Skip to content

v3.10.0-rc.0

Pre-release
Pre-release
Compare
Choose a tag to compare
@smarterclayton smarterclayton released this 20 Jun 01:41
· 12539 commits to master since this release
c20e215

This is the first release candidate of OpenShift Origin 3.10.

Backwards Compatibility

  • Moving from legacy API resources (/oapi) to group resources
    • The server process endpoint now creates resources in the new group APIs (*.openshift.io) #19458
    • The RBAC bootstrap policy file is now saved as rbac.authorization.k8s.io/v1 resources #19756
  • Configuration changes
    • The disabledFeatures configuration item has been removed from master config #19070
    • Master configuration no longer requires the deprecated clusterNetworkCIDR/hostSubnetLength fields to be set in networkConfig #18669
    • Some node default values have changed #19190
      • Remove the default pods-per-core setting of 10, which makes nodes default to 250 pods total.
      • The certificate signing controller defaults to creating certs with a 1 year expiration (a7bd9d6)
  • rbac: Project editors can no longer create or update daemonsets, which prevents tenants from impacting cluster stability #18971
  • Metrics for the template instance broker have changed #19133
  • Moved or deleted content #19262
    • The examples/ directory has been cleaned up
    • The v1 federation implementation has been removed as it did not graduate to beta.
    • The node.service systemd file has been removed from hte RPMS, along with the master services (2113900)
  • Changes to OpenShift images #19509
    • As we prepare to split the OpenShift API server into multiple binaries, several new images have been created:
      • openshift/origin-hypershift - A new hypershift binary that launches OpenShift specific components
      • openshift/origin-hyperkube - The Kubernetes hyperkube binary
      • openshift/origin-cli - The OpenShift CLI oc
      • openshift/origin-tests - The extended test suite for OpenShift
    • Some existing images have been renamed
      • openshift/origin is now openshift/origin-control-plane
      • openshift/node is now openshift/origin-node
    • The openshift/openvswitch image has been folded into openshift/origin-node
    • A new binary openshift-node-config takes a node-config.yaml file and converts it to kubelet arguments in the openshift/origin-node image
  • CLI changes
    • Some client-side deletion support has been removed in favor of the controller-driven deletion mechanisms #19616
    • oc export is deprecated and oc get --export should be used instead.
  • The router has separate liveness and readiness probes for use with upstream load balancers #19009
  • XFS quota for emptyDir volumes is now configured via a config file in the volume directory #19533
  • Changes to oc cluster up
    • The cluster launched by oc cluster up is now launched as a set of individual processes running in images, instead
      of the previous single large container. This more closely mimics real production environments.
    • Docker machine support in oc cluster up has been removed
    • oc cluster up now only supports launching a cluster of the same version as the oc binary.

Changes

Roadmap for the v3.10 release

v3.10.0-rc.0 (2018-06-19) Full Changelog

API

Ingress support

In order to better adapt ingress objects to routes, a new controller has been added to OpenShift that
maps Kubernetes Ingress objects (in their v1beta1 form) to OpenShift Routes automatically. This
allows the HAProxy router to report status, perform host overrides, support multi-tenant protection on
hostnames, and securely manage Ingress secrets.

The controller converts each Ingress rule into its own route, as long as the rule has a hostname or TLS
hostname. Any referenced secrets are copied into the final Route and kept up to date. If a generated route
is deleted it will be recreated by the controller. Once a route is created, any annotations or route
specific fields will not be altered unless the route is deleted (such as weighted service backends). A
route with a TLS endpoint will be set to Reencrypt termination, but that may be changed after creation.

The router process itself no longer needs to watch Ingress or Secret resources.

