Openshift Origin v3.10.0-rc.0 Release Notes
Release Date: 2018-06-20 // almost 6 years ago-
🚀 This is the first release candidate of OpenShift Origin 3.10.
Backwards Compatibility
- Moving from legacy API resources (
/oapi
) to group resources - 🔧 Configuration changes
- The
disabledFeatures
configuration item has been removed from master config #19070 - Master configuration no longer requires the deprecated clusterNetworkCIDR/hostSubnetLength fields to be set in
networkConfig
#18669 - Some node default values have changed #19190
- Remove the default pods-per-core setting of 10, which makes nodes default to 250 pods total.
- The certificate signing controller defaults to creating certs with a 1 year expiration (a7bd9d6)
- The
- ⚡️ rbac: Project editors can no longer create or update daemonsets, which prevents tenants from impacting cluster stability #18971
- Metrics for the template instance broker have changed #19133
- 🚚 Moved or deleted content #19262
- The examples/ directory has been cleaned up
- The v1 federation implementation has been removed as it did not graduate to beta.
- The node.service systemd file has been removed from hte RPMS, along with the master services (2113900)
- 🔄 Changes to OpenShift images #19509
- As we prepare to split the OpenShift API server into multiple binaries, several new images have been created:
- openshift/origin-hypershift - A new
hypershift
binary that launches OpenShift specific components - openshift/origin-hyperkube - The Kubernetes
hyperkube
binary - openshift/origin-cli - The OpenShift CLI
oc
- openshift/origin-tests - The extended test suite for OpenShift
- Some existing images have been renamed
- openshift/origin is now openshift/origin-control-plane
- openshift/node is now openshift/origin-node
- The openshift/openvswitch image has been folded into openshift/origin-node
- A new binary
openshift-node-config
takes anode-config.yaml
file and converts it tokubelet
arguments in the openshift/origin-node image
- CLI changes
- Some client-side deletion support has been removed in favor of the controller-driven deletion mechanisms #19616
oc export
is deprecated andoc get --export
should be used instead.
- The router has separate liveness and readiness probes for use with upstream load balancers #19009
- 🔧 XFS quota for emptyDir volumes is now configured via a config file in the volume directory #19533
- 🔄 Changes to
oc cluster up
- The cluster launched by
oc cluster up
is now launched as a set of individual processes running in images, instead
of the previous single large container. This more closely mimics real production environments. - Docker machine support in
oc cluster up
has been removed oc cluster up
now only supports launching a cluster of the same version as theoc
binary.
- The cluster launched by
🔄 Changes
🚀 Roadmap for the v3.10 release
v3.10.0-rc.0 (2018-06-19) Full Changelog
API
👍 Ingress support
👍 In order to better adapt ingress objects to routes, a new controller has been added to OpenShift that
maps KubernetesIngress
objects (in theirv1beta1
form) to OpenShiftRoutes
automatically. This
👍 allows the HAProxy router to report status, perform host overrides, support multi-tenant protection on
hostnames, and securely manage Ingress secrets.The controller converts each Ingress rule into its own route, as long as the rule has a hostname or TLS
hostname. Any referenced secrets are copied into the final Route and kept up to date. If a generated route
is deleted it will be recreated by the controller. Once a route is created, any annotations or route
specific fields will not be altered unless the route is deleted (such as weighted service backends). A
route with a TLS endpoint will be set toReencrypt
termination, but that may be changed after creation.The router process itself no longer needs to watch
Ingress
orSecret
resources.- 👍 router: Replace router support for ingress with an ingress-to-route controller #18658
Other changes
- Image signature annotations are ignored #19037
- ⚡️ Explicitly prohibit spec updates to imagestreamtag resources which are not a spec tag. #18532
⚡️ Component updates
- ⚡️ Updated to Kubernetes v1.10.0-47-gb81c8f8 + patches
- 42873: add kubectl api-resources command #19884
- 54530: api: validate container phase transitions #18791
- 57202: Fix format string in describers #18810
