Releases: openshift/origin
Releases · openshift/origin
v3.7.0-alpha.1
This is a feature release towards OpenShift Origin v3.7.0. It is based on Kubernetes 1.7.
Changes
v3.7.0-alpha.1 (2017-08-30) Full Changelog
API Changes
- Upgraded to Kubernetes 1.7 #15234
- Please see the Kubernetes release notes for a description of important API changes
- Improved documentation of the
Routebackendweightfield #15309 /oapi/v1/namenspaces/{namespace}/generatedeploymentconfigshas been removed #15585- Add public pull spec field to image stream status #15643
- Improve documentation of the
SecurityContextConstraintpriorityfield #15425 SubjectAccessReviewandResourceAccessReviewwere marked as namespace-scoped incorrectly in the new API groups #15704- Template instantiation will now wait for the object to be ready if it has the
template.alpha.openshift.io/wait-for-readyannotation set totrue#15402 - OpenShift RBAC API objects are now backed by Kubernetes RBAC #15021
- The existing OpenShift RBAC APIs will remain, but are implemented on top of Kubernetes RBAC APIs
- New code should use the Kubernetes RBAC APIs in preference
- The default value of
DeploymentConfigspec.revisionHistoryLimitin apps/v1 is now 10 #15642 - The
spec.requesterfield onTemplateInstancenow is consistent with other API fields that convey user information #15719 - The
status.publicDockerImageRepositoryfield onImageStreamreports a pull spec that can be used outside of the cluster to access images #15643
The API documentation in api is now auto-generated from our public OpenAPI spec and contains more information on individual objects, which is reflected in the OpenShift API documentation #15788.
Component updates
- Updated to Kubernetes v1.7.0-43-g695f48a16f + patches
- #00000: allow nil openapispec
- #00000: disambiguate operation names for legacy discovery
- #00000: make AsVersionedObjects default cleanly
- #36774: allow auth proxy to set groups and extra
- #37380: Improve error reporting in Ceph RBD provisioner
- #38818: Add sequential allocator for device names in AWS
- #38925: Fix nil pointer issue when making mounts for container
- #39732: Fix issue #34242: Attach/detach should recover from a crash
- #39751: Changed default scsi controller type
- #39752: Fix panic in vSphere cloud provider
- #39754: Fix fsGroup to vSphere
- #39757: Fix space in volumePath in vSphere
- #39998: Cinder volume attacher: use instanceID instead of NodeID when verifying attachment
- #40080: Fix resttest Update action when AllowUnconditionalUpdate is false
- #40301: present request header cert CA
- #40423: Support for v1/v2/autoprobe openstack cinder blockstorage
- #40693: fix for vSphere DeleteVolume
- #40903: Set docker opt separator correctly for SELinux options
- #40935: Plumb subresource through subjectaccessreview
- #41043: allow setting replace patchStrategy for structs
- #41196: Fix for Premature iSCSI logout
- #41217: Fix wrong VM name is retrieved by the vSphere Cloud Provider
- #41226: Fix for detach volume when node is not present/ powered off
- #41329: stop senseless negotiation
- #41436: Fix bug in status manager TerminatePod
- #41455: Fix AWS device allocator to only use valid device names
- #41498: cinder: Add support for the KVM virtio-scsi driver
- #41634: Handle error event type
- #41658: Fix cronjob controller panic on status update failure
- #41758: Updated key.pm and cert.pm to remove error in setting up localhostCert pool
- #41814: add client-ca to configmap in kube-public
- #41939: Add an AEAD encrypting transformer for storing secrets encrypted at rest.
- #42033: fix TODO: find and add active pods for dswp
- #42275: discovery restmapping should always prefer /v1
- #42337: Plumb cipher/tls version serving options
- #42421: proxy not providing user info should cause error
- #42491: make the system:authenticated group adder smarter
- #42622: Preserve custom etcd prefix compatibility for etcd3
- #42672: use separate scheme to serve the kube-aggregator
- #42801: add local option to APIService
- #42835: remove legacy insecure port options from genericapiserver
- #42886: allow fallthrough handling from go-restful routes
- #42896: require codecfactory
- #42900: rewire aggregation handling chain to be normal
- #42911: combine kube-apiserver and kube-aggregator
- #42959: Delete host exec pods faster
- #42973: Fix selinux support in vsphere
- #43003: separate discovery from the apiserver
- #43076: allow combining API servers
- #43141: Create controller to auto register TPRs with the aggregator
- #43144: start informers as a post-start-hook
- #43149: break kube-apiserver start into stages
- #43170: Add ability to customize fed namespace for e2e
- #43226: don't start controllers against unhealthy master
- #43289: Attach/detach controller: fix potential race in constructor
- #43301: add APIService conditions
- #43375: Set permission for volume subPaths
- #43377: only log stacks on server errors
- #43383: proxy to IP instead of name, but still use host verification
- #43396: iSCSI CHAP support
- #43575: util/iptables: check for and use new iptables-restore 'wait' argument
- #43762: refactor getPidsForProcess and change error handling
- #43878: Delete EmptyDir volume directly instead...
v3.6.0
This is the public release of OpenShift Origin v3.6.0.
