v3.11.0

This is the 3.11 release of OpenShift Origin.

Backwards Compatibility

• auth: The auth reconcile command is now deprecated as its functionality is part of the server #20177
  • The CLI command is now identical to the upstream auth reconcile and no longer updates roles
• auth: The cluster-reader RBAC role is now an aggregated role to simplify adding new permissions #20279
• cli: oc patch is now consistent with the kubectl patch command #20665
• cli: oc types is now deprecated - use oc api-resources instead #21000
• security: If the scheduler.alpha.kubernetes.io/node-selector annotion is set on a namespace, openshift.io/node-selector is now ignored #21058
• server: The openshift start node functionality and openshift start have been removed - the Kubelet must now be started directly #20344, #20717
  • By using the Kubelet directly we make nodes easier to manage and more consistent with the upstream.
  • Future releases will remove other parts of openshift start master.

Changes

Roadmap for the v3.11 release

v3.11.0 (2018-10-10) Full Changelog

API

• build: Allow dashes to be used in the environment variable names in builds #20738
• image: Return information about image layers that are associated with an image stream to improve registry performance #19969, #20643
• security: Promote sysctl annotations to fields in SecurityContextConstraints #20151

Component updates

• Updated to Kubernetes v1.11.0-62-gd4cacc0 + patches
  • 62943: set updated replicas in statefulsets #20347
  • 64378: Don't reset global timeout on each for loop iteration #20452
  • 64426: Clean up fake mounters. #20117
  • 64447: Add block volume support to internal provisioners #20058
  • 64541: Add more kubectl auth reconcile flags #20281
  • 64860:checkLimitsForResolvConf for the pod create and update events instead of checking period #20070
  • 64879: Add block volume support to Cinder volume plugin #20270
  • 64896: kubectl: wait for all errors and successes on podEviction #20452
  • 65189: fix paths w shortcuts when copying from pods #20034
  • 65189: revert: fix paths w shortcuts when copying from pods" #20075
  • 65226: Put all the node address cloud provider retrival complex logic into cloudResourceSyncManager #20615
  • 65238: fix scheduler port boundary to match detection #20033
  • 65326: fix printer check to tolerate vendoring #20033
  • 65329: make builder tolerant of restmapper failures when it doesn't need the answer #20033
  • 65367: make sure delete waiting doesn't re-evaluate the resource lists #20033
  • 65368: legacy api endpoints only support v1 ever #20033
  • 65370: delete should tolerate a failed wait because of missing verbs #20033
  • 65377: special-case templates get.go #20033
  • 65447: Resolve potential devicePath symlink when MapVolume #20117
  • 65480: allow enabling kubelet serving certificate rotation via flag #20033
  • 65486: show type differences in reflect diff #20033
  • 65488: flatten nested lists for flatten in visitor #20033
  • 65489: kubectl convert should not double wrap output in nested lists #20033
  • 65547: Honor custom transport dialer #20033
  • 65549: Fix flexvolume in containerized kubelets #20358
  • 65587: Revert "certs: only append locally discovered addresses when we got none from the cloudprovider" #20033
  • 65686: fix kubectl create priorityclass failure bug #20624
  • 65700: Update output format so that it matches actual accepted values #20139
  • 65705: Block volumes should have empty FSType #20327
  • 65711: make template printers a recommended printer #20257
  • 65715: fail on rbac resources of non-v1 versions in reconcile #20177
  • 65786: update --template printer defaulting #20257
  • 65856: only need to ignore resources that match discovery conditions #20242
  • 65899: use self-signed cert fixtures in integration test servers #20309
  • 65904: track schemes by name for error reporting #20242
  • 65906: Improve multi-authorizer errors #20379
  • 65908: switch delete strategy to background deletion #20274
  • 65987: Add region label to dynamic provisioned cinder PVs #20418
  • 66008: Convert TestServerRunWithSNI to subtests to isolate flake #20302
  • 66085: fix updateJob scheduling of resync #20763
  • 66136: make delete waits match on UID #20305
  • 66172: Reverting commit #56600 as GCE PD is allocated in chunks of GiB inste... #20418
  • 66225: add support for "success" output for edit command #20589
  • 66225: update testcase for edit #20589
  • 66249: fill in normal restmapping info with the legacy guess #20392
  • 66324: Fixing E2E tests for disk resizing #20418
  • 66350: Start cloudResourceSyncsManager before getNodeAnyWay (initializeModules) to avoid kubelet getting stuck in retrieving node addresses from a cloudprovider #20615
  • 66352: update logs cmd to deal w external versions #20343
  • 66397: Fix upper limit on m5/c5 instance typesn #20439
  • 66398: fix logs command to be generic for all resources again #20514
  • 66403: indicate which scheme has conflicting data #20372
  • 66406: Send correct headers for pod printing #20437
  • 66406: tolerate missing column headers in server-side print output #20437
  • 66464: Avoid overflowing int64 in RoundUpSize and return error if overflow int #20418
  • 66519: switch attach to use external objs #20514
  • 66725: update exit code to 0 if patch not needed #20456
  • 66779: add methods to apimachinery to easy unit testing #20471
  • 66835: cloudprovider: aws: return true on existence check for stopped instances #20663
  • 66837: fix panic fake SAR client expansion #20491
  • 66929: add logging to find offending transports #20554
  • 66931: Use the passed-in streams in kubectl top #20529
  • 66932: Include unavailable apiservices in discovery response #20635
  • 67024: add CancelRequest to discovery round-tripper #20554
  • 67033: expose defaul...

v3.10.0

This is the official release of OpenShift Origin v3.10.