- 58972: Fix job's backoff limit for restart policy OnFailure #19672
- 59170: Fix kubelet PVC stale metrics #18637
- 59301: dockershim: don't check pod IP in StopPodSandbox #18425
- 59316: Exit if no client cert is available for 5m #18430
- 59365: Fix StatefulSet set-based selector bug #18797
- 59931: do not delete node in openstack, if those still exist in cloudprovider #19038
- 60289: fix freespace for image GC #18767
- 60342: Fix nested volume mounts for read-only API data volumes #18766
- 60455: removes custom scalers from kubectl #19275
- 60490: Volume deletion should be idempotent #18856
- 60632: Add volumemetrics for ISCSI Plugin #19842
- 60654: notify systemd on kubelet start #18886
- 60978: Fix use of "-w" flag to iptables-restore #18919
- 61287: provide easy methods for direct kubeconfig loading from bytes #18956
- 61294: Fix cpu cfs quota flag with pod cgroups #19028
- 61378:
--force
only takes effect when--grace-period=0
#19213 - 61459: etcd client add dial timeout #19953
- 61480: Allow sockets to be mounted in subpath #19329
- 61790: make reapers tolerate 404s on scaling down #19275
- 61808: Ensure -o yaml populates kind/apiVersion #19137
- 61949: Tolerate 406 mime-type errors attempting to load new openapi schema #19137
- 61962: Avoid data races in unit tests #19137
- 61985: Restore show-kind function when printing multiple kinds #19137
- 62074: Narrow interface consumed by scale client #19137
- 62114: removes job scaler, continued #19275
- 62146: Fix daemon-set-controller bootstrap RBAC policy #19517
- 62152: Keep node.kubeconfig correct during rotation #19857
- 62196: Remove need for server connections for dry-run create #19137
- 62199: Make priority rest mapper handle partial discovery results #19137
- 62234: Handle partial group and resource responses consistently #19137
- 62254: Add name output and verb filtering to api-resources #19884
- 62336: add statefulset scaling permission to admins, editors, and viewers #19275
- 62394: Revert "git: Use VolumeHost.GetExec() to execute stuff in volume plugins" #19359
- 62416: kuberuntime: logs: reduce logging level on waitLogs msg #19334
- 62461: allow higher burst for discovery #19327
- 62462: Private mount propagation #19364
- 62469: stop defaulting kubeconfig to http://localhost:8080 #19335
- 62543: Timeout on instances.NodeAddresses cloud provider request #19733
- 62572: Prevent virtual infinite loop in volume controller #19371
- 62584: Make x-kubernetes-print-column print handling opt-in #19352
- 62668: add metrics to cinder volume #19444
- 62733: Set a default request timeout for discovery client #19471
- 62744: Fix kubectl describe cronjob #19391
- 62827: fix csi data race in csi_attacher_test.go #19508
- 62874: dockershim/sandbox: clean up pod network even if SetUpPod() failed #19576
- 62913: make a simple dynamic client that is easy to use #19515
- 62914: kubelet: fix flake in TestUpdateExistingNodeStatusTimeout #19453
- 63086: Fix discovery default timeout test #19471
- 63160: kubelet: logs: do not wait when following terminated container #19545
- 63169: Remove unnecessary dependencies on api/core/v1 #19509
- 63177: kubectl takes a dependency on the controllers #19509
- 63295: Fixed CSI volume detach when the volume is already detached #19816
- 63303: Return attach error to A/D controller #19816
- 63321: kubelet: force filterContainerID to empty string when removeAll is true #19580
- 63339: kubelet: volume: do not create event on mount success #19625
- 63349: Decorate function not called on Create #19602
- 63403: don't block creation on lack of delete powers #19404
- 63416: Retry certificate approval on conflict errors #19770
- 63417: Panic when map string bool flag has no value #19620
- 63421: Cache preferred resources, use in kubectl resource name autocomplete (single commit) #19884
- 63490: default the ignorenotfound for delete when selecting objects #19616
- 63650: Never clean backoff in job controller #19672
- 63716: Add InstallPathHandler which allows for more then one path to be associated with health checking. #19009
- 63831: Always track kubelet -> API connections #19638
- 63831: Close all kubelet->API connections on heartbeat failure #19638
- 63848: Deflake discovery timeout test #19714
- 63875: make TestGetServerGroupsWithTimeout more reliable #19723