Changes
v3.6.0 (2017-07-30) Full Changelog
See the earlier release notes for other features implemented in this release:
Component updates
- Updates to Kubernetes
- 42038: Add backup-volfile-servers to mount option #15396
- 44756: Don't call spew unless we're logging #15520
- 48613: proxy/userspace: honor listen IP address as host IP if given #15174
- 48709: glusterfs: retry without auto_unmount only when it's not supported #15396
- 48813: maxinflight handle should let panicrecovery handler call NewLogged #15306
- 48884: Do not mutate pods on update #15190
- 48940: support fc volume attach and detach #15407
- 48960: No warning event for DNSSearchForming #15350
- 49111: Fix findmnt parsing in containerized kubelet #15372
- 49120: Modify podpreset lister to use correct namespace #15318
- 49127: Make definite mount timeout for glusterfs volume mount #15396
- 49230: use informers for quota calculation #15357
- 49353: Use specified ServerName in aggregator TLS validation #15388
- 49444: Do not spin forever if kubectl drain races with other removal #15436
- 49475: Fixed glusterfs mount options #15396
- 49688: Don't block watch cache Get/List on unready #15515
- Also expose gRPC metrics in kube storage #15517
- Carry a patch for reporting 429 metrics #15485
- Double the global timeout if performing a global list #15505
Features
Record the last snippet of build logs into the build API result
In many cases, the last few lines of the build log contain an accurate reason for a failing build. This adds a new field logSnippet to the build status and populates it with the last few lines of build logs when the build is marked as failed. This field is purely informational and may not be a complete representation of the final logs.
- Grab a snippet of build logs for failing builds #15181
Bugs
- build: Retry build push failures on a larger set of errors #15406
- build: Only set the build timestamps the first time to avoid duplicate writes #15487
- cli: Remove use of policy API from CLI #15196
- cluster: Remove
oc cluster updependency on oc binary #15471 - images: Fix panic when POSTing an image to the server #15541
- rbac: Handle cleanup of individual authz objects in sync #15223
- rbac: Update bootstrappolicy/dead addDeadClusterRole to include systemOnly annotation #15320
- rbac: Reconcile controller roles at startup #15354
- rbac: Update quota controller's role for Kube authorizer #15348
- route: Fix panic when user sets edge TLS termination on a route #15550
- router: Unconditionally remove proxy headers to prevent httpoxy #15146
- router: Add an ENV to control ipv6 behavior in the router #15351
- server: Set mutation limit proportional to read limit by default #15206
- server: Make the master endpoint lease ttl configurable #15214
- server: Run separate informers for api and controllers #15217
- server: Register aggregator resources into scheme prior to starting any components #15226
- server: Unable to authenticate to the controller process using the remote authorizer #15458
- server: Add gRPC metrics for the API server's connection to etcd #15517
- server: Make controller client rate limits proportional to the overall limit #15479
Release SHA256 Checksums
ecb0f52560ac766331052a0052b1de646011247f637c15063f4d74432e1ce389 ./openshift-origin-client-tools-v3.6.0-c4dd4cf-linux-64bit.tar.gz
c9565850257fd758585118c4b5e1be42ddcf133026c02adee2695191690f022e ./openshift-origin-server-v3.6.0-c4dd4cf-linux-64bit.tar.gz
320dd318b4b094fea9aadee9473173054d1f11b97895b94315fe2f095f08b652 ./CHECKSUM
6ade4ce9b300b1a9ed4ccfa49f3476a0721c71b78e7dd43ca58f4752b29ab5f1 ./openshift-origin-client-tools-v3.6.0-c4dd4cf-mac.zip
6a45e7fe115dd4c8675ba06e8d958da6819b84a876ea6eb1c085a92b741e43f7 ./openshift-origin-client-tools-v3.6.0-c4dd4cf-windows.zip
v3.6.0-rc.0
This is the first release candidate for OpenShift 3.6.
Backwards Compatibility
- Security Context Constraints migrated from older versions of OpenShift that have a null allowed
volumesarray will now default to["none"]- This will prevent future migration to PodSecurityPolicy from being ambiguous
- #14625
- Deployment Configs no longer allow leading or trailing spaces on images
- Kubernetes 1.7 will tighten this validation and this will prevent future migrations from being necessary
- #14744
- Users may now create routes with empty
spec.tls.destinationCACertificatefields- To preserve backwards compatibility, when the route is retrieved from the
/oapi/v1/routes/*endpoint it will have a synthetic certificate injected. Retrieving the route from the new/apis/route.openshift.io/v1endpoint will show the new empty value. - #14818
- To preserve backwards compatibility, when the route is retrieved from the
- When creating builds via the new
/apis/build.openshift.io/v1endpoint pruning will be automatically defaulted- Builds created via the old API are unaffected. Callers may set the limit high to avoid pruning
- #14845
Changes
v3.6.0-rc.0 (2017-07-13) Full Changelog
API
- The autoscaling v2alpha1 API - new in Kubernetes 1.6 - is disabled by default #15058
- Image stream tags will now return labels from the parent image stream
- Sending an update to the tag with empty labels will not cause an error #15098
Component updates
- Updated to Kubernetes v1.6.1-1-g5115d708d7 + patches
- Add the API aggregation code as a backport to 3.6 from Kubernetes 1.7
- 43003: Separate discovery from the apiserver #14513
- 44399: Add deregistration for aggregator paths #14513
- 44408: Aggregator controller changes only #14513
- 44466: Use our own serve mux that directs how we want #14513
- 45247: Promote apiregistration from v1alpha1 to v1beta1 #14676
- 45247: generated: Promote apiregistration from v1alpha1 to v1beta1 #14676
- 45370: refactor names for the apiserver handling chain #14513
- 45432: Use apiservice.status to break apart controller and handling concerns #14513
- 46112: apimachinery: move unversioned registration to metav1 #14593
- 46440: Fix api server handler routing (move CRD behind TPR) #14513
- 46440: Fix api server handler routing (move CRD behind TPR) #14847
- 46800: Separate group and version priority #14676
- 47060: Fix etcd storage location for CRs #14499
- 47347: Actually check for a live discovery endpoint before aggregating (part 2) #14881