  • router: Replace router support for ingress with an ingress-to-route controller #18658

Other changes

  • Image signature annotations are ignored #19037
  • Explicitly prohibit spec updates to imagestreamtag resources which are not a spec tag. #18532

Component updates

  • Updated to Kubernetes v1.10.0-47-gb81c8f8 + patches
    • 42873: add kubectl api-resources command #19884
    • 54530: api: validate container phase transitions #18791
    • 57202: Fix format string in describers #18810
    • 58972: Fix job's backoff limit for restart policy OnFailure #19672
    • 59170: Fix kubelet PVC stale metrics #18637
    • 59301: dockershim: don't check pod IP in StopPodSandbox #18425
    • 59316: Exit if no client cert is available for 5m #18430
    • 59365: Fix StatefulSet set-based selector bug #18797
    • 59931: do not delete node in openstack, if those still exist in cloudprovider #19038
    • 60289: fix freespace for image GC #18767
    • 60342: Fix nested volume mounts for read-only API data volumes #18766
    • 60455: removes custom scalers from kubectl #19275
    • 60490: Volume deletion should be idempotent #18856
    • 60632: Add volumemetrics for ISCSI Plugin #19842
    • 60654: notify systemd on kubelet start #18886
    • 60978: Fix use of "-w" flag to iptables-restore #18919
    • 61287: provide easy methods for direct kubeconfig loading from bytes #18956
    • 61294: Fix cpu cfs quota flag with pod cgroups #19028
    • 61378: --force only takes effect when --grace-period=0 #19213
    • 61459: etcd client add dial timeout #19953
    • 61480: Allow sockets to be mounted in subpath #19329
    • 61790: make reapers tolerate 404s on scaling down #19275
    • 61808: Ensure -o yaml populates kind/apiVersion #19137
    • 61949: Tolerate 406 mime-type errors attempting to load new openapi schema #19137
    • 61962: Avoid data races in unit tests #19137
    • 61985: Restore show-kind function when printing multiple kinds #19137
    • 62074: Narrow interface consumed by scale client #19137
    • 62114: removes job scaler, continued #19275
    • 62146: Fix daemon-set-controller bootstrap RBAC policy #19517
    • 62152: Keep node.kubeconfig correct during rotation #19857
    • 62196: Remove need for server connections for dry-run create #19137
    • 62199: Make priority rest mapper handle partial discovery results #19137
    • 62234: Handle partial group and resource responses consistently #19137
    • 62254: Add name output and verb filtering to api-resources #19884
    • 62336: add statefulset scaling permission to admins, editors, and viewers #19275
    • 62394: Revert "git: Use VolumeHost.GetExec() to execute stuff in volume plugins" #19359
    • 62416: kuberuntime: logs: reduce logging level on waitLogs msg #19334
    • 62461: allow higher burst for discovery #19327
    • 62462: Private mount propagation #19364
    • 62469: stop defaulting kubeconfig to http://localhost:8080 #19335
    • 62543: Timeout on instances.NodeAddresses cloud provider request #19733
    • 62572: Prevent virtual infinite loop in volume controller #19371
    • 62584: Make x-kubernetes-print-column print handling opt-in #19352
    • 62668: add metrics to cinder volume #19444
    • 62733: Set a default request timeout for discovery client #19471
    • 62744: Fix kubectl describe cronjob #19391
    • 62827: fix csi data race in csi_attacher_test.go #19508
    • 62874: dockershim/sandbox: clean up pod network even if SetUpPod() failed #19576
    • 62913: make a simple dynamic client that is easy to use #19515
    • 62914: kubelet: fix flake in TestUpdateExistingNodeStatusTimeout #19453
    • 63086: Fix discovery default timeout test #19471
    • 63160: kubelet: logs: do not wait when following terminated container #19545
    • 63169: Remove unnecessary dependencies on api/core/v1 #19509
    • 63177: kubectl takes a dependency on the controllers #19509
    • 63295: Fixed CSI volume detach when the volume is already detached #19816
    • 63303: Return attach error to A/D controller #19816
    • 63321: kubelet: force filterContainerID to empty string when removeAll is true #19580
    • 63339: kubelet: volume: do not create event on mount success #19625
    • 63349: Decorate function not called on Create #19602
    • 63403: don't block creation on lack of delete powers #19404
    • 63416: Retry certificate approval on conflict errors #19770
    • 63417: Panic when map string bool flag has no value #19620
    • 63421: Cache preferred resources, use in kubectl resource name autocomplete (single commit) #19884
    • 63490: default the ignorenotfound for delete when selecting objects #19616
    • 63650: Never clean backoff in job controller #19672
    • 63716: Add InstallPathHandler which allows for more then one path to be associated with health checking. #19009
    • 63831: Always track kubelet -> API connections #19638
    • 63831: Close all kubelet->API connections on heartbeat failure #19638
    • 63848: Deflake discovery timeout test #19714
    • 63875: make TestGetServerGroupsWithTimeout more reliable #19723
    • 63903: Revert "Openstack: register metadata.hostname as node name" #19730
    • 63903: Revert "Specify DHCP domain for hostname" #19730
    • 63903: Revert "Split out the hostname when default dhcp_domain is used in nova.conf" #19730
    • 63926: Avoid unnecessary calls to the cloud provider #19742
    • 63966: kubectl: fix Flatten() when used without Latest() #19747
    • 63977: pkg: kubelet: remote: increase grpc client default size #19774
    • 64026: Enable SELinux relabeling in CSI volumes #19816
    • 64028: Tolarate negative values when calculating job scale progress #19765
    • 64443: services must listen on port 443 for aggregation #19866
    • 64516: Fix error message to be consistent with others #19884
    • 64573: remove extra "../" when copying from pod to local #19898
    • 64797: Handle deleted DaemonSet properly #19927
    • 64855: Fix setup of ephemeral storage #19939
    • 64883: Fix up legacy printer table adapter #19934
    • 64916: improve memory footprint of daemonset simulate #19956
    • 64946: log healthz check #19952
    • 64969: volume: decrease memory allocations for debugging messages #19960
    • 65001: Quiet verbose apiserver logs #19970
    • 65009: daemon: add custom node indexer #19980
    • 65027: Use actual etcd client for /healthz/etcd checks #19992
    • 65063: Re-use private key after failed CSR #20000
    • : Add PSP review to /oapi Resources #19542
    • : Remove write permissions on daemonsets from Kubernetes bootstrap policy #18971
    • : XFS quota for emptyDir volumes #19533
    • : add RawConfig to factory for commands modifying raw kubeconfig files #19343
    • : aggregator to proxy oapi to apps.openshift.io server #18652
    • : allow injecting printers #19137
    • : allow oc kubeconfig loading to have our flags and errors #19335
    • : change config file location and restore perFSGroup to quantity #19773
    • : controller-manager patches for recycler #18887
    • : disable local storage isolation feature gate #19323
    • : enable critical pod support by default #19104
    • : filter daemonset nodes by namespace node selectors #18989
    • : inject new parameter for image resolution into kubectl set image #19348
    • : pods in openshift-* namespace can be marked critical #19104
    • : rewrite unstructured objects on the CLI to avoid oapi #19327
    • : avoid contacting server for restmappings in local mode #19996
    • : make RootFsInfo error non-fatal on start #19137
    • : stop wrapping --sort-by value in {} #19777
  • Other patches

