Changes

Roadmap for the v3.10 release

v3.10.0-rc.0 (2018-06-19) Full Changelog

API

Ingress support

In order to better adapt ingress objects to routes, a new controller has been added to OpenShift that maps Kubernetes Ingress objects (in their v1beta1 form) to OpenShift Routes automatically. This allows the HAProxy router to report status, perform host overrides, support multi-tenant protection on hostnames, and securely manage Ingress secrets.

The controller converts each Ingress rule into its own route, as long as the rule has a hostname or TLS hostname. Any referenced secrets are copied into the final Route and kept up to date. If a generated route is deleted it will be recreated by the controller. Once a route is created, any annotations or route specific fields will not be altered unless the route is deleted (such as weighted service backends). A route with a TLS endpoint will be set to Reencrypt termination, but that may be changed after creation.

The router process itself no longer needs to watch Ingress or Secret resources.

• router: Replace router support for ingress with an ingress-to-route controller #18658

Other changes

• Image signature annotations are ignored #19037
• Explicitly prohibit spec updates to imagestreamtag resources which are not a spec tag. #18532

Component updates

• Updated to Kubernetes v1.10.0-47-gb81c8f8 + patches
  • 42873: add kubectl api-resources command #19884
  • 54530: api: validate container phase transitions #18791
  • 57202: Fix format string in describers #18810
  • 58972: Fix job's backoff limit for restart policy OnFailure #19672
  • 59170: Fix kubelet PVC stale metrics #18637
  • 59301: dockershim: don't check pod IP in StopPodSandbox #18425
  • 59316: Exit if no client cert is available for 5m #18430
  • 59365: Fix StatefulSet set-based selector bug #18797
  • 59931: do not delete node in openstack, if those still exist in cloudprovider #19038
  • 60289: fix freespace for image GC #18767
  • 60342: Fix nested volume mounts for read-only API data volumes #18766
  • 60455: removes custom scalers from kubectl #19275
  • 60490: Volume deletion should be idempotent #18856
  • 60632: Add volumemetrics for ISCSI Plugin #19842
  • 60654: notify systemd on kubelet start #18886
  • 60978: Fix use of "-w" flag to iptables-restore #18919
  • 61287: provide easy methods for direct kubeconfig loading from bytes #18956
  • 61294: Fix cpu cfs quota flag with pod cgroups #19028
  • 61378: --force only takes effect when --grace-period=0 #19213
  • 61459: etcd client add dial timeout #19953
  • 61480: Allow sockets to be mounted in subpath #19329
  • 61790: make reapers tolerate 404s on scaling down #19275
  • 61808: Ensure -o yaml populates kind/apiVersion #19137
  • 61949: Tolerate 406 mime-type errors attempting to load new openapi schema #19137
  • 61962: Avoid data races in unit tests #19137
  • 61985: Restore show-kind function when printing multiple kinds #19137
  • 62074: Narrow interface consumed by scale client #19137
  • 62114: removes job scaler, continued #19275
  • 62146: Fix daemon-set-controller bootstrap RBAC policy #19517
  • 62152: Keep node.kubeconfig correct during rotation #19857
  • 62196: Remove need for server connections for dry-run create #19137
  • 62199: Make priority rest mapper handle partial discovery results #19137
  • 62234: Handle partial group and resource responses consistently #19137
  • 62254: Add name output and verb filtering to api-resources #19884
  • 62336: add statefulset scaling permission to admins, editors, and viewers #19275
  • 62394: Revert "git: Use VolumeHost.GetExec() to execute stuff in volume plugins" #19359
  • 62416: kuberuntime: logs: reduce logging level on waitLogs msg #19334
  • 62461: allow higher burst for discovery #19327
  • 62462: Private mount propagation #19364
  • 62469: stop defaulting kubeconfig to http://localhost:8080 #19335
  • 62543: Timeout on instances.NodeAddresses cloud provider request #19733
  • 62572: Prevent virtual infinite loop in volume controller #19371
  • 62584: Make x-kubernetes-print-column print handling opt-in #19352
  • 62668: add metrics to cinder volume #19444
  • 62733: Set a default request timeout for discovery client #19471
  • 62744: Fix kubectl describe cronjob #19391
  • 62827: fix csi data race in csi_attacher_test.go #19508
  • 62874: dockershim/sandbox: clean up pod network even if SetUpPod() failed #19576
  • 62913: make a simple dynamic client that is easy to use #19515
  • 62914: kubelet: fix flake in TestUpdateExistingNodeStatusTimeout #19453
  • 63086: Fix discovery default timeout test #19471
  • 63160: kubelet: logs: do not wait when following terminated container #19545
