May 1, 2019

@smarterclayton smarterclayton released this Oct 11, 2018 · 5433 commits to master since this release

This is the 3.11 release of OpenShift Origin.

Backwards Compatibility

  • auth: The auth reconcile command is now deprecated as its functionality is part of the server #20177
    • The CLI command is now identical to the upstream auth reconcile and no longer updates roles
  • auth: The cluster-reader RBAC role is now an aggregated role to simplify adding new permissions #20279
  • cli: oc patch is now consistent with the kubectl patch command #20665
  • cli: oc types is now deprecated - use oc api-resources instead #21000
  • security: If the scheduler.alpha.kubernetes.io/node-selector annotation is set on a namespace, openshift.io/node-selector is now ignored #21058
  • server: The openshift start node functionality and openshift start have been removed - the Kubelet must now be started directly #20344, #20717
    • By using the Kubelet directly we make nodes easier to manage and more consistent with the upstream.
    • Future releases will remove other parts of openshift start master.

Changes

Roadmap for the v3.11 release

v3.11.0 (2018-10-10) Full Changelog

API

  • build: Allow dashes to be used in the environment variable names in builds #20738
  • image: Return information about image layers that are associated with an image stream to improve registry performance #19969, #20643
  • security: Promote sysctl annotations to fields in SecurityContextConstraints #20151

Component updates

  • Updated to Kubernetes v1.11.0-62-gd4cacc0 + patches
    • 62943: set updated replicas in statefulsets #20347
    • 64378: Don't reset global timeout on each for loop iteration #20452
    • 64426: Clean up fake mounters. #20117
    • 64447: Add block volume support to internal provisioners #20058
    • 64541: Add more kubectl auth reconcile flags #20281
    • 64860: checkLimitsForResolvConf for the pod create and update events instead of checking period #20070
    • 64879: Add block volume support to Cinder volume plugin #20270
    • 64896: kubectl: wait for all errors and successes on podEviction #20452
    • 65189: fix paths w shortcuts when copying from pods #20034
    • 65189: revert: fix paths w shortcuts when copying from pods" #20075
    • 65226: Put all the node address cloud provider retrieval complex logic into cloudResourceSyncManager #20615
    • 65238: fix scheduler port boundary to match detection #20033
    • 65326: fix printer check to tolerate vendoring #20033
    • 65329: make builder tolerant of restmapper failures when it doesn't need the answer #20033
    • 65367: make sure delete waiting doesn't re-evaluate the resource lists #20033
    • 65368: legacy api endpoints only support v1 ever #20033
    • 65370: delete should tolerate a failed wait because of missing verbs #20033
    • 65377: special-case templates get.go #20033
    • 65447: Resolve potential devicePath symlink when MapVolume #20117
    • 65480: allow enabling kubelet serving certificate rotation via flag #20033
    • 65486: show type differences in reflect diff #20033
    • 65488: flatten nested lists for flatten in visitor #20033
    • 65489: kubectl convert should not double wrap output in nested lists #20033
    • 65547: Honor custom transport dialer #20033
    • 65549: Fix flexvolume in containerized kubelets #20358
    • 65587: Revert "certs: only append locally discovered addresses when we got none from the cloudprovider" #20033
    • 65686: fix kubectl create priorityclass failure bug #20624
    • 65700: Update output format so that it matches actual accepted values #20139
    • 65705: Block volumes should have empty FSType #20327
    • 65711: make template printers a recommended printer #20257
    • 65715: fail on rbac resources of non-v1 versions in reconcile #20177
    • 65786: update --template printer defaulting #20257
    • 65856: only need to ignore resources that match discovery conditions #20242
    • 65899: use self-signed cert fixtures in integration test servers #20309
    • 65904: track schemes by name for error reporting #20242
    • 65906: Improve multi-authorizer errors #20379
    • 65908: switch delete strategy to background deletion #20274
    • 65987: Add region label to dynamic provisioned cinder PVs #20418
    • 66008: Convert TestServerRunWithSNI to subtests to isolate flake #20302
    • 66085: fix updateJob scheduling of resync #20763
    • 66136: make delete waits match on UID #20305
    • 66172: Reverting commit #56600 as GCE PD is allocated in chunks of GiB inste... #20418
    • 66225: add support for "success" output for edit command #20589
    • 66225: update testcase for edit #20589
    • 66249: fill in normal restmapping info with the legacy guess #20392
    • 66324: Fixing E2E tests for disk resizing #20418
    • 66350: Start cloudResourceSyncsManager before getNodeAnyWay (initializeModules) to avoid kubelet getting stuck in retrieving node addresses from a cloudprovider #20615
    • 66352: update logs cmd to deal w external versions #20343
    • 66397: Fix upper limit on m5/c5 instance types #20439
    • 66398: fix logs command to be generic for all resources again #20514
    • 66403: indicate which scheme has conflicting data #20372
    • 66406: Send correct headers for pod printing #20437
    • 66406: tolerate missing column headers in server-side print output #20437
    • 66464: Avoid overflowing int64 in RoundUpSize and return error if overflow int #20418
    • 66519: switch attach to use external objs #20514
    • 66725: update exit code to 0 if patch not needed #20456
    • 66779: add methods to apimachinery to easy unit testing #20471
    • 66835: cloudprovider: aws: return true on existence check for stopped instances #20663
    • 66837: fix panic fake SAR client expansion #20491
    • 66929: add logging to find offending transports #20554
    • 66931: Use the passed-in streams in kubectl top #20529
    • 66932: Include unavailable apiservices in discovery response #20635
    • 67024: add CancelRequest to discovery round-tripper #20554
    • 67033: expose default LogsForObject consumeRequest func #20550
    • 67093: improve config file modification time #20566
    • 67094: Fix incorrect reporting of total request including current pod in the resource allocation priority function. #20603
    • 67094: Output volumes (total capacity and requests) too along with cpu and memory when the feature BalanceAttachedNodeVolumes is used. #20603
    • 67097: Ignore EIO error in unmount path #20866
    • 67236: fix azure disk create failure due to sdk upgrade #20662
    • 67316: Adds tests for --all-containers=true #20684
    • 67399: update patch to work with --local and avoid extra requests #20642
    • 67399: update patch to work with --local and avoid extra requests #20665
    • 67433: allow failed discovery on initial quota controller start #20635
    • 67433: allow failed discovery on initial quota controller start #20693
    • 67493: Tolerate nil input in GetValueFromIntOrPercent #20532
    • 67615: attach: Move the AttachFunc default function to the initializer #20697
    • 67698: Fix NameFromCommandArgs when passing command after -- #20730
    • 67822: Remove provisioner config from log message. #20756
    • 67835: Tests that use CheckTestingNSDeletedExcept must be serial #18816
    • 67896: expose generic storage factory primitives #20777
    • 67957: Size http2 buffers to allow concurrent streams #20783
    • 68007: Orphan DaemonSet when deleting with --cascade option set #20793
    • 68008: apiserver: forward panic in WithTimeout filter #20979
    • 68563: fix scheduler crash when Prioritize Map function failed #21194
    • 68678: tighten maximum retry loop for aggregate api availability #21012
    • 68680: Fix chown on distributed flex volumes (like gluster) #21070
    • : Node selector aware DS controller should not process openshift-io/node-selector if scheduler.alpha.kubernetes.io/node-selector is set. #21058
    • : Coerce string->int, empty object -> slice for backwards compatibility #20164
    • : Ensure perFSGroup quantity is positive #20564
    • : Expose ns lifecycle admission list of allowed resources #20242
    • : Gracefully handle empty volume-config file #20154
    • : oc patches on kubectl #20721
    • : patch in a non-standard location for apiservices #20578
    • : rewrite unstructured objects on the CLI to avoid oapi #20033
    • : simplify kube-controller-manager patches #20954
    • : switch back to use ugorji/go - decode to signed integers #20033
    • : tidy up oc patches and ensure we never print a non-groupified object #20385
    • : GCE load balancer unit test is flaky #20230
    • : Remove influxdb dependency until the next rebase #18816
    • : carry old printers until we update #20033
    • : carry old printers until we update #20257
    • : Fix cloud provider vsphere data race #20033
    • : Increase loglevel for health check #20616
    • : Make auth reconcile work with backlevel versions until ansible updates #20033
    • : vSphere test has race conditions, disable #20231

Features

  • build: Support ConfigMaps as sources in build definitions - allows you to have config from the build #19655, #20064
  • cli: Add oc image append which can add a new layer or change metadata on a Docker image against a remote registry #20027
  • cli: Add oc image extract to extract all or part of an image to disk from any platform #20466
  • cli: Support SSPI (Kerberos authentication) on Windows for the command line #11371
  • cli: Include the kubectl binary in release output #20932, #20958, #20900
  • network: Support automatic and highly available egress IPs for applications #19578, #20485, #21085, #20258, #20500
  • router: Support for mutual TLS authentication between the router and service backends. #19891, #20476
  • router: Allow HAProxy to dynamically change backends without requiring a reload #19073, #20559, #20557, #20630, #20646

Bugs

  • auth: Add namespaced servicebrokers, serviceclasses and serviceplans to admin/edit/view ClusterRoles #20852
  • auth: Update GitLab IDP to support OIDC #19997
  • auth: Use the upstream RBAC roles for reconciliation #20638
  • build: Ensure OOMKilled reason from pods are reported on build status #20297
  • build: Move deployer and build binaries into oc #20011 #20008
  • build: Remove false alarm warning for repo binary input on oc start-build #20100
  • cli: Allow patching configapi using oc patch #20642
  • cli: Honor 'oc edit' output format #20589
  • cli: accept --kubeconfig like kubectl #20721
  • cluster: Cluster quota controller tolerate inaccessible api resources #20693
  • deploy: Be tolerant on deployment decode and strict on encode to prevent incorrect fields #20185
  • deploy: Fix printing DC replicas #21017
  • dns: Restore graceful shutdown of DNS server #21021
  • image: Deprecate oc import-image legacy path using annotations #19673
  • image: Image stream imports longer than 30s should not fail #20419
  • image: Log image changes on verify-image-signature without --save #19976
  • image: Prune images in parallel #19468
  • image: Reuse existing imagestreams with new-app #20052
  • migrate: Ignore resources that cannot be listed and updated #21075
  • network: Bug 1614660 - Network diagnostic will auto detect runtime #20647
  • network: Show EgressCIDRs in "oc get hostsubnets" #20486
  • network: Update egress IPs when node changes IP #20393
  • node: Set FileCheckFrequency default properly #20158
  • route: Fix issue where routes are not cleaned up when a namespace label is deleted or updated. #20579
  • router: Bug 1618563 - Use the TCP balance scheme if configured before falling back to the default router load balancing algo #20702
  • router: Fix weight logic for A/B testing #19893
  • router: HAProxy ip whitelist exceeding max config arguments that haproxy allows. #20357
  • router: Router metrics sometimes fail to detect HTTP/1 connections #21043
  • service-catalog: use K8s NamespaceLifecycle admission controller #20673
  • test: Enable a large chunk of upstream e2e tests that were accidentally not being run #18816

Release SHA256 Checksums

The latest artifacts are always located at https://artifacts-openshift-release-3-11.svc.ci.openshift.org/zips/

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  CHECKSUM
4b0f07428ba854174c58d2e38287e5402964c9a9355f6c359d1242efd0990da3  openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz
9bfcd70df56d902b2cd39dea06e73f4c5451ef9e2ad0e8d6d5b27a92af8503fc  openshift-origin-server-v3.11.0-0cbc58b-linux-64bit.tar.gz
75d58500aec1a2cee9473dfa826c81199669dbc0f49806e31a13626b5e4cfcf0  openshift-origin-client-tools-v3.11.0-0cbc58b-mac.zip
cdb84cc0000d0f0983120f903b2cad7114527ce2a9c4eb1988986eda7b877bfa  openshift-origin-client-tools-v3.11.0-0cbc58b-windows.zip
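
To check a downloaded archive against a list in this format, the following added example (not part of the release notes or of the OpenShift project) parses `digest  name` lines, accepts the `./` prefix used in the 3.10 lists, and reports a separate status for the zero-byte SHA-256 digest that the 3.11 list gives for CHECKSUM. The file names and contents in `demo()` are constructed samples.

```python
import hashlib
import hmac
import os
import re
import tempfile

# SHA-256 of zero bytes. A manifest entry carrying this digest only proves
# that the named file was empty when it was hashed.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# "<64 hex>  name" as printed by sha256sum; a leading "*" marks binary mode.
_ENTRY = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text):
    """Parse checksum lines into {file name: lowercase hex digest}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a SHA-256 manifest entry")
        digest, name = match.group(1).lower(), match.group(2)
        if name.startswith("./"):  # the 3.10 lists write "./name"
            name = name[2:]
        # Release assets are flat files; refuse anything that names a path.
        if name in ("", ".", "..") or "/" in name or "\\" in name:
            raise ValueError(f"line {lineno}: unexpected path {name!r}")
        if entries.get(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name}")
        entries[name] = digest
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, manifest):
    """Return 'ok', 'mismatch', 'unlisted' or 'empty-digest' for one file."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # never treat an unlisted file as verified
    if not hmac.compare_digest(sha256_file(path), expected):
        return "mismatch"
    if expected == EMPTY_SHA256:
        return "empty-digest"  # matches, but only shows the file is empty
    return "ok"


def demo():
    """Run the checks over constructed files and a constructed manifest."""
    samples = {
        "sample-client-tools.tar.gz": b"constructed client bytes",
        "sample-server.tar.gz": b"bytes changed after publication",
        "not-in-list.zip": b"x",
        "CHECKSUM": b"",
    }
    manifest_text = "\n".join([
        hashlib.sha256(b"constructed client bytes").hexdigest()
        + "  ./sample-client-tools.tar.gz",
        hashlib.sha256(b"constructed server bytes").hexdigest()
        + "  sample-server.tar.gz",
        EMPTY_SHA256 + "  CHECKSUM",
    ])
    manifest = parse_manifest(manifest_text)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = verify(path, manifest)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:12}  {name}")
```

A matching digest shows the file is the one that was hashed for the list; it does not authenticate the list itself, which has to come from a source you already trust.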

@smarterclayton smarterclayton released this Aug 3, 2018 · 6664 commits to master since this release

This is the official release of OpenShift Origin v3.10.

Changes

Roadmap for the v3.10 release

v3.10.0 (2018-08-02) Full Changelog

Component updates

  • Updates to Kubernetes
    • 62085: Fix incorrect atomic counter usage #20206
    • 62943: Set updated replicas on stateful set status #20350
    • 64658: Avoid leading gRPC connections in CSI #20111
    • 64882: Prevent deleted pods from sometimes leaving mounts #20111
    • 64971: Ensure mutating admission webhooks correctly remove fields #20509
    • 65223: Correctly detect inaccessible AWS encryption key #20072
    • 65226: Store the latest cloud provider node addresses on the node #20369
    • 65339: Prevent leak of a cached pod definition in the scheduler #20071
    • 66350: Prevent kubelet from becoming stuck retrieving node addresses from a cloud provider #20369

Bugs

  • router: [release-3.10] Allow egress-router to connect to cluster service network for DNS, etc. #20102
  • diagnostics: Fix default image paths used in network diagnostics #20116
  • volumes: Bind mount /etc/origin/kubelet-plugins for flex volumes #20153
  • node: Honor --kubelet-preferred-address-types #20183
  • apiserver: Use in-process loopback client config from Kube #20207
  • image: Install ceph-common in control plane so RBD provisioner can find disks #20222
  • build: Fix an issue where COPY --from would not work on multi-stage image builds #20256
  • console: Change logo, favicon, name on login page #20528

Artifacts

  • Images are published to the Docker Hub as openshift/origin-*:v3.10.0.
  • RPMs are available via the provided origin.repo file

Release SHA256 Checksums

0f54235127884309d19b23e8e64e347f783efd6b5a94b49bfc4d0bf472efb5b8  ./openshift-origin-client-tools-v3.10.0-dd10d17-linux-64bit.tar.gz
6973aebb7b553866f8971c8ca324dd5b79204e2a59c5234cde6fb1b5deb4c7a9  ./openshift-origin-server-v3.10.0-dd10d17-linux-64bit.tar.gz
ae847e3ae278b9420342e651305d34f1ed806b55a23874fc47595a57874e30c6  ./openshift-origin-client-tools-v3.10.0-dd10d17-mac.zip
c1b33aa535b88898d0622e0af2aa673bb814c354fb438c21c18155afc51acf87  ./openshift-origin-client-tools-v3.10.0-dd10d17-windows.zip
23083baadc7b82b6a3998016b795497d9c33327e1985a3b37181cf0e6200d29a  ./CHECKSUM
Pre-release

@smarterclayton smarterclayton released this Jun 20, 2018 · 6664 commits to master since this release

This is the first release candidate of OpenShift Origin 3.10.

Backwards Compatibility

  • Moving from legacy API resources (/oapi) to group resources
    • The server process endpoint now creates resources in the new group APIs (*.openshift.io) #19458
    • The RBAC bootstrap policy file is now saved as rbac.authorization.k8s.io/v1 resources #19756
  • Configuration changes
    • The disabledFeatures configuration item has been removed from master config #19070
    • Master configuration no longer requires the deprecated clusterNetworkCIDR/hostSubnetLength fields to be set in networkConfig #18669
    • Some node default values have changed #19190
      • Remove the default pods-per-core setting of 10, which makes nodes default to 250 pods total.
      • The certificate signing controller defaults to creating certs with a 1 year expiration (a7bd9d6)
  • rbac: Project editors can no longer create or update daemonsets, which prevents tenants from impacting cluster stability #18971
  • Metrics for the template instance broker have changed #19133
  • Moved or deleted content #19262
    • The examples/ directory has been cleaned up
    • The v1 federation implementation has been removed as it did not graduate to beta.
    • The node.service systemd file has been removed from the RPMs, along with the master services (2113900)
  • Changes to OpenShift images #19509
    • As we prepare to split the OpenShift API server into multiple binaries, several new images have been created:
      • openshift/origin-hypershift - A new hypershift binary that launches OpenShift specific components
      • openshift/origin-hyperkube - The Kubernetes hyperkube binary
      • openshift/origin-cli - The OpenShift CLI oc
      • openshift/origin-tests - The extended test suite for OpenShift
    • Some existing images have been renamed
      • openshift/origin is now openshift/origin-control-plane
      • openshift/node is now openshift/origin-node
    • The openshift/openvswitch image has been folded into openshift/origin-node
    • A new binary openshift-node-config takes a node-config.yaml file and converts it to kubelet arguments in the openshift/origin-node image
  • CLI changes
    • Some client-side deletion support has been removed in favor of the controller-driven deletion mechanisms #19616
    • oc export is deprecated and oc get --export should be used instead.
  • The router has separate liveness and readiness probes for use with upstream load balancers #19009
  • XFS quota for emptyDir volumes is now configured via a config file in the volume directory #19533
  • Changes to oc cluster up
    • The cluster launched by oc cluster up is now launched as a set of individual processes running in images, instead
      of the previous single large container. This more closely mimics real production environments.
    • Docker machine support in oc cluster up has been removed
    • oc cluster up now only supports launching a cluster of the same version as the oc binary.

Changes

Roadmap for the v3.10 release

v3.10.0-rc.0 (2018-06-19) Full Changelog

API

Ingress support

In order to better adapt ingress objects to routes, a new controller has been added to OpenShift that
maps Kubernetes Ingress objects (in their v1beta1 form) to OpenShift Routes automatically. This
allows the HAProxy router to report status, perform host overrides, support multi-tenant protection on
hostnames, and securely manage Ingress secrets.

The controller converts each Ingress rule into its own route, as long as the rule has a hostname or TLS
hostname. Any referenced secrets are copied into the final Route and kept up to date. If a generated route
is deleted it will be recreated by the controller. Once a route is created, any annotations or route
specific fields will not be altered unless the route is deleted (such as weighted service backends). A
route with a TLS endpoint will be set to Reencrypt termination, but that may be changed after creation.

The router process itself no longer needs to watch Ingress or Secret resources.

  • router: Replace router support for ingress with an ingress-to-route controller #18658

Other changes

  • Image signature annotations are ignored #19037
  • Explicitly prohibit spec updates to imagestreamtag resources which are not a spec tag. #18532

Component updates

  • Updated to Kubernetes v1.10.0-47-gb81c8f8 + patches
    • 42873: add kubectl api-resources command #19884
    • 54530: api: validate container phase transitions #18791
    • 57202: Fix format string in describers #18810
    • 58972: Fix job's backoff limit for restart policy OnFailure #19672
    • 59170: Fix kubelet PVC stale metrics #18637
    • 59301: dockershim: don't check pod IP in StopPodSandbox #18425
    • 59316: Exit if no client cert is available for 5m #18430
    • 59365: Fix StatefulSet set-based selector bug #18797
    • 59931: do not delete node in openstack, if those still exist in cloudprovider #19038
    • 60289: fix freespace for image GC #18767
    • 60342: Fix nested volume mounts for read-only API data volumes #18766
    • 60455: removes custom scalers from kubectl #19275
    • 60490: Volume deletion should be idempotent #18856
    • 60632: Add volumemetrics for ISCSI Plugin #19842
    • 60654: notify systemd on kubelet start #18886
    • 60978: Fix use of "-w" flag to iptables-restore #18919
    • 61287: provide easy methods for direct kubeconfig loading from bytes #18956
    • 61294: Fix cpu cfs quota flag with pod cgroups #19028
    • 61378: --force only takes effect when --grace-period=0 #19213
    • 61459: etcd client add dial timeout #19953
    • 61480: Allow sockets to be mounted in subpath #19329
    • 61790: make reapers tolerate 404s on scaling down #19275
    • 61808: Ensure -o yaml populates kind/apiVersion #19137
    • 61949: Tolerate 406 mime-type errors attempting to load new openapi schema #19137
    • 61962: Avoid data races in unit tests #19137
    • 61985: Restore show-kind function when printing multiple kinds #19137
    • 62074: Narrow interface consumed by scale client #19137
    • 62114: removes job scaler, continued #19275
    • 62146: Fix daemon-set-controller bootstrap RBAC policy #19517
    • 62152: Keep node.kubeconfig correct during rotation #19857
    • 62196: Remove need for server connections for dry-run create #19137
    • 62199: Make priority rest mapper handle partial discovery results #19137
    • 62234: Handle partial group and resource responses consistently #19137
    • 62254: Add name output and verb filtering to api-resources #19884
    • 62336: add statefulset scaling permission to admins, editors, and viewers #19275
    • 62394: Revert "git: Use VolumeHost.GetExec() to execute stuff in volume plugins" #19359
    • 62416: kuberuntime: logs: reduce logging level on waitLogs msg #19334
    • 62461: allow higher burst for discovery #19327
    • 62462: Private mount propagation #19364
    • 62469: stop defaulting kubeconfig to http://localhost:8080 #19335
    • 62543: Timeout on instances.NodeAddresses cloud provider request #19733
    • 62572: Prevent virtual infinite loop in volume controller #19371
    • 62584: Make x-kubernetes-print-column print handling opt-in #19352
    • 62668: add metrics to cinder volume #19444
    • 62733: Set a default request timeout for discovery client #19471
    • 62744: Fix kubectl describe cronjob #19391
    • 62827: fix csi data race in csi_attacher_test.go #19508
    • 62874: dockershim/sandbox: clean up pod network even if SetUpPod() failed #19576
    • 62913: make a simple dynamic client that is easy to use #19515
    • 62914: kubelet: fix flake in TestUpdateExistingNodeStatusTimeout #19453
    • 63086: Fix discovery default timeout test #19471
    • 63160: kubelet: logs: do not wait when following terminated container #19545
    • 63169: Remove unnecessary dependencies on api/core/v1 #19509
    • 63177: kubectl takes a dependency on the controllers #19509
    • 63295: Fixed CSI volume detach when the volume is already detached #19816
    • 63303: Return attach error to A/D controller #19816
    • 63321: kubelet: force filterContainerID to empty string when removeAll is true #19580
    • 63339: kubelet: volume: do not create event on mount success #19625
    • 63349: Decorate function not called on Create #19602
    • 63403: don't block creation on lack of delete powers #19404
    • 63416: Retry certificate approval on conflict errors #19770
    • 63417: Panic when map string bool flag has no value #19620
    • 63421: Cache preferred resources, use in kubectl resource name autocomplete (single commit) #19884
    • 63490: default the ignorenotfound for delete when selecting objects #19616
    • 63650: Never clean backoff in job controller #19672
    • 63716: Add InstallPathHandler which allows for more than one path to be associated with health checking. #19009
    • 63831: Always track kubelet -> API connections #19638
    • 63831: Close all kubelet->API connections on heartbeat failure #19638
    • 63848: Deflake discovery timeout test #19714
    • 63875: make TestGetServerGroupsWithTimeout more reliable #19723
    • 63903: Revert "Openstack: register metadata.hostname as node name" #19730
    • 63903: Revert "Specify DHCP domain for hostname" #19730
    • 63903: Revert "Split out the hostname when default dhcp_domain is used in nova.conf" #19730
    • 63926: Avoid unnecessary calls to the cloud provider #19742
    • 63966: kubectl: fix Flatten() when used without Latest() #19747
    • 63977: pkg: kubelet: remote: increase grpc client default size #19774
    • 64026: Enable SELinux relabeling in CSI volumes #19816
    • 64028: Tolerate negative values when calculating job scale progress #19765
    • 64443: services must listen on port 443 for aggregation #19866
    • 64516: Fix error message to be consistent with others #19884
    • 64573: remove extra "../" when copying from pod to local #19898
    • 64797: Handle deleted DaemonSet properly #19927
    • 64855: Fix setup of ephemeral storage #19939
    • 64883: Fix up legacy printer table adapter #19934
    • 64916: improve memory footprint of daemonset simulate #19956
    • 64946: log healthz check #19952
    • 64969: volume: decrease memory allocations for debugging messages #19960
    • 65001: Quiet verbose apiserver logs #19970
    • 65009: daemon: add custom node indexer #19980
    • 65027: Use actual etcd client for /healthz/etcd checks #19992
    • 65063: Re-use private key after failed CSR #20000
    • : Add PSP review to /oapi Resources #19542
    • : Remove write permissions on daemonsets from Kubernetes bootstrap policy #18971
    • : XFS quota for emptyDir volumes #19533
    • : add RawConfig to factory for commands modifying raw kubeconfig files #19343
    • : aggregator to proxy oapi to apps.openshift.io server #18652
    • : allow injecting printers #19137
    • : allow oc kubeconfig loading to have our flags and errors #19335
    • : change config file location and restore perFSGroup to quantity #19773
    • : controller-manager patches for recycler #18887
    • : disable local storage isolation feature gate #19323
    • : enable critical pod support by default #19104
    • : filter daemonset nodes by namespace node selectors #18989
    • : inject new parameter for image resolution into kubectl set image #19348
    • : pods in openshift-* namespace can be marked critical #19104
    • : rewrite unstructured objects on the CLI to avoid oapi #19327
    • : avoid contacting server for restmappings in local mode #19996
    • : make RootFsInfo error non-fatal on start #19137
    • : stop wrapping --sort-by value in {} #19777
  • Other patches

Features

Multi-stage Docker image build support

Builds using the Dockerfile build strategy can now build multi-stage Docker images. The from field continues to target
the last image stage in the Dockerfile, but the new as attribute on imageSources allows other stages to be replaced
with triggered images.

  • Support multi-stage dockerbuilds via imagebuilder #18741, #19494

Support external OAuth token authenticators

OpenShift can now be configured to delegate login flows to a remote OAuth capable endpoint like Keycloak. This allows
a central Keycloak server to authenticate multiple clusters. See the documentation for more details about configuring
this option.

  • auth: Add option to configure an external OAuth server #18969
  • auth: Support WebhookTokenAuthenticators for using external servers as token authenticators #18868

Other Features

  • auth: Add oc adm prune role command to clean up rolebindings that are not bound to valid roles #19619
  • cli: Add server-side column printer support for openshift objects #19934
  • clusterup: Add --enable=automation-service-broker #19409
  • image: Parallelize image mirroring and reuse mounted layers #19017
  • migrate: Allow storage migration to be performed in parallel #19691
  • registry: Both internal and external hostnames for the registry should be in docker pull secrets #19838
  • router: Make updating status on the router optional #17420
  • router: Prometheus should scrape the router by default #18254
  • router: Support for DNS names in egress routes #15409
  • router: Perform real backoff when contending for writes from the router #18686
  • router: Make router conflict detection work even during initial informer sync #19706
  • router: Allow only a subset of routes from specific domains to be overridden by the hostname-template #19418
  • router: Allow egress-router to connect to its own node IP for DNS #19885
  • server: Expose api-versions and api-resources in oc #19884
  • template: Allow TemplateInstances to create arbitrary resources, including CRDs #19396

Bugs

  • build: Retry retrieving build logs in some cases #19695
  • cert: Order x509 certificate subjects to prevent a Golang / GNUTLS incompatibility #18837
  • cli: Support quay.io pushing in oc image mirror #19016
  • cli: Correct oc scale error handling #19275
  • cli: Improve validation for oc set volume #19169
  • cli: Fix incorrect oc run default option #19712
  • cli: Dots should be allowed in environment variable names passed to oc new-app #19688
  • diagnostic: Replace usage of brctl with /sbin/ip #19929
  • jenkins: Adjust jenkins template setting to account for effects of constrained default max heap #18832
  • network: Fix handleDeleteSubnet() to release network from subnet allocator #18801
  • network: Fix egressip handling when a NetNamespace is updated #18808
  • network: The NetworkCheck diagnostic did not use the correct config file #18709
  • network: Allow configurable CNI bin dir in openshift SDN #18464
  • network: Correctly report initial NodeNetworkUnavailable condition #18758
  • network: Allow subnet allocator to handle changes to the subnet values #18999
  • network: Prevent incorrect deletion of HostSubnet OVS flows #19080
  • network: Make changing egress network policy rules more efficient #19346
  • network: Print out errors that occur when using macvlan and a namespace cannot be retrieved #19491
  • network: Remove openvswitch check from UnitStatus diagnostic #19572
  • network: Use a real OVS transaction when changing network configuration on the host #19393
  • network: Use a go-native DNS library instead of dig command for dns resolution in egress network policy #19805
  • network: Do not throw spurious error when minTTL=0 for the domain in egress network policy #19950
  • network: Remove the node from dnsmasq config when shutting down #19987
  • network: Get lowest TTL from the DNS resolution chain for egress DNS #19982
  • node: Fix to pass quoted unsafe strings (with characters like *,<,%) correctly to kubelet #19951
  • registry: Update docker config secret to support the future location of the registry service #19514
  • registry: Make docker registry service controller check all secrets #19788
  • router: When a router is reloaded after a batch of route/ingress changes are committed, haproxy sometimes fails to reload #18587
  • router: Some route status updates were being lost #19018
  • router: Combine backend map files to fix path based routing #18840
  • router: Wildcard routes should not take precedence over sub-routes #19076
  • router: Some routes were being rejected incorrectly when NAMESPACE_LABELS was set #19330
  • router: The router can forget routes when routes are created and deleted in rapid succession #19175
  • router: Unidle in router should ignore headless services #19416
  • router: Allow Prometheus to get metrics from the router #19318
  • security: Correctly handle legacy PodSecurityPolicyReview resources #19542
  • server: Improve performance of the SDN controller by using shared caches #18911
  • server: Move range allocation to an internal API as rangeallocations.security.openshift.io #19277
  • server: Set etcd DialTimeout, fix etcd start order in all-in-one #19953
  • server: When etcd is down, avoid pathological healthz behaviors #19992
  • service-catalog: Start API and controller pods with log verbosity = 3 #19135

Release SHA256 Checksums

f876258c9a6221637a84e35ff68e9af96c2f2013eb9ae41ea33abd9286aa045c  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz
dcb414712e8ae08146634d0c18720476e7afd024aa100bd2246d064de6658664  ./openshift-origin-server-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz
872e0b58684af5d17b41a0585c50b41d09fbefa449d80927ba91252ac998deb3  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-mac.zip
25eef2fc0401209e3b5d40239827c023f463cdafeb06f81f1a6a0af9deaa1d25  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-windows.zip
1c21ba58ee0f7fc8b55e9d84099632ec970051adc3744a294a10bcd3aefcfe21  ./CHECKSUM

@smarterclayton smarterclayton released this Mar 30, 2018 · 8137 commits to master since this release

This is the official feature release of OpenShift Origin.

Changes

Roadmap for the v3.9 release

v3.9.0 (2018-03-30) Full Changelog

Component updates

  • Updates to Kubernetes
    • 51042: Allow passing request-timeout from NewRequest all the way down #13701
    • 52324: Fix bug on kubelet failure to umount mount points. #18225
    • 54530: api: validate container phase transitions #18792
    • 56164: Split out a KUBE-EXTERNAL-SERVICES chain so we don't have to run KUBE-SERVICES from INPUT #18754
    • 56288: Add list of pods that use a volume to multiattach events #18290
    • 56315: Record volumeID in GlusterFS PV spec #18326
    • 56823: Add volID based delete() and resize() if volID is available in pv spec #18326
    • 57516: Add custom volume name based on SC parameter #18326
    • 58513: Add Namespace to glusterfs custom volume names #18326
    • 58626: Use correct pv annotation to fetch volume ID #18326
    • 56432: e2e: test containers projected volume updates should not exit #18387
    • 56846: Fix Cinder detach problems #18140
    • 56872: Fix event generation #18442
    • 57202: Fix format string in describers #18853
    • 57336: Abstract some duplicated code in the iptables proxier #18754
    • 57461: Don't create no-op iptables rules for services with no endpoints #18754
    • 57480: Fix build and test errors from etcd 3.2.13 upgrade #18731
    • 57854: fix bug of swallowing missing merge key error #18331
    • 57967: Fixed TearDown of NFS with root squash. #18154
    • 58177: Redesign and implement volume reconstruction work #18554
    • 58316: set fsGroup by securityContext.fsGroup in azure file #18526
    • 58375: Recheck if transformed data is stale when doing live lookup during update #18530
    • 58415: Improve messaging on resize #18509
    • 58439: Fix loading structured admission plugin config #18529
    • 58439: Surface error loading admission plugin config #18529
    • 58522: Clean up error messages for pre-bound PVCs #18284
    • 58533: add suggestion to describe pod for container names #18178
    • 58574: fixing array out of bound by checking initContainers instead of containers #18403
    • 58617: Make ExpandVolumeDevice() idempotent if existing volume capacity meets the requested size #18432
    • 58685: Fill size attribute for the OpenStack V3 API volumes #18237
    • 58720: Ensure that the runtime mounts RO volumes read-only #18255
    • 58739: Don't bind PVs and PVCs with different access modes #18284
    • 58753: Fix kubectl explain for cronjobs #18268
    • 58794: Resize mounted volumes #18421
    • 58930: Don't wait for certificate rotation on Kubelet start #18322
    • 58955: pkg: kubelet: do not assume anything about images names #18340
    • 58977: Fix pod sandbox privilege. #18820
    • 58991: restore original object on apply err #18337
    • 58994: Race condition between listener and client in remote_runtime_test #18409
    • 59170: Fix kubelet PVC stale metrics #18787
    • 59279: nodelifecycle: set OutOfDisk unknown on node timeout #18417
    • 59297: Improve error returned when fetching container logs during pod termination #18515
    • 59350: Do not recycle volumes that are used by pods #18552
    • 59365: Fix StatefulSet set-based selector bug #18824
    • 59386: Scheduler - not able to read from config file if configmap is not found #18475
    • 59449: Fix to register priority function ResourceLimitsPriority correctly. #18503
    • 59506: fix --watch on multiple requests #18514
    • 59569: Do not ignore errors from EC2::DescribeVolume in DetachDisk #18544
    • 59767: kubelet: check for illegal phase transition #18585
    • 59873: Fix DownwardAPI refresh race #18636
    • 59923: Rework volume manager log levels #18636
    • 60299: apiserver: fix testing etcd config for etcd 3.2.16 #18731
    • 60301: Fix Deployment with Recreate strategy not to wait on Pods in terminal phase #18760
    • 60306: Only run connection-rejecting rules on new connections #18754
    • 60342: Fix nested volume mounts for read-only API data volumes #18789
    • 60430: don't use storage cache during apiserver unit test #18731
    • 60457: tests: e2e: empty msg from channel other than stdout should be non-fatal #18755
    • 60490: Volume deletion should be idempotent #18878
    • 61045: subpath fixes #18957
    • 61107: Add atomic writer subpath e2e tests #18957
    • 61107: Detect backsteps correctly in base path detection #18957
    • 61193: bugfix(mount): lstat with abs path of parent instead of '/..' #18985
    • : Remove write permissions on daemonsets from Kubernetes bootstrap policy #18977
    • : Short-circuit HPA oapi/v1.DC #18380
    • : hack in working autoscale reference for oc autoscale #18376
    • : hack out the oapi for restmapping resources when more than one is present #18377
    • : patch the upstream SA token controller and use it #18508
  • Updates to docker/distribution

Features

Other Features

  • build: Issue 17941: Add oc new-build --push-secret option #18477
  • deploy: Add support for deployments in oc status #18439, #18579

Bugs

  • auth: Change Header used for impersonation scopes to match upstream #18378
  • auth: Deprecate some policy commands #18102
  • build: Adjust newapp/newbuild error messages (arg classification vs. actual … #18272
  • build: Fix BuildConfigInstantiateFailed warning when lastVersion == 0 #17146
  • cli: Add infos count to oc status #18422
  • cli: Suppress project list on login if you have access to greater than 50 projects #18706
  • diagnostic: Add an AppCreate diagnostic #16658
  • diagnostic: AggregatedLogging ClusterRoleBindings false negative fix #18888
  • diagnostic: Fix AnalyzeLogs to provide more clear debug message #18654
  • image: Fix annotation trigger to reconcile on container image change #18513
  • image: Preserve namespace on imagestreams server-side export #18487
  • image: Prevent scheduled importer of images from advancing too quickly #18604
  • image: Retry import without authentication if we get 401 error for public images #18012
  • migrate: Add migrate command for legacy HPAs #18854
  • network: Fix reassignment of egress IP after removal #18720
  • network: Deal with auto-egress-ip mark conflicting with kube-proxy's masqueradeBit #18121
  • network: Do not allow 'default' project to be isolated using 'oc adm pod-network' #18687
  • network: Don't try to delete (nonexistent) OVS flows for headless/external services #18890
  • network: Fix CNI IPAM data dir #18863
  • network: Fix handleDeleteSubnet() to release network from subnet allocator #18819
  • newapp: --source-image should count as a source input for new-app #18631
  • node: Move pod-namespace calls out of process to prevent races between Go threads #18355
  • node: Restart console container when config changes #18411
  • node: Support --write-flags on openshift start node to support moving directly to kubelet #18322
  • oauth: Enable osin internal error logging #18505
  • router: Make oadm router and registry resilient to missing client for use in scripts #18546
  • router: Updating route TLS configuration will be possible with 'create' permissions on custom-host #18312
  • security: ClusterResourceOverride plugin should not set CPU or memory minimums below the namespace quota minimum #18553
  • server: Bug 1538389 - Allow node IP change to update Host IP in HostSubnet resource #18281
  • server: Correctly handle newlines in serial files #18405
  • server: Wait for lease acquisition that indicates the controllers and scheduler have successfully started #18338
  • template: Make sure we can unbind a deleted templateinstance #18452

Release SHA256 Checksums

6ed2fb1579b14b4557e4450a807c97cd1b68a6c727cd1e12deedc5512907222e  ./openshift-origin-client-tools-v3.9.0-191fece-linux-64bit.tar.gz
a616d50c0974d4b3d1f12f227883afa7e70028fe78c874fc233eb3466ee12fdf  ./openshift-origin-server-v3.9.0-191fece-linux-64bit.tar.gz
32bdd9464866c8e93d8cf4a3a7718b0bc9fa0f2881f045b97997fa014b52a40b  ./openshift-origin-client-tools-v3.9.0-191fece-mac.zip
705eb110587fdbd244fbb0f93146a643b24295cfe2410ff9fe67a0e880912663  ./openshift-origin-client-tools-v3.9.0-191fece-windows.zip

@smarterclayton smarterclayton released this Mar 16, 2018 · 9769 commits to master since this release

This is a patch release of OpenShift Origin.

Changes

v3.7.2 (2018-03-16) Full Changelog

Component updates

  • Updates to Kubernetes
    • 49624: Add daemonset to all categories #18478
    • 53690: Fix hpa scaling above max replicas w/ scaleUpLimit #18216
    • 54701: Refactor reconcileAutoscaler method in hpa #18216
    • 55631: Parse and return the last line in the log even if it is partial #17546
    • 57422: Rework method of updating atomic-updated data volumes #18167
    • 57967: Fixed TearDown of NFS with root squash. #18954
    • 58301: Limit all category to apps group for ds/deployment/replicaset #18478
    • 58572: Automated cherry pick of #58547: Send correct resource version for delete events from watch #18246
    • 58720: Ensure that the runtime mounts RO volumes read-only #18954
    • 60342: Fix nested volume mounts for read-only API data volumes #18954
    • 61047: Lock subPath volumes #18954
    • 61109: Detect backsteps correctly in base path detection #18954
    • 61196: bugfix(mount): lstat with abs path of parent instead of '/..' #18954
    • Revert "UPSTREAM: 53916: update .dockercfg data to config.json format" #18062

Bugs

  • auth: Fix issues with oc adm migrate authorization #18221
  • migrate: handle NotFound via resource matching and during conflicts #18287
  • server: Include proto swagger document in discovery #18309
  • server: Don't expose oapi types as 'all' #18478
  • deployments: Correctly trigger DC trigger reconciliation on image change release #18524
  • build: Correctly set selinux labels for build containers #17546

Release SHA256 Checksums

abc89f025524eb205e433622e59843b09d2304cc913534c4ed8af627da238624  ./openshift-origin-client-tools-v3.7.2-282e43f-linux-64bit.tar.gz
74933671b886f790dbf83edfba25a522851244c37a586dc491a39ebf30ece893  ./openshift-origin-server-v3.7.2-282e43f-linux-64bit.tar.gz
8ae2f51cdde5c76a33add98c64efc30f11f5c0fbd1dacc5ae5d0f147b96f7d18  ./openshift-origin-client-tools-v3.7.2-282e43f-mac.zip
45e525b751d7659e05adfbd005851cdeb769df511cfe38f5e45c0dfed854e784  ./openshift-origin-client-tools-v3.7.2-282e43f-windows.zip
Mar 13, 2018