Features

Multi-stage Docker image build support

Builds using the Dockerfile build strategy can now build multi-stage Docker images. The from field continues to target
the last image stage in the Dockerfile, but the new as attribute on imageSources allows other stages to be replaced
with triggered images.

  • Support multi-stage dockerbuilds via imagebuilder #18741, #19494

Support external OAuth token authenticators

OpenShift can now be configured to delegate login flows to a remote OAuth capable endpoint like Keycloak. This allows
a central Keycloak server to authenticate multiple clusters. See the documentation for more details about configuring
this option.

  • auth: Add option to configure an external OAuth server #18969
  • auth: Support WebhookTokenAuthenticators for using external servers as token authenticators #18868

Other Features

  • auth: Add oc adm prune role command to clean up rolebindings that are not bound to valid roles #19619
  • cli: Add server-side column printer support for openshift objects #19934
  • clusterup: Add --enable=automation-service-broker #19409
  • image: Parallelize image mirroring and reuse mounted layers #19017
  • migrate: Allow storage migration to be performed in parallel #19691
  • registry: Both internal and external hostnames for the registry should be in docker pull secrets #19838
  • router: Make updating status on the router optional #17420
  • router: Prometheus should scrape the router by default #18254
  • router: Support for DNS names in egress routes #15409
  • router: Perform real backoff when contending for writes from the router #18686
  • router: Make router conflict detection work even during initial informer sync #19706
  • router: Allow only a subset of routes from specific domains to be overriden by the hostname-template #19418
  • router: Allow egress-router to connect to its own node IP for DNS #19885
  • server: Expose api-versions and api-resources in oc #19884
  • template: Allow TemplateInstances to create arbitrary resources, including CRDs #19396