- 47347: Actually check for a live discovery endpoint before aggregating #14595
- 47347: Actually check for a live discovery endpoint before aggregating #15022
- Add secret at rest encryption backport from Kubernetes 1.7
- Fixes:
- 41758: Updated key.pm and cert.pm to remove error in setting up localhostCert pool #14847
- 42835: Remove legacy insecure port options from genericapiserver #14513
- 43878: Delete EmptyDir volume directly instead of renaming the directory #14549
- 43982: Fix deletion of Gluster, Ceph and Quobyte volumes #14667
- 44058: Make background garbage collection cascading #14907
- 44115: Scheduler should not log an error when no fit #14714
- 44746: Support for PodPreset in get command #15148
- 44784: Handle vendored names in OpenAPI gen #14993
- 44898: While calculating pod's cpu limits, need to count in init-container #14605
- 44962: Remove misleading error from CronJob controller when it can't find parent #14899
- 45049: Log an EBS vol's instance when attaching fails because VolumeInUse #14844
- 45085: kube-apiserver: check upgrade header to detect upgrade connections #14676
- 45349: Fix daemonsets to have correct tolerations for TaintNodeNotReady and TaintNodeUnreachable. #14653
- 45637: --api-version on explain is not deprecated #14872
- 45661: orphan when kubectl delete --cascade=false #14189
- 45864: Fix unit tests for autoregister_controller.go reliable #14519
- 46034: Event aggregation: include latest event message in aggregate event #14793
- 46036: Retry clientCA post start hook on transient failures #14474
- 46121: Fix kuberuntime GetPods #14290
- 46771: Allow persistent-volume-binder to List Nodes/Zones Available in the Cluster #14899
- 46796: Bump namespace controller to 10 workers #14806
- 46852: Lookup no --no-headers flag safely in PrinterForCommand function #14472
- 46968: bkpPortal should be initialized beforehand #14478
- 46974: Avoid * in filenames #14477
- 47003: Fix sorting of aggregate errors for golang 1.7. #14495
- 47003: Remove duplicate errors from an aggregate error input. Helps Helps with some scheduler errors that fill the log enormously. #14495
- 47078: HPA: only send updates when the status has changed #14529
- 47270: kubectl drain errors if pod is already deleted #14663
- 47274: Don't provision for PVCs with AccessModes unsupported by plugin #14705
- 47281: Update devicepath with filepath.Glob result \into
- 47367: Add client side event spam filtering #14747
- 47450: Ignore 404s on evict #14690
- 47462: Strip container id from events #14693
- 47491: Image name must not have leading trailing whitespace #14691
- 47516: Fix getInstancesByNodeNames for AWS #14669
- 47605: Change Container permissions to Private for provisioned Azure Volumes #14733
- 47701: Force protobuf to be stable in output #14723
- 47740: Add websocket protocol authentication method #14716
- 47740: Use websocket protocol authenticator in apiserver #14716
- 47792: Fix rawextension decoding in update #14764
- 47822: Separate serviceaccount and secret storage config #14838
- 47823: Don't pass CRI error through to waiting state reason #14887
- 47904: Prioritize messages for long steps in storage trace output #14911
- 47919: Use %q formatter for error messages from the AWS SDK [#14948](htt...
- Add the API aggregation code as a backport to 3.6 from Kubernetes 1.7
v3.6.0-alpha.2
This is a feature release of OpenShift Origin.
Backwards Compatibility
- The experimental command
oc import docker-composehas been removed #13795- Work has moved to the kompose project
- The
status.unavailableReplicasfield on deployment configs no longer accepts negative numbers #14046 - The extended certificate validation feature in the router is now much stricter #13897
- In order to ensure that buggy, malicious, or invalid certificates cannot crash a router the extended certificate feature now decodes and then re-encodes certificates from routes. Only a known set of allowed PEM blocks and certificate types will be accepted, including the common RSA and ECSDA variants of both public and private keys.
- If you are upgrading your cluster and have not disabled extended certification (on by default) you should start a test router instance and verify that all routes successfully load before completing your rollout.
- Routes that fail extended validation are taken out of rotation and have a status field message set indicating they are not accepted.
Changes
v3.6.0-alpha.2 (2017-06-07) Full Changelog
API
- Add fields to builds that display the status of build results #13307
- A series of stages and steps are part of build status and populated by the builder.
- Two fields are added to build config spec to control how many successful and failed builds are preserved on the cluster #13788
- The
spec.tls.destinationCACertificatefield on a route is now optional - routers that don't allow defaulting will reject this route
Component updates
- Updated to Kubernetes v1.6.1-1-g5115d708d7 + patches
- 39732: Fix issue #34242: Attach/detach should recover from a crash #14119
- 40423: Support for v1/v2/autoprobe openstack cinder blockstorage #14005
- 41498: cinder: Add support for the KVM virtio-scsi driver #14005
- 41634: Handle error event type #13939
- 41939: Add an AEAD encrypting transformer for storing secrets encrypted at rest. #14243
- 42033: fix TODO: find and add active pods for dswp #14119
- 42672: use separate scheme to serve the kube-aggregator #13974
- 42801: add local option to APIService #13974
- 42886: allow fallthrough handling from go-restful routes #13974
- 42900: rewire aggregation handling chain to be normal #13974
- 42911: combine kube-apiserver and kube-aggregator #13974
- 43076: allow combining API servers #13974
- 43141: Create controller to auto register TPRs with the aggregator #13974
- 43144: start informers as a post-start-hook #13974
- 43149: break kube-apiserver start into stages #13974
- 43170: Add ability to customize fed namespace for e2e #14106
- 43226: don't start controllers against unhealthy master #13974
- 43289: Attach/detach controller: fix potential race in constructor #14119
- 43301: add APIService conditions #14285
- 43375: Set permission for volume subPaths #13895
- 43377: only log stacks on server errors #14173
- 43383: proxy to IP instead of name, but still use host verification #13974