- 63903: Revert "Openstack: register metadata.hostname as node name" #19730
- 63903: Revert "Specify DHCP domain for hostname" #19730
- 63903: Revert "Split out the hostname when default dhcp_domain is used in nova.conf" #19730
- 63926: Avoid unnecessary calls to the cloud provider #19742
- 63966: kubectl: fix Flatten() when used without Latest() #19747
- 63977: pkg: kubelet: remote: increase grpc client default size #19774
- 64026: Enable SELinux relabeling in CSI volumes #19816
- 64028: Tolarate negative values when calculating job scale progress #19765
- 64443: services must listen on port 443 for aggregation #19866
- 64516: Fix error message to be consistent with others #19884
- 64573: remove extra "../" when copying from pod to local #19898
- 64797: Handle deleted DaemonSet properly #19927
- 64855: Fix setup of ephemeral storage #19939
- 64883: Fix up legacy printer table adapter #19934
- 64916: improve memory footprint of daemonset simulate #19956
- 64946: log healthz check #19952
- 64969: volume: decrease memory allocations for debugging messages #19960
- 65001: Quiet verbose apiserver logs #19970
- 65009: daemon: add custom node indexer #19980
- 65027: Use actual etcd client for /healthz/etcd checks #19992
- 65063: Re-use private key after failed CSR #20000
- : Add PSP review to /oapi Resources #19542
- : Remove write permissions on daemonsets from Kubernetes bootstrap policy #18971
- : XFS quota for emptyDir volumes #19533
- : add RawConfig to factory for commands modifying raw kubeconfig files #19343
- : aggregator to proxy oapi to apps.openshift.io server #18652
- : allow injecting printers #19137
- : allow oc kubeconfig loading to have our flags and errors #19335
- : change config file location and restore perFSGroup to quantity #19773
- : controller-manager patches for recycler #18887
- : disable local storage isolation feature gate #19323
- : enable critical pod support by default #19104
- : filter daemonset nodes by namespace node selectors #18989
- : inject new parameter for image resolution into kubectl set image #19348
- : pods in openshift-* namespace can be marked critical #19104
- : rewrite unstructured objects on the CLI to avoid oapi #19327
- : avoid contacting server for restmappings in local mode #19996
- : make RootFsInfo error non-fatal on start #19137
- : stop wrapping --sort-by value in {} #19777
- Other patches
- docker/distribution#2382: Don't double add scopes
- docker/docker#36517: ensure hijackedConn implements CloseWrite function
- google/cadvisor#1903: fix #1902 bug with retryDockerStatus
- opencontainers/runc#1754: Add timeout while waiting for StartTransinetUnit completion signal
- opencontainers/runc#1805: fix systemd cpu quota for -1
🔋 Features
🏗 Multi-stage Docker image build support
🏗 Builds using the Dockerfile build strategy can now build multi-stage Docker images. The
from
field continues to target
🐳 the last image stage in the Dockerfile, but the newas
attribute onimageSources
allows other stages to be replaced
with triggered images.👌 Support external OAuth token authenticators
🔧 OpenShift can now be configured to delegate login flows to a remote OAuth capable endpoint like Keycloak. This allows
📚 a central Keycloak server to authenticate multiple clusters. See the documentation for more details about configuring
this option.- 🔧 auth: Add option to configure an external OAuth server #18969
- 👍 auth: Support WebhookTokenAuthenticators for using external servers as token authenticators #18868
Other Features
- auth: Add
oc adm prune role
command to clean up rolebindings that are not bound to valid roles #19619 - 🖨 cli: Add server-side column printer support for openshift objects #19934
- clusterup: Add --enable=automation-service-broker #19409
- image: Parallelize image mirroring and reuse mounted layers #19017
- migrate: Allow storage migration to be performed in parallel #19691
- 🐳 registry: Both internal and external hostnames for the registry should be in docker pull secrets #19838
- ⚡️ router: Make updating status on the router optional #17420
- 0️⃣ router: Prometheus should scrape the router by default #18254
- 👍 router: Support for DNS names in egress routes #15409
- router: Perform real backoff when contending for writes from the router #18686
- 🔀 router: Make router conflict detection work even during initial informer sync #19706