  • 63169: Remove unnecessary dependencies on api/core/v1 #19509
  • 63177: kubectl takes a dependency on the controllers #19509
  • 63295: Fixed CSI volume detach when the volume is already detached #19816
  • 63303: Return attach error to A/D controller #19816
  • 63321: kubelet: force filterContainerID to empty string when removeAll is true #19580
  • 63339: kubelet: volume: do not create event on mount success #19625
  • 63349: Decorate function not called on Create #19602
  • 63403: don't block creation on lack of delete powers #19404
  • 63416: Retry certificate approval on conflict errors #19770
  • 63417: Panic when map string bool flag has no value #19620
  • 63421: Cache preferred resources, use in kubectl resource name autocomplete (single commit) #19884
  • 63490: default the ignorenotfound for delete when selecting objects #19616
  • 63650: Never clean backoff in job controller #19672
  • 63716: Add InstallPathHandler which allows for more then one path to be associated with health checking. #19009
  • 63831: Always track kubelet -> API connections #19638
  • 63831: Close all kubelet->API connections on heartbeat failure #19638
  • 63848: Deflake discovery timeout test #19714
  • 63875: make TestGetServerGroupsWithTimeout more reliable #19723
  • 63903: Revert "Openstack: register metadata.hostname as node name" #19730
  • 63903: Revert "Specify DHCP domain for hostname" #19730
  • 63903: Revert "Split out the hostname when default dhcp_domain is used in nova.conf" #19730
  • 63926: Avoid unnecessary calls to the cloud provider #19742
  • 63966: kubectl: fix Flatten() when used without Latest() #19747
  • 63977: pkg: kubelet: remote: increase grpc client default size #19774
  • 64026: Enable SELinux relabeling in CSI volumes #19816
  • 64028: Tolarate negative values when calculating job scale progress #19765
  • 64443: services must listen on port 443 for aggregation #19866
  • 64516: Fix error message to be consistent with others #19884
  • 64573: remove extra "../" when copying from pod to local #19898
  • 64797: Handle deleted DaemonSet properly #19927
  • 64855: Fix setup of ephemeral storage #19939
  • 64883: Fix up legacy printer table adapter #19934
  • 64916: improve memory footprint of daemonset simulate #19956
  • 64946: log healthz check #19952
  • 64969: volume: decrease memory allocations for debugging messages #19960
  • 65001: Quiet verbose apiserver logs #19970
  • 65009: daemon: add custom node indexer #19980
  • 65027: Use actual etcd client for /healthz/etcd checks #19992
  • 65063: Re-use private key after failed CSR #20000
  • : Add PSP review to /oapi Resources #19542
  • : Remove write permissions on daemonsets from Kubernetes bootstrap policy #18971
  • : XFS quota for emptyDir volumes #19533
  • : add RawConfig to factory for commands modifying raw kubeconfig files #19343
  • : aggregator to proxy oapi to apps.openshift.io server #18652
  • : allow injecting printers #19137
  • : allow oc kubeconfig loading to have our flags and errors #19335
  • : change config file location and restore perFSGroup to quantity #19773
  • : controller-manager patches for recycler #18887
  • : disable local storage isolation feature gate #19323
  • : enable critical pod support by default #19104
  • : filter daemonset nodes by namespace node selectors #18989
  • : inject new parameter for image resolution into kubectl set image #19348
  • : pods in openshift-* namespace can be marked critical #19104
  • : rewrite unstructured objects on the CLI to avoid oapi #19327
  • : avoid contacting server for restmappings in local mode #19996
  • : make RootFsInfo error non-fatal on start #19137
  • : stop wrapping --sort-by value in {} #19777
• Other patches
  • docker/distribution#2382: Don't double add scopes
  • docker/docker#36517: ensure hijackedConn implements CloseWrite function
  • google/cadvisor#1903: fix #1902 bug with retryDockerStatus
  • opencontainers/runc#1754: Add timeout while waiting for StartTransinetUnit completion signal
  • opencontainers/runc#1805: fix systemd cpu quota for -1

Features

Multi-stage Docker image build support

Builds using the Dockerfile build strategy can now build multi-stage Docker images. The from field continues to target the last image stage in the Dockerfile, but the new as attribute on imageSources allows other stages to be replaced with triggered images.

• Support multi-stage dockerbuilds via imagebuilder #18741, #19494

Support external OAuth token authenticators

OpenShift can now be configured to delegate login flows to a remote OAuth capable endpoint like Keycloak. This allows a central Keycloak server to authenticate multiple clusters. See the documentation for more details about configuring this option.

