@smarterclayton smarterclayton released this Dec 29, 2016 · 267 commits to master since this release

This is a feature development release leading up to v1.5.0. It is immediately prior to rebasing onto Kubernetes 1.5.

SHA256 Checksums

9ba0b123fe9792cdde76b0ed7f65cfc631f8db54942afb5eb6408c1d9935cc83  openshift-origin-client-tools-v1.5.0-alpha.1+71d3fa9-linux-32bit.tar.gz
a8ea8a13bfdfa113cd18d32ccc08d4cd9bc7b583d39921c8202570e4dba1f712  openshift-origin-client-tools-v1.5.0-alpha.1+71d3fa9-linux-64bit.tar.gz
ec05350dc06889dca456d70252e3cb969aa6ce7ac8b873c02fac453ffd5f815f  openshift-origin-server-v1.5.0-alpha.1+71d3fa9-linux-64bit.tar.gz




@smarterclayton smarterclayton released this Dec 12, 2016 · 2308 commits to master since this release

This is a patch release to Origin v1.3.x containing stability and security fixes.


v1.3.2 (2016-12-12)

  • Fix AWS attach / detach logic for volumes #12024
  • Cluster resource quotas were not properly recording their status, leading to inaccurate quota info #12067

Release SHA256 Checksums

ed6c77bd870bb70a474a435b74475090e0b1d17f837e4156b442a1176d634e6d  openshift-origin-client-tools-v1.3.2-ac1d579-linux-32bit.tar.gz
73f175a5aba04aaca3f873ca24631f246931dc5d9904d50bc4a7153988d121b1  openshift-origin-client-tools-v1.3.2-ac1d579-linux-64bit.tar.gz
a1049820c3cca7ffaf7fe1e8b7913eddea09ae705b4e8e8f42072abeb46085de  openshift-origin-image-v1.3.2-ac1d579-linux-64bit.tar.gz
d84852af7cc8c2de21b566286667c7850415d23f1d007e612c73c04f276c8bc4  openshift-origin-server-v1.3.2-ac1d579-linux-64bit.tar.gz




@smarterclayton smarterclayton released this Nov 19, 2016 · 884 commits to master since this release

This is the first release candidate for OpenShift Origin v1.4.0.


v1.4.0-rc1 (2016-11-19)

Release SHA256 Checksums

71b854fdc5e80f97afa8e20c4f138eff3dc8c3acb4a8dae6c6bac14fa93270ef  openshift-origin-client-tools-v1.4.0-rc1.b4e0954-linux-32bit.tar.gz
8b51c0c3db20101740590075a63540fefe7a4f797fdb832974c6f61bac8bd901  openshift-origin-client-tools-v1.4.0-rc1.b4e0954-linux-64bit.tar.gz
574185a6a19bb0ef02dd15d6c6aac1e08d89106725bcd39d8fa85297fe7c8528  openshift-origin-server-v1.4.0-rc1.b4e0954-linux-64bit.tar.gz




@smarterclayton smarterclayton released this Nov 19, 2016 · 808 commits to master since this release

This is the first alpha release for OpenShift v1.5.0.


v1.5.0-alpha.0 (2016-11-19)

Release SHA256 Checksum

8d1559c5f1b6b33a45d2c0e81e7d0d4389a2a4f6ebf825c029d5c1c434ceb6f3  openshift-origin-client-tools-v1.5.0-alpha.0+3b2bbe5-linux-32bit.tar.gz
1c45409e742e67466fca0b66eed98f4e5672acbcdb11817b5014f1f7830ed463  openshift-origin-client-tools-v1.5.0-alpha.0+3b2bbe5-linux-64bit.tar.gz
0585066a9fe5a9240b119d83b6585558a7de02a59bee81db5ece581a78abf833  openshift-origin-server-v1.5.0-alpha.0+3b2bbe5-linux-64bit.tar.gz




@smarterclayton smarterclayton released this Nov 4, 2016 · 1088 commits to master since this release

This is the final alpha for Origin 1.4.

Backwards Compatibility


v1.4.0-alpha.1 (2016-11-03)

API Changes and backwards compatibility notes

  • PATCH is allowed in CORS requests #11700
  • Authorization checks like SubjectAccessReview may now be performed on non-existent namespaces #11321
  • Webhooks that are in error now return a JSON status body with their response with extended information about the failure #11077
  • The permissions required to proxy a node have changed #11228
  • Deployment behavior with automatic=false has changed in 1.4 #11223
  • Remove updatePercent from deployments #11090
  • The CLI has removed support for passing comma-separated template parameters through --param/--value - the flag must be specified multiple times to pass multiple parameters #11539


Update Kubernetes to v1.4.0 + patches

  • 1.4.x Cherry picks #11709
  • 35285: Remove stale volumes if endpoint/svc creation fails. #11722
  • 35082: Wait for all pods to be running before checking PDB status #11714
  • 33014: Report the image digest in pod status when available #11674
  • 34434: Print valid json/yaml output in kubectl set image #11664
  • 34298: Fix potential panic in namespace controller #11632
  • 30836: Fix dynamic provisioning for vSphere #11598
  • 35608: Update PodAntiAffinity to ignore calls to subresources #11578
  • 34997: Fix kube vsphere.kerneltime #11574
  • 35420: Remove Job also from for Replace strategy #11523
  • 32593: Audit test fails to take into account timezone #11505
  • 31607: Add kubectl describe storageclass #11481
  • 30145: Add PVC storage to Limit Range #11396
  • 32084: Do not allow creation of GCE PDs in unmanaged zones #11369
  • 32077: Do not report warning event when an unknown provisioner is requested #11368
  • 32662: Change the default volume type of GlusterFS provisioner #11367
  • 35206: Update default run func for cmds containing sub-commands #11362
  • 27714: Send recycle events from pod to pv. #11259
  • 34763: Log warning on invalid --output-version #11239
  • 34028: Add --dry-run option to kubectl create sub-commands #11238
  • 33958: Add global timeout flag #11104
  • 34010: Match GroupVersionKind against specific version #11286
  • 34020: Allow empty annotation values #11210
  • 33464: Fix cache expiration check #11088
  • 33319: Add nodeport option when creating NodePort service #11059


  • sysctl support in runtime and via SecurityConstraintContexts #11195

  • Rules review endpoint for other users #11172

  • SCC check API: REST #11075

  • Support non-string template parameter substitution #11421

  • Enable jenkins autoprovisioning #11065

  • Fix OAuth redirect ref in Jenkins service account #11681

  • F5 should be able to integrate into the openshift-sdn directly #11181

  • Provide vxlan integration options to the router cmd line #11677
  • Fix a problem with F5 node watches #11742

  • Verify all certificates used by the router #11218

  • Change router to use a certificate list/map file for stronger validation of user certificates #11217
  • Allow wildcards to be supported in routers #11550

  • Allow compression to optionally be enabled for all routes #11469

  • Convert openshift-sdn to a CNI plugin #11082

  • network: Fix join/isolate project network under CNI #11679
  • sdn: miscellaneous fixes after the CNI merge #11613
  • network: fix single-tenant pod setup and leave docker0 around #11588

  • Make rollout and rollback more in line with upstream Kubernetes in the CLI #11655

  • oc: add -o revision in rollout latest #11357
  • oc: deprecate 'deploy --latest' in favor of 'rollout latest --again' #11287

  • Convey conditions about deployments, replication controllers, deployment configs, and replica sets on the API objects for better user comprehension of problems #11214

  • deploy: Set condition reason correctly for new RCs #11609
  • deploy: add conditions when creating replication controllers #11412

  • Add Ceph RBD and Gluster provisioners #11460

  • Support specifying StorageClass while creating volumes with oc set volume #11451

  • Add 'oc set resources' #11384

  • Admins can now default build pod annotations and node selectors #11380

  • Add option to install logging components to oc cluster up #11343

  • Add oc cluster status for helpful info about a recent cluster #11171

  • Add option to oc whoami to print the server url #11180

  • Switch nodes to enable pods-per-core as the primary constraint, and increase max pods #11174

Console Features

Managing project membership

An important feature for people that want to collaborate within the same projects, the new membership management interface lets you add and remove roles to users, groups, and service accounts within your project.


Project administrators have access to view and modify the project’s membership. Membership management is the only difference between an admin and an editor in the default OpenShift roles. Cluster administrators can add a description to any role to provide extra information for end users about what that role actually allows.

Creating and Adding Secrets for Build and Deployment Configurations

Prior to 1.4 it was very difficult to set up a build against a private git repository from the web console. Previously you had to Import YAML/JSON to create your secret and then edit your build’s YAML to make it use that secret.

Now you can expand the advanced build options, create a user/password or SSH key based secret and tell the build to use that when cloning your source. Already have your secret created in that project? You can pick any of your existing ones too.


While we were making private git repository connections easier to set up, we figured we should improve setting up push and pull against private image registries as well. The build configuration editor lets you set up a push or pull secret in case the image you are building from or the image stream you are pushing to is on a secure registry. Similarly the new deployment configuration editor allows you to specify a pull secret.

Editor for deployment configuration strategy, hooks, and secrets

We’ve had a GUI editor for build configurations for a few releases now, but now we’ve added one for deployment configurations too. From the new editor you can:

  • Switch your deployment strategy
  • Tweak advanced deployment settings like the maximum number of pods that can be unavailable during the deployment
  • Add, edit, or remove deployment lifecycle hooks
  • Change the image being deployed
  • Set a pull secret for the registry your image is being pulled from
  • Add, edit, or remove environment variables for the pods that will be deployed


Many of the existing editing actions we supported still exist as separate actions, such as editing health checks, or configuring different resource limits. If you want to make a number of changes without triggering a deployment for each change, you can now Pause your deployment, make all the changes you want, and then Resume it. Pausing will prevent any deployment from happening no matter whether it was automatically or manually triggered.

Organization of Add to Project Catalog / Customizable Categories

Our existing “Add to Project” catalog could become quite cluttered when dealing with builder images with many versions, or lots of templates with slight differences. In the past we had focused on minimizing the number of clicks to getting you to something running, but now we’ve focused on helping you find what you are actually looking for. The main catalog page now only contains high level categories “Languages” and “Technologies” and underneath those are sub-categories, such as “Java” or “Data Stores”. Diving into one of those you’ll find re-designed tiles for builder images and templates. Different versions of the same builder image now all roll-up to the same tile with the semantically latest version automatically selected. We have also taken a hard look at all of our out of the box images and templates and focused on providing better display names, descriptions, and categorization.


Don’t like our categories? Now you can customize the categories and subcategories as much as you want.

Filtering and Sorting the Project List

We have a class of users for OpenShift that manage many projects on behalf of a larger set of developers. To make things easier for people with a large number of projects, the project list now has a text filter on name, display name, description, and project creator. It also allows sorting on several of these attributes.


Quota Warnings

Users working within quota constraints previously had a hard time knowing when they had run out of quota unless they went to check the Quota page. We wanted to add some checks for the most common scenarios where people have problems with quota. You’ll now get quota warnings:

  • On the overview - this is a generic warning if anything in your quota is at its limit
  • On the overview pod count visualizations - when we think you are unable to reach your scale target due to quota
  • If you try to create something and we know you are out of quota for that resource
  • If you try to create something and we think it will cause you to exceed quota for a resource

Bookmarkable Page States

Sometimes the little things can make all the difference. Have you been annoyed that you couldn’t send someone straight to the log tab for a pod? Now you can! Tab selection, label filters, and several other options that change page state are now persisted to the URL throughout the console. You can bookmark and share with others.

Support for new and beta Kubernetes features

Create storage using storage classes

  • If your cluster admin sets up storage classes, then they will be available for you to pick from in the “Create Storage” page.

Deployments and ReplicaSets

  • Will fit in seamlessly on the overview alongside your existing Deployment Configurations
  • Will appear on the Applications -> Deployments page
  • Support many of the actions we already supported for Deployment Configurations (excluding the new editor)

Roll-up of PetSet pods on the Overview

  • A PetSet’s pods will roll up into a single card with a pod count visualization like the other controllers
  • You’ll be able to see metrics on the overview for the pods in the petset


  • admin: Allow oadm prune * to work against a single namespace #11249
  • admin: Make node evacuate command aware of replica set and daemon set #11284
  • audit: Switch to use upstream audit handler #11192
  • auth: Use custom transport for GitLab OAuth communication #11693
  • bootstrap: Add additional warning for oc cluster up not being able to access port 8443 #11597
  • bootstrap: Bind socat to when using it on OS X #11139
  • bootstrap: Display warning instead of error if ports 80/443 in use #11600
  • bootstrap: Do not re-initialize a cluster that already has been initialized #11146
  • bootstrap: Lack of IPv6 should not prevent oc cluster up from starting a container #11219
  • bootstrap: Remove temporary files when creating a new cluster #11157
  • builds: Allow labels to be set when building images #11209
  • builds: Delete temporary secret data as soon as possible in builds #11116
  • builds: If the input image cannot be found, immediately fail the build #11398
  • cli: Add bash completion for pod name to oc exec #11329
  • cli: Clean up command descriptions (1/2) #11608
  • cli: Clean up command descriptions (2/2) #11684
  • cli: Ensure volumes worked correctly when used with oc apply and strategic merge patches #11062
  • cli: Improve oc start-build --follow to behave more predictably #11119
  • cli: Improve exec and attach error messages #11549
  • cli: Improve export for deployment configs #11529
  • cli: Improve oc help global options hint #11703
  • cli: Set the BASIC or SSH secret type with oc secrets new-* #11222
  • cli: Support for the --local flag in set deployment-hooks #11395
  • cli: Update short description for rollout #11657
  • cli: Validate inputs to 'oc run' for better user feedback #11635
  • cli: oadm manage-node --list-pods should return a single list of pods for scripting #11216
  • cli: oc env should be able to return a list of items post-mutation #11379
  • cli: oc login must ignore some SSL cert errors when --insecure #11145
  • cli: oc project should work against a Kubernetes server directly #11120
  • cli: fix oc whoami --show-server output #11697
  • cloud: Initialize cloud provider in node #11620
  • cloud: Make service controller startup failure non-fatal on unsupported platforms #11648
  • deploy: Correct updating lastTransitionTime in deployment conditions #11665
  • deploy: Default maxSurge/maxUnavailable separately #11678
  • deploy: Make deployment triggers more performant with lower latency by avoiding unnecessary work #11501
  • deploy: When instantiating a deployment, ensure it doesn't error if no changes occurred #11500
  • diagnostics: Test more pod to pod connectivity test combinations #11717
  • doc: Improved API docs for role bindings API #11344
  • doc: oc cluster up doc update #11624
  • extended: deployment with multiple containers using a single ICT #11221
  • extended: move deployment fixtures in separate directory #11212
  • images: Add the Jenkins v2 imagestreams to the default list #11360
  • images: Adds display name to image streams, updates PostgreSQL link #11619
  • images: Ensure multi-segment image names are properly handled on image import and tagging #11173
  • images: Improve out-of-the-box template and image stream metadata #11540
  • ipfailover: Allow the iptables chain that will accept multicast connections to be configured #11327
  • jenkins: Autoprovisioning is re-enabled #11543
  • network: Ensure that veth TX queue length is always set to non-zero to enable QoS #11126
  • network: Fix EgressNetworkPolicy match-all-IPs special case #11673
  • network: Fix creation of macvlan interfaces #11663
  • network: Release subnet leases upon hostsubnet delete #11628
  • newapp: Improve oc new-app output for better readability #11220
  • newapp: Validate non-numeric EXPOSE directive when strategy wasn't specified #11687
  • newapp: oc new-app --search should not require docker hub access #11436
  • perf: Improve reliability dockercfg secret creation by using shared caches #11394
  • perf: Use a cache of layer sizes to reduce stats calls in the registry #11558
  • perf: Use service account informer in podsecuritypolicyreview #11612
  • projects: Log project request failures #11226
  • projects: Only pay attention to origin types in project lifecycle admission #11627
  • quota: ClusterResourceQuota was reporting incorrect values #11595
  • reliability: Enable PodDisruptionBudget #11187
  • router: Allow http for edge terminated routes with wildcard policy. #11760
  • security: Control who can set the owner ref field on objects #11397
  • security: Restrict who can use custom builds by default #11411
  • security: Test x509 intermediates correctly #11307
  • server: Require TLS 1.2 by default for clients #11495
  • server: Warn if no login IDPs have been configured #11235
  • volumes: Allow pv controller to recycle pvs, watch recycler pod events #11731
  • volumes: Ensure meta info is loaded before removing a PV #11737

Release SHA256 Checksums

3001b9b00861567c9fbef99766e5a9af729477fae93c392818ad3fab6d4713dd  openshift-origin-client-tools-v1.4.0-alpha.1+f189ede-linux-32bit.tar.gz
59a59c21cf7631cf4f32a38eb96d661e73b0fa08c4d996735f5e339911731d8f  openshift-origin-client-tools-v1.4.0-alpha.1.f189ede-linux-64bit.tar.gz
229bd998bcb22871a0c2b0cc6ae5688324d79ed998cff922df5f73c35ca06861  openshift-origin-server-v1.4.0-alpha.1.f189ede-linux-64bit.tar.gz



@smarterclayton smarterclayton released this Oct 18, 2016 · 5746 commits to master since this release

This is a patch release to Origin v1.2.x containing a security related fix. All users on v1.2.x are recommended to upgrade to v1.2.2.


v1.2.2 (2016-08-18)

  • Intermediate CA certificates were being improperly checked for authorization (CVE-2016-7075) #11413

Release SHA256 Checksums

4b2321ffe2dc2ca74651532b77fa1ebca9865de173790aedcdd0ecad2831d4a1  openshift-origin-client-tools-v1.2.2-565691c-linux-32bit.tar.gz
d957b439a9194ccf01c48973449b84495649fadecc00c34a49ca6fd38b6c96a0  openshift-origin-client-tools-v1.2.2-565691c-linux-64bit.tar.gz
f431fcf03a6ae9aa9a6800f00050e571481ee71fe0821dea1ca405d1e5b4f76a  openshift-origin-server-v1.2.2-565691c-linux-64bit.tar.gz



@smarterclayton smarterclayton released this Oct 14, 2016 · 2308 commits to master since this release

UPDATED: Mac client tools have been rebuilt on top of Go 1.7 to fix various issues related to the OS X Sierra update.

This is a patch release to Origin v1.3.x containing a security related fix. All users on v1.3.0 are recommended to upgrade to v1.3.1.


v1.3.1 (2016-08-14)

  • Intermediate CA certificates were being improperly checked for authorization (CVE-2016-7075) #11308
  • Tolerate caching delays when checking permissions for newly created namespaces #10932
  • Properly default client rate limiting in controllers - very low values were being defaulted #10930
  • Some non-resource URLs were being denied for the cluster infrastructure roles #10933
  • Annotations used in cluster resource quota were not being properly validated #10929
  • oc login should ignore some SSL related errors when using --insecure #11179
  • Some roles should have access to the node's /spec endpoint #11047
  • Fixed oc segfault seen in macOS Sierra (10.12) #11085

Release SHA256 Checksums

72ab655a7e5068bba654b774ef614715a7baba011e7305f6796bda829d59192e  openshift-origin-client-tools-v1.3.1-dad658de7465ba8a234a4fb40b5b446a45a4cee1-linux-32bit.tar.gz
2e25d7da6748562f10138a7616a7c027c3025086e08b42355978aebfed4da718  openshift-origin-client-tools-v1.3.1-dad658de7465ba8a234a4fb40b5b446a45a4cee1-linux-64bit.tar.gz
ba5b9b1af3af19b7e4a01179e4a8af61486deeac6870c4cadfaf733322bc7181  openshift-origin-server-v1.3.1-dad658de7465ba8a234a4fb40b5b446a45a4cee1-linux-64bit.tar.gz




@smarterclayton smarterclayton released this Sep 16, 2016 · 2228 commits to master since this release

This is Origin v1.3.0 rebased onto Kube v1.4.0-beta.3





@smarterclayton smarterclayton released this Sep 16, 2016 · 2308 commits to master since this release

This is OpenShift Origin 1.3.0!

Backwards Compatibility

Please see alpha.0 -> rc1 release notes for a full description of backwards compatibility changes.

  • v1beta3 in storage is no longer supported - please see the release notes for a migration guide
  • This is the last release that will support v1.0.0 API backwards compatibility, specifically:
    • The Service field spec.portalIP will no longer be returned in 1.4.0
    • The Pod field status.hostIP will no longer be returned in 1.4.0


v1.3.0 (2016-09-15)

Blog post coming soon - please see alpha.1, alpha.2, alpha.3, rc1 for more!


  • router: Properly clean up deleted routes in the router #10855
  • cli: oc process was not properly handling parameter values with = in them #10880
  • storage: Ensure the master side attach-detach function works successfully #10892
  • quota: Ensure that the cluster resource quota annotation selector works for long annotation values #10896

Release SHA256 Checksums

05c83a3337ab995bad24b7359b876a3d2d3bdbdf09cc40949835c52d2fc0c659  openshift-origin-client-tools-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-32bit.tar.gz
0d3b632fae9bc2747caee2dae7970865097a4bc1d83b84afb31de1c05b356054  openshift-origin-client-tools-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-64bit.tar.gz
fcdeeb5bed5faa606ec024b7b1e7c9d3e3303f8cb21df70c5a4da1b20340609c  openshift-origin-image-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-64bit.tar.gz
cadb7408c45be8c19dde30c82e59f21cec1ba4f23f07131f9a6c8c20b22c3f73  openshift-origin-server-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-64bit.tar.gz




@smarterclayton smarterclayton released this Sep 7, 2016 · 2324 commits to master since this release

This is release candidate 1 of OpenShift Origin 1.3.0.

Backwards Compatibility

  • HAProxy router template format has changed
    • As part of the expanded features added to the HAProxy router in 1.3, a configuration file format change was necessary to the internal structure used by the router config template (the haproxy.config.template) file. Instructions for adapting to the new format are located here
  • Jenkins auto-deployment has been disabled - see #10260 for more

API Changes

  • Networking
    • Many of the network API objects have much stricter validation. #10466
  • Routes
    • All backends in a route may be set to have zero weight, which means no traffic should be sent to that backend. #10428

Component updates

  • Updated to Kubernetes 1.3.5 + patches
    • 32000: Update node status instead of node in kubelet #10790
    • 31730: Fixes for attach-detach controller enablement on existing nodes #10748
    • 30690: Don't bind pre-bound pvc & pv if size request not satisfied #10522
    • 31627: make deep copy of quota objects before mutations #10704
    • 31396: Fixed integer overflow bug in rate limiter #10646
    • 31047: Close websocket stream when client closes #10550
    • 25308: fix rollout nil panic issue #10543
    • 29093: Fix panic race in scheduler cache from 28886 #10518
    • 30839: queueActionLocked requires write lock #10504
    • 30624: Node controller deletePod return true if there are pods pending deletion #10503
    • 30731: Always return command output for exec probes and kubelet RunInContainer #10494
    • 30796: Quota usage checking ignores unrelated resources #10493
    • 28234: Make sure --record=false is acknowledged when passed to commands #10486
    • 30736: Close websocket watch when client closes #10475
    • 29639:<drop>: Fix default resource limits (node allocatable) for downward api volumes and env vars #10467
    • 27541: Attach init container #10427
    • 30510: Endpoint controller logs errors during behavior #10415
    • 30626: prevent RC hotloop on denied pods #10414
    • 30533: Validate involvedObject.Namespace matches event.Namespace #10392
    • 30313: remove duplicate errors from aggregate error outputs #10317
    • 29212: hpa: ignore scale targets whose replica count is 0 #10305
    • 29982: Fix PVC.Status.Capacity and AccessModes after binding #10268
    • 30162: return err on oc run --image with invalid value #10250
    • 31446: fix delay establishing log streaming connection #10617
    • 31353: fix duplicate validation/field/errors #10613
    • Additional bulk picks #10247, #10385, #10541
  • Updated Docker distribution
    • Fix pushing to GCS storage #10640


v1.3.0-rc1 (2016-08-07)

Add setting and viewing route weights from the CLI

The A/B route balancing feature now has a CLI command to manage it, oc set route-backends, and route weights show up in the oc get and oc describe commands for the route.
Routes may have one or more optional backend services with weights controlling how much traffic flows to each service. Traffic is assigned proportional to the combined weights
of each backend. A weight of zero means that the backend will receive no traffic. If all weights are zero the route will not send traffic to any backends.

You can bulk set route backends by specifying their name and weight:

$ oc set route-backends myroute prod=99 canary=1

This will send 99% of traffic to the prod service and 1% to the canary service. If the service does not exist no traffic will be sent. You can keep the service listed as
a backend but not send traffic to it by specifying weight 0:

$ oc set route-backends myroute prod=1 canary=0

See the help for more advanced incremental adjustments (--adjust canary=+10%).

  • Add CLI support for routes with multiple backends #10551.

Support bare-metal, highly available IPs for services

For users deploying onto bare metal without a cloud provider, access to highly available TCP load balancing can be difficult. OpenShift 1.3 extends the supported ip-failover
router HA solution to also enable HA Kube services with failover. Administrators would configure HA router nodes and then ensure that a block of IPs is routed to those nodes
in the IP failover configuration. That block would then be configured in the OpenShift master-config.yaml:


This is the default behavior, and can be disabled by setting the value equal to When a service of type=LoadBalancer is created, a new IP would be assigned to the
service and traffic would flow to that service. Note that running with a cloud provider disables this feature since the provider's native service load balancer is used.

  • Support network ingress on arbitrary IPs #9454
  • Add a default ingress ip range #10500

Image Policy API

Image policy allows you to manage which images are allowed to run on the cluster and perform resolution of image tags to image digests on demand (to lock the executed version).
Policy can:

  • Block images outside of the integrated registry from being used in pods
  • Require the presence of an annotation on the underlying image (not settable by end users) to run the image
  • Allow integrators to perform security scans of images and then block the image from being executed on the platform.

The default configuration will block images that are annotated in the internal registry - if the annotation is set on an image referenced
by a pod to true, OpenShift will prevent that image from being run. This can be used by an external scanner to block certain images from being used.

See the image policy documentation for more on configuring policy.

  • Add image policy enforcement #8995

Build integrations with the cluster more easily

The new oc observe command is an experimental tool for reacting to changes in your Kubernetes cluster and building scripted interactions. It allows you to easily
get notified of changes to a particular resource type (like services, deployments, namespaces, persistent volumes) and invoke a command.

For example, if you want to send an email to your admin every time a node stops being reachable, create a script that takes

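$ cat
#!/bin/bash
# $1 is the node name, $2 is the status of the node's Ready condition
mkdir -p /tmp/ready
if [[ $2 != 'False' ]]; then
  # Node is ready: remember that, so a later transition to False can be detected
  touch "/tmp/ready/$1"
  exit 0
fi
if [[ -f "/tmp/ready/$1" ]]; then
  # Node was ready before and is not now: report the transition once
  echo mail -s "$1 went DOWN!" "We're down at $(date)"
fi
rm -f "/tmp/ready/$1"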

$ oc observe node -a '{{ range .status.conditions }}{{ if eq .type "Ready" }}{{ .status }}{{ end }}{{ end }}' --output gotemplate -- ./

Whenever a node transitions from having condition Ready with status True to status False, an email will be sent to your admin. See the oc observe help for
more suggestions and explanation of how observe can help you build simple integrations.

You can get observe as a Docker image via docker pull openshift/observe:latest - the oc observe command is the entrypoint and you can bind mount a kubeconfig file
to /root/.kube/config.

Improve the OAuth Grant page

OpenShift embeds a full featured OAuth server for managing access to cluster resources. The OAuth authorization grant page has been improved to describe the scopes being
requested, the impact those scopes might have, and to warn users of any potential security risks. In addition, the grant page now allows the user to select which scopes
to grant.


  • Improve OAuth Grant page and allow partial scope approval #10321

Other Features

  • project: Respect scope rules in list/watch projects #10252
  • cli: Improve oc describe imagestream #10405


  • admin: Add a command to separate projects when multi-tenant SDN is on - oadm pod-network isolate-projects #10365
  • admin: Ignore negative value of grace-period passed to oadm manage-node #10350
  • admin: Recognize gzipped empty layer when marking parents in oadm top images #10293
  • admin: Return directly if no pods found when evacuating #10447
  • bootstrap: Better support containerization on some Docker platforms in oc cluster up #10571
  • builds: Avoid temporary delays in processing builds due to improper use of cache code #10581
  • builds: Avoid using bsdtar for extraction during build #10364
  • builds: Commit information not being properly output into build logs #10515
  • builds: Don't perform pod deletion management for pipeline builds #10370
  • builds: Ensure temporary files are closed if Docker 'DownloadFromContainer' fails #10325
  • builds: Show namespace for custom strategy bc #10340
  • builds: Validate CustomStrategy early #10480
  • cli: Add oc describe help suggestion to cmds with --container option #10469
  • cli: Add a line break when no events in describe #10653
  • cli: Add new-app support for detecting .net apps #10463
  • cli: Allow --raw URL to retrieve authenticated URLs from a server with oc get #10542
  • cli: Avoid failures during scaling by fetching objects up front #10684
  • cli: Better describe oc tag -d #10597
  • cli: Deprecate --list option from volumes cmd #10457
  • cli: Display an error when git is not available and --from-repo is requested in oc start-build #10397
  • cli: Fix oc extract usage message for the --keys flag #10614
  • cli: Fix oc project|projects when in cluster config #10521
  • cli: Improve oc set env key-value pair matching for environment variables #10619
  • cli: Improving circular dependency checking for new-build #10067
  • cli: New app example improvements #10534
  • cli: Project labels should be visible from oc get #10329
  • cli: Remain in the current project at login if possible #10378
  • cli: Return error in oc set env RESOURCE when no env args are provided #10485
  • cli: Show restart count warnings only for latest deployment #10440
  • cli: Suggest use of oc get bc on oc start-build error output #10720
  • cli: Support init containers in 'oc debug' #10578
  • cli: Tagging images across namespaces with oc tag was importing from the wrong location #10510
  • cli: oc extract should default to current directory #10468
  • cli: oc should not fail negotiating API versions against Kubernetes #10824
  • deploy: Don't reprocess configs on stream updates yet #10744
  • deploy: Emit event when cancelling a deployment #10590
  • deploy: React to image stream changes more quickly during deployment processing #10456
  • deploy: Retry conflicts when updating RC faster #10507
  • deploy: Some image change triggers were not being matched on deployments #10444
  • deploy: Wait for deployer pod to be running before getting logs #10560
  • deploy: remove top level generator pkg #10502
  • examples: Fix pre-deploy hook args on cakephp example #10572
  • gitserver: Fix gitserver build config search #10576
  • idling: Add previous-scale annotation for idled resources #10421
  • idling: Clarify idle error and usage output #10492
  • idling: Don't health-check idled services #10420
  • idling: Ensure only endpoints are specified in oc idle #10335
  • idling: Handle deleted services correctly without erroring out #10648
  • images: Make import image more efficient #10244
  • images: Sometimes tags are not updated when running oc tag to referenced tags #10708
  • ipfailover: Fix range expansion on VRRP addresses #10498
  • ipfailover: Stop using node selector as ipfailover label #10388
  • jenkins: Add specific roles and permissions for access to the Jenkins console #10649
  • jenkins: Fix autoprovision enabled field name #10612
  • jenkins: Increase readiness timeout #10593
  • network: Allow startup to continue even if nodes don't have EgressNetworkPolicy list permission #10358
  • network: Clear kubelet-created initial NetworkUnavailable condition on GCE #10545
  • network: Disabling idling should not turn off the service proxy #10667
  • network: Periodically sync k8s iptables rules #10465
  • network: Re-setup SDN on startup if ClusterNetworkCIDR changes #10569
  • network: Regenerate proxy iptables rules on EgressNetworkPolicy change #10652
  • network: Revert SDN automatic mode detection #10751
  • network: SDN plugin names were missed #10432
  • policy: Allow registry-admin and registry-editor to create serviceaccounts #10443
  • policy: Block setting ownerReferences and finalizers #10464
  • policy: Reconcile non-resource-urls #10785
  • project: Clean up requested project if there are errors creating template items #10577
  • quota: Properly enforce image stream counts #10517
  • registry: Handle older configuration files without erroring out on upgrade #10673
  • registry: Login via token to the registry should use HTTP header info for redirection #10418
  • registry: Properly reuse service clusterIP in oadm registry #10496
  • registry: Properly serve the manifest configuration blob for images #10805
  • registry: servingCert was not handled properly in oadm registry #10442
  • router: Allowed 'true' for the DROP_SYN_DURING_RESTART variable #10514
  • router: Enable secure cookie for secure-only edge routes #10573
  • router: Extend DDOS protection to reencrypt and passthrough routes #10513
  • router: Properly remove duplicates from routers #10747
  • router: Set X-Forwarded-For headers for reencrypt routes. #10318
  • router: Update the default certificate and allow for better replacement #10345
  • router: Use annotations for tuning route healthcheck intervals #10342
  • rpm: Build RPM using the build scripts #10398
  • rpm: Make build spec file platform independent #10695
  • s2i: Increase default timeout for operations against Docker #10675
  • server: Add quota controller metrics #10307
  • server: Call out config validation warnings more clearly #10461
  • volume: Recycler pod was failing to recycle processes #10454

  • Lots of code cleanup PRs, thanks to all who helped! #10591, #10589, #10583, #10557, #10547, #10446, #10433, #10409, #10408, #10399, #10372

Release SHA256 Checksums

a9be9890fbfa491bb05fa659f6f98685a29f41eb5fd6a7c74d0bf959c7eb6502  openshift-origin-client-tools-v1.3.0-rc1-ac0bb1bf6a629e0c262f04636b8cf2916b16098c-linux-32bit.tar.gz
bfd20d7332e38db6f52fb941c339206aafb8dc259715ced97bdd32a693637d94  openshift-origin-client-tools-v1.3.0-rc1-ac0bb1bf6a629e0c262f04636b8cf2916b16098c-linux-64bit.tar.gz
e7878e14b9160bf108a951b5f635958fed9244de085eba40fd68f51e7210e918  openshift-origin-server-v1.3.0-rc1-ac0bb1bf6a629e0c262f04636b8cf2916b16098c-linux-64bit.tar.gz