v1.3.0-rc1

Pre-release
@smarterclayton smarterclayton released this 07 Sep 22:25
· 24072 commits to master since this release

This is release candidate 1 of OpenShift Origin 1.3.0.

Backwards Compatibility

  • HAProxy router template format has changed
    • As part of the expanded features added to the HAProxy router in 1.3, the internal structure used by the router config template (the haproxy.config.template file) had to change format. Instructions for adapting to the new format are located here
  • Jenkins auto-deployment has been disabled - see #10260 for more

API Changes

  • Networking
    • Many of the network API objects have much stricter validation. #10466
  • Routes
    • All backends in a route may be set to have zero weight, which means no traffic should be sent to that backend. #10428

Component updates

  • Updated to Kubernetes 1.3.5 + patches
    • 32000: Update node status instead of node in kubelet #10790
    • 31730: Fixes for attach-detach controller enablement on existing nodes #10748
    • 30690: Don't bind pre-bound pvc & pv if size request not satisfied #10522
    • 31627: make deep copy of quota objects before mutations #10704
    • 31396: Fixed integer overflow bug in rate limiter #10646
    • 31047: Close websocket stream when client closes #10550
    • 25308: fix rollout nil panic issue #10543
    • 29093: Fix panic race in scheduler cache from 28886 #10518
    • 30839: queueActionLocked requires write lock #10504
    • 30624: Node controller deletePod return true if there are pods pending deletion #10503
    • 30731: Always return command output for exec probes and kubelet RunInContainer #10494
    • 30796: Quota usage checking ignores unrelated resources #10493
    • 28234: Make sure --record=false is acknowledged when passed to commands #10486
    • 30736: Close websocket watch when client closes #10475
    • 29639: Fix default resource limits (node allocatable) for downward api volumes and env vars #10467
    • 27541: Attach init container #10427
    • 30510: Endpoint controller logs errors during behavior #10415
    • 30626: prevent RC hotloop on denied pods #10414
    • 30533: Validate involvedObject.Namespace matches event.Namespace #10392
    • 30313: remove duplicate errors from aggregate error outputs #10317
    • 29212: hpa: ignore scale targets whose replica count is 0 #10305
    • 29982: Fix PVC.Status.Capacity and AccessModes after binding #10268
    • 30162: return err on oc run --image with invalid value #10250
    • 31446: fix delay establishing log streaming connection #10617
    • 31353: fix duplicate validation/field/errors #10613
    • Additional bulk picks #10247, #10385, #10541
  • Updated Docker distribution
    • Fix pushing to GCS storage #10640

Features

v1.3.0-rc1 (2016-08-07)
Full Changelog

Add setting and viewing route weights from the CLI

The A/B route balancing feature now has a CLI command to manage it, oc set route-backends, and route weights show up in the output of oc get and oc describe for the route.
Routes may have one or more optional backend services with weights controlling how much traffic flows to each service. Traffic is assigned in proportion to the combined weights
of each backend. A weight of zero means that the backend will receive no traffic. If all weights are zero, the route will not send traffic to any backends.

You can bulk set route backends by specifying their name and weight:

$ oc set route-backends myroute prod=99 canary=1

This sends 99% of traffic to the prod service and 1% to the canary service. If the service does not exist, no traffic will be sent. You can keep the service listed as
a backend but not send traffic to it by specifying weight 0:

$ oc set route-backends myroute prod=1 canary=0

See the help for more advanced incremental adjustments (--adjust canary=+10%).

  • Add CLI support for routes with multiple backends #10551.

Support bare-metal, highly available IPs for services

For users deploying onto bare metal without a cloud provider, access to highly available TCP load balancing can be difficult. OpenShift 1.3 extends the supported ip-failover
router HA solution to also enable HA Kube services with failover. Administrators would configure HA router nodes and then ensure that a block of IPs is routed to those nodes
in the IP failover configuration. That block would then be configured in the OpenShift master-config.yaml:

networkConfig:
  ingressIPNetworkCIDR: 172.46.0.0/16

This is the default behavior, and can be disabled by setting the value equal to 0.0.0.0/32. When a service of type=LoadBalancer is created, a new IP would be assigned to the
service and traffic would flow to that service. Note that running with a cloud provider disables this feature, since the provider's native service load balancer is used.

  • Support network ingress on arbitrary IPs #9454
  • Add a default ingress ip range #10500

Image Policy API

Image policy allows you to manage which images are allowed to run on the cluster and perform resolution of image tags to image digests on demand (to lock the executed version).
Policy allows you to:

  • Block images outside of the integrated registry from being used in pods
  • Require the presence of an annotation on the underlying image (not settable by end users) to run the image
  • Allow integrators to perform security scans of images and then block the image from being executed on the platform.

The default configuration will block images that are annotated in the internal registry - if the annotation images.openshift.io/deny-execution is set on an image referenced
by a pod to true, OpenShift will prevent that image from being run. This can be used by an external scanner to block certain images from being used.

See the image policy documentation for more on configuring policy.

  • Add image policy enforcement #8995
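
The scanner integration described above, as an added example (not OpenShift project code): it reads scan findings and prints the oc annotate commands that set images.openshift.io/deny-execution to true on affected images. The report format, the severity scale and the digests are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenShift project code. The report format
# "<image digest> <severity>" and the severity scale are assumptions.
DENY_KEY="images.openshift.io/deny-execution"

# Map a severity word to a rank. Unknown or missing words rank highest so a
# malformed finding fails closed (the image is denied, not silently allowed).
severity_rank() {
  case "$1" in
    none) echo 0 ;; low) echo 1 ;; medium) echo 2 ;;
    high) echo 3 ;; critical) echo 4 ;; *) echo 5 ;;
  esac
}

# deny_commands THRESHOLD < report
# Prints one "oc annotate" command per image whose severity is at or above
# THRESHOLD. Commands are printed, not run, so they can be reviewed first.
deny_commands() {
  min=$(severity_rank "$1")
  while read -r digest severity rest; do
    case "$digest" in ''|'#'*) continue ;; esac   # blank lines and comments
    # The digest ends up on a command line: accept only sha256:<64 hex>.
    if ! printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
      echo "rejected malformed digest: $digest" >&2
      continue
    fi
    if [ "$(severity_rank "$severity")" -ge "$min" ]; then
      echo "oc annotate image $digest $DENY_KEY=true --overwrite"
    fi
  done
}

# Constructed sample report; the digests are placeholders, not real images.
sample_report() {
  cat <<'EOF'
# digest severity
sha256:1111111111111111111111111111111111111111111111111111111111111111 critical
sha256:2222222222222222222222222222222222222222222222222222222222222222 low
sha256:3333333333333333333333333333333333333333333333333333333333333333
sha256:not-a-digest;true high
EOF
}

sample_report | deny_commands high
```

Applying the printed commands requires an account permitted to update image objects, since the annotation is not settable by end users.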

Build integrations with the cluster more easily

The new oc observe command is an experimental tool for reacting to changes in your Kubernetes cluster and building scripted interactions. It allows you to easily
get notified of changes to a particular resource type (like services, deployments, namespaces, persistent volumes) and invoke a command.

For example, if you want to send an email to your admin every time a node stops being reachable, create a script that takes

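$ cat mail.sh
#!/bin/bash
# $1 identifies the node; $2 is the Ready condition status from the -a template.
mkdir -p /tmp/ready
if [[ $2 != 'False' ]]; then
  # Node is not reporting Ready=False: record that it was seen ready.
  touch "/tmp/ready/$1"
  exit 0
fi
# Only alert if the node was previously seen ready.
if [[ -f "/tmp/ready/$1" ]]; then
  echo mail -s "$1 went DOWN!" [email protected] "We're down at $(date)"
fi
rm -f "/tmp/ready/$1"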

$ oc observe node -a '{{ range .status.conditions }}{{ if eq .type "Ready" }}{{ .status }}{{ end }}{{ end }}' --output gotemplate -- ./mail.sh

Whenever a node transitions from having condition Ready with status True to status False, an email will be sent to your admin. See the oc observe help for
more suggestions and explanation of how observe can help you build simple integrations.

You can get observe as a Docker image via docker pull openshift/observe:latest - the oc observe command is the entrypoint and you can bind mount a kubeconfig file
to /root/.kube/config.

Improve the OAuth Grant page

OpenShift embeds a full featured OAuth server for managing access to cluster resources. The OAuth authorization grant page has been improved to describe the scopes being
requested, the impact those scopes might have, and to warn users of any potential security risks. In addition, the grant page now allows the user to select which scopes
to grant.

  • Improve OAuth Grant page and allow partial scope approval #10321

Other Features

  • project: Respect scope rules in list/watch projects #10252
  • cli: Improve oc describe imagestream #10405

Bugs

  • admin: Add a command to separate projects when multi-tenant SDN is on - oadm pod-network isolate-projects #10365
  • admin: Ignore negative value of grace-period passed to oadm manage-node #10350
  • admin: Recognize gzipped empty layer when marking parents in oadm top images #10293
  • admin: Return directly if no pods found when evacuating #10447
  • bootstrap: Better support containerization on some Docker platforms in oc cluster up #10571
  • builds: Avoid temporary delays in processing builds due to improper use of cache code #10581
  • builds: Avoid using bsdtar for extraction during build #10364
  • builds: Commit information not being properly output into build logs #10515
  • builds: Don't perform pod deletion management for pipeline builds #10370
  • builds: Ensure temporary files are closed if Docker 'DownloadFromContainer' fails #10325
  • builds: Show namespace for custom strategy bc #10340
  • builds: Validate CustomStrategy early #10480
  • cli: Add oc describe help suggestion to cmds with --container option #10469
  • cli: Add a line break when no events in describe #10653
  • cli: Add new-app support for detecting .net apps #10463
  • cli: Allow --raw URL to retrieve authenticated URLs from a server with oc get #10542
  • cli: Avoid failures during scaling by fetching objects up front #10684
  • cli: Better describe oc tag -d #10597
  • cli: Deprecate --list option from volumes cmd #10457
  • cli: Display an error when git is not available and --from-repo is requested in oc start-build #10397
  • cli: Fix oc extract usage message for the --keys flag #10614
  • cli: Fix oc project|projects when in cluster config #10521
  • cli: Improve oc set env key-value pair matching for environment variables #10619
  • cli: Improving circular dependency checking for new-build #10067
  • cli: New app example improvements #10534
  • cli: Project labels should be visible from oc get #10329
  • cli: Remain in the current project at login if possible #10378
  • cli: Return error in oc set env RESOURCE when no env args are provided #10485
  • cli: Show restart count warnings only for latest deployment #10440
  • cli: Suggest use of oc get bc on oc start-build error output #10720
  • cli: Support init containers in 'oc debug' #10578
  • cli: Tagging images across namespaces with oc tag was importing from the wrong location #10510
  • cli: oc extract should default to current directory #10468
  • cli: oc should not fail negotiating API versions against Kubernetes #10824
  • deploy: Don't reprocess configs on stream updates yet #10744
  • deploy: Emit event when cancelling a deployment #10590
  • deploy: React to image stream changes more quickly during deployment processing #10456
  • deploy: Retry conflicts when updating RC faster #10507
  • deploy: Some image change triggers were not being matched on deployments #10444
  • deploy: Wait for deployer pod to be running before getting logs #10560
  • deploy: remove top level generator pkg #10502
  • examples: Fix pre-deploy hook args on cakephp example #10572
  • gitserver: Fix gitserver build config search #10576
  • idling: Add previous-scale annotation for idled resources #10421
  • idling: Clarify idle error and usage output #10492
  • idling: Don't health-check idled services #10420
  • idling: Ensure only endpoints are specified in oc idle #10335
  • idling: Handle deleted services correctly without erroring out #10648
  • images: Make import image more efficient #10244
  • images: Sometimes tags are not updated when running oc tag to referenced tags #10708
  • ipfailover: Fix range expansion on VRRP addresses #10498
  • ipfailover: Stop using node selector as ipfailover label #10388
  • jenkins: Add specific roles and permissions for access to the Jenkins console #10649
  • jenkins: Fix autoprovision enabled field name #10612
  • jenkins: Increase readiness timeout #10593
  • network: Allow startup to continue even if nodes don't have EgressNetworkPolicy list permission #10358
  • network: Clear kubelet-created initial NetworkUnavailable condition on GCE #10545
  • network: Disabling idling should not turn off the service proxy #10667
  • network: Periodically sync k8s iptables rules #10465
  • network: Re-setup SDN on startup if ClusterNetworkCIDR changes #10569
  • network: Regenerate proxy iptables rules on EgressNetworkPolicy change #10652
  • network: Revert SDN automatic mode detection #10751
  • network: SDN plugin name names were missed #10432
  • policy: Allow registry-admin and registry-editor to create serviceaccounts #10443
  • policy: Block setting ownerReferences and finalizers #10464
  • policy: Reconcile non-resource-urls #10785
  • project: Clean up requested project if there are errors creating template items #10577
  • quota: Properly enforce image stream counts #10517
  • registry: Handle older configuration files without erroring out on upgrade #10673
  • registry: Login via token to the registry should use HTTP header info for redirection #10418
  • registry: Properly reuse service clusterIP in oadm registry #10496
  • registry: Properly serve the manifest configuration blob for images #10805
  • registry: servingCert was not handled properly in oadm registry #10442
  • router: Allowed 'true' for the DROP_SYN_DURING_RESTART variable #10514
  • router: Enable secure cookie for secure-only edge routes #10573
  • router: Extend DDOS protection to reencrypt and passthrough routes #10513
  • router: Properly remove duplicates from routers #10747
  • router: Set X-Forwarded-For headers for reencrypt routes. #10318
  • router: Update the default certificate and allow for better replacement #10345
  • router: Use annotations for tuning route healthcheck intervals #10342
  • rpm: Build RPM using the build scripts #10398
  • rpm: Make build spec file platform independent #10695
  • s2i: Increase default timeout for operations against Docker #10675
  • server: Add quota controller metrics #10307
  • server: Call out config validation warnings more clearly #10461
  • volume: Recycler pod was failing to recycle processes #10454
  • Lots of code cleanup PRs, thanks to all who helped! #10591, #10589, #10583, #10557, #10547, #10446, #10433, #10409, #10408, #10399, #10372

Release SHA256 Checksums

a9be9890fbfa491bb05fa659f6f98685a29f41eb5fd6a7c74d0bf959c7eb6502  openshift-origin-client-tools-v1.3.0-rc1-ac0bb1bf6a629e0c262f04636b8cf2916b16098c-linux-32bit.tar.gz
bfd20d7332e38db6f52fb941c339206aafb8dc259715ced97bdd32a693637d94  openshift-origin-client-tools-v1.3.0-rc1-ac0bb1bf6a629e0c262f04636b8cf2916b16098c-linux-64bit.tar.gz
257bff09d85a6eb440368f1cb23f689d6fd0131303697797eb737b18d3bbafa5  openshift-origin-client-tools-v1.3.0-rc1-ac0bb1bf6a629e0c262f04636b8cf2916b16098c-mac.zip
45f6f9060d1f1813a8aab2e6e2af40fb5dc7d2afe537f2d640636b12d9c42d3f  openshift-origin-client-tools-v1.3.0-rc1-ac0bb1bf6a629e0c262f04636b8cf2916b16098c-windows.zip
e7878e14b9160bf108a951b5f635958fed9244de085eba40fd68f51e7210e918  openshift-origin-server-v1.3.0-rc1-ac0bb1bf6a629e0c262f04636b8cf2916b16098c-linux-64bit.tar.gz