OpenShift Origin v3.10.0-rc.0 Release Notes

Release Date: 2018-06-20
  • 🚀 This is the first release candidate of OpenShift Origin 3.10.

    Backwards Compatibility

    • Moving from legacy API resources (/oapi) to group resources
      • The server process endpoint now creates resources in the new group APIs (*.openshift.io) #19458
      • The RBAC bootstrap policy file is now saved as rbac.authorization.k8s.io/v1 resources #19756
    • 🔧 Configuration changes
      • The disabledFeatures configuration item has been removed from master config #19070
      • Master configuration no longer requires the deprecated clusterNetworkCIDR/hostSubnetLength fields to be set in networkConfig #18669
      • Some node default values have changed #19190
      • Remove the default pods-per-core setting of 10, which makes nodes default to 250 pods total.
      • The certificate signing controller defaults to creating certs with a 1 year expiration (a7bd9d6)
    • ⚡️ rbac: Project editors can no longer create or update daemonsets, which prevents tenants from impacting cluster stability #18971
    • Metrics for the template instance broker have changed #19133
    • 🚚 Moved or deleted content #19262
      • The examples/ directory has been cleaned up
      • The v1 federation implementation has been removed as it did not graduate to beta.
      • The node.service systemd file has been removed from the RPMs, along with the master services (2113900)
    • 🔄 Changes to OpenShift images #19509
      • As we prepare to split the OpenShift API server into multiple binaries, several new images have been created:
        • openshift/origin-hypershift - A new hypershift binary that launches OpenShift specific components
        • openshift/origin-hyperkube - The Kubernetes hyperkube binary
        • openshift/origin-cli - The OpenShift CLI oc
        • openshift/origin-tests - The extended test suite for OpenShift
      • Some existing images have been renamed
        • openshift/origin is now openshift/origin-control-plane
        • openshift/node is now openshift/origin-node
      • The openshift/openvswitch image has been folded into openshift/origin-node
      • A new binary openshift-node-config takes a node-config.yaml file and converts it to kubelet arguments in the openshift/origin-node image
    • CLI changes
      • Some client-side deletion support has been removed in favor of the controller-driven deletion mechanisms #19616
      • oc export is deprecated and oc get --export should be used instead.
    • The router has separate liveness and readiness probes for use with upstream load balancers #19009
    • 🔧 XFS quota for emptyDir volumes is now configured via a config file in the volume directory #19533
    • 🔄 Changes to oc cluster up
      • The cluster launched by oc cluster up is now launched as a set of individual processes running in images, instead
        of the previous single large container. This more closely mimics real production environments.
      • Docker machine support in oc cluster up has been removed
      • oc cluster up now only supports launching a cluster of the same version as the oc binary.

    🔄 Changes

    🚀 Roadmap for the v3.10 release

    v3.10.0-rc.0 (2018-06-19) Full Changelog

    API

    👍 Ingress support

    In order to better adapt ingress objects to routes, a new controller has been added to OpenShift that
    maps Kubernetes Ingress objects (in their v1beta1 form) to OpenShift Routes automatically. This
    allows the HAProxy router to report status, perform host overrides, support multi-tenant protection on
    hostnames, and securely manage Ingress secrets.

    The controller converts each Ingress rule into its own route, as long as the rule has a hostname or TLS
    hostname. Any referenced secrets are copied into the final Route and kept up to date. If a generated route
    is deleted it will be recreated by the controller. Once a route is created, any annotations or route
    specific fields will not be altered unless the route is deleted (such as weighted service backends). A
    route with a TLS endpoint will be set to Reencrypt termination, but that may be changed after creation.

    The router process itself no longer needs to watch Ingress or Secret resources.

    • 👍 router: Replace router support for ingress with an ingress-to-route controller #18658
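
The mapping rules described above, as a simplified Python model (an added example, not code from OpenShift's controller). The route naming, the one-route-per-path handling and the sample objects are assumptions made for the illustration.

```python
# Simplified model of the Ingress-to-Route mapping in these notes; not the controller's code.

def routes_for_ingress(ingress, secrets):
    """Return Route-like dicts for one v1beta1 Ingress; secrets maps Secret name -> data."""
    spec = ingress.get("spec", {})
    # Map every host listed under spec.tls to the Secret that serves it.
    tls_by_host = {
        host: entry.get("secretName")
        for entry in spec.get("tls", [])
        for host in entry.get("hosts", [])
    }
    routes = []
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if not host:
            continue  # a rule without a hostname produces no route
        # Assumption: a rule with several paths yields one route per path.
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]
            route = {
                "name": f"{ingress['metadata']['name']}-{len(routes)}",  # hypothetical name
                "host": host,
                "path": path.get("path", ""),
                "to": {"kind": "Service", "name": backend["serviceName"]},
                "targetPort": backend["servicePort"],
            }
            if host in tls_by_host:
                # Secret contents are copied into the Route itself.
                secret = secrets.get(tls_by_host[host], {})
                route["tls"] = {
                    "termination": "reencrypt",  # default stated in the notes
                    "certificate": secret.get("tls.crt"),
                    "key": secret.get("tls.key"),
                }
            routes.append(route)
    return routes

# Constructed sample input.
SAMPLE_INGRESS = {
    "metadata": {"name": "shop"},
    "spec": {
        "tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls"}],
        "rules": [
            {"host": "shop.example.com", "http": {"paths": [
                {"path": "/", "backend": {"serviceName": "web", "servicePort": 8080}}]}},
            {"host": "docs.example.com", "http": {"paths": [
                {"path": "/", "backend": {"serviceName": "docs", "servicePort": 8080}}]}},
            {"http": {"paths": [  # no hostname
                {"path": "/", "backend": {"serviceName": "misc", "servicePort": 8080}}]}},
        ],
    },
}
SAMPLE_SECRETS = {"shop-tls": {"tls.crt": "CONSTRUCTED-CERT", "tls.key": "CONSTRUCTED-KEY"}}
```

Because the certificate and key are copied into the Route object, read access to routes in a namespace also exposes the Ingress TLS key material.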

    Other changes

    • Image signature annotations are ignored #19037
    • ⚡️ Explicitly prohibit spec updates to imagestreamtag resources which are not a spec tag. #18532

    ⚡️ Component updates

    • ⚡️ Updated to Kubernetes v1.10.0-47-gb81c8f8 + patches
      • 42873: add kubectl api-resources command #19884
      • 54530: api: validate container phase transitions #18791
      • 57202: Fix format string in describers #18810
      • 58972: Fix job's backoff limit for restart policy OnFailure #19672
      • 59170: Fix kubelet PVC stale metrics #18637
      • 59301: dockershim: don't check pod IP in StopPodSandbox #18425
      • 59316: Exit if no client cert is available for 5m #18430
      • 59365: Fix StatefulSet set-based selector bug #18797
      • 59931: do not delete node in openstack, if those still exist in cloudprovider #19038
      • 60289: fix freespace for image GC #18767
      • 60342: Fix nested volume mounts for read-only API data volumes #18766
      • 60455: removes custom scalers from kubectl #19275
      • 60490: Volume deletion should be idempotent #18856
      • 60632: Add volumemetrics for ISCSI Plugin #19842
      • 60654: notify systemd on kubelet start #18886
      • 60978: Fix use of "-w" flag to iptables-restore #18919
      • 61287: provide easy methods for direct kubeconfig loading from bytes #18956
      • 61294: Fix cpu cfs quota flag with pod cgroups #19028
      • 61378: --force only takes effect when --grace-period=0 #19213
      • 61459: etcd client add dial timeout #19953
      • 61480: Allow sockets to be mounted in subpath #19329
      • 61790: make reapers tolerate 404s on scaling down #19275
      • 61808: Ensure -o yaml populates kind/apiVersion #19137
      • 61949: Tolerate 406 mime-type errors attempting to load new openapi schema #19137
      • 61962: Avoid data races in unit tests #19137
      • 61985: Restore show-kind function when printing multiple kinds #19137
      • 62074: Narrow interface consumed by scale client #19137
      • 62114: removes job scaler, continued #19275
      • 62146: Fix daemon-set-controller bootstrap RBAC policy #19517
      • 62152: Keep node.kubeconfig correct during rotation #19857
      • 62196: Remove need for server connections for dry-run create #19137
      • 62199: Make priority rest mapper handle partial discovery results #19137
      • 62234: Handle partial group and resource responses consistently #19137
      • 62254: Add name output and verb filtering to api-resources #19884
      • 62336: add statefulset scaling permission to admins, editors, and viewers #19275
      • 62394: Revert "git: Use VolumeHost.GetExec() to execute stuff in volume plugins" #19359
      • 62416: kuberuntime: logs: reduce logging level on waitLogs msg #19334
      • 62461: allow higher burst for discovery #19327
      • 62462: Private mount propagation #19364
      • 62469: stop defaulting kubeconfig to http://localhost:8080 #19335
      • 62543: Timeout on instances.NodeAddresses cloud provider request #19733
      • 62572: Prevent virtual infinite loop in volume controller #19371
      • 62584: Make x-kubernetes-print-column print handling opt-in #19352
      • 62668: add metrics to cinder volume #19444
      • 62733: Set a default request timeout for discovery client #19471
      • 62744: Fix kubectl describe cronjob #19391
      • 62827: fix csi data race in csi_attacher_test.go #19508
      • 62874: dockershim/sandbox: clean up pod network even if SetUpPod() failed #19576
      • 62913: make a simple dynamic client that is easy to use #19515
      • 62914: kubelet: fix flake in TestUpdateExistingNodeStatusTimeout #19453
      • 63086: Fix discovery default timeout test #19471
      • 63160: kubelet: logs: do not wait when following terminated container #19545
      • 63169: Remove unnecessary dependencies on api/core/v1 #19509
      • 63177: kubectl takes a dependency on the controllers #19509
      • 63295: Fixed CSI volume detach when the volume is already detached #19816
      • 63303: Return attach error to A/D controller #19816
      • 63321: kubelet: force filterContainerID to empty string when removeAll is true #19580
      • 63339: kubelet: volume: do not create event on mount success #19625
      • 63349: Decorate function not called on Create #19602
      • 63403: don't block creation on lack of delete powers #19404
      • 63416: Retry certificate approval on conflict errors #19770
      • 63417: Panic when map string bool flag has no value #19620
      • 63421: Cache preferred resources, use in kubectl resource name autocomplete (single commit) #19884
      • 63490: default the ignorenotfound for delete when selecting objects #19616
      • 63650: Never clean backoff in job controller #19672
      • 63716: Add InstallPathHandler which allows for more than one path to be associated with health checking. #19009
      • 63831: Always track kubelet -> API connections #19638
      • 63831: Close all kubelet->API connections on heartbeat failure #19638
      • 63848: Deflake discovery timeout test #19714
      • 63875: make TestGetServerGroupsWithTimeout more reliable #19723
      • 63903: Revert "Openstack: register metadata.hostname as node name" #19730
      • 63903: Revert "Specify DHCP domain for hostname" #19730
      • 63903: Revert "Split out the hostname when default dhcp_domain is used in nova.conf" #19730
      • 63926: Avoid unnecessary calls to the cloud provider #19742
      • 63966: kubectl: fix Flatten() when used without Latest() #19747
      • 63977: pkg: kubelet: remote: increase grpc client default size #19774
      • 64026: Enable SELinux relabeling in CSI volumes #19816
      • 64028: Tolerate negative values when calculating job scale progress #19765
      • 64443: services must listen on port 443 for aggregation #19866
      • 64516: Fix error message to be consistent with others #19884
      • 64573: remove extra "../" when copying from pod to local #19898
      • 64797: Handle deleted DaemonSet properly #19927
      • 64855: Fix setup of ephemeral storage #19939
      • 64883: Fix up legacy printer table adapter #19934
      • 64916: improve memory footprint of daemonset simulate #19956
      • 64946: log healthz check #19952
      • 64969: volume: decrease memory allocations for debugging messages #19960
      • 65001: Quiet verbose apiserver logs #19970
      • 65009: daemon: add custom node indexer #19980
      • 65027: Use actual etcd client for /healthz/etcd checks #19992
      • 65063: Re-use private key after failed CSR #20000
      • : Add PSP review to /oapi Resources #19542
      • : Remove write permissions on daemonsets from Kubernetes bootstrap policy #18971
      • : XFS quota for emptyDir volumes #19533
      • : add RawConfig to factory for commands modifying raw kubeconfig files #19343
      • : aggregator to proxy oapi to apps.openshift.io server #18652
      • : allow injecting printers #19137
      • : allow oc kubeconfig loading to have our flags and errors #19335
      • : change config file location and restore perFSGroup to quantity #19773
      • : controller-manager patches for recycler #18887
      • : disable local storage isolation feature gate #19323
      • : enable critical pod support by default #19104
      • : filter daemonset nodes by namespace node selectors #18989
      • : inject new parameter for image resolution into kubectl set image #19348
      • : pods in openshift-* namespace can be marked critical #19104
      • : rewrite unstructured objects on the CLI to avoid oapi #19327
      • : avoid contacting server for restmappings in local mode #19996
      • : make RootFsInfo error non-fatal on start #19137
      • : stop wrapping --sort-by value in {} #19777
    • Other patches

    🔋 Features

    🏗 Multi-stage Docker image build support

    Builds using the Dockerfile build strategy can now build multi-stage Docker images. The from field continues to target
    the last image stage in the Dockerfile, but the new as attribute on imageSources allows other stages to be replaced
    with triggered images.

    • 👌 Support multi-stage dockerbuilds via imagebuilder #18741, #19494

    👌 Support external OAuth token authenticators

    OpenShift can now be configured to delegate login flows to a remote OAuth-capable endpoint like Keycloak. This allows
    a central Keycloak server to authenticate multiple clusters. See the documentation for more details about configuring
    this option.

    • 🔧 auth: Add option to configure an external OAuth server #18969
    • 👍 auth: Support WebhookTokenAuthenticators for using external servers as token authenticators #18868

    Other Features

    • auth: Add oc adm prune role command to clean up rolebindings that are not bound to valid roles #19619
    • 🖨 cli: Add server-side column printer support for openshift objects #19934
    • clusterup: Add --enable=automation-service-broker #19409
    • image: Parallelize image mirroring and reuse mounted layers #19017
    • migrate: Allow storage migration to be performed in parallel #19691
    • 🐳 registry: Both internal and external hostnames for the registry should be in docker pull secrets #19838
    • ⚡️ router: Make updating status on the router optional #17420
    • 0️⃣ router: Prometheus should scrape the router by default #18254
    • 👍 router: Support for DNS names in egress routes #15409
    • router: Perform real backoff when contending for writes from the router #18686
    • 🔀 router: Make router conflict detection work even during initial informer sync #19706
    • router: Allow only a subset of routes from specific domains to be overridden by the hostname-template #19418
    • router: Allow egress-router to connect to its own node IP for DNS #19885
    • server: Expose api-versions and api-resources in oc #19884
    • template: Allow TemplateInstances to create arbitrary resources, including CRDs #19396

    🐛 Bugs

    • 🏗 build: Retry retrieving build logs in some cases #19695
    • cert: Order x509 certificate subjects to prevent a Golang / GNUTLS incompatibility #18837
    • 👍 cli: Support quay.io pushing in oc image mirror #19016
    • cli: Correct oc scale error handling #19275
    • cli: Improve validation for oc set volume #19169
    • 0️⃣ cli: Fix incorrect oc run default option #19712
    • cli: Dots should be allowed in environment variable names passed to oc new-app #19688
    • diagnostic: Replace usage of brctl with /sbin/ip #19929
    • 0️⃣ jenkins: Adjust jenkins template setting to account for effects of constrained default max heap #18832
    • 🚀 network: Fix handleDeleteSubnet() to release network from subnet allocator #18801
    • ⚡️ network: Fix egressip handling when a NetNamespace is updated #18808
    • network: The NetworkCheck diagnostic did not use the correct config file #18709
    • 🔧 network: Allow configurable CNI bin dir in openshift SDN #18464
    • network: Correctly report initial NodeNetworkUnavailable condition #18758
    • network: Allow subnet allocator to handle changes to the subnet values #18999
    • network: Prevent incorrect deletion of HostSubnet OVS flows #19080
    • network: Make changing egress network policy rules more efficient #19346
    • 🖨 network: Print out errors that occur when using macvlan and a namespace cannot be retrieved #19491
    • 🚚 network: Remove openvswitch check from UnitStatus diagnostic #19572
    • 🔧 network: Use a real OVS transaction when changing network configuration on the host #19393
    • network: Use a go-native DNS library instead of dig command for dns resolution in egress network policy #19805
    • network: Do not throw spurious error when minTTL=0 for the domain in egress network policy #19950
    • 🚚 network: Remove the node from dnsmasq config when shutting down #19987
    • network: Get lowest TTL from the DNS resolution chain for egress DNS #19982
    • node: Fix to pass quoted unsafe strings (with characters like *,<,%) correctly to kubelet #19951
    • ⚡️ registry: Update docker config secret to support the future location of the registry service #19514
    • 🐳 registry: Make docker registry service controller check all secrets #19788
    • router: When a router is reloaded after a batch of route/ingress changes are committed, haproxy sometimes fails to reload #18587
    • ⚡️ router: Some route status updates were being lost #19018
    • router: Combine backend map files to fix path based routing #18840
    • router: Wildcard routes should not take precedence over sub-routes #19076
    • router: Some routes were being rejected incorrectly when NAMESPACE_LABELS was set #19330
    • router: The router can forget routes when routes are created and deleted in rapid succession #19175
    • router: Unidle in router should ignore headless services #19416
    • router: Allow Prometheus to get metrics from the router #19318
    • 🔒 security: Correctly handle legacy PodSecurityPolicyReview resources #19542
    • 🐎 server: Improve performance of the SDN controller by using shared caches #18911
    • 🔒 server: Move range allocation to an internal API as rangeallocations.security.openshift.io #19277
    • server: Set etcd DialTimeout, fix etcd start order in all-in-one #19953
    • server: When etcd is down, avoid pathological healthz behaviors #19992
    • 🌲 service-catalog: Start API and controller pods with log verbosity = 3 #19135

    🚀 Release SHA256 Checksums

    f876258c9a6221637a84e35ff68e9af96c2f2013eb9ae41ea33abd9286aa045c ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz
    dcb414712e8ae08146634d0c18720476e7afd024aa100bd2246d064de6658664 ./openshift-origin-server-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz
    872e0b58684af5d17b41a0585c50b41d09fbefa449d80927ba91252ac998deb3 ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-mac.zip
    25eef2fc0401209e3b5d40239827c023f463cdafeb06f81f1a6a0af9deaa1d25 ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-windows.zip
    1c21ba58ee0f7fc8b55e9d84099632ec970051adc3744a294a10bcd3aefcfe21 ./CHECKSUM