Skip to content

v1.5.0-alpha.3

Pre-release
Pre-release
Compare
Choose a tag to compare
@smarterclayton smarterclayton released this 20 Feb 21:32
· 21046 commits to master since this release
v1.5.0-alpha.3
cf7e336

This is a development release of OpenShift Origin towards v1.5.0.

Backwards Compatibility

  • The --credentials flag is now removed from oadm router and oadm registry #10830
    • service accounts are the preferred way to set secrets
  • The groups field on the User object has been deprecated #12870
    • Instead, create a Group object and reference the user by name.

Changes

v1.5.0-alpha.3 (2017-02-19) Full Changelog

API

  • templates: Allow namespace specification via parameter in templates #12918

    • If you specify a parameter replacement in the namespace field of a template object, it will be preserved:

      kind: Template
apiVersion: v1
parameters:
- name: NAMESPACE
objects:
- kind: Service
  metadata:
    namespace: foo # ignored
- kind: PersistentVolumeClaim
  metadata:
    namespace: "${NAMESPACE}" # will be set to the value of NAMESPACE

    • Static values for namespace will continue to be ignored to prevent breaking old templates that included those fields

Component updates

  • Patches on top of Kubernetes v1.5.2
    • 35436: Add a package for handling version numbers (including non-semvers) #12448
    • 37228: kubelet: storage: teardown terminated pod volumes #12669
    • 37846: error in setNodeStatus func should not abort node status update #12570
    • 37986: Add clusterid, an optional parameter to storageclass. #12556
    • 38378: glusterfs: properly check gidMin and gidMax values from SC individually #12556
    • 38527: Fail kubelet if runtime is unresponsive for 30 seconds #12776
    • 38579: Let admin configure the volume type and parameters for gluster DP volumes #12556
    • 39831: Check if error is Status in result.Stream() #12610
    • 39842: Remove duplicate calls to DescribeInstance during volume operations #12740
    • 39844: fix bug not using volumetype config in create volume #12556
    • 39998: Cinder volume attacher: use instanceID instead of NodeID when verifying attachment #12955
    • 40023: Allow setting copyright header file for generated completions #12613
    • 40763: reduce log noise when aws cannot find public-ip4 metadata #12760
    • 40859: PV binding: send an event when there are no PVs to bind #12796
    • 41043: allow setting replace patchStrategy for structs #12731
    • 41147: Add debug logging to eviction manager #12876
    • 41329: stop senseless negotiation #12938
    • 41658: Fix cronjob controller panic on status update failure #13005
    • :41034: use instance's Name to attach gce disk #12835
    • : Change docker security opt separator to be compatible with 1.11+ #12831
    • : kubelet: change image-gc-high-threshold below docker dm.min_free_space #12762
    • : Workaround etcd310 / gprc version conflict with CRI #12600
    • : request logs when attaching to a container #12648

Features

Template refinements

The OpenShift 1.5 release added a few new features for templates, including the ability to have integer, boolean, array, or map inputs (using the ${{PARAMETER}} syntax). This alpha also allows templates to span namespaces if you parameterize the namespace field of your objects. Previously, all namespace fields were stripped, but a template object with a namespace that references a parameter will now be filled in, allowing you to instantiate cluster scoped resources that refer to a named resource in the template. oc process --local has been added to allow you to locally transform a template for use with a regular Kubernetes server - the transformation is performed on the client instead of requesting the server do the transformation.

  • templates: Allow namespace specification via parameter in templates #12918
  • templates: Allow templates to be processed locally with --local #12996

Ingress objects in the HAProxy router (tech preview)

The HAProxy router can be configured to expose Kubernetes Ingress objects. This feature is still under development and may change as more security protections are put into place. Not all features supported by Routes are available, including some advanced annotations.

  • router: Support Ingress resources with the HAProxy router (tech preview) #12416
  • router: Allow restricting Ingress objects from changing their hostname values #12653
  • router: Fix Ingress compatibility with f5 #12843

Multicast and NetworkPolicy support for OpenShift SDN (tech preview)

Multicast and NetworkPolicy support are now available in OpenShift SDN for testing. Please see the documentation for more info on how to enable them.

