What's new in version 3.2.0

Get a quick overview of what's added, changed, improved, or deprecated in this release.

IBM® Cloud Private Version 3.2.0 introduces the following new features and enhancements:

• Installation, configuration, and upgrade
• Security and compliance
• Network
• Storage
• Monitoring and logging
• Performance improvements
• IBM Cloud Private management console
• IBM Cloud Private CLI (cloudctl)
• IBM Cloud Private Cloud Foundry and Cloud Foundry Enterprise Environment
• IBM Multicloud Manager
• IBM Cloud Pak for Multicloud Management
• IBM Edge Computing for Servers
• Technology preview
• APIs
• Package version changes
• Troubleshooting and support

Installation, configuration, and upgrade

Changes to IBM Cloud Paks

• Terminology changes: There are two terminology updates to the IBM Cloud Paks that took effect on 28 June, 2019 in version 3.2.0.

  • What was previously referred to as a Solution Pak is now referred to as an IBM Cloud Pak.
  • What was previously referred to as a Cloud Pak is now referred to as an IBM Certified Container.

• Released the IBM Cloud Pak for Multicloud Management. See IBM Cloud Pak for Multicloud Management for more information.

IBM Cloud Private Fix packs

You can apply a fix pack to your cluster to fix known issues with IBM Cloud Private.

The current fix pack is version 3.2.0.2003. This fix pack became available on 24 April, 2020. For more information about the fixes that are included in this fix pack, see Fixed reported problems.

Enabling IBM Multicloud Manager

You can configure IBM Multicloud Manager during IBM® Cloud Private installation by customizing your config.yaml file. For details see IBM Multicloud Manager.

Multi-release upgrade

You can upgrade directly to IBM Cloud Private 3.2.0 from versions 3.1.0, 3.1.1, and 3.1.2. For more information, see Upgrading.

Deploying Red Hat OpenShift version 3.11 in high availability mode

You can now configure high availability for a IBM Cloud Private with OpenShift version 3.11 cluster by deploying IBM Cloud Private on dedicated OpenShift nodes. In the config.yaml file during installation, you can specify the dedicated OpenShift nodes for the master, proxy, and management cluster nodes that deploy the IBM Cloud Private components as OpenShift workloads.

Key Management Service Hardware Security Module package

The Key Management Service (KMS) Hardware Security Module (HSM) chart and images are no longer included in the IBM Cloud Private installer. To use KMS, you can download and install the 3.2.0 Key Management HSM key-management-hsm-amd64.tar.gz package from IBM Passport Advantage. For more information, see Configuring Key Management Service.

Modularized installation

To reduce the footprint of IBM Cloud Private on your platform, during installation and afterwards, you can disable management services. After installation, if you require any disabled services, you can enable them. For more information on the components that are available and the management services that are included with the component, see Enabling and disabling IBM Cloud Private components.

Security and compliance

• The SSL (Secure Sockets Layer) certificates that are required for your LDAP over SSL (LDAPS) connection are now automatically configured when you connect with your directory. For more information, see Configuring LDAP connection.

• You can create a timing policy to designate a time for the following scans: Vulnerability Advisor (VA) pod, VA image, Mutation Advisor process. For more information, see the Timing policy section on the Vulnerability Advisor page.

• New user management APIs are added. For a complete list of user management APIs, see User management APIs.

• IAM service health and version check APIs are added. For more information, see Service health and version check APIs.

• MongoDB is used in place of MariaDB for OpenID Connect (OIDC).

• Several IAM adoption guide topics are updated. For more information, see Security guide.

• You can change Logjam, and LDAP cache and search settings. For more information, see IAM for IBM Cloud Private platform users and Troubleshooting users and user groups search issues.

• Key Management Service adoption guide is added. For more information, see Key Management Service (KMS) adoption guide.

• As a key management user, you can create a secret with a specific annotation that provisions an instance of the Key Management Service. For more information, see Provisioning KMS instances.

• IBM Cloud Private version 3.2.0 now supports nCipher nShield Connect HSM 12.40.2. For more information, see Configuring nCipher nShield Connect HSM 12.40.2.