Changes

Roadmap for the v3.10 release

v3.10.0 (2018-08-02) Full Changelog

Component updates

• Updates to Kubernetes
  • 62085: Fix incorrect atomic counter usage #20206
  • 62943: Set updated replicas on stateful set status #20350
  • 64658: Avoid leading gRPC connections in CSI #20111
  • 64882: Prevent deleted pods from sometimes leaving mounts #20111
  • 64971: Ensure mutating admission webhooks correctly remove fields #20509
  • 65223: Correctly detect inaccessible AWS encryption key #20072
  • 65226: Store the latest cloud provider node addresses on the node #20369
  • 65339: Prevent leak of a cached pod definition in the scheduler #20071
  • 66350: Prevent kubelet from becoming stuck retrieving node addresses from a cloud provider #20369

Bugs

• router: [release-3.10] Allow egress-router to connect to cluster service network for DNS, etc. #20102
• diagnostics: Fix default image paths used in network diagnostics #20116
• volumes: Bind mount /etc/origin/kubelet-plugins for flex volumes #20153
• node: Honor --kubelet-preferred-address-types #20183
• apiserver: Use in-process loopback client config from Kube #20207
• image: Install ceph-common in control plane so RBD provisioner can find disks #20222
• build: Fix an issue where COPY --from would not work on multi-stage image builds #20256
• console: Change logo, favicon, name on login page #20528

Artifacts

• Images are published to the Docker Hub as openshift/origin-*:v3.10.0.
• RPMs are available via the provided origin.repo file

Release SHA256 Checksums

0f54235127884309d19b23e8e64e347f783efd6b5a94b49bfc4d0bf472efb5b8  ./openshift-origin-client-tools-v3.10.0-dd10d17-linux-64bit.tar.gz
6973aebb7b553866f8971c8ca324dd5b79204e2a59c5234cde6fb1b5deb4c7a9  ./openshift-origin-server-v3.10.0-dd10d17-linux-64bit.tar.gz
ae847e3ae278b9420342e651305d34f1ed806b55a23874fc47595a57874e30c6  ./openshift-origin-client-tools-v3.10.0-dd10d17-mac.zip
c1b33aa535b88898d0622e0af2aa673bb814c354fb438c21c18155afc51acf87  ./openshift-origin-client-tools-v3.10.0-dd10d17-windows.zip
23083baadc7b82b6a3998016b795497d9c33327e1985a3b37181cf0e6200d29a  ./CHECKSUM

v3.10.0-rc.0

This is the first release candidate of OpenShift Origin 3.10.

Backwards Compatibility

• Moving from legacy API resources (/oapi) to group resources
  • The server process endpoint now creates resources in the new group APIs (*.openshift.io) #19458
  • The RBAC bootstrap policy file is now saved as rbac.authorization.k8s.io/v1 resources #19756
• Configuration changes
  • The disabledFeatures configuration item has been removed from master config #19070
  • Master configuration no longer requires the deprecated clusterNetworkCIDR/hostSubnetLength fields to be set in networkConfig #18669
  • Some node default values have changed #19190
    • Remove the default pods-per-core setting of 10, which makes nodes default to 250 pods total.
    • The certificate signing controller defaults to creating certs with a 1 year expiration (a7bd9d6)
• rbac: Project editors can no longer create or update daemonsets, which prevents tenants from impacting cluster stability #18971
• Metrics for the template instance broker have changed #19133
• Moved or deleted content #19262
  • The examples/ directory has been cleaned up
  • The v1 federation implementation has been removed as it did not graduate to beta.
  • The node.service systemd file has been removed from hte RPMS, along with the master services (2113900)
• Changes to OpenShift images #19509
  • As we prepare to split the OpenShift API server into multiple binaries, several new images have been created:
    • openshift/origin-hypershift - A new hypershift binary that launches OpenShift specific components
    • openshift/origin-hyperkube - The Kubernetes hyperkube binary
    • openshift/origin-cli - The OpenShift CLI oc
    • openshift/origin-tests - The extended test suite for OpenShift
  • Some existing images have been renamed
    • openshift/origin is now openshift/origin-control-plane
    • openshift/node is now openshift/origin-node
  • The openshift/openvswitch image has been folded into openshift/origin-node
  • A new binary openshift-node-config takes a node-config.yaml file and converts it to kubelet arguments in the openshift/origin-node image
• CLI changes
  • Some client-side deletion support has been removed in favor of the controller-driven deletion mechanisms #19616
  • oc export is deprecated and oc get --export should be used instead.
• The router has separate liveness and readiness probes for use with upstream load balancers #19009
• XFS quota for emptyDir volumes is now configured via a config file in the volume directory #19533
• Changes to oc cluster up
  • The cluster launched by oc cluster up is now launched as a set of individual processes running in images, instead
    of the previous single large container. This more closely mimics real production environments.
  • Docker machine support in oc cluster up has been removed
  • oc cluster up now only supports launching a cluster of the same version as the oc binary.

Changes

Roadmap for the v3.10 release

v3.10.0-rc.0 (2018-06-19) Full Changelog

API

Ingress support

In order to better adapt ingress objects to routes, a new controller has been added to OpenShift that
maps Kubernetes Ingress objects (in their v1beta1 form) to OpenShift Routes automatically. This
allows the HAProxy router to report status, perform host overrides, support multi-tenant protection on
hostnames, and securely manage Ingress secrets.