- 43396: iSCSI CHAP support #14112
- 43575: util/iptables: check for and use new iptables-restore 'wait' argument #14186
- 43922: prevent corrupted spdy stream after hijacking connection #13669
- 43945: Remove 'beta' from default storage class annotation #14427
- 44066: Improve federation e2e test setup #14106
- 44068: Use Docker API Version instead of docker version (fixup) #14335
- 44068: Use Docker API Version instead of docker version #14158
- 44072: Cleanup e2e framework for federation #14106
- 44073: Optionally retrieve fed e2e cluster config from secrets #14106
- 44082: use AvailabilityZone instead of Availability #14005
- 44221: validateClusterInfo: use clientcmdapi.NewCluster() #13653
- 44295: Azure disk: dealing with missing disk probe #14072
- 44406: CRI: Stop following container log when container exited. #14380
- 44439: controller: fix saturation check in Deployments #13890
- 44452: Implement LRU for AWS device allocator #14119
- 44462: 44489: fix selfLink for cluster-scoped resources #14001
- 44566: WaitForCacheSync before running attachdetach controller #14119
- 44570: Explicit namespace from kubeconfig should override in-cluster config #13653
- 44625: Retry secret reference addition on conflict #14033
- 44639: Set fed apiserver to bind to 8443 instead of 443 #14107
- 44730: Check for terminating Pod prior to launching successor in StatefulSet #13653
- 44760: Fix issue #44757: Flaky Test_AttachDetachControllerRecovery #14119
- 44781: Ensure desired state of world populator runs before volume reconstructor #14144
- 44798: Cinder: Automatically Generate Zone if Availability in Storage Class is not Configured #14159
- 44837: Fix Content-Type error of apis #14285
- 44859: e2e: handle nil ReplicaSet in checkDeploymentRevision #13653
- 44861: NotRegisteredErr for known kinds not registered in target GV #13653
- 44895: util/iptables: grab iptables locks if iptables-restore doesn't support --wait #14186
- 44939: don't HandleError on container start failure #14077
- 44970: CRI: Fix StopContainer timeout #13938
- 45100: node-controller: deflake TestUpdateNodeWithMultiplePods #13940
- 45105: taint-controller-tests: double 'a bit of time' to avoid flakes #13953
- 45171: Use groupName comment for listers/informers #13982
- 45235: remove bearer token from headers after we consume it #14007
- 45238: expose kubelet authentication and authorization builders #14011
- 45286: When pods are terminated we should detach the volume #14191
- 45304: increase the QPS for namespace controller #14274
- 45403: apiserver: injectable default watch cache size #14052
- 45413: Extend timeouts in timed_workers_test #14225
- 45427: 45897: GC controller improvements #14358
- 45496: fix pleg relist time #14282
- 45505: expose the controller initializers #14033
- 45515: Ignore openrc group #13964
- 45601: util/iptables: fix cross-build failures due to ...
v1.5.1
This is a patch release of OpenShift Origin.
Changes
v1.5.1 (2017-05-16) Full Changelog
Bugs
- sdn: fix initialization order to prevent crash on node startup #13767
- router: Match subpaths correctly when path contains trailing slash #13923
Release SHA256 Checksums
7d683132a1ea27806d7b2dfbeec4dd1b9d5b0b7db6b97ed05506365135453f55 openshift-origin-client-tools-v1.5.1-7b451fc-linux-32bit.tar.gz
1e5f73098c3e3bf6f887c8678c078f650e62c477eca255c0f131d6b6be805c6c openshift-origin-client-tools-v1.5.1-7b451fc-linux-64bit.tar.gz
0cc3646f2cb2aafcde4bc5bc6890f1c78dabcda4b90ac0b891edef7d7b86bdfe openshift-origin-client-tools-v1.5.1-7b451fc-mac.zip
06f320daef3539f0d7e4a526ec2cbdfdfbfa3a61022ca6fdc0ebcb1ed09ad3f7 openshift-origin-client-tools-v1.5.1-7b451fc-windows.zip
abe50d51aa2485cac9374026a46c30901335f86171d79b7a5747f289e26f9cd0 openshift-origin-server-v1.5.1-7b451fc-linux-64bit.tar.gz
v1.5.0
This is the release of OpenShift Origin 1.5.
Changes
v1.5.0 (2017-04-21) Full Changelog
Component updates
- Additional patches to Kubernetes 1.5.2
- 37845: Azure disk volume fixes #13218
- 38925: Fix nil pointer issue when making mounts for container #13270
- 39751: Changed default scsi controller type #13314
- 39752: Fix panic in vSphere cloud provider #13314
- 39754: Fix fsGroup to vSphere #13314
- 39757: Fix space in volumePath in vSphere #13314
- 40066: Set custom PollingDelay of 5 seconds for Azure VirtualMachinesClient #13218
- 40417: Always detach volumes in operator executor #13251
- 40693: fix for vSphere DeleteVolume #13314
- 41217: Fix wrong VM name is retrieved by the vSphere Cloud Provider #13314
- 41226: Fix for detach volume when node is not present/ powered off #13314
- 41436: Fix bug in status manager TerminatePod #13377
- 42275: discovery restmapping should always prefer /v1 #13727
- 42622: Preserve custom etcd prefix compatibility for etcd3 #13299
- 42973: Fix selinux support in vsphere #13373
- 43460: Remove unused DockerManager daemon version #13513
Bugs
- hack: Remove need for docker in build-images, use multi-tag #13394
- images: Fix image pruning with both strong & weak refs #13677
- images: Insecure istag allows for insecure transport #13274
- install: Restrict packages from CentOS to OVS only #13684
- install: Remove the excluders origin-excluder #13402
- network: Fix service IP validation to handle "ClusterIP: None" #13787
- network: Fix single-node-cluster local multicast delivery #13768
- network: Fix race between ovsdb-server.service and node service #13418
- router: Prevent the router from deadlocking itself when calling Commit() #13744
- security: Update namespace finalizer to delete RoleBindingRestrictions #13588
- Revert "Fix of BUG 1405440" #13348
Release SHA256 Checksums
7100e3c9324ddb31cd0bee1c0bc74d11f79aa580f7c8776eba321094029503ab openshift-origin-client-tools-v1.5.0-031cbe4-linux-32bit.tar.gz
e928067175be0e8a5947c21ebbbf1359687846749e83411b7cd0b99759968605 openshift-origin-client-tools-v1.5.0-031cbe4-linux-64bit.tar.gz
8ea85801afbd464a1bb90346e31c3f3a3325ae93fc188c0d34bd49fc68fc7e16 openshift-origin-client-tools-v1.5.0-031cbe4-mac.zip
e4650d9a53678141c17147a98670fc842fc78049762877def4cb66e385aadee7 openshift-origin-client-tools-v1.5.0-031cbe4-windows.zip
e9bd3c92842acb17ab920b663dfb80f094707fbac8a92dde341631dbfdb13628 openshift-origin-server-v1.5.0-031cbe4-linux-64bit.tar.gz
v3.6.0-alpha.1
This is a feature release of OpenShift Origin.
