New features

Ubuntu 20.04 on OpenStack with OVS and Tungsten Fabric greenfield deployments

Implemented full support for Ubuntu 20.04 LTS (Focal Fossa) as the default host operating system on OpenStack with OVS and OpenStack with Tungsten Fabric greenfield deployments.

Support for large clusters

MOSK is now confirmed to be able to run up to 10,000 virtual machines under a single control plane.

Depending on the cloud workload profile and the number of OpenStack objects in use, the control plane needs to be extended with additional hardware. Specifically, for the MOSK clouds that use Open vSwitch as a backend for the Networking service (OpenStack Neutron) and run more than 12,000 network ports, Mirantis recommends deploying extra tenant gateways.

The maximum size of a MOSK cluster is limited to 500 nodes in total, regardless of their roles.

OpenStackDeploymentSecret custom resource

Introduced the OpenStackDeploymentSecret custom resource to aggregate the cloud’s confidential settings such as SSL/TLS certificates, access credentials for external systems, and other secrets. Previously, the secrets were stored together with the rest of configuration in the OpenStackDeployment custom resource.

The following fields have been moved out of the OpenStackDeployment custom resource:

  • features:ssl

  • features:barbican:backends:vault:approle_role_id

  • features:barbican:backends:vault:approle_secret_id

Built-in policies for OpenStack services

Switched all OpenStack services to use the built-in policies, aka in-code policies, to control user access to cloud functions. MOSK keeps the built-in policies up-to-date with the OpenStack development ensuring safe by default behavior as well as allowing you to override only those access rules that you actually need through the features:policies structure in the OpenStackDeployment custom resource.

Sticking to the default policy set as much as possible simplifies the future enablement of advanced authentication and access control functionality, such as scoped tokens and scoped access policies.

Tungsten Fabric image precaching

Added capability to precache containers’ images on Kubernetes nodes to minimize possible downtime on the components update. The feature is enabled by default and can be disabled through the TFOperator custom resource if required.

Configuration of custom Docker registries

Implemented support for custom Docker registries configuration. Using the ContainerRegistry custom resource, you can configure CA certificates on machines to access private Docker registries.