.com/docs/openshift?topic=openshift-clusters&locale=en#cluster_vpcg2_cli
Under How does OpenShift Data Foundation work?
Because ODF abstracts your underlying storage, you can create use ODF to creat File, Block, or Object storage claims all from the same underlying raw block storage.
you can create use ODF to creat File,
should probably be you can use ODF to create File,
According to the documentation for a HA the setup is : "with a total of at least 9 worker nodes, three worker nodes per zone that are evenly spread across three zones."
Sorry, this is not acceptable, in case your workload can be run on 1 worker node there is no reason to have at least 3 per zone
More correct would be that the sum of 2 zones out of 3 must be able to run the entire workload, so in case 1 zone goes down the workload remains available at expected performance.
Hi,
I think step 2 for rebooting a node is wrong at: worker node reboot, as it says to use oc drain <name> while it should be oc add drain <name>
At least with oc 4.5.
Hope this helps. Regards,
Asier.
When following the official document [1] to set up object store to be used by apps deployed in Openshift we got some issues that in some way is because the document is not very clear describing some of the steps.
For example in this document is not very clear that for openshift 4.X you need to use Helm version 3.
More in the section "Adding object storage to apps" [2], some of the options in the configuration file we can delete or comment out because they are not needed (of course it depends on the configuration of the COS, but this should be referred to in the document).
[1]https://cloud.ibm.com/docs/openshift?topic=openshift-object_storage
[2] https://cloud.ibm.com/docs/openshift?topic=openshift-object_storage#add_cos
It will be productive if you include the command to retrieve public IP of hosts than trying to research in the interest of time.
In this step where command needs to be included
2. Retrieve the matching public IP addresses of your hosts from your cloud provider. at this link https://cloud.ibm.com/docs/openshift?topic=openshift-access_cluster#sat_public_access
Under "Permissions to create a cluster" it says you might need to edit "Identity and Access Management" to include "Service ID creator" and "User API key creator". These are really under "IAM Identity Service".
https://cloud.ibm.com/docs/openshift?topic=openshift-access_reference#cluster_create_permissions
see below for the text on the webpage. Surely the requirement is to use Redhat UBI, or even - if it's going to really be agnostic - any type of Linux with a certain kernel type? Whatever the answer - it's probably not uniquely Ubuntu.
"What kind of apps can I run? Can I move existing apps, or do I need to develop new apps?
Your containerized app must be able to run on the supported operating system, Ubuntu 16.64, 18.64. You also want to consider the statefulness of your app. For more information about the kinds of apps that can run in Red Hat OpenShift on IBM Cloud, see Planning app deployments."
Hi, we are from the IBM Cloud Schematics service (Orchestrator as service in IBM cloud) team, and our service is used by Cloudpak customers to deploy the cloudpak into their ROKS.
From our service we whitelist only these (https://github.com/ibm-cloud-docs/openshift/blob/master/openshift_firewall.md) IP ranges to meet security guidelines. We want to get notified before this list is updated to avoid cloudpak deployment failures.
we also look at this document manually every week to catch the new addition IPs but still this is not efficient as the doc update happen any point in time.
So here is the summary
https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#openshift_release_history
Looks like below:
Supported? | OpenShift | Kubernetes version | Red Hat OpenShift on IBM Cloud release date | Red Hat OpenShift on IBM Cloud unsupported date | | --- | --- | --- | --- | | Supported | 4.7 / 1.20 | 09 Jun 2021 | Jun 2022† | | Supported | 4.6 / 1.19 | 17 Feb 2021 | Apr 2022 † | | Supported | 4.5 / 1.18 | 13 Oct 2020 | 30 Sep 2021 † | | Not supported | 4.4 / 1.17 | 21 Jul 2020 | 31 May 2021 | | Not supported | 4.3 / 1.16 | 20 Apr 2020 | 7 Mar 2021 | | Deprecated | 3.11 / 1.11 | 01 Aug 2019 | 06 Jun 2022 † |
I am assuming this is supposed to be in tabular form.
See step 2 under here https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-lbaas#vpc_lb_dns
Virtual Server Link not working in sentence In VPC clusters, make sure to select a [virtual server](https://cloud.ibm.com/docs/vpc-on-classic-vsi?topic=vpc-on-classic-vsi-profiles) flavor that meets the minimum hardware requirements for Portworx.
Cannot find this link but have found one for VPC https://cloud.ibm.com/docs/vpc?topic=vpc-profiles.
The User access permissions page has a link that is not formatted correctly:
For https://cloud.ibm.com/docs/openshift?topic=openshift-openshift_versions#ocp3to4-migrate-prereqs
It appears that the reference links for IBM Cloud Object Storage in Section 3 are broken, they are all being presented by a 404
It got cloudy in here...
Unfortunately, we couldn’t find the page you were looking for, but here are some helpful places to start from:
Hi folks,
I spotted some minor typos in the https://cloud.ibm.com/docs/openshift?topic=openshift-health-monitor page - looks like some letters could have been missed during a copy/paste.
Regards,
Matt
In section "Lesson 1" part 1, this article includes a link for instructions to install the "ibmcloud oc" CLI plugin here. The linked article does not contain such instructions.