The controller converts each Ingress rule into its own route, as long as the rule has a hostname or TLS
hostname. Any referenced secrets are copied into the final Route and kept up to date. If a generated route
is deleted it will be recreated by the controller. Once a route is created, any annotations or route
specific fields will not be altered unless the route is deleted (such as weighted service backends). A
route with a TLS endpoint will be set to Reencrypt termination, but that may be changed after creation.

The router process itself no longer needs to watch Ingress or Secret resources.

• router: Replace router support for ingress with an ingress-to-route controller #18658

Other changes

• Image signature annotations are ignored #19037
• Explicitly prohibit spec updates to imagestreamtag resources which are not a spec tag. #18532

Component updates

• Updated to Kubernetes v1.10.0-47-gb81c8f8 + patches
  • 42873: add kubectl api-resources command #19884
  • 54530: api: validate container phase transitions #18791
  • 57202: Fix format string in describers #18810
  • 58972: Fix job's backoff limit for restart policy OnFailure #19672
  • 59170: Fix kubelet PVC stale metrics #18637
  • 59301: dockershim: don't check pod IP in StopPodSandbox #18425
  • 59316: Exit if no client cert is available for 5m #18430
  • 59365: Fix StatefulSet set-based selector bug #18797
  • 59931: do not delete node in openstack, if those still exist in cloudprovider #19038
  • 60289: fix freespace for image GC #18767
  • 60342: Fix nested volume mounts for read-only API data volumes #18766
  • 60455: removes custom scalers from kubectl #19275
  • 60490: Volume deletion should be idempotent #18856
  • 60632: Add volumemetrics for ISCSI Plugin #19842
  • 60654: notify systemd on kubelet start #18886
  • 60978: Fix use of "-w" flag to iptables-restore #18919
  • 61287: provide easy methods for direct kubeconfig loading from bytes #18956
  • 61294: Fix cpu cfs quota flag with pod cgroups #19028
  • 61378: --force only takes effect when --grace-period=0 #19213
  • 61459: etcd client add dial timeout #19953
  • 61480: Allow sockets to be mounted in subpath #19329
  • 61790: make reapers tolerate 404s on scaling down #19275
  • 61808: Ensure -o yaml populates kind/apiVersion #19137
  • 61949: Tolerate 406 mime-type errors attempting to load new openapi schema #19137
  • 61962: Avoid data races in unit tests #19137
  • 61985: Restore show-kind function when printing multiple kinds #19137
  • 62074: Narrow interface consumed by scale client #19137
  • 62114: removes job scaler, continued #19275
  • 62146: Fix daemon-set-controller bootstrap RBAC policy #19517
  • 62152: Keep node.kubeconfig correct during rotation #19857
  • 62196: Remove need for server connections for dry-run create #19137
  • 62199: Make priority rest mapper handle partial discovery results #19137
  • 62234: Handle partial group and resource responses consistently #19137
  • 62254: Add name output and verb filtering to api-resources #19884
  • 62336: add statefulset scaling permission to admins, editors, and viewers #19275
  • 62394: Revert "git: Use VolumeHost.GetExec() to execute stuff in volume plugins" #19359
  • 62416: kuberuntime: logs: reduce logging level on waitLogs msg #19334
  • 62461: allow higher burst for discovery #19327
  • 62462: Private mount propagation #19364
  • 62469: stop defa...

v3.9.0

This is the official feature release of OpenShift Origin.