Backwards Compatibility
- The Jenkins v1 image is now deprecated - use the new v2 image which has access to the new Jenkins BlueOcean UI #13605
- By default, new clusters will limit which image registries can be imported from by default #13313
- Builds of i386 OpenShift have been temporarily removed due to bugs in Go 1.7 #13686
Changes
v3.6.0-alpha.1 (2017-04-12) Full Changelog
API
- Deployments
- The securityContext field is now copied over to lifecycle hook pods, which means they will share user, group, fsGroup, and SELinux settings #12733
- Authorization
- The
attributeRestrictionsfield in subject access reviews is deprecated and will be removed in a future release, to be consistent with the new approach of having multiple resource types for access reviews. #13466
- The
- Networking:
- CIDRs that are provided to ClusterNetwork, HostSubnet, and EgressNetworkPolicy must now be valid and in canonical form to prevent accidental leaks of network info. #13508
Component updates
- Updates to Kubernetes
- Updates to Docker distribution
Features
Add a Service Broker for Templates
Templates allow users in OpenShift to easily define, share, and deploy precanned applications. The new service broker will allow any template to be
exposed in the service catalog and then consumed by end users. The broker will initially support deploying the template inside of the user's project,
but eventually allow templates to be used to deployed on other clusters and linked back to the end user.
To support the service broker, a new resource has been added to projects - the TemplateInstance. This lets you declaratively instantiate a template
and then in the future update that template.
Template service broker is tech preview for OpenShift 3.6
- Template service broker #12953
Add metrics to routers
The router has been upgraded to return Prometheus metrics for routes and the pods under those routes. New clusters will have the ROUTER_METRICS_TYPE environment variable set to haproxy and ROUTER_LISTEN_ADDR set to 0.0.0.0:1935, which turns on metrics on port 1935 (protected by the ROUTER_STATS_PASSWORD and user).
The exposed metrics describe per route, service, and pod information about the traffic flowing over the routers, and can be gathered by an Prometheus capable collector to report information about edge traffic.
- Expose metrics in the router #13337
Support F5 partitions in the router
F5 BigIP servers allow for multiple active "partitions" to be managed for security and failure separation at the API level. This change adds support for targeting a partition from the F5 router management code and makes it possible for OpenShift to manage only a subset of a given F5 router.
- Support F5 partition paths #13391
Add webhook support to builds for GitLab and BitBucket
Like the GitHub and generic web hooks, this allows users to create a webhook trigger with oc set triggers and then use that webhook from
a GitLab or BitBucket repository. The hook supports extracting the commit message and author and adding it to the trigger cause.
- Support gitlab and bitbucket webhooks #13389
Control which registries can be imported from
A new configuration flag has been added to the OpenShift config that limits which registries users can import images from by default. Administrators
who can create images directly via the API can import any image, but regular users will receive an error if they import from an unsupported registry.
By default, the list of registries is set to the important publicly hosted registries.
- Allow administrators to control which registries can be imported #13313
Send events when builds are started or complete
A new event is sent when a build starts running, and when it succeeds, fails, or is cancelled another event will be reported. This makes it easier
to see the timeline of events in the CLI and web console.
- Send events on builds #13660
Create and deploy applications with the service catalog in the web console
The service catalog is an important new component of OpenShift and Kubernetes and will be tech preview in 3.6. The web console will expose
binding services provisioned in the catalog to existing applications, as well as deploying new components into a project from the console
(via the template broker). More coming soon!
- web: First prototype of creating service bindings from the console #1395
- web: Add catalog to web console #1389
Bugs
- admin: Use correct PEM header when generating key pairs #13498
- auth: SelfSubjectAccessReview does not authorize with api groups #13715
- build: Add a label to built images containing the name of the build #13703
- build: Adding generic build failed reason when no specific error shows up #13590
- build: Ensure next build is kicked off when a build completes #13670
- cli:
oc tagshould not allow setting an alias tag across different image streams #13632 - client: mark Image type +nonNamespaced=true #13525
- cluster: Set DNS bind and IP address correctly for newer server versions #13539
- cluster: Simplify the output of
oc cluster up#13636 - cluster: Use router suffix for router certificate hostnames #13647
- deploy: Add owner reference to rc from the deployer #13582
- deploy: Carry over the securityContext from the deployment config to lifecycle hook #12733
- deploy: Retry pending deployments longer before failing them #13550
- deploy: Retry scaling when the server's caches are not warmed up (prevent a race with namespace creation) #13279
- deploy: Use patch API for pausing and resuming deployment config #13613
- image: Ensure both strong and weak image refs prevent pruning #13671
- image: Image imports should be considered long-running requests and allowed to take more than 30s to complete #13458
- network: Port openshift-sdn-ovs script to go #12145
- network: SDN egress policy should not firewall endpoints from global namespaces #13071
- network: The IP reported for node by openshift-sdn can change on restart - make it stable #13645
- network: Wait for namespaces to be loaded before setting VNID, which prevents temporary network unavailability in pods #13666
- newapp: Address redundant line if new-app error output #13541
- newapp: Fix extra lines in new-app output #13540
- node: Fix mount propagation on rootfs for containerized node #13327
- node: system container mounts /rootfs rslave #13499
- perf: Used shared informer in build controllers #13510
- registry: Add --fs-group and --supplementary-groups to
oc adm registry#12951 - router: Ensure that route creation and deletion does not panic by tracking routes by UID #13494
- security: Correctly delete RoleBindingRestrictions when namespaces are deleted #13563
- s...
v3.6.0-alpha.0
This is a feature release towards OpenShift 3.6.