• auth: Add option to configure an external OAuth server #18969
• auth: Support WebhookTokenAuthenticators for using external servers as token authenticators #18868

Other Features

• auth: Add oc adm prune role command to clean up rolebindings that are not bound to valid roles #19619
• cli: Add server-side column printer support for openshift objects #19934
• clusterup: Add --enable=automation-service-broker #19409
• image: Parallelize image mirroring and reuse mounted layers #19017
• migrate: Allow storage migration to be performed in parallel #19691
• registry: Both internal and external hostnames for the registry should be in docker pull secrets #19838
• router: Make updating status on the router optional #17420
• router: Prometheus should scrape the router by default #18254
• router: Support for DNS names in egress routes #15409
• router: Perform real backoff when contending for writes from the router #18686
• router: Make router conflict detection work even during initial informer sync #19706
• router: Allow only a subset of routes from specific domains to be overriden by the hostname-template #19418
• router: Allow egress-router to connect to its own node IP for DNS #19885
• server: Expose api-versions and api-resources in oc #19884
• template: Allow TemplateInstances to create arbitrary resources, including CRDs #19396

Bugs

• build: Retry retrieving build logs in some cases #19695
• cert: Order x509 certificate subjects to prevent a Golang / GNUTLS incompatibility #18837
• cli: Support quay.io pushing in oc image mirror #19016
• cli: Correct oc scale error handling #19275
• cli: Improve validation for oc set volume #19169
• cli: Fix incorrect oc run default option #19712
• cli: Dots should be allowed in environment variable names passed to oc new-app #19688
• diagnostic: Replace usage of brctl with /sbin/ip #19929
• jenkins: Adjust jenkins template setting to account for effects of constrained default max heap #18832
• network: Fix handleDeleteSubnet() to release network from subnet allocator #18801
• network: Fix egressip handling when a NetNamespac is updated #18808
• network: The NetworkCheck diagnostic did not use the correct config file #18709
• network: Allow configurable CNI bin dir in openshift SDN #18464
• network: Correctly report initial NodeNetworkUnavailable condition #18758
• network: Allow subnet allocator to handle changes to the subnet values #18999
• network: Prevent incorrect deletion of HostSubnet OVS flows #19080
• network: Make changing egress network policy rules more efficient #19346
• network: Print out errors that occur when using macvlan and a namespace cannot be retrieved #19491
• network: Remove openvswitch check from UnitStatus diagnostic #19572
• network: Use a real OVS transaction when changing network configuration on the host #19393
• network: Use a go-native DNS library instead of dig command for dns resolution in egress network policy #19805
• network: Do not throw spurious error when minTTL=0 for the domain in egress network policy #19950
• network: Remove the node from dnsmasq config when shutting down #19987
• network: Get lowest TTL from the DNS resolution chain for egress DNS #19982
• node: Fix to pass quoted unsafe strings (with characters like *,<,%) correctly to kubelet #19951
• registry: Update docker config secret to support the future location of the registry service #19514
• registry: Make docker registry service controller check all secrets #19788
• router: When a router is reloaded after a batch of route/ingress changes are committed, haproxy sometimes fail to reload #18587
• router: Some route status updates were being lost #19018
• router: Combine backend map files to fix path based routing #18840
• router: Wildcard routes should not take precedence over sub-routes #19076
• router: Some routes were being rejected incorrectly when NAMESPACE_LABELS was set #19330
• router: The router can forget routes when routes are created and deleted in rapid succession #19175
• router: Unidle in router should ignore headless services #19416
• router: Allow Prometheus to get metrics from the router #19318
• security: Correctly handle legacy PodSecurityPolicyReview resources #19542
• server: Improve performance of the SDN controller by using shared caches #18911
• server: Move range allocation to an internal API as rangeallocations.security.openshift.io #19277
• server: Set etcd DialTimeout, fix etcd start order in all-in-one #19953
• server: When etcd is down, avoid pathological healthz behaviors #19992
• service-catalog: Start API and controller pods with log verbosity = 3 #19135

Release SHA256 Checksums

f876258c9a6221637a84e35ff68e9af96c2f2013eb9ae41ea33abd9286aa045c  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz
dcb414712e8ae08146634d0c18720476e7afd024aa100bd2246d064de6658664  ./openshift-origin-server-v3.10.0-rc.0-c20e215-linux-64bit.tar.gz
872e0b58684af5d17b41a0585c50b41d09fbefa449d80927ba91252ac998deb3  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-mac.zip
25eef2fc0401209e3b5d40239827c023f463cdafeb06f81f1a6a0af9deaa1d25  ./openshift-origin-client-tools-v3.10.0-rc.0-c20e215-windows.zip
1c21ba58ee0f7fc8b55e9d84099632ec970051adc3744a294a10bcd3aefcfe21  ./CHECKSUM