Changes

Roadmap for the v3.9 release

v3.9.0 (2018-03-30) Full Changelog

Component updates

• Updates to Kubernetes
  • 51042: Allow passing request-timeout from NewRequest all the way down #13701
  • 52324: Fix bug on kubelet failure to umount mount points. #18225
  • 54530: api: validate container phase transitions #18792
  • 56164: Split out a KUBE-EXTERNAL-SERVICES chain so we don't have to run KUBE-SERVICES from INPUT #18754
  • 56288: Add list of pods that use a volume to multiattach events #18290
  • 56315: Record volumeID in GlusterFS PV spec UPSTREAM: 56823: Add volID based delete() and resize() if volID is available in pv spec UPSTREAM: 57516: Add custom volume name based on SC parameter UPSTREAM: 58513: Add Namespace to glusterfs custom volume names UPSTREAM: 58626: Use correct pv annotation to fetch volume ID #18326
  • 56432: e2e: test containers projected volume updates should not exit #18387
  • 56846: Fix Cinder detach problems #18140
  • 56872: Fix event generation #18442
  • 57202: Fix format string in describers #18853
  • 57336: Abstract some duplicated code in the iptables proxier #18754
  • 57461: Don't create no-op iptables rules for services with no endpoints #18754
  • 57480: Fix build and test errors from etcd 3.2.13 upgrade #18731
  • 57854: fix bug of swallowing missing merge key error #18331
  • 57967: Fixed TearDown of NFS with root squash. #18154
  • 58177: Redesign and implement volume reconstruction work #18554
  • 58316: set fsGroup by securityContext.fsGroup in azure file #18526
  • 58375: Recheck if transformed data is stale when doing live lookup during update #18530
  • 58415: Improve messaging on resize #18509
  • 58439: Fix loading structured admission plugin config #18529
  • 58439: Surface error loading admission plugin config #18529
  • 58522: Clean up error messages for pre-bound PVCs #18284
  • 58533: add suggestion to describe pod for container names #18178
  • 58574: fixing array out of bound by checking initContainers instead of containers #18403
  • 58617: Make ExpandVolumeDevice() idempotent if existing volume capacity meets the requested size #18432
  • 58685: Fill size attribute for the OpenStack V3 API volumes #18237
  • 58720: Ensure that the runtime mounts RO volumes read-only #18255
  • 58739: Don't bind PVs and PVCs with different access modes #18284
  • 58753: Fix kubectl explain for cronjobs #18268
  • 58794: Resize mounted volumes #18421
  • 58930: Don't wait for certificate rotation on Kubelet start #18322
  • 58955: pkg: kubelet: do not assume anything about images names #18340
  • 58977: Fix pod sandbox privilege. #18820
  • 58991: restore original object on apply err #18337
  • 58994: Race condition between listener and client in remote_runtime_test #18409
  • 59170: Fix kubelet PVC stale metrics #18787
  • 59279: nodelifecycle: set OutOfDisk unknown on node timeout #18417
  • 59297: Improve error returned when fetching container logs during pod termination #18515
  • 59350: Do not recycle volumes that are used by pods #18552
  • 59365: Fix StatefulSet set-based selector bug #18824
  • 59386: Scheduler - not able to read from config file if configmap is not found #18475
  • 59449: Fix to register priority function ResourceLimitsPriority correctly. #18503
  • 59506: fix --watch on multiple requests #18514
  • 59569: Do not ignore errors from EC2::DescribeVolume in DetachDisk #18544
  • 59767: kubelet: check for illegal phase transition #18585
  • 59873: Fix DownwardAPI refresh race #18636
  • 59923: Rework volume manager log levels #18636
  • 60299: apiserver: fix testing etcd config for etcd 3.2.16 #18731
  • 60301: Fix Deployment with Recreate strategy not to wait on Pods in terminal phase #18760
  • 60306: Only run connection-rejecting rules on new connections #18754
  • 60342: Fix nested volume mounts for read-only API data volumes #18789
  • 60430: don't use storage cache during apiserver unit test #18731
  • 60457: tests: e2e: empty msg from channel other than stdout should be non-fatal #18755
  • 60490: Volume deletion should be idempotent #18878
  • 61045: subpath fixes #18957
  • 61107: Add atomic writer subpath e2e tests #18957
  • 61107: Detect backsteps correctly in base path detection #18957
  • 61193: bugfix(mount): lstat with abs path of parent instead of '/..' #18985
  • : Remove write permissions on daemonsets from Kubernetes bootstrap policy #18977
  • : Short-circuit HPA oapi/v1.DC #18380
  • : hack in working autoscale reference for oc autoscale #18376
  • : hack out the oapi for restmapping resources when more than one is present #18377
  • : patch the upstream SA token controller and use it #18508
• Updates to docker/distribution
  • UPSTREAM: docker/docker#36517: ensure hijackedConn implements CloseWrite function

Features

FEATURE DESCRIPTION

PARAGRAPH

• DESCRIPTION #PR

Other Features

• build: Issue 17941: Add oc new-build --push-secret option #18477
• deploy: Add support for deployments in oc status #18439, #18579

Bugs

• auth: Change Header used for impersonation scopes to match upstream #18378
• auth: Deprecate some policy commands #18102
• build: Adjust newapp/newbuild error messages (arg classification vs. actual … #18272
• build: Fix BuildConfigInstantiateFailed warning when lastVersion == 0 #17146
• cli: Add infos count to oc status #18422
• cli: Suppress project list on login if you have access to greater than 50 projects #18706
• diagnostic: Add an AppCreate diagnostic #16658
• diagnostic: AggregatedLogging ClusterRoleBindings false negative fix #18888
• diagnostic: Fix AnalyzeLogs to provide more clear debug message #18654
• image: Fix annotation tri...

v3.7.2

This is a patch release of OpenShift Origin.

Changes

v3.7.2 (2018-03-16) Full Changelog

Component updates

• Updates to Kubernetes
  • 49624: Add daemonset to all categories #18478
  • 53690: Fix hpa scaling above max replicas w/ scaleUpLimit #18216
  • 54701: Refactor reconcileAutoscaler method in hpa #18216
  • 55631: Parse and return the last line in the log even if it is partial #17546
  • 57422: Rework method of updating atomic-updated data volumes #18167
  • 57967: Fixed TearDown of NFS with root squash. #18954
  • 58301: Limit all category to apps group for ds/deployment/replicaset #18478
  • 58572: Automated cherry pick of #58547: Send correct resource version for delete events from watch #18246
  • 58720: Ensure that the runtime mounts RO volumes read-only #18954
  • 60342: Fix nested volume mounts for read-only API data volumes #18954
  • 61047: Lock subPath volumes #18954
  • 61109: Detect backsteps correctly in base path detection #18954
  • 61196: bugfix(mount): lstat with abs path of parent instead of '/..' #18954
  • Revert "UPSTREAM: 53916: update .dockercfg data to config.json format" #18062

Bugs

• auth: Fix issues with oc adm migrate authorization #18221
• migrate: handle NotFound via resource matching and during conflicts #18287
• server: Include proto swagger document in discovery #18309
• server: Don't expose oapi types as 'all' #18478
• deployments: Correctly trigger DC trigger reconciliation on image change release #18524
• build: Correctly set selinux labels for build containers #17546