Please note that we have updated the version numbering scheme for OpenShift to be consistent with the OpenShift version history to minimize impact to the installer and other related documentation and web links. OpenShift 3.6 replaces version number 1.6, and will be based on Kubernetes 1.6.
Changes
v3.6.0-alpha.0 (2017-03-21) Full Changelog
API
Move OpenShift API resources to their own API groups
API groups in Kubernetes allow extension of core APIs and better separation of unrelated API types.
In this release we are introducing API groups for all OpenShift API resources so that in the future
they can be used as extensions to a base Kubernetes distribution. These resources continue to be available
at /oapi/v1, but clients should begin using the new paths.
New API groups are available from the OpenShift API server at:
/apis/apps.openshift.io/v1: DeploymentConfigs/apis/authorization.openshift.io/v1: OpenShift role based access control/apis/build.openshift.io/v1: Build configs and builds/apis/image.openshift.io/v1: Images, ImageStreams, and other supporting resources/apis/oauth.openshift.io/v1: OpenShift OAuth resources like ClientAuthorization and Tokens/apis/network.openshift.io/v1: Network policy for openshift-sdn and NetworkEgressPolicy/apis/project.openshift.io/v1: Projects and project requests for role based access to namespaces/apis/quota.openshift.io/v1: ClusterQuota and supporting namespaced resources/apis/route.openshift.io/v1: Routes/apis/security.openshift.io/v1: PodSecurityPolicyReview resources/apis/template.openshift.io/v1: Templates/apis/user.openshift.io/v1: User and group resources
Stored templates, configuration, and client code intended for use with 3.6 and above can substitute the
apiVersion field for an object with GROUP/v1. CLI code will continue to generate objects with the
legacy apiVersion v1 to enable working with older versions. On many commands you can use
--output-version to indicate the new version
- API groups #12986
- Builds
Component updates
- Kubernetes:
- vSphere driver fixes:
- 39752: Fix panic in vSphere cloud provider #13159
- 39754: Fix fsGroup for vSphere #13159
- 39757: Fix space in volumePath in vSphere #13159
- 40693: Fix for vSphere DeleteVolume #13159
- 41217: Fix wrong VM name retrieval from the vSphere Cloud Provider #13159
- 42973: Fix selinux support in vSphere #13374
- Other fixes
- 36774: Allow auth proxy to set groups and extra info #12803
- 38818: Add sequential allocator for device names in AWS #13130
- 38925: Fix nil pointer issue when making mounts for container #13269
- 39751: Changed default SCSI controller type #13159
- 40080: Fix unit tests for Update action when AllowUnconditionalUpdate is false #12541
- 40301: Serve request header certificate CA #13163
- 40935: Include subresource in subjectaccessreview #13085
- 41226: Fix for detach volume when node is not present / powered off #13159
- 41436: Fix bug in status manager TerminatePod #13378
- 41455: Fix AWS device allocator to only use valid device names #13130
- 41814: Add client-ca to configmap in kube-public #13217
- 42275: API Discovery should always prefer /v1 #13152
- 42337: Plumb cipher/tls version serving options #13167
- 42491: Make the system:authenticated group addition smarter #13247
- 42622: Ensure etcd custom prefixes are not lost when upgrading to etcd3 #13298
- : Allow use of '*' as a capability in Security Context Constraints. #12875
- : Add appliedclusterresourcequotas to ignoredGroupVersionResources in namespace controller #12986
- : Admission namespace isAccessReview, remove post 1.7 rebase #13128
- : Wait for loopback permissions, remove after updating loopback authenticator #13217
- revert: add ExtraClientCACerts to SecureServingInfo" #13163
Features
Redesigned OpenShift Web Console Overview #1335
The web console has been heavily revised with a focus on showing the relationships between services and deployments,
with significant enhancements to layout and information presentation.
Other changes:
- web: Add fullscreen terminal support #1167
- web: Additional checks for security concerns during Import YAML and Template process #1321
Support environment variables as input to Jenkins Pipeline builds and build args to Docker builds
This makes it easier to parameterize these two classes of builds
- builds: Add env var support to the pipeline strategy #12323
- Allow build request override of pipeline strategy envs #13160
- builds: Support build args on Docker builds #12439, #13257
Other Features
- admin: Add a new network diagnostic pod image #12982
- admin: Use DefaultImagePrefix instead of hardcoded 'openshift/origin' for network diagnostic image. #13107
- documentation: Describe networking requirements for vendors replacing openshift-sdn #12981
- image: Support
reference-policyonoc import-image#13339 - jenkins: Support automatic use of 32 vs. 64 bit JVMs with the integrated Jenkins for more efficient memory use #13032
- registry: Allow control over TLS version and ciphers for docker-registry #13258
- security: The privileged SCC should be able to use all capabilities, even those not yet defined #12875
- security: Add a client for SCC review #12478
- security: Fix issue in SCC review defaulting #13044
- security: Make ciphers/tls version configurable #13167
- tests: Bundle test files with the extended.test binary in the RPM so tests can be run anywhere #13361
Bugs
- builds: Add parent BuildConfig to Build OwnerReferences #12961
- builds: Prevent build updates from reverting the build phase #13048
- builds: No failure reason displayed when build failed using invalid contextDir #13203
- builds: Work around docker race condition when running build post commit hooks #13100
- builds: Retry pulling an image if the build fails #13380
- cli: Don't print odd command names when the binary is symlinked #12781
- clusterup: Switch to nip.io from xip.io for default cluster up wildcard DNS #13023
- clusterup: Warn on error parsing Docker version #13201
- clusterup: Use loopback interface for ...
v1.5.0-rc.0
This is the first release candidate for OpenShift Origin v1.5.