  • sdn: Implement NetworkPolicies with PodSelectors #12448
  • sdn: Support multicast #12494
  • sdn: Filter disallowed outbound multicast #12650
  • sdn: Allow multicast for VNID 0 #12839
  • sdn: Fixed the multicast CIDR (was 224.0.0.0/3 not /4) #12852

Node bootstrap (tech preview)

For the last several releases Kubernetes and OpenShift have been preparing to allow nodes to "self-register" in cloud environments where nodes can be spun up or down dynamically. In the v1.5.0 release the new experimental --bootstrap flag is available on nodes and will have the node request a client certificate from the master, then request a serving certificate, then download its node configuration from a config map. Cloud VM images can be "baked" with an account capable of self registration and the new oc adm certificate approve command can be used to approve the client and serving certificate requests.

This feature is still experimental and may change in future releases.

  • cluster: Support a simple bootstrap mode for nodes in preparation for self-join #9547

Basic monitoring

oc cluster up now installs a Prometheus and Heapster template to the kube-system namespace - as an administrator you can switch to that namespace and easily install them for monitoring your cluster.

Prometheus can monitor your nodes, apiserver, and services labelled with the appropriate annotations and record metrics or fire alerts. Launch and expose Prometheus with:

$ oc project kube-system
$ oc new-app prometheus
$ oc expose svc/prometheus

See the Prometheus website for more info.

To use a standalone Heapster instance with no historical metrics, run:

$ oc project kube-system
$ oc new-app heapster-standalone

Autoscaling should now be enabled for your cluster. This is useful for smaller clusters where you don't need historical data as provided by Hawkular.

  • clusterup: Install Prometheus and Heapster templates to the kube-system namespace on cluster up #12844
  • examples: Add a standalone Heapster example #12812
  • examples: Add a Prometheus example #12793

Debugging the masters

In order to make it easier to capture profiles and other debug information about a running cluster, the /debug/pprof endpoints are
exposed on apiservers, controllers, and nodes, but protected via a new cluster-debugger role. Since the debug endpoint can extract sensitive information from the cluster, you should only give that role to trusted actors.

# Retrieve and process a heap dump from the master as a cluster-debugger
$ oc get --raw /debug/pprof/heap > /tmp/heap
$ go tool pprof PATH_TO_OPENSHIFT_BINARY /tmp/heap

# Capture a 30s CPU profile from the master as a cluster-debugger
$ oc get --raw /debug/pprof/profile > /tmp/cpuprofile
$ go tool pprof PATH_TO_OPENSHIFT_BINARY /tmp/cpuprofile
  • admin: Add a new cluster-debugger role and enable debugging on masters #12895
  • admin: Allow controller to be debugged using OpenShift credentials #12907

Other Features

  • builds: Cancel binary builds if they hang #12484
  • builds: Record built image digest in the build status #12407
  • cli: Adding wildcardpolicy flag to oc create route and a column for the wildcardpolicy to `oc get route' #12713
  • cli: Improve namespace and resource completions #12630
  • deploy: Add support for dc --dry-run to rollout undo #12729
  • dns: Allow nodes to be configured to start local DNS and bind to alternate addresses and ports #12805
  • ipfailover: Allow multiple ipfailover configs on same node #12472
  • registry: Add audit log #12586
  • router: Allow routes to claim non-overlapping hosts (+ paths) and wildcards across namespace boundaries #12441
  • security: Add descriptions to roles to better explain their purpose. #11328
  • security: Add headers that provide extra security protection in browsers #12521
  • server: By default, use protobuf to store server resources #11971
  • storage: Enable Azure dynamic provisioner #12756
  • web: Let users pause rollouts when editing deployment configs #1129
  • web: Support volume mount subpaths and read-only flag #1108
  • web: Improve searches for projects on create from URL page #1145
  • web: Add Stateful Sets to monitoring page #1163
  • web: Add namespace picker to service account tab on membership page #1213