Release SHA256 Checksums

abc89f025524eb205e433622e59843b09d2304cc913534c4ed8af627da238624  ./openshift-origin-client-tools-v3.7.2-282e43f-linux-64bit.tar.gz
74933671b886f790dbf83edfba25a522851244c37a586dc491a39ebf30ece893  ./openshift-origin-server-v3.7.2-282e43f-linux-64bit.tar.gz
8ae2f51cdde5c76a33add98c64efc30f11f5c0fbd1dacc5ae5d0f147b96f7d18  ./openshift-origin-client-tools-v3.7.2-282e43f-mac.zip
45e525b751d7659e05adfbd005851cdeb769df511cfe38f5e45c0dfed854e784  ./openshift-origin-client-tools-v3.7.2-282e43f-windows.zip

v3.9.0-alpha.3

This is a feature release of OpenShift Origin.

Backwards Compatibility

• TODO

Changes

Roadmap for the v3.9 release

v3.9.0-alpha.3 (2018-01-23) Full Changelog

API

• TODO

Component updates

• Updated to Kubernetes v1.9.1-57-ga0ce1bc657 + patches
  • 49312: allow the /version endpoint to pass through #17576
  • 49885: Ignore UDP metrics in kubelet #17106
  • 50390: Admit sysctls for other runtime. #17274
  • 50673: Azure - Use cloud environment to instantiate storage client #17052
  • 52260: fix azure disk mounter issue #17052
  • 53135: Fixed counting of unbound PVCs towards limit of attached volumes #17442
  • 53576: Revert "Validate if service has duplicate targetPort" #17115
  • 53989: Remove repeated random string generations in scheduler volume predicate #17442
  • 54410: Cpu manager reconcile loop - restore state #18055
  • 54459: fix azure storage account num exhausting issue #17052
  • 54597: kubelet: check for illegal container state transition #17514
  • 54607: fix azure pv crash due to volumeSource.ReadOnly value nil #17052
  • 55248: increase iptables max wait from 2 seconds to 5 (fix) #17115
  • 55316: Make StatefulSet report an event when recreating failed pod #18060
  • 55631: Parse and return the last line in the log even if it is partial #17198
  • 55641: dockershim: remove corrupt checkpoints immediately upon detection #17299
  • 55703: use full gopath for externalTypes #17115
  • 55704: Return original error instead of negotiation one #17115
  • 55772: Only attempt to construct GC informers for watchable resources #17115
  • 55796: Correct ConstructVolumeSpec() #17423
  • 55974: Allow constructing spdy executor from existing transports #17115
  • 55974: Allow constructing spdy executor from existing transports #17391
  • 56045: Fix getting logs from daemonset #17405
  • 56191: CPU Manager panics on state initialization error #18055
  • 56356: Wait for controllerrevision informer to sync on statefulset controller startup #17513
  • 56408: admission: do not leak admission plugin config types outside of the plugin #18111
  • 56503: MustRunAsNonRoot should reject a pod if it has non-numeric USER #17512
  • 56506: kubelet: include runtime error in event on CreatePodSandbox failure #18002
  • 56687: kube-apiserver: enable admissionregistration v1beta1 api by default #17576
  • 56864: pick pod-selector changes from #56864 #17616
  • 56971: LimitRange ignores objects previously marked for deletion #17978
  • 57099: increase the podLogTimeout for downward volume test #17627
  • 57107: Check ns setup error during e2e #17576
  • 57148: expose special storage locations #17576
  • 57149: make quota reusable #17576
  • 57150: allow convert to default on a per object basis #17576
  • 57211: Process cluster-scoped owners correctly #17820
  • 57214: Remove mutation from pvc validation #17876
  • 57247: cpumanager: Propagate error up instead panic #18051
  • 57276: Fix vsphere cloudprovider naming #17961
  • 57349: add watch to requirements for quota-able resources #17863
  • 57993: Add volumemetrics for glusterfs plugin #18091
  • 58018: make controller port exposure optional #18003
  • 58107: Fix quota controller worker deadlock #18080
  • 58302: uniquify resource lock identities #18100
  • : add flag for running bare kube-controller-manager #18100
  • : add our immortal namespaces directly to admission plugin #17914
  • : allow controller context injection to share informers #17115
  • : allow injection of controller context function #18003
  • : allow injection of controller context function #18097
  • : allow multiple containers to union for swagger #17115
  • : disable failing etcd test for old level #17391
  • : exclude some origin resources from quota #17576
  • : keep set working on internal types #17576
  • : make wiring in kubeproxy easy until we sort out config #17576
  • : patch scheduler to apply defaults. drop once we run separate scheduler #17576
  • : switch apply to use the legacyscheme so our types can be handled #17576
  • : switch back to use encode/json to avoid serialization errors #17115
  • : switch back to use ugorji/go to avoid deserialization errors #17768
  • : add back PrintSuccess. remove when printing is fixed #17576
  • : disable flaky InitFederation unit test #17115
  • : enable beta APIs by default. fixed by several pulls upstream #17576
  • : etcd testing #17115
  • : remove usage of bad transport since only GKE routes #17576
  • : run hack/copy-kube-artifacts.sh #17115
  • : skip controller metric error, drop once we run in a separate process #17576
  • : skip scheduler configz error, drop once we run in a separate process #17576
  • : stop adding federation to hyperkube one release early #17663
  • revert: 9176245: : allow controller context injection to share informers #17861
  • revert: cf235c2: UPSTREAM: : switch apply to use the legacyscheme so our types can be handled #17885
• Updated to Docker distribution v2.6.0-rc.1-210-g00b6b84 + patches
  • docker/distribution: 2382: Don't double add scopes #17115
  • docker/distribution: 2384: Fallback to GET for manifest #17115
  • docker/distribution: 2402: Allow manifest specification #17115
  • docker/distribution: 2402: Allow manifest specification #18078