• Added instructions for specifying TLS ciphers for etcd and Kubernetes after the installation of your IBM® Cloud Private cluster. For more information, see Specifying TLS ciphers for etcd and Kubernetes after IBM Cloud Private installation.

Audit

Audit logging adoption guide is added. For more information, see Audit logging adoption guide.

• Use statistics about generated audit data to help you tune audit policies, allocate disk space, and prepare ELK or SIEM to handle audit records. For more information, see Audit logging data statistics.
• You can integrate your IBM Cloud Private audit logs with Splunk. For more information, see Integrating IBM Cloud Private with Splunk.
• Learn how to add custom dashboards in Kibana so you can analyze your audit logs. For more information, see Audit logging Kibana dashboard.

Certificates

Replacing, refreshing, and restoring certificates created by the installer

You can replace the root CA certificate and refresh and restore the certificates that are created by the installer and used by platform services in your IBM Cloud Private environment. For more information, see Replacing certificates, Refreshing certificates, and Restoring certificates.

The root CA certificate is now stored within the ibmcloud-cluster-ca-cert secret in the kube-public namespace. The certificate can be imported into your client truststores to access IBM Cloud Private Platform APIs. For more information, see Certificates in IBM Cloud Private.

Certificate manager changes

• You can view the Certificates, Issuers, and ClusterIssuers in your cluster, including information on certificate age and expiration. For more information, see Viewing IBM Cloud Private cert-manager resources.

• You can manually refresh cert-manager certificates and automatically restart pods by using these certificates. For more information, see Refreshing IBM Cloud Private cert-manager certificates.

• You can configure certificate durations and renewal windows. For more information, see Customizing IBM Cloud Private cert-manager certificates.

• You can configure IP addresses in addition to DNS servers in cert-manager certificates. For more information, see Creating IBM Cloud Private cert-manager certificates.

• You can now configure the ACME issuer to create trusted certificates from letsencrypt.org. For more information, see Adding certificates by using ACME issuer.

Network

VMware NSX-T is upgraded to version 2.4.

Configure a Calico route reflector if your cluster is in an environment that has different Layer 3 segments, and you do not want Layer 3 connectivity across these segments. For more information about configuring a route reflector during IBM Cloud Private installation, see Deploying IBM Cloud Private across isolated Layer 3 segments. For more information about configuring a route reflector after IBM Cloud Private installation, see Configuring Calico route reflector after IBM Cloud Private installation.

Storage

• You can now configure a storage class for vSphere during IBM Cloud Private installation. For more information, see Use the config.yaml file for vSphere Cloud Provider configuration.

• GlusterFS and Minio can now be configured on Linux® x86_64, Linux® on Power® (ppc64le), and IBM® Z platforms.

• CephFS external server can be integrated with IBM Cloud Private.

Monitoring and logging

IBM Cloud Private monitoring

The ibm-icpmonitoring Helm chart now provides role-based access controls (RBAC) for access to the monitoring dashboards in Grafana. For more information, see Role-based access for monitoring dashboards.

IBM Cloud Private logging

Available procedures for managing logging configuration that cover horizontal and vertical scaling, and managing security.

• You can enable security features for logging services after initial IBM Cloud Private installation. For more information, see Enabling security for logging services.

• The logging service has deprecated running without security enabled. For more information, see Enabling security for logging services.

• You can manage resources that are allocated for logging services. For more information, see Managing resource allocation for logging services.

• You can now enable Elastic Stack health monitoring for logging. For more information, see Enabling Elastic monitoring.

• You can customize your data retention policies to help keep data sizes under control. For more information, see Modifying the data retention policy for logging services.

• You can install more instances of the Logging chart with security enabled to prevent unauthenticated access and to restrict access based on namespace access. Extra instances enable secure operation for many scenarios including multi-tenancy. For more information, see Installing additional logging instances.

• If you need more capacity, you can now horizontally scale the logging service to use newly added nodes after initial IBM Cloud Private installation. For more information, see Scaling logging services after IBM Cloud Private installation.