Changes
Roadmap for the v1.5.0 release
v1.5.0-rc.0 (2017-03-09) Full Changelog
API
- Routes
- Change "." to "-" in generated hostnames for routes #12976
Component updates
- 37093: Endpoints with TolerateUnready annotation should list Pods in state terminating #13134
- 38746: recognize eu-west-2 region #13056
- 38818: Add sequential allocator for device names in AWS #13131
- 38855: Fix variable shadowing in exponential backoff when deleting volumes #13084
- 38909: Add path exist check in getPodVolumePathListFromDisk #13058
- 39825: Make PDBs represent percentage in StatefulSet #13143
- 40301: present request header cert CA #13145
- 40497: Make HandleError prevent hot-loops #13088
- 40553: Adjust global log limit to 1ms #13088
- 40625: controller: old pods should block deployment completeness #13133
- 40903: Set docker opt separator correctly for SELinux options #13141
- 40935: Plumb subresource through subjectaccessreview #13086
- 41196: Fix for Premature iSCSI logout #12990
- 41366: Change default reconciler sync period to 1 minute #13132
- 41455: Fix AWS device allocator to only use valid device names #13131
- 41864: Allow 'kubectl drain --force' to remove orphaned pods #13123
- 42097: Enqueue controllers after minreadyseconds when all pods are ready #13140
- 42178: stop spamming logs on restart of server #13126
- 42294: fix rsListerSynced and podListerSynced for DeploymentController #13173
- 42337: Plumb cipher/tls version serving options #13198
- 40301: present request header cert CA #13145
- 40903: Set docker opt separator correctly for SELinux options #13141
Bugs
- Ensure RPMs are only build from clean git trees #13000
- Add missing newlines in oc tag #12948
- Origin image was creating a file at /usr/local/bin with imagebuilder #13009
- Generated changes #13015
- Backported redistributable logic to Origin specfile #12969
- Removed line breaks in glog messages #12962
- Only report no running pods once #13022
- Install ceph-common pkg on origin to support rbd provisioning #13060
- Add PodSecurityPolicyReview client #13045
- Bug 1425706 - protect from nil tlsConfig. #13073
- Prevent build updates from reverting the build phase #13075
- Bug 1422376: Fix resolving ImageStreamImage latest tag #13090
- tito: generate man pages #13078
- Don't overwrite /usr/local/bin with a file #13092
- update guest profile with new arp tuning missed in #13034 #13103
- Verify manifest with remote layers #13099
- Use DefaultImagePrefix instead of hardcoded 'openshift/origin' for network diagnostic image. #13062
- backup and remove keys during migration #13118
- Update the reconciler sync period in master_config_test #13132
- Necessary origin updates #13145
- provider recorder to attach detach controller #13150
- Use posttrans for docker-excluder (#1404193) #13148
- Change logging deployer image name from 'logging-deployment' to 'logging-deployer' #13165
- Add stateful sets permissions to disruption controller #13199
- Output VXLAN multicast flow in sorted order #13200
- cluster up: warn on error parsing Docker version #13204
- No failure reason displayed when build failed using invalid contextDir #13206
- Work around docker race condition when running build post commit hooks. #13196
- make ciphers/tls version configurable #13198
- sdn: make /var/lib/cni persistent to ensure IPAM allocations stick around across node restart #13236
- Fix cookies for reencrypt routes with InsecureEdgeTerminationPolicy "Allow" #13250
- Allow control over TLS version and ciphers for docker-registry #13260
- Fix of BUG 1405440 #13273
- CGO_ENABLED prevents build cache reuse #13325
- Add addExtension helper #1195
- Fix duplicates in a repeater error for missing child services #1269
Release SHA256 Checksums
f8e1b6da0fe766a203f9cc454608eaa17eadf64da623466f1d8e1c39e2639997 openshift-origin-client-tools-v1.5.0-rc.0-49a4a7a-linux-32bit.tar.gz
1796f5131d253591c4649ee316b0f6d7a0b48b70010c56b0c0017e081475d284 openshift-origin-client-tools-v1.5.0-rc.0-49a4a7a-linux-64bit.tar.gz
60c8c174a6078382cd347dd75f8a4d362c19d5b2c9cc0e21baf6f86a6a56b6f3 openshift-origin-client-tools-v1.5.0-rc.0-49a4a7a-mac.zip
5d257629dc09ebd6e674ac7cb719ef423ec2d6ae6c237e251c8fa68160102ec5 openshift-origin-client-tools-v1.5.0-rc.0-49a4a7a-windows.zip
5c3475fa31d278efbb6a3f350eefd15d0ce2cb938043d11ac3c673250d9b39ab openshift-origin-server-v1.5.0-rc.0-49a4a7a-linux-64bit.tar.gz
v1.5.0-alpha.3
This is a development release of OpenShift Origin towards v1.5.0.
Backwards Compatibility
- The
--credentialsflag is now removed fromoadm routerandoadm registry#10830- service accounts are the preferred way to set secrets
- The
groupsfield on theUserobject has been deprecated #12870- Instead, create a
Groupobject and reference the user by name.