Features

• TODO

Bugs

• build: Fixed the wrong name of building image. According to the implementati… #17050
  • Fixed the wrong name of building image. According to the implementation and running behavior. the building image is openshift/origin-release (215b3d8)
• auth: Allow registry-admin to manage RBAC r...

v3.7.1

This is a patch release of OpenShift Origin.

Changes

v3.7.1 (2018-01-16) Full Changelog

Component updates

• Updates to Kubernetes
  • 51634: Revert to using isolated PID namespaces in Docker #17722
  • 55641: dockershim: remove corrupt checkpoints immediately upon detection #17302
  • 56356: Wait for controllerrevision informer to sync on statefulset controller startup #17620
  • 56503: MustRunAsNonRoot should reject a pod if it has non-numeric USER #17686
  • 57211: Process cluster-scoped owners correctly #17818
  • Allow controller context injection to share informers #17855
• Updates to Docker distribution
  • docker/distribution: 2140: Add 'ca-central-1' region for registry S3 storage driver #17585

Bugs

• deploy: Fix deployment config scale subresource #17517#17599
• oauth: Make client authorizations tolerant of UID changes (4800340)
• router: Fix example certificates used in router tests #17959
• server: Fix panic on controllers start #17855

Release SHA256 Checksums

56e9dbff7e5e4ade1e92cc10ff1bd1ae2789ec400be0d8a5b2177fd6c465af21  ./openshift-origin-client-tools-v3.7.1-ab0f056-linux-64bit.tar.gz
bd783fe128fac2f2dd117a23a4c1d9d1b0a8313e2bdb433f640c3b23df7eb8f8  ./openshift-origin-server-v3.7.1-ab0f056-linux-64bit.tar.gz
e2cdad103485580166e4aef14e111551439c2c18a1ed77376b16808755b363ea  ./openshift-origin-client-tools-v3.7.1-ab0f056-mac.zip
dc228416bc07bf96ea6ecca431004bfc1182af0c0b0be7834fceda5e8a663b3e  ./openshift-origin-client-tools-v3.7.1-ab0f056-windows.zip

v3.7.0

This is the official 3.7 release of OpenShift Origin.

Changes

Roadmap for the v3.7 release

v3.7.0 (2017-11-29) Full Changelog

API

• SecurityContextConstraints can't be patched because an empty array is returned by the server #17185
  • OpenShift now always returns an empty array for the users, groups, and subjects fields on SecurityContextConstraints
• Merge imagestreamtag list on strategy merge patch correctly #17091
  • Image stream spec tags were not correctly merged when strategic merge patches were used. This is now fixed.
• DeploymentConfig replicas field is now correctly marked as optional in the API spec #17035

Component updates

• Updates to Kubernetes
  • 48813: maxinflight handler should let panicrecovery handler call NewLogged #17048
  • 49128: add svc and netpol to discovery #17454
  • 49885: Ignore UDP metrics in kubelet #17303
  • 54597: kubelet: check for illegal container state transition #17051
  • 54763: make iptables wait flag generic; increase the max wait time from 2 seconds to 5 seconds #17062
  • 54812: Allow override of cluster level (default, whitelist) tolerations by namespace level empty (default, whitelist) tolerations. #17116
  • 54828: trigger endpoint update on pod deletion #17120
  • 54921: rename metric reflector_xx_last_resource_version #17173
  • 54979: Certificate store handles rel path incorrectly #17135
  • 55028: kubelet: dockershim: remove orphaned checkpoint files #17175
  • 55248: increase iptables max wait from 2 seconds to 5 (fix) #17222
  • 56221: log errors while trying to GC resources #17426
  • 56223: ensure that network policy can be GC'd #17426
  • drop: fix for bz1507257 hacked from upstream PR47850, drop these changes in favour of that PR because this one does not carry the entire dependent chain. Conflicts were removed manually. #17097

