v3.6.0-alpha.1
Pre-release
This is a feature release of OpenShift Origin.
Backwards Compatibility
- The Jenkins v1 image is now deprecated - use the new v2 image which has access to the new Jenkins BlueOcean UI #13605
- By default, new clusters will limit which image registries can be imported from by default #13313
- Builds of i386 OpenShift have been temporarily removed due to bugs in Go 1.7 #13686
Changes
v3.6.0-alpha.1 (2017-04-12) Full Changelog
API
- Deployments
- The securityContext field is now copied over to lifecycle hook pods, which means they will share user, group, fsGroup, and SELinux settings #12733
- Authorization
- The
attributeRestrictionsfield in subject access reviews is deprecated and will be removed in a future release, to be consistent with the new approach of having multiple resource types for access reviews. #13466
- The
- Networking:
- CIDRs that are provided to ClusterNetwork, HostSubnet, and EgressNetworkPolicy must now be valid and in canonical form to prevent accidental leaks of network info. #13508
Component updates
- Updates to Kubernetes
- Updates to Docker distribution
Features
Add a Service Broker for Templates
Templates allow users in OpenShift to easily define, share, and deploy precanned applications. The new service broker will allow any template to be
exposed in the service catalog and then consumed by end users. The broker will initially support deploying the template inside of the user's project,
but eventually allow templates to be used to deployed on other clusters and linked back to the end user.
To support the service broker, a new resource has been added to projects - the TemplateInstance. This lets you declaratively instantiate a template
and then in the future update that template.
Template service broker is tech preview for OpenShift 3.6
- Template service broker #12953
Add metrics to routers
The router has been upgraded to return Prometheus metrics for routes and the pods under those routes. New clusters will have the ROUTER_METRICS_TYPE environment variable set to haproxy and ROUTER_LISTEN_ADDR set to 0.0.0.0:1935, which turns on metrics on port 1935 (protected by the ROUTER_STATS_PASSWORD and user).
The exposed metrics describe per route, service, and pod information about the traffic flowing over the routers, and can be gathered by an Prometheus capable collector to report information about edge traffic.
- Expose metrics in the router #13337
Support F5 partitions in the router
F5 BigIP servers allow for multiple active "partitions" to be managed for security and failure separation at the API level. This change adds support for targeting a partition from the F5 router management code and makes it possible for OpenShift to manage only a subset of a given F5 router.
- Support F5 partition paths #13391
Add webhook support to builds for GitLab and BitBucket
Like the GitHub and generic web hooks, this allows users to create a webhook trigger with oc set triggers and then use that webhook from
a GitLab or BitBucket repository. The hook supports extracting the commit message and author and adding it to the trigger cause.
- Support gitlab and bitbucket webhooks #13389
Control which registries can be imported from
A new configuration flag has been added to the OpenShift config that limits which registries users can import images from by default. Administrators
who can create images directly via the API can import any image, but regular users will receive an error if they import from an unsupported registry.
By default, the list of registries is set to the important publicly hosted registries.
- Allow administrators to control which registries can be imported #13313
Send events when builds are started or complete
A new event is sent when a build starts running, and when it succeeds, fails, or is cancelled another event will be reported. This makes it easier
to see the timeline of events in the CLI and web console.
- Send events on builds #13660
Create and deploy applications with the service catalog in the web console
The service catalog is an important new component of OpenShift and Kubernetes and will be tech preview in 3.6. The web console will expose
binding services provisioned in the catalog to existing applications, as well as deploying new components into a project from the console
(via the template broker). More coming soon!
- web: First prototype of creating service bindings from the console #1395
- web: Add catalog to web console #1389
Bugs
- admin: Use correct PEM header when generating key pairs #13498
- auth: SelfSubjectAccessReview does not authorize with api groups #13715
- build: Add a label to built images containing the name of the build #13703
- build: Adding generic build failed reason when no specific error shows up #13590
- build: Ensure next build is kicked off when a build completes #13670
- cli:
oc tagshould not allow setting an alias tag across different image streams #13632 - client: mark Image type +nonNamespaced=true #13525
- cluster: Set DNS bind and IP address correctly for newer server versions #13539
- cluster: Simplify the output of
oc cluster up#13636 - cluster: Use router suffix for router certificate hostnames #13647
- deploy: Add owner reference to rc from the deployer #13582
- deploy: Carry over the securityContext from the deployment config to lifecycle hook #12733
- deploy: Retry pending deployments longer before failing them #13550
- deploy: Retry scaling when the server's caches are not warmed up (prevent a race with namespace creation) #13279
- deploy: Use patch API for pausing and resuming deployment config #13613
- image: Ensure both strong and weak image refs prevent pruning #13671
- image: Image imports should be considered long-running requests and allowed to take more than 30s to complete #13458
- network: Port openshift-sdn-ovs script to go #12145
- network: SDN egress policy should not firewall endpoints from global namespaces #13071
- network: The IP reported for node by openshift-sdn can change on restart - make it stable #13645
- network: Wait for namespaces to be loaded before setting VNID, which prevents temporary network unavailability in pods #13666
- newapp: Address redundant line if new-app error output #13541
- newapp: Fix extra lines in new-app output #13540
- node: Fix mount propagation on rootfs for containerized node #13327
- node: system container mounts /rootfs rslave #13499
- perf: Used shared informer in build controllers #13510
- registry: Add --fs-group and --supplementary-groups to
oc adm registry#12951 - router: Ensure that route creation and deletion does not panic by tracking routes by UID #13494
- security: Correctly delete RoleBindingRestrictions when namespaces are deleted #13563
- security: Refactor impersonation code to be easier to read and more specific #13630
- security: The RestrictUsersAdmission admission controller should allow service account namespaces to be implicit #13649
- template: Better error when an unrecognized type is found #13624
- web: Allow more space on the nav bar for extensions that use a context switcher #1376
- web: Fix wrapping issues with very long usernames #1377
- web: Support a query param for expanding advanced builder options #1398
- web: Fix "View Membership" from catalog project summary #1407
- web: Split off next-steps into component #1400
- web: Create a binding from a svc to an app #1414
Release SHA256 Checksums
38378daa2945bbba332c1af2d857ff09fded70420ee742d72a704fdd4d242043 openshift-origin-client-tools-v3.6.0-alpha.1-46942ad-linux-64bit.tar.gz
ea35585dcdd3719555396f2e58141cd68ba1a94c033b1bc89d72c4347b543267 openshift-origin-client-tools-v3.6.0-alpha.1-46942ad-mac.zip
a336cc57f1aad5c88cd5c453e9068831e00d6d052c9ace59770bdabd39413ba4 openshift-origin-client-tools-v3.6.0-alpha.1-46942ad-windows.zip
ac72399befd3a7f147d09d556853f6871a9a78bec0eb63f9a5e56fb01a094eb3 openshift-origin-server-v3.6.0-alpha.1-46942ad-linux-64bit.tar.gz