- Instead, create a
Changes
v1.5.0-alpha.3 (2017-02-19) Full Changelog
API
- templates: Allow namespace specification via parameter in templates #12918
-
If you specify a parameter replacement in the namespace field of a template object, it will be preserved:
kind: Template apiVersion: v1 parameters: - name: NAMESPACE objects: - kind: Service metadata: namespace: foo # ignored - kind: PersistentVolumeClaim metadata: namespace: "${NAMESPACE}" # will be set to the value of NAMESPACE -
Static values for namespace will continue to be ignored to prevent breaking old templates that included those fields
-
Component updates
- Patches on top of Kubernetes v1.5.2
- 35436: Add a package for handling version numbers (including non-semvers) #12448
- 37228: kubelet: storage: teardown terminated pod volumes #12669
- 37846: error in setNodeStatus func should not abort node status update #12570
- 37986: Add
clusterid, an optional parameter to storageclass. #12556 - 38378: glusterfs: properly check gidMin and gidMax values from SC individually #12556
- 38527: Fail kubelet if runtime is unresponsive for 30 seconds #12776
- 38579: Let admin configure the volume type and parameters for gluster DP volumes #12556
- 39831: Check if error is Status in result.Stream() #12610
- 39842: Remove duplicate calls to DescribeInstance during volume operations #12740
- 39844: fix bug not using volumetype config in create volume #12556
- 39998: Cinder volume attacher: use instanceID instead of NodeID when verifying attachment #12955
- 40023: Allow setting copyright header file for generated completions #12613
- 40763: reduce log noise when aws cannot find public-ip4 metadata #12760
- 40859: PV binding: send an event when there are no PVs to bind #12796
- 41043: allow setting replace patchStrategy for structs #12731
- 41147: Add debug logging to eviction manager #12876
- 41329: stop senseless negotiation #12938
- 41658: Fix cronjob controller panic on status update failure #13005
- :41034: use instance's Name to attach gce disk #12835
- : Change docker security opt separator to be compatible with 1.11+ #12831
- : kubelet: change image-gc-high-threshold below docker dm.min_free_space #12762
- : Workaround etcd310 / gprc version conflict with CRI #12600
- : request logs when attaching to a container #12648
Features
Template refinements
The OpenShift 1.5 release added a few new features for templates, including the ability to have integer, boolean, array, or map inputs (using the ${{PARAMETER}} syntax). This alpha also allows templates to span namespaces if you parameterize the namespace field of your objects. Previously, all namespace fields were stripped, but a template object with a namespace that references a parameter will now be filled in, allowing you to instantiate cluster scoped resources that refer to a named resource in the template. oc process --local has been added to allow you to locally transform a template for use with a regular Kubernetes server - the transformation is performed on the client instead of requesting the server do the transformation.
- templates: Allow namespace specification via parameter in templates #12918
- templates: Allow templates to be processed locally with
--local#12996
Ingress objects in the HAProxy router (tech preview)
The HAProxy router can be configured to expose Kubernetes Ingress objects. This feature is still under development and may change as more security protections are put into place. Not all features supported by Routes are available, including some advanced annotations.
- router: Support Ingress resources with the HAProxy router (tech preview) #12416
- router: Allow restricting Ingress objects from changing their hostname values #12653
- router: Fix Ingress compatibility with f5 #12843
Multicast and NetworkPolicy support for OpenShift SDN (tech preview)
Multicast and NetworkPolicy support are now available in OpenShift SDN for testing. Please see the documentation for more info on how to enable them.
- sdn: Implement NetworkPolicies with PodSelectors #12448
- sdn: Support multicast #12494
- sdn: Filter disallowed outbound multicast #12650
- sdn: Allow multicast for VNID 0 #12839
- sdn: Fixed the multicast CIDR (was 224.0.0.0/3 not /4) #12852
Node bootstrap (tech preview)
For the last several releases Kubernetes and OpenShift have been preparing to allow nodes to "self-register" in cloud environments where nodes can be spun up or down dynamically. In the v1.5.0 release the new experimental --bootstrap flag is available on nodes and will have the node request a client certificate from the master, then request a serving certificate, then download its node configuration from a config map. Cloud VM images can be "baked" with an account capable of self registration and the new oc adm certificate approve command can be used to approve the client and serving certificate requests.
This feature is still experimental and may change in future releases.
- cluster: Support a simple bootstrap mode for nodes in preparation for self-join #9547
Basic monitoring
oc cluster up now installs a Prometheus and Heapster template to the kube-system namespace - as an administrator you can switch to that namespace and easily install them for monitoring your cluster.
Prometheus can monitor your nodes, apiserver, and services labelled with the appropriate annotations and record metrics or fire alerts. Launch and expose Prometheus with:
$ oc project kube-system
$ oc new-app prometheus
$ oc expose svc/prometheus
See the Prometheus website for more info.
To use a standalone Heapster instance with no historical metrics, run:
$ oc project kube-system
$ oc new-app heapster-standalone
Autoscaling should now be enabled for your cluster. This is useful for smaller clusters where you don't need historical data as provided by Hawkular.
- clusterup: Install Prometheus and Heapster templates to the
kube-systemnamespace on cluster up #12844 - examples: Add a standalone Heapster example #12812
- examples: Add a Prometheus example #12793
Debugging the masters
In order to make it easier to capture profiles and other debug information about a running cluster, the /debug/pprof endpoints are
exposed on apiservers, controllers, and nodes, but protected via a new cluster-debugger role. Since the debug endpoint can extract sensitive information from the cluster, you should only give that role to trusted actors.
# Retrieve and process a heap dump from the master as a cluster-debugger
$ oc get --raw /debug/pprof/heap > /tmp/heap
$ go tool pprof PATH_TO_OPENSHIFT_BINARY /tmp/heap
# Capture a 30s CPU profile from the master as a cluster-debugger
$ oc get --raw /debug/pprof/profile > /tmp/cpuprofile
$ go tool pprof PATH_TO_OPENSHIFT_BINARY /tmp/cpuprofile
- admin: Add a new cluster-debugger role and enable debugging on masters #12895
- admin: Allow controller to be debugged using OpenShift credentials #12907