About this release

These release notes track the development of OpenShift sandboxed containers in Red Hat OpenShift Container Platform.

This product is currently in Technology Preview. OpenShift sandboxed containers is not intended for production use. For more information, see the Red Hat Customer Portal support scope for features in Technology Preview.

New features and enhancements

OpenShift sandboxed containers support on OpenShift Container Platform (Technology Preview)

The OpenShift sandboxed containers 1.0.0 Technology Preview release introduces built-in support for running Kata Containers as an additional runtime. OpenShift sandboxed containers enables users to choose Kata Containers as an additional runtime that provides stronger isolation for their workloads. The OpenShift sandboxed containers Operator automates the tasks of installing, removing, and updating Kata Containers. You can track the state of those tasks by describing the KataConfig custom resource.

OpenShift sandboxed containers are only supported on bare metal. Red Hat Enterprise Linux CoreOS (RHCOS) is the only supported operating system for OpenShift sandboxed containers 1.0.0. Disconnected environments are not supported in OpenShift Container Platform 4.8.

Known issues

  • If you are using OpenShift sandboxed containers, you cannot use the hostPath volume in an OpenShift Container Platform cluster to mount a file or directory from the host node’s file system into your pod. As an alternative, you can use local persistent volumes. See Persistent storage using local volumes for more information. (BZ#1904609)

  • If you are running Fedora on OpenShift sandboxed containers, you need a workaround to install some packages. Some packages, like iputils, require file access permission changes that OpenShift Container Platform does not grant to containers by default. To run containers that require such special permissions, you must add an annotation to the YAML file describing the workload, which tells virtiofsd to accept such file permissions for that workload. The required annotation, placed under the workload's metadata.annotations, is:

    metadata:
      annotations:
        io.katacontainers.config.hypervisor.virtio_fs_extra_args: |
          [ "-o", "modcaps=+sys_admin", "-o", "xattr" ]
  • In the 4.8 release, adding a value to kataConfigPoolSelector by using the OpenShift Container Platform web console causes scheduling.nodeSelector to be populated with an empty value. Pods that use RuntimeClass with the value of kata might be scheduled to nodes that do not have the Kata Containers runtime installed.

    To work around this issue, specify the nodeSelector value manually in the RuntimeClass kata by running the following command:

    $ oc edit runtimeclass kata

    The following is an example of a RuntimeClass with the correct nodeSelector statement.

    apiVersion: node.k8s.io/v1
    handler: kata
    kind: RuntimeClass
    metadata:
      creationTimestamp: "2021-06-14T12:54:19Z"
      name: kata
    overhead:
      podFixed:
        cpu: 250m
        memory: 350Mi
    scheduling:
      nodeSelector:
        custom-kata-pool: "true"
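    The following is an added audit script, not part of the original release notes, that checks a cluster for the symptom described above: a RuntimeClass kata whose scheduling.nodeSelector is empty, and kata pods that were consequently scheduled onto nodes outside the Kata pool. The RuntimeClass, node, and pod objects are constructed samples of what `oc get ... -o json` returns, and the expected pool label custom-kata-pool: "true" is assumed to match the cluster's KataConfig.

```python
# Labels the KataConfig pool selector puts on kata-capable nodes, taken from the
# RuntimeClass example above (assumed to match the cluster's KataConfig).
EXPECTED_SELECTOR = {"custom-kata-pool": "true"}

# Constructed `oc get runtimeclass kata -o json` output on an affected 4.8
# cluster (scheduling.nodeSelector present but empty) and after the workaround.
RUNTIMECLASS_BROKEN = {"kind": "RuntimeClass", "handler": "kata",
                       "metadata": {"name": "kata"}, "scheduling": {"nodeSelector": {}}}
RUNTIMECLASS_FIXED = {"kind": "RuntimeClass", "handler": "kata",
                      "metadata": {"name": "kata"},
                      "scheduling": {"nodeSelector": {"custom-kata-pool": "true"}}}

# Constructed node and pod lists (the .items of `oc get nodes|pods -o json`).
NODES = [
    {"metadata": {"name": "worker-0", "labels": {"custom-kata-pool": "true"}}},
    {"metadata": {"name": "worker-1", "labels": {}}},
]
PODS = [
    {"metadata": {"namespace": "app", "name": "kata-ok"},
     "spec": {"runtimeClassName": "kata", "nodeName": "worker-0"}},
    {"metadata": {"namespace": "app", "name": "kata-misplaced"},
     "spec": {"runtimeClassName": "kata", "nodeName": "worker-1"}},
    {"metadata": {"namespace": "app", "name": "runc-pod"},
     "spec": {"nodeName": "worker-1"}},
]


def effective_node_selector(runtimeclass):
    """scheduling.nodeSelector, or None when missing or empty (the failure mode:
    an empty selector means 'any node', so kata pods may land where the Kata
    runtime is absent)."""
    return runtimeclass.get("scheduling", {}).get("nodeSelector") or None


def node_matches(node, selector):
    labels = node["metadata"].get("labels") or {}
    return all(labels.get(key) == value for key, value in selector.items())


def misplaced_kata_pods(pods, nodes, selector=EXPECTED_SELECTOR):
    """namespace/name of pods using RuntimeClass kata scheduled outside the pool."""
    nodes_by_name = {n["metadata"]["name"]: n for n in nodes}
    misplaced = []
    for pod in pods:
        if pod["spec"].get("runtimeClassName") != "kata":
            continue
        node = nodes_by_name.get(pod["spec"].get("nodeName"))
        if node is None or not node_matches(node, selector):
            misplaced.append(f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}')
    return misplaced
```

    Passing an empty selector to misplaced_kata_pods reports nothing, which is exactly why the empty scheduling.nodeSelector goes unnoticed until a kata pod fails on a node without the runtime.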
  • The OpenShift sandboxed containers Operator details page on OperatorHub is missing a few fields. The missing fields do not prevent you from installing the OpenShift sandboxed containers Operator in 4.8. (BZ#2019383)

  • Creating multiple KataConfig custom resources results in a silent failure. The OpenShift Container Platform web console does not provide a prompt to notify the user that creating more than one custom resource has failed. (BZ#2019381)

  • Sometimes the Operator Hub in the OpenShift Container Platform web console does not display icons for an Operator. (BZ#2019380)

Asynchronous errata updates

Security, bug fix, and enhancement updates for OpenShift sandboxed containers 1.0 are released as asynchronous errata through the Red Hat Network. All OpenShift Container Platform 4.8 errata are available on the Red Hat Customer Portal. See the OpenShift Container Platform Life Cycle for more information about asynchronous errata.

Red Hat Customer Portal users can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, users are notified via email whenever new errata relevant to their registered systems are released.

Red Hat Customer Portal user accounts must have systems registered and consuming OpenShift Container Platform entitlements for OpenShift Container Platform errata notification emails to generate.

This section will continue to be updated over time to provide notes on enhancements and bug fixes for future asynchronous errata releases of OpenShift sandboxed containers 1.0.0.

RHBA-2021:3751 - OpenShift sandboxed containers 1.0.2 bug fix advisory

Issued: 2021-10-07

OpenShift sandboxed containers release 1.0.2 is now available. This advisory contains an update for OpenShift sandboxed containers with bug fixes.

The list of bug fixes that are included in the update is documented in the RHBA-2021:3751 advisory.

RHBA-2021:3552 - OpenShift sandboxed containers 1.0.1 bug fix advisory

Issued: 2021-09-16

OpenShift sandboxed containers release 1.0.1 is now available. This advisory contains an update for OpenShift sandboxed containers with bug fixes.

The list of bug fixes that are included in the update is documented in the RHBA-2021:3552 advisory.

RHEA-2021:2546 - OpenShift sandboxed containers 1.0.0 image release, bug fix, and enhancement advisory

Issued: 2021-07-29

The components for OpenShift sandboxed containers release 1.0.0, which supports OpenShift Container Platform 4.8, are now available as a Technology Preview.

The list of bug fixes included in the update is documented in the RHEA-2021:3941 advisory.