Bugs

• build: Adding sample Jenkins Pipeline #16880
• build: Allow image trigger controller to create custom builds #17108
• cli: Return error when long-form service account name is used with oc policy #17061
• image: Correctly dereference ImageStreamTags #16821
• image: Signature import now correctly falls back to (in)secure transport #17202
• login: Preserve errors correctly when certain errors happen in login #17138
• migrate: Correctly handle NotFound errors during migration #17080
• network: Validate node IP is local during sdn node initialization #17043
• network: fix a segfault with cidr addresses and correct the creation of cluster network object #17076
• network: Fix up destination MAC of auto-egress-ip packets #17099
• network: Network component should refresh certificates if they expire #17135
• network: Avoid parsing the whole dump-flows output in the OVS health check #17333
• network: Allow assign-macvlan annotation to specify an interface #17383
• router: Change the router reload suppression so that it doesn't block updates #17049
• router: Fix the suppress health checks when only one backing service logic #17077, #17155
• rpm: Move master config ghosts to /etc/origin/master/ #15163
• server: Fix panic during openshift controller options initialization #17127
• template: Fix duplicate timeout directive #17030
• template: Add template.openshift.io/bindable annotation, default is true #17215
• template: Add app label to example templates #17224
• web: Rework nav to remove :hover selectors to address bugs, inconsistencies #2388
• web: Fix bug where secondary nav items truncate in IE11 #2390
• web: Adjust h1 margins so page header border aligns with left nav item #2389
• web: Allow EnvFrom Prefix #2377
• web: Reveal and hide secrets #2378
• web: Bump container terminal to v2.1.1 to fix refresh when disconnect / re-connect #2398
• web: Add resourceVersion as a secondary sort for events #2395
• web: Update membership filter to use MEMBERSHIP_WHITELIST in Constants.js #2402
• web: Preserve newlines in broker status messages #2401
• web: Bug 1507753 - Make config page and environment tab actions consistent #2404
• web: Check 'auth' field when displaying .dockercfg config #2392
• web: Inform the user when no projects to select templates from #2399
• web: Fix bugzilla 15077030 where deleting a rolebinding for a serviceaccount can delete additional rolebindings for serviceaccounts from another namespace #2406
• web: Update plan info on service instance update #2409
• web: Fix adding role to service account where namespace is sometimes missed #2411
• web: Show ProvisionCallFailed in notification drawer #2413
• web: Correctly merge env edits after background upates #2407
• web: Follow-on updates from @jennyhaines openshift/origin-web-console#2362 (comment) #2400
• web: Fix missing RolloutCancelled event in notification drawer #2412
• web: Fix for adding non-builder templates to a project #2424
• web: Use label-editor for PVC labels #2423
• web: Fix vertical alignment of "View Details" link #2425
• web: Bug 1505281 - Improve import YAML results message #2426
• web: Fix bug where wrong next steps message can be displayed #2429
• web: Remove breadcrumbs from catalog, create, and next-steps pages #2431
• web: Fix bug where custom img icons don't appear in catalog cards #2432
• web: Fix bugs with headings #2437
• web: Fix for create project dialog in projects list for mobile. #2444
• web: Fix broken route links #2445
• web: Update help text on CA inputs #2443
• web: Don't wrap "Clear Filter" text #2439
• web: Should not display the 'Reveal Secret' link when secrets without 'data' field #2448
• web: Wizard fixes for iPhone #2451
• web: Fix problems with env valueFrom for DC hooks #2461
• web: Check for 'auths' field for bot...

v3.7.0-rc.0

v3.7.0-rc.0

This is a feature release of OpenShift Origin.

Changes

Roadmap for the v3.7 release

v3.7.0-rc.0 (2017-10-27) Full Changelog

API

• Images
  • The imagestream spec.dockerImageRepository field is now deprecated #16181
• Routes
  • Support additional field selectors on routes #16305
• Builds
  • API docs should show the right return value for build instantiate and build instantiatebinary #16157
  • The experimental extended builds feature has been removed in favor of the existing ability to chain builds with image sources #16811