Bugs

  • build: Retry retrieving build logs in some cases #19695
  • cert: Order x509 certificate subjects to prevent a Golang / GNUTLS incompatibility #18837
  • cli: Support quay.io pushing in oc image mirror #19016
  • cli: Correct oc scale error handling #19275
  • cli: Improve validation for oc set volume #19169
  • cli: Fix incorrect oc run default option #19712
  • cli: Dots should be allowed in environment variable names passed to oc new-app #19688
  • diagnostic: Replace usage of brctl with /sbin/ip #19929
  • jenkins: Adjust jenkins template setting to account for effects of constrained default max heap #18832
  • network: Fix handleDeleteSubnet() to release network from subnet allocator #18801
  • network: Fix egressip handling when a NetNamespac is updated #18808
  • network: The NetworkCheck diagnostic did not use the correct config file #18709
  • network: Allow configurable CNI bin dir in openshift SDN #18464
  • network: Correctly report initial NodeNetworkUnavailable condition #18758
  • network: Allow subnet allocator to handle changes to the subnet values #18999
  • network: Prevent incorrect deletion of HostSubnet OVS flows #19080
  • network: Make changing egress network policy rules more efficient #19346
  • network: Print out errors that occur when using macvlan and a namespace cannot be retrieved #19491
  • network: Remove openvswitch check from UnitStatus diagnostic #19572
  • network: Use a real OVS transaction when changing network configuration on the host #19393
  • network: Use a go-native DNS library instead of dig command for dns resolution in egress network policy #19805
  • network: Do not throw spurious error when minTTL=0 for the domain in egress network policy #19950
  • network: Remove the node from dnsmasq config when shutting down #19987
  • network: Get lowest TTL from the DNS resolution chain for egress DNS #19982
  • node: Fix to pass quoted unsafe strings (with characters like *,<,%) correctly to kubelet #19951
  • registry: Update docker config secret to support the future location of the registry service #19514
  • registry: Make docker registry service controller check all secrets #19788
  • router: When a router is reloaded after a batch of route/ingress changes are committed, haproxy sometimes fail to reload #18587
  • router: Some route status updates were being lost #19018
  • router: Combine backend map files to fix path based routing #18840
  • router: Wildcard routes should not take precedence over sub-routes #19076
  • router: Some routes were being rejected incorrectly when NAMESPACE_LABELS was set #19330
  • router: The router can forget routes when routes are created and deleted in rapid succession #19175
  • router: Unidle in router should ignore headless services #19416
  • router: Allow Prometheus to get metrics from the router #19318
  • security: Correctly handle legacy PodSecurityPolicyReview resources #19542
  • server: Improve performance of the SDN controller by using shared caches #18911
  • server: Move range allocation to an internal API as rangeallocations.security.openshift.io #19277
  • server: Set etcd DialTimeout, fix etcd start order in all-in-one #19953
  • server: When etcd is down, avoid pathological healthz behaviors #19992
  • service-catalog: Start API and controller pods with log verbosity = 3 #19135

Release SHA256 Checksums

f876258c9a6221637a84e35ff68e9af96c2f2013eb9ae41ea33abd9286aa045c  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz
dcb414712e8ae08146634d0c18720476e7afd024aa100bd2246d064de6658664  ./openshift-origin-server-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz
872e0b58684af5d17b41a0585c50b41d09fbefa449d80927ba91252ac998deb3  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-mac.zip
25eef2fc0401209e3b5d40239827c023f463cdafeb06f81f1a6a0af9deaa1d25  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-windows.zip
1c21ba58ee0f7fc8b55e9d84099632ec970051adc3744a294a10bcd3aefcfe21  ./CHECKSUM