- router: Allow only a subset of routes from specific domains to be overriden by the hostname-template #19418
- router: Allow egress-router to connect to its own node IP for DNS #19885
- server: Expose api-versions and api-resources in oc #19884
- template: Allow TemplateInstances to create arbitrary resources, including CRDs #19396
🐛 Bugs
- 🏗 build: Retry retrieving build logs in some cases #19695
- cert: Order x509 certificate subjects to prevent a Golang / GNUTLS incompatibility #18837
- 👍 cli: Support quay.io pushing in
oc image mirror
#19016 - cli: Correct
oc scale
error handling #19275 - cli: Improve validation for
oc set volume
#19169 - 0️⃣ cli: Fix incorrect
oc run
default option #19712 - cli: Dots should be allowed in environment variable names passed to
oc new-app
#19688 - diagnostic: Replace usage of brctl with /sbin/ip #19929
- 0️⃣ jenkins: Adjust jenkins template setting to account for effects of constrained default max heap #18832
- 🚀 network: Fix handleDeleteSubnet() to release network from subnet allocator #18801
- ⚡️ network: Fix egressip handling when a NetNamespac is updated #18808
- network: The NetworkCheck diagnostic did not use the correct config file #18709
- 🔧 network: Allow configurable CNI bin dir in openshift SDN #18464
- network: Correctly report initial NodeNetworkUnavailable condition #18758
- network: Allow subnet allocator to handle changes to the subnet values #18999
- network: Prevent incorrect deletion of HostSubnet OVS flows #19080
- network: Make changing egress network policy rules more efficient #19346
- 🖨 network: Print out errors that occur when using macvlan and a namespace cannot be retrieved #19491
- 🚚 network: Remove openvswitch check from UnitStatus diagnostic #19572
- 🔧 network: Use a real OVS transaction when changing network configuration on the host #19393
- network: Use a go-native DNS library instead of dig command for dns resolution in egress network policy #19805
- network: Do not throw spurious error when minTTL=0 for the domain in egress network policy #19950
- 🚚 network: Remove the node from dnsmasq config when shutting down #19987
- network: Get lowest TTL from the DNS resolution chain for egress DNS #19982
- node: Fix to pass quoted unsafe strings (with characters like *,<,%) correctly to kubelet #19951
- ⚡️ registry: Update docker config secret to support the future location of the registry service #19514
- 🐳 registry: Make docker registry service controller check all secrets #19788
- router: When a router is reloaded after a batch of route/ingress changes are committed, haproxy sometimes fail to reload #18587
- ⚡️ router: Some route status updates were being lost #19018
- router: Combine backend map files to fix path based routing #18840
- router: Wildcard routes should not take precedence over sub-routes #19076
- router: Some routes were being rejected incorrectly when NAMESPACE_LABELS was set #19330
- router: The router can forget routes when routes are created and deleted in rapid succession #19175
- router: Unidle in router should ignore headless services #19416
- router: Allow Prometheus to get metrics from the router #19318
- 🔒 security: Correctly handle legacy PodSecurityPolicyReview resources #19542
- 🐎 server: Improve performance of the SDN controller by using shared caches #18911
- 🔒 server: Move range allocation to an internal API as rangeallocations.security.openshift.io #19277
- server: Set etcd DialTimeout, fix etcd start order in all-in-one #19953
- server: When etcd is down, avoid pathological healthz behaviors #19992
- 🌲 service-catalog: Start API and controller pods with log verbosity = 3 #19135
🚀 Release SHA256 Checksums
f876258c9a6221637a84e35ff68e9af96c2f2013eb9ae41ea33abd9286aa045c ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz dcb414712e8ae08146634d0c18720476e7afd024aa100bd2246d064de6658664 ./openshift-origin-server-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz 872e0b58684af5d17b41a0585c50b41d09fbefa449d80927ba91252ac998deb3 ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-mac.zip 25eef2fc0401209e3b5d40239827c023f463cdafeb06f81f1a6a0af9deaa1d25 ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-windows.zip 1c21ba58ee0f7fc8b55e9d84099632ec970051adc3744a294a10bcd3aefcfe21 ./CHECKSUM
- Moving from legacy API resources (