v3.0.0

github-actions released this 08 Jun 21:45

WARNING: Upgrading to this release will trigger a rollout of every managed AIStore cluster to sync its pod templates.

Added

  • A default pod-level security context is now applied when securityContext is unset; it sets the seccomp profile type to RuntimeDefault.
  • New AIS-container security context spec option aisContainerSecurityContext, replacing capabilities. It keeps the same underlying Kubernetes type.
    • Default when aisContainerSecurityContext is unset: drop all capabilities (capabilities.drop: [ALL]) and disallow privilege escalation (allowPrivilegeEscalation: false).
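The defaults above, as an added example that is not the operator's own code. It models the "apply only when unset" rule with reduced stand-ins for the Kubernetes security-context types (an assumption: the operator uses the real corev1 types) and adds a review helper that reports how a user-supplied aisContainerSecurityContext is weaker than the v3.0.0 baseline. The caveat it demonstrates follows from the note's wording: once you set aisContainerSecurityContext yourself, the hardened default is no longer applied, so an override that only adds a capability must restate drop: [ALL] and allowPrivilegeEscalation: false. The override values are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Local stand-ins for the corev1.PodSecurityContext and corev1.SecurityContext
// fields this example needs. Assumption: the operator uses the real Kubernetes
// API types; only the fields relevant to the v3.0.0 defaults are mirrored here.
type Capabilities struct {
	Add  []string
	Drop []string
}

type SeccompProfile struct {
	Type string // "RuntimeDefault", "Localhost" or "Unconfined"
}

type PodSecurityContext struct {
	SeccompProfile *SeccompProfile
}

type ContainerSecurityContext struct {
	Capabilities             *Capabilities
	AllowPrivilegeEscalation *bool
	Privileged               *bool
	SeccompProfile           *SeccompProfile
}

func boolPtr(b bool) *bool { return &b }

// defaultPodSecurityContext is the pod-level default: a RuntimeDefault seccomp profile.
func defaultPodSecurityContext() *PodSecurityContext {
	return &PodSecurityContext{SeccompProfile: &SeccompProfile{Type: "RuntimeDefault"}}
}

// defaultAISContainerSecurityContext is the AIS-container default:
// drop every capability and forbid privilege escalation.
func defaultAISContainerSecurityContext() *ContainerSecurityContext {
	return &ContainerSecurityContext{
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
		AllowPrivilegeEscalation: boolPtr(false),
	}
}

// effectivePodSecurityContext applies the default only when securityContext
// is unset; a user-provided value is used as-is.
func effectivePodSecurityContext(user *PodSecurityContext) *PodSecurityContext {
	if user != nil {
		return user
	}
	return defaultPodSecurityContext()
}

// effectiveAISContainerSecurityContext does the same for aisContainerSecurityContext.
// Consequence (reading of the release note): once the field is set, the hardened
// default is not merged in, so an override has to restate the baseline itself.
func effectiveAISContainerSecurityContext(user *ContainerSecurityContext) *ContainerSecurityContext {
	if user != nil {
		return user
	}
	return defaultAISContainerSecurityContext()
}

// baselineFindings lists the ways a container security context is weaker than
// the v3.0.0 default. Review aid for user overrides, not operator logic.
func baselineFindings(sc *ContainerSecurityContext) []string {
	var findings []string
	if sc.Privileged != nil && *sc.Privileged {
		findings = append(findings, "privileged is true")
	}
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		findings = append(findings, "allowPrivilegeEscalation is not explicitly false")
	}
	if sc.Capabilities == nil || !dropsAll(sc.Capabilities.Drop) {
		findings = append(findings, "capabilities.drop does not contain ALL")
	}
	if sc.Capabilities != nil {
		for _, c := range sc.Capabilities.Add {
			findings = append(findings, "capabilities.add grants "+c)
		}
	}
	if sc.SeccompProfile != nil && sc.SeccompProfile.Type == "Unconfined" {
		findings = append(findings, "seccompProfile.type is Unconfined")
	}
	return findings
}

func dropsAll(drop []string) bool {
	for _, c := range drop {
		if strings.EqualFold(c, "ALL") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed override: a user who only wants NET_BIND_SERVICE and forgets
	// to restate the defaults ends up weaker than leaving the field unset.
	override := &ContainerSecurityContext{
		Capabilities: &Capabilities{Add: []string{"NET_BIND_SERVICE"}},
	}
	for _, sc := range []*ContainerSecurityContext{
		effectiveAISContainerSecurityContext(nil),
		effectiveAISContainerSecurityContext(override),
	} {
		if f := baselineFindings(sc); len(f) == 0 {
			fmt.Println("matches baseline")
		} else {
			fmt.Println("weaker than baseline: " + strings.Join(f, "; "))
		}
	}
}
```

Run baselineFindings over any aisContainerSecurityContext you intend to commit; an empty result means the override is at least as tight as the unset default.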

Changed

  • Admission webhook

    • Rejects specs that set both spec.tls and any of configToUpdate.net.http.{server_crt,server_key,client_ca_tls}. The operator owns these paths (/var/certs/{tls.crt,tls.key,ca.crt}) whenever spec.tls is configured.
    • Allows updates to both proxy and target capabilities, mapped to container security context.
  • Target rollouts now tolerate Kubernetes-unschedulable pending pods.
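The spec.tls versus configToUpdate.net.http rule, as an added example that is not the operator's webhook code. It uses reduced stand-in types for the CR (an assumption: the real CRD types carry many more fields) and shows the admission decision together with the operator-owned paths named above, so a CR can be checked before it is applied. The sample certificate paths in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Reduced stand-ins for the AIStore CR fields the webhook rule touches.
// Assumption: only spec.tls and configToUpdate.net.http.{server_crt,
// server_key,client_ca_tls} are modelled; the real types have more fields.
type TLSSpec struct {
	SecretName string // spec.tls.secretName
}

type HTTPConf struct {
	ServerCrt   *string // server_crt
	ServerKey   *string // server_key
	ClientCATLS *string // client_ca_tls
}

type NetConf struct {
	HTTP *HTTPConf
}

type ConfigToUpdate struct {
	Net *NetConf
}

type AIStoreSpec struct {
	TLS            *TLSSpec
	ConfigToUpdate *ConfigToUpdate
}

// operatorOwnedTLSPaths are the paths the operator writes whenever spec.tls is set.
var operatorOwnedTLSPaths = map[string]string{
	"server_crt":    "/var/certs/tls.crt",
	"server_key":    "/var/certs/tls.key",
	"client_ca_tls": "/var/certs/ca.crt",
}

// conflictingTLSKeys returns the configToUpdate.net.http keys that are set while
// spec.tls is also configured. An empty result means the spec is admissible.
func conflictingTLSKeys(spec *AIStoreSpec) []string {
	if spec == nil || spec.TLS == nil || spec.ConfigToUpdate == nil ||
		spec.ConfigToUpdate.Net == nil || spec.ConfigToUpdate.Net.HTTP == nil {
		return nil
	}
	h := spec.ConfigToUpdate.Net.HTTP
	var keys []string
	if h.ServerCrt != nil {
		keys = append(keys, "server_crt")
	}
	if h.ServerKey != nil {
		keys = append(keys, "server_key")
	}
	if h.ClientCATLS != nil {
		keys = append(keys, "client_ca_tls")
	}
	return keys
}

// validateTLS is the admission decision: a non-nil error rejects the spec.
func validateTLS(spec *AIStoreSpec) error {
	keys := conflictingTLSKeys(spec)
	if len(keys) == 0 {
		return nil
	}
	owned := make([]string, 0, len(keys))
	for _, k := range keys {
		owned = append(owned, k+" -> "+operatorOwnedTLSPaths[k])
	}
	return fmt.Errorf("spec.tls is set, so the operator owns %s; remove configToUpdate.net.http.{%s}",
		strings.Join(owned, ", "), strings.Join(keys, ","))
}

func main() {
	// Constructed CR: spec.tls plus a hand-set server_crt path is rejected.
	crt := "/etc/ais/server.crt"
	bad := &AIStoreSpec{
		TLS:            &TLSSpec{SecretName: "ais-tls"},
		ConfigToUpdate: &ConfigToUpdate{Net: &NetConf{HTTP: &HTTPConf{ServerCrt: &crt}}},
	}
	fmt.Println(validateTLS(bad))
	// spec.tls alone is fine; so are the http keys alone when spec.tls is unset.
	fmt.Println(validateTLS(&AIStoreSpec{TLS: &TLSSpec{SecretName: "ais-tls"}}) == nil)
}
```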

  • Container spec comparison and sync are now unified across init, primary, and sidecar containers, with a per-kind rollout-trigger policy:

    • Sidecars (e.g. ais-logs): resources and securityContext diffs now trigger a rollout in addition to image.
    • Init containers: all init containers are compared. securityContext diffs now trigger a rollout in addition to image; env and probe diffs no longer trigger.
    • Renaming a container at the same index now triggers a rollout.
  • Removing a pod template field now triggers a rollout to sync the change (previously only env removals were detected).
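The per-kind rollout-trigger policy above, as an added example that is not the operator's sync code. Containers are a reduced stand-in for corev1.Container with resources, securityContext and probes compared as opaque strings (an assumption; the operator compares the structured fields). The init and sidecar rows follow the note; the row for the primary AIS container is an assumption drawn from the "Removed" section below (env changes and full resource diffs now trigger), and probe changes on it are treated as non-triggering because the page does not say. Container names and images in the test and in main are constructed.

```go
package main

import "fmt"

// Container is a reduced stand-in for corev1.Container. Assumption: resources,
// securityContext and probes are compared as opaque serialized strings here.
type Container struct {
	Name            string
	Image           string
	Resources       string
	SecurityContext string
	Env             map[string]string
	Probes          string
}

type Kind int

const (
	Init Kind = iota
	Primary
	Sidecar
)

func (k Kind) String() string {
	return [...]string{"init", "primary", "sidecar"}[k]
}

// policy records which field diffs trigger a rollout for a container kind.
// Init and sidecar follow the release note. Primary is an assumption derived
// from the "Removed" section (env diffs and full resource diffs trigger);
// probe diffs on the primary container are not described and do not trigger here.
type policy struct {
	image, resources, securityContext, env, probes bool
}

var policies = map[Kind]policy{
	Init:    {image: true, securityContext: true},
	Primary: {image: true, resources: true, securityContext: true, env: true},
	Sidecar: {image: true, resources: true, securityContext: true},
}

func envEqual(a, b map[string]string) bool {
	if len(a) != len(b) {
		return false
	}
	for k, v := range a {
		if w, ok := b[k]; !ok || w != v {
			return false
		}
	}
	return true
}

// diffContainer returns the trigger reasons for one container slot. A removed
// field compares as "" against a value, so removals trigger like any other diff;
// a rename at the same index triggers regardless of kind.
func diffContainer(kind Kind, cur, want Container) []string {
	p := policies[kind]
	var reasons []string
	if cur.Name != want.Name {
		reasons = append(reasons, "name")
	}
	if p.image && cur.Image != want.Image {
		reasons = append(reasons, "image")
	}
	if p.resources && cur.Resources != want.Resources {
		reasons = append(reasons, "resources")
	}
	if p.securityContext && cur.SecurityContext != want.SecurityContext {
		reasons = append(reasons, "securityContext")
	}
	if p.env && !envEqual(cur.Env, want.Env) {
		reasons = append(reasons, "env")
	}
	if p.probes && cur.Probes != want.Probes {
		reasons = append(reasons, "probes")
	}
	return reasons
}

// needsRollout compares every container of one kind by index and reports the
// reasons. Adding or removing a container is itself a trigger.
func needsRollout(kind Kind, cur, want []Container) (bool, []string) {
	if len(cur) != len(want) {
		return true, []string{kind.String() + ": container count changed"}
	}
	var reasons []string
	for i := range cur {
		for _, r := range diffContainer(kind, cur[i], want[i]) {
			reasons = append(reasons, fmt.Sprintf("%s[%d] %s: %s", kind, i, cur[i].Name, r))
		}
	}
	return len(reasons) > 0, reasons
}

func main() {
	// Constructed: the init container gains an env var and a tighter
	// securityContext; only the securityContext diff should trigger.
	cur := []Container{{Name: "init", Image: "example/ais-init:1", Env: map[string]string{}}}
	want := []Container{{Name: "init", Image: "example/ais-init:1",
		Env: map[string]string{"EXTRA": "1"}, SecurityContext: "drop=ALL"}}
	_, reasons := needsRollout(Init, cur, want)
	fmt.Println(reasons)
}
```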

  • All label-based selection now uses the prefixed labels app.kubernetes.io/name and app.kubernetes.io/component.

    • Labels applied to pods are NOT changed.
    • Newly-created StatefulSets select only on prefixed labels. Existing StatefulSets continue to select on all labels and are not updated in place.
    • Replaces selector usage of app and component. Legacy labels remain on pods and StatefulSets for compatibility with existing selectors.
    • User labels cannot override app.kubernetes.io/name and app.kubernetes.io/component.
  • Deprecated the capabilities spec option in favor of the more accurately named aisContainerSecurityContext.
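The label migration above, as an added example that is not the operator's code. It builds the pod label set (prefixed plus legacy labels, with user labels unable to override the prefixed keys), the selector a newly created StatefulSet uses, and a matchLabels check that shows an existing StatefulSet's selector still matches the new pods. Assumptions: a pre-3.0.0 StatefulSet selected on the legacy app and component labels, the legacy and prefixed name labels carry the same cluster-name value, and the example also protects the legacy labels from user overrides; the cluster and component values are constructed.

```go
package main

import "fmt"

const (
	labelName       = "app.kubernetes.io/name"
	labelComponent  = "app.kubernetes.io/component"
	legacyApp       = "app"
	legacyComponent = "component"
)

// podLabels builds the label set for a pod of the given cluster and component.
// User labels are copied first, so they can never override the prefixed keys;
// the legacy app/component labels stay for existing selectors.
// Assumption: legacy and prefixed name labels share the cluster name as value,
// and legacy labels are protected from user overrides as well.
func podLabels(cluster, component string, user map[string]string) map[string]string {
	out := make(map[string]string, len(user)+4)
	for k, v := range user {
		out[k] = v
	}
	out[labelName] = cluster
	out[labelComponent] = component
	out[legacyApp] = cluster
	out[legacyComponent] = component
	return out
}

// newStatefulSetSelector is what a StatefulSet created by v3.0.0 selects on.
func newStatefulSetSelector(cluster, component string) map[string]string {
	return map[string]string{labelName: cluster, labelComponent: component}
}

// legacyStatefulSetSelector models a StatefulSet created by an older operator,
// which is not updated in place (assumption: it selected on the legacy labels).
func legacyStatefulSetSelector(cluster, component string) map[string]string {
	return map[string]string{legacyApp: cluster, legacyComponent: component}
}

// selects implements matchLabels semantics: every selector key must be present
// on the pod with the same value.
func selects(selector, labels map[string]string) bool {
	for k, v := range selector {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

func main() {
	// Constructed: a user label set that tries to override the prefixed name.
	user := map[string]string{"team": "storage", labelName: "evil"}
	labels := podLabels("ais", "target", user)
	fmt.Println(labels[labelName], labels["team"])
	fmt.Println(selects(legacyStatefulSetSelector("ais", "target"), labels),
		selects(newStatefulSetSelector("ais", "target"), labels))
}
```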

  • Deprecated the stateStorageClass and hostPathPrefix root-level spec options. Use stateStorage.pvc.storageClass and stateStorage.hostPath.prefix, respectively.

  • Updated the default manager args set by the operator kustomize overlay and the resulting Helm chart:

    • Enable leader election by default.
    • Set explicit bind addresses for health probe and metrics.
    • The metrics server now serves with the certificate from the metrics-server-cert secret.

Removed

  • Removed the StatsD ConfigMap, volume, and mounts.
    • StatsD support was deprecated in AIStore v3.28 and dropped in v4.0.
  • Removed deprecated TLS spec fields: spec.tlsCertificate, spec.tlsSecretName, spec.tlsCertManagerIssuerName.
    • Migrate to spec.tls.certificate, spec.tls.secretName, or spec.tls.certificate with mode: csi respectively before upgrading. Existing CRs that still use the old fields will be rejected by the new schema.
  • Removed deprecated log-sidecar spec fields: spec.logSidecarImage, spec.logSidecarResources.
    • Migrate to spec.logSidecar.image and spec.logSidecar.resources before upgrading.
  • Removed backwards-compatible env-var rollout skips: AIS_PUBLIC_HOSTNAME removals on the AIS container and AIS_PUBLIC_DNS_MODE/HOST_IPS additions on the init container will now trigger a rollout instead of being ignored.
  • Removed the rollout-skip for adding resources.requests.ephemeral-storage; resource diffs are now compared in full.