• You can apply additional filtering to the log collection process. For more information, see Updating logging service collection filters.

Monitoring on OpenShift

OpenShift provides an optional Prometheus-based monitoring component, but does not provide the same capabilities as the IBM Cloud Private monitoring service. When you install IBM Cloud Private on OpenShift, the IBM Cloud Private monitoring service is installed by default. You can disable the monitoring service on OpenShift. For more information, see the Managing Grafana dashboards section on the IBM Cloud Private monitoring page.

If IBM Multicloud Manager is configured, IBM Cloud Private monitoring must be enabled to federate metrics from your other clusters.

Logging on OpenShift

OpenShift provides an optional Elasticsearch-based logging service that collect logs from system and application components automatically. You can choose to install the IBM Cloud Private logging service. For more information, see IBM Cloud Private logging.

Performance improvements

Automatic Helm repository synchronization fetches only updated Helm charts: When the Helm repositories are automatically synchronized, only the charts that have updates are fetched. This saves time by not fetching all of the charts, whether they have pending updates.

You can now use the Vulnerability Advisor to scan external image registries. For more information, see Scanning external registries with the Vulnerability Advisor.

IBM Cloud Private management console

The IBM Cloud Private and IBM Multicloud Manager management console are integrated. When you have IBM Multicloud Manager configured, you can access the IBM Cloud Private experience from Local cluster > Manage Local Cluster. Note: The IBM Cloud Private management console opens in a new tab.

See the IBM Multicloud Manager configuration overview for configuration topics. For more information about the IBM Cloud Private management console, see Accessing your IBM Cloud Private cluster by using the management console.

The Getting started page location changed and contains new information. For instance, you can access all the supported CLI tools and you can see Configure Client content, which is also available from the user menu. Additionally, you can access the web terminal from the header.

Search is now available for both IBM Cloud Private and IBM Multicloud Manager. You can search for Kubernetes resources across all your clusters from a single view. For example, you can search by created (how recently the object was created), or cluster (the cluster the object is on). For more information, see the Search section of Accessing your IBM Cloud Private cluster by using the management console.

You can also configure your own logo for the Login, About modal, and Common header by running kubectl edit configmap platform-ui-config -n kube-system to edit the ConfigMap. See Configuring your logo in the IBM Cloud Private management console for more information.

Other changes to the management console include: Dashboard renamed to Overview, and Services menu renamed Cluster Services, as well as navigation changes.

You can now update Helm repositories individually. In addition to updating all of your Helm repositories on the Helm releases page with a single click, you can also update each Helm repository individually. See Managing Helm repositories for more information.

IBM Cloud Private management console now supports namespace-level service brokers. For more information see Managing Service Catalog resources.

The services Launch links on the Helm Releases page are moved to the release details page. The links that were on the Helm Releases page that launch the services are now available by selecting the release name on the Helm Releases page. You might need to select the deployment name to see the link. If a link is available for the service, select Launch to test the service.

You can now deploy Helm charts to remote namespaces. By leveraging IBM Multicloud Manager, you can deploy Helm charts to namespaces that are on remote clusters, as well as, namespaces that are on your local cluster. See Deploying Helm charts in the Catalog for more information.

You can seamlessly use the Catalog in both IBM Cloud Private and IBM Multicloud Manager as a single control plane to manage deployed workloads on local and managed clusters.

The name of the cluster that you are working with is now visible in the header.

IBM Cloud Private CLI (cloudctl)

You can now use the IBM Cloud Private CLI to manage multiple clusters with the new mc command. See IBM Cloud Private CLI multicluster commands (mc) to learn about the cloudctl mc commands that you can run to access your IBM Multicloud Manager clusters.

Run the new cloudctl iam oauth-client IBM Cloud Private CLI commands to simplify onboarding and managing workloads. See IBM Cloud Private CLI iam commands (iam).

IBM Cloud Private Cloud Foundry and Cloud Foundry Enterprise Environment

For the details of changes to IBM Cloud Private Cloud Foundry and Cloud Foundry Enterprise Environment, see What's new in IBM Cloud Private Cloud Foundry and Cloud Foundry Enterprise Environment Version 3.2.0.