Bugs

  • admin: Normalize server url before writing to new kubeconfig file #12591
  • admin: Stop generating router/registry client certs #10830
  • admin: Support -z on oadm policy add-cluster-role-to-user #12902
  • build: Take referencePolicy into account when resolving istag #12767
  • builds: Adjust the build duration recorded to be more accurate #12569
  • builds: Don't create two copies of the context dir contents accidentally #12891
  • builds: Ensure controllers stop retrying certain known errors #12842
  • builds: Ensure the build reason is not removed if it races with controllers #12873
  • builds: Ensure we don't miss any build creation events in the controller #12702
  • builds: Improve performance by only running handleBuildCompletion on completed builds #12856
  • builds: Reduce the number of times the build controller attempts to load builds #12623
  • builds: Replace utilruntime.HandleError with glog #12658
  • builds: Start the next serial build immediately after a build is canceled #12699
  • builds: Treat binary buildconfig instantiate requests as long running #12679
  • builds: Use correct context dir during s2i build #12628
  • cli: Add option '--insecure-policy' when creating passthrough and reencrypt route #12725
  • cli: Check image metadata for command line when using oc debug #12585
  • cli: Improve output of oc idle #12718
  • cli: Improve scale, process, and get help output #12724
  • cli: Inform user that port is required as part of set-probe error when port missing #12759
  • cli: Prevent project change from failing on server err #12571
  • cli: Remove special handling of --token and --context for whoami #12872
  • cli: Update "no projects" warning in oc status #12328
  • clusterup: Add instructions for accessing the registry from Docker #12826
  • clusterup: Fix port checking and Mac startup #12745
  • clusterup: Mount host /dev into origin container #12565
  • clusterup: Remove hard-coded docker root mount #12744
  • clusterup: add brew install instructions #12827
  • deploy: Restart controller watch if the resource was out of date #12910
  • diagnostics: Print master config error on each failed test #12832
  • drain: Prevent Normalize from running twice on oadm drain #12651
  • examples: Add examples to quickstarts that use persistent volumes #12682
  • examples: Change MEMORY_LIMIT parameter to be required for databases #12742
  • examples: Fix connection URL in postgresql examples #12664
  • examples: Use secrets in sample templates #12757
  • idle: Increased the time the proxy will hold connections when unidling #12754
  • image: Add replace patch strategy for DockerImageMetadata to better support oc edit istag/NAME #12731
  • images: Add oc tag --reference-policy to control whether pullthrough images are resolved to local tags #12862
  • images: Bug 1415440: Check image history for zero size #12609
  • images: Prune images correctly with the schema2 manifest #12566
  • jobs: Store Jobs in version batch/v1 instead of deprecated extensions/v1beta1 #12517
  • newapp: Report a useful error when wide mode is used with new-app/new-build #12836
  • newapp: Return partial matches when default latest tag is unavailable #12878
  • node: Set the default image garbage collection policy to 85% of disk, not 90% #12762
  • observe: Fix a deadlock when skipping certain resources #12980
  • projects: Sort Projects when requested via the API #12881
  • registry: Ensure images that already exist are given the correct reference on push #12525
  • registry: Return the correct HTTP status for error and remove dead code #12675
  • router: Allow HAProxy logging to be configured via environment variable #12795
  • router: Ensure that route backend weighting works without having to specify an annotation for load balancing #12752
  • router: Fix Ingress handling of nil rule value #12941
  • router: Fix reported invalid certificate errors to not contain special characters #12670
  • router: Increase maxconn default and make the value easily configurable #12716
  • router: Make some verbose logging even higher level #12785
  • router: Only set the load balancer cookie to insecure when insecureEdgeTerminationPolicy is Allow #12802
  • router: Perform both http and https checks for monitoring f5 pools #12764
  • router: Prevent F5 router from failing to publish routes with empty paths #12944
  • router: Small code fixes #12575
  • sdn: Fix NetworkPolicies allowing from all to some (not all) #12972
  • sdn: Fix OVS connection tracking in networkpolicy plugin #12837
  • server: Disable the admission plugin LimitPodHardAntiAffinityTopology by default. #12782
  • server: Ensure file and directory validation errors are output on startup #12761