Component updates

• Updated to Kubernetes v1.7.6-166-ga08f5eeb62 + patches
  • 45345: Support "fstype" parameter in dynamically provisioned PVs #16232
  • 45611: remove use of printf semantics for view-last-applied cmd #16983
  • 47599: Rerun init containers when the pod needs to be restarted #16865
  • 47806: kubelet: fix inconsistent display of terminated pod IPs by using events instead #16464
  • 47806: kubelet: fix inconsistent display of terminated pod IPs by using events instead #16615
  • 48033: Refactor and simplify generic printer for unknown objects #16892
  • 48226: Log get PVC/PV errors in MaxPD predicate only at high verbosity. #16329
  • 48502: Add a refreshing discovery client #16215
  • 48524: fix udp service blackhole problem when number of backends changes from 0 to non-0 #16328
  • 48583: Record 429 and timeout errors to prometheus #16266
  • 48584: Move event type #16865
  • 48589: When faild create pod sandbox record event. #16865
  • 48605: support json output for log backend of advanced audit #16128
  • 48612: Warn if cluster ID is missing for AWS #16331
  • 48709: glusterfs: retry without auto_unmount only when it's not supported #15199
  • 48757: Fix flaky test in reconciler_test #16871
  • 48940: support fc volume attach and detach #15437
  • 48970: Recreate pod sandbox when the sandbox does not have an IP address. #16865
  • 49016: PV controller: resync informers manually #16965
  • 49025: fix NodePort test on baremetal installs #15766
  • 49127: Make definite mount timeout for glusterfs volume mount #15199
  • 49133: add controller permissions to set blockOwnerDeletion #16182
  • 49142: Slow-start batch pod creation of rs, rc, ds, jobs #16111
  • 49215: Require Cluster ID for AWS #16331
  • 49219: Use case-insensitive header keys for --requestheader-group-headers. #16186
  • 49416: FC volume plugin: remove block device at DetachDisk #16236
  • 49420: Fix c-m crash while verifying attached volumes #15433
  • 49475: Fixed glusterfs mount options #15199
  • 49638: Remove default binding of system:node role to system:nodes group #14227
  • 49640: Run mount in its own systemd scope #15725
  • 49899: Update the client cert used by the kubelet on expiry #16571
  • 50036: Bring volume operation metrics #16490, #16615
  • 50094: apimachinery: remove pre-apigroups import path logic #15955
  • 50258: Add token cache component #14916
  • 50258: Add token group adder component #14916
  • 50258: Add union token authenticator #14916
  • 50258: Simplify bearer token auth chain, cache successful authentications #14916
  • 50334: Support iscsi volume attach and detach #16299
  • 50350: Wait for container cleanup before deletion #16865
  • 50476: fix the webhook unit test; the server cert needs to have a valid CN; fix a fuzzer #16861
  • 50583: Make endpoints controller update based on semantic equality #16889
  • 50843: FlexVolume: Add ability to control 'SupportsSELinux' during driver's init phase #16174
  • 51035: Show events when describing service accounts #13621, #16615
  • 51119: Allow audit to log authorization failures #16128
  • 51148: Enable finalizers independent of GC enablement #16105
  • 51199: Makes Hostname and Subdomain fields of v1.PodSpec settable when empty and updates the StatefulSet controller to set them when empty #16722
  • 51448: Add PVCRef to VolumeStats #16205
  • 51473: Fix cAdvisor prometheus metrics #16048
  • 51534: update scheduler to return structured errors instead of process exit #16015
  • 51535: allow disabling the scheduler port #16015
  • 51553: Expose PVC metrics via kubelet prometheus #16205
  • 51633: update GC controller to wait until controllers have been initialized #16617
  • 51636: add reconcile command to kubectl auth #16104
  • 51638: allow to generate extended methods in client-go #16019
  • 51644: do not update init containers status if terminated #16244
  • 51705: Address panic in TestCancelAndReadd #16077
  • 51727: ensure all unstructured resources #16082
  • 51728: Enable CRI-O stats from cAdvisor #16441
  • 51750: output <none> for colums not found #17023
  • 51782: A policy with 0 rules should return an error #16128
  • 51796: Fix pod and node names switched around in error message. #16392, #16615
  • 51803: make url parsing in apiserver configurable #16110
  • 51932: fix format of forbidden messages #16110
  • 51972: ProducesObject should only update the returned API object resource documentation #16157
  • 51972: ProducesObject should only update the returned API object resource documentation #16615
  • 52030: Fill in creationtimestamp in audit events #16128
  • 52073: Fix cross-build #16441
  • 52092: Fix resource quota controller panic (Drop in 1.8) #16241
  • 52112: Allow watch cache disablement per type #16398, #16615
  • 52127: Fix deployment timeout reporting #16277
  • 52168: Fix incorrect status msg in podautoscaler #16664
  • 52221: Always populate volume status from node #16384
  • 52297: Use cAdvisor constant for crio imagefs ...

v3.6.1

This is a patch release of OpenShift Origin.

Changes

v3.6.1 (2017-10-25) Full Changelog

Component updates

• Updates to Kubernetes
  • 45352: Pod (Anti)affinity shouldn't be respected across namespaces. #16016
  • 45743: partial pick of 45743 to fix config groupversion defaults #16976
  • 46236: Support sandbox images from private registries #15880
  • 47731: Use endpoints informer for the endpoint controller. #16575
  • 47788: Get rid of 30s ResyncPeriod in endpoint controller. #16575
  • 49724: skip WaitForAttachAndMount for terminated pods in syncPod #15534
  • 49992: Correctly handle empty watch event cache #15616
  • 50258: Add token cache component #15662
  • 50258: Add token group adder component #15662
  • 50258: Add union token authenticator #15662
  • 50258: Simplify bearer token auth chain, cache successful authentications #15662
  • 50583: Make endpoints controller update based on semantic equality #16890
  • 50934: Skip non-update endpoint updates #15889
  • 51144: Fix unready endpoints bug introduced in #50934 #15889
  • 53753: Reduce log spam in qos container manager #16841

Bugs

• Skip goversioninfo when it is not installed #15550
• Add back origin-sdn-ovs #15542
• print typed podlist for correct serialization #15519
• make the router integration tests run as part of test-end-to-end #15778
• Properly handle errors in policy listing #15762
• Image policy is resolving images on replica sets by default #15867
• Mark subjectaccessreview/resourceaccessreview as root-scoped #15714
• Disable RBAC create commands #15618
• extended: Skip test instead of failing #16126
• Add short ttl cache to token authenticator on success #15662
• make oc adm create-bootstrap-project-template compatible w 1.5 cluster #16207
• Disable TestImageStreamImportDockerHub integration test to unblock the queue #16336
• Retry image stream updates when pruning images #16138
• Updating docker --build-arg test due to docker code change #16541

Release SHA256 Checksums

922afb7a5642040ea7a6b780cd68eb1d15533b6376b503351a4c38a452338d11  ./openshift-origin-client-tools-v3.6.1-008f2d5-linux-64bit.tar.gz
47d0167e0b496b3a64249e40a91513af998fba7d4ba725454e74a8203024ebd8  ./openshift-origin-server-v3.6.1-008f2d5-linux-64bit.tar.gz
b7ecd27a0e3821868255898ef0ab47dfe0e5e371da6a58b0cbadd687e8dccca0  ./openshift-origin-client-tools-v3.6.1-008f2d5-mac.zip
2a970aec5709f572faa02e877ea33d68e23407e2ec6e39ddc3683077814f6031  ./openshift-origin-client-tools-v3.6.1-008f2d5-windows.zip
62a71b1d94abbf34936a021e56881db981634dcfed83bd8ab4052d19a31fd0d4  ./CHECKSUM