IBM Multicloud Manager

Visualize and monitor multiple clusters with IBM Multicloud Manager. You can ensure that your clusters are secure, operating efficiently, and delivering the service levels that applications expect when you configure IBM Multicloud Manager with your IBM Cloud Private cluster. See the IBM Multicloud Manager configuration overview for configuration topics.

As previously mentioned, IBM Multicloud Manager is now integrated into IBM Cloud Private. The IBM Cloud Private management console now displays IBM Multicloud Manager without a separate interface.

With the integration, you can now configure IBM Multicloud Manager during or after IBM Cloud Private installation. Additionally, you can import resources to manage multiple clusters using the IBM Cloud Private CLI. Learn more about IBM Multicloud Manager changes from the following descriptions:

• Configure IBM Multicloud Manager during IBM Cloud Private installation by customizing your config.yaml file. See Customizing the cluster with the config.yaml file. Additionally you can configure after installation.
• With the new IBM Cloud Private CLI cloudctl mc cluster import command, you can import clusters from different Kubernetes cloud providers, including IBM Cloud Private. After you configure your file and run cloudctl mc cluster import, the targeted cluster becomes a managed cluster for the IBM Multicloud Manager hub cluster.
• Additionally, you can manage an OpenShift stand-alone cluster. See all the options for importing and managing clusters in Importing a target managed cluster to the IBM Multicloud Manager hub cluster.

See the optional packages that are available in Installing optional IBM Multicloud Manager packages, which includes Federation-v2 .

You can also configure IBM Multicloud Manager service registry for your IBM Multicloud Manager managed clusters to discover Kubernetes services, such as Ingress and Istio services. See Working with IBM Multicloud Manager service discovery for more information.

IBM Cloud Pak for Multicloud Management

With the IBM Cloud Pak for Multicloud Management, you gain multicloud visibility, governance, and automation. Capabilities include multicluster management for containers, full stack multicloud provisioning, and infrastructure and application monitoring for mixed workloads. For more information, see IBM Cloud Pak for Multicloud Management.

IBM Edge Computing for Servers

IBM Edge Computing for Servers is available for facilitating edge computing deployments. IBM Edge Computing for Servers includes support for an edge computing profile for significantly reducing the footprint of IBM Cloud Private when IBM Cloud Private is used as a remote edge server. For more details, see IBM Edge Computing for Servers.

Technology preview

The following technology previews are new for this version. For all of the features that are available in IBM® Cloud Private as technology preview code (TPC) only, see the Technology preview section.

System health service

You can now enable the system health service to understand the health of your IBM Cloud Private system. For more information, see IBM Cloud Private system health service.

Mutation policy controller

IBM Cloud Private now includes a mutation policy controller to enforce mutation policies. Create a mutation policy to report mutated pods from scanned images. For more information, see the Mutation policy controller.

Installing IBM Cloud Private with IBM Cloud Kubernetes Service

You can remotely deploy IBM Cloud Paks onto an IBM Cloud Kubernetes Service cluster by using IBM Multicloud Manager. For more information, see Installing IBM Cloud Private with IBM Cloud Kubernetes Service.

Installing Knative on IBM Cloud Private

You can now install a Knative chart on your IBM Cloud Private 3.2.0 cluster. For more information, see Installing Knative on IBM Cloud Private.

Configuring failover settings for your IBM Multicloud Manager clusters

For your IBM Multicloud Manager clusters, you can prepare Minio and then configure failover for IBM Multicloud Manager for both your hub clusters and your managed clusters. For full details, see Configuring failover settings for your IBM Multicloud Manager clusters.

APIs

Documentation for the Helm Tiller APIs is now available. See Helm Tiller REST APIs for more information.

Package version changes

With the introduction of IBM Cloud Private version 3.2.0, the following package versions changed:

Troubleshooting and support

To debug your issues, you can see whether your reported problem was fixed in the release. For the list, see Fixed reported problems.