  • server: Ensure the master binds to the configured address in some cases #12779
  • servingcert: Recreate generated service cert secret when deleted #12853
  • storage: Use the correct etcd paths for user identities and egress network policies in storage #12607
  • web: Switch empty extension files to return 200 with Content-Length zero #12644
  • web: Show storage class type and zone, even if no description #1141
  • web: Use block syntax for stages in examples #1142
  • web: Fix dangling "none" on statefulset template #1143
  • web: Don't show full editor for one-line post-commit scripts #1146
  • web: Look for kubernetes.io/description on storage classes #1147
  • web: Exclude stateful sets from other resources #1149
  • web: Fix always-visible build config warning #1150
  • web: Test if metrics are available on StatefulSet page #1148
  • web: Bug 1414709 - stateful sets page has no label filter #1152
  • web: Fix StatefulSets breadcrumbs & label display #1153
  • web: Hide storage classes select when there are none #1156
  • web: Bug 1415083 - Make build hook fields required for selected type #1157
  • web: Bug 1415087 - Fix persistent "Scaling to..." message for stateful sets #1159
  • web: Bug 1415058 - Fix events on stateful sets #1158
  • web: Avoid race condition on pod metrics page load #1160
  • web: Bug 1414691 - Fix name validation for several resources #1155
  • web: Fix Stateful sets replicas count #1165
  • web: Switch to a specific class .icon-wrap instead of :first-child selector for icon-row Fixes openshift/origin-web-console#1144 (comment) #1164
  • web: Correcting word-break-all comment #1170
  • web: Bug 1415602: Fix next steps for deploy image #1169
  • web: Update membership role filter to use new annotation #1172
  • web: Better conflict handling for env var edits #1171
  • web: Add EnvironmentService unit tests #1173
  • web: Retry initial terminal sizing until we have a bounding box #1176
  • web: Add golang category #1168
  • web: Correct the right alignment of the log viewer go to end button by adjusting it to match middle container edge. Fixes openshift/origin-web-console#1162 #1177
  • web: Fixing issue where long, unbroken strings in URLs breaks layout #1166
  • web: Improve placeholder and description for build hook commands #1181
  • web: Make empty msg for stateful sets consistant with other ones #1179
  • web: Fix error changing route termination to passthrough #1183
  • web: Let users specify insecureEdgeTerminationPolicy for other termination types #1184
  • web: Show builders and templates that match no subcategory #1193
  • web: Show router canonical hostname on route page #1194
  • web: Don't link to image stream tags that haven't synced yet #1202
  • web: Correct alignment/spacing of 'loading log' message when waiting for logs. Fixes openshift/origin-web-console#1190 #1196
  • web: Correct controller names in ngdocs #1204
  • web: Turn off capitalization and autocorrect for some inputs #1208
  • web: Don't zoom on iOS when focusing a textarea #1210
  • web: Add tech preview header to StatefulSets list & detail page #1198
  • web: Don't add input-group class when hiding copy to clipboard button #1211
  • web: Add note for storage class used on PVC grid #1200
  • web: Make verify-dist print what files are failing #1214
  • web: Dont show advanced option link for Custom deployment strategy #1215
  • web: Warn when editing YAML did not change the object #1222
  • web: Don't show failed pods in pod donut #1223
  • web: Remove old routes watcher in the Services controller #1226
  • web: Bug 1419887 - Validate advanced form inputs that are hidden #1228
  • web: Fix membership addRoleToUser() fn, check namespace w/subject before asserting subject already has role #1229
  • web: History for an image stream tag can't be shown #1246
  • web: Fix sample pipeline button #1248
  • web: Bug 1413516: Correctly handle suffix k in usageValue filter #1249

Release SHA256 Checksums

ba77489cfaba0b699aae4145a934bd974f3370de33698452f9b167bfadd0d798  openshift-origin-client-tools-v1.5.0-alpha.3-cf7e336-linux-32bit.tar.gz
cd126aee3a2ed9734724b483adb4256035c8de840ae409f11adbafa0ec3d2042  openshift-origin-client-tools-v1.5.0-alpha.3-cf7e336-linux-64bit.tar.gz
36e03331b2d434ebc26a4004080fb07d14308f7f2af619ff9eb366120dfbc58e  openshift-origin-client-tools-v1.5.0-alpha.3-cf7e336-mac.zip
0bf59816e8a1c235bc76f443961fb4d6ef387432005ecea139684ed9b69b90c3  openshift-origin-client-tools-v1.5.0-alpha.3-cf7e336-windows.zip
4c67e4bb982ab3fa80f85fb26f2b0f6a1e4c728cc62ee12dd25f4065a81131fc  openshift-origin-server-v1.5.0-alpha.3-cf7e336-linux-64bit.tar.gz
Assets 8
Loading