• openshift/origin

    Release notes

    This is the 3.11 release of OpenShift Origin.

    Backwards Compatibility

    • auth: The auth reconcile command is now deprecated as its functionality is part of the server #20177
      • The CLI command is now identical to the upstream auth reconcile and no longer updates roles
    • auth: The cluster-reader RBAC role is now an aggregated role to simplify adding new permissions #20279
    • cli: oc patch is now consistent with the kubectl patch command #20665
    • cli: oc types is now deprecated - use oc api-resources instead #21000
    • security: If the scheduler.alpha.kubernetes.io/node-selector annotation is set on a namespace, openshift.io/node-selector is now ignored #21058
    • server: The openshift start node functionality and openshift start have been removed - the Kubelet must now be started directly #20344, #20717
      • By using the Kubelet directly we make nodes easier to manage and more consistent with the upstream.
      • Future releases will remove other parts of openshift start master.

    Changes

    Roadmap for the v3.11 release

    v3.11.0 (2018-10-10) Full Changelog

    API

    • build: Allow dashes to be used in the environment variable names in builds #20738
    • image: Return information about image layers that are associated with an image stream to improve registry performance #19969, #20643
    • security: Promote sysctl annotations to fields in SecurityContextConstraints #20151

    Component updates

    • Updated to Kubernetes v1.11.0-62-gd4cacc0 + patches
      • 62943: set updated replicas in statefulsets #20347
      • 64378: Don't reset global timeout on each for loop iteration #20452
      • 64426: Clean up fake mounters. #20117
      • 64447: Add block volume support to internal provisioners #20058
      • 64541: Add more kubectl auth reconcile flags #20281
      • 64860: checkLimitsForResolvConf for the pod create and update events instead of checking period #20070
      • 64879: Add block volume support to Cinder volume plugin #20270
      • 64896: kubectl: wait for all errors and successes on podEviction #20452
      • 65189: fix paths w shortcuts when copying from pods #20034
      • 65189: revert: fix paths w shortcuts when copying from pods #20075
      • 65226: Put all the node address cloud provider retrieval complex logic into cloudResourceSyncManager #20615
      • 65238: fix scheduler port boundary to match detection #20033
      • 65326: fix printer check to tolerate vendoring #20033
      • 65329: make builder tolerant of restmapper failures when it doesn't need the answer #20033
      • 65367: make sure delete waiting doesn't re-evaluate the resource lists #20033
      • 65368: legacy api endpoints only support v1 ever #20033
      • 65370: delete should tolerate a failed wait because of missing verbs #20033
      • 65377: special-case templates get.go #20033
      • 65447: Resolve potential devicePath symlink when MapVolume #20117
      • 65480: allow enabling kubelet serving certificate rotation via flag #20033
      • 65486: show type differences in reflect diff #20033
      • 65488: flatten nested lists for flatten in visitor #20033
      • 65489: kubectl convert should not double wrap output in nested lists #20033
      • 65547: Honor custom transport dialer #20033
      • 65549: Fix flexvolume in containerized kubelets #20358
      • 65587: Revert "certs: only append locally discovered addresses when we got none from the cloudprovider" #20033
      • 65686: fix kubectl create priorityclass failure bug #20624
      • 65700: Update output format so that it matches actual accepted values #20139
      • 65705: Block volumes should have empty FSType #20327
      • 65711: make template printers a recommended printer #20257
      • 65715: fail on rbac resources of non-v1 versions in reconcile #20177
      • 65786: update --template printer defaulting #20257
      • 65856: only need to ignore resources that match discovery conditions #20242
      • 65899: use self-signed cert fixtures in integration test servers #20309
      • 65904: track schemes by name for error reporting #20242
      • 65906: Improve multi-authorizer errors #20379
      • 65908: switch delete strategy to background deletion #20274
      • 65987: Add region label to dynamic provisioned cinder PVs #20418
      • 66008: Convert TestServerRunWithSNI to subtests to isolate flake #20302
      • 66085: fix updateJob scheduling of resync #20763
      • 66136: make delete waits match on UID #20305
      • 66172: Reverting commit #56600 as GCE PD is allocated in chunks of GiB inste... #20418
      • 66225: add support for "success" output for edit command #20589
      • 66225: update testcase for edit #20589
      • 66249: fill in normal restmapping info with the legacy guess #20392
      • 66324: Fixing E2E tests for disk resizing #20418
      • 66350: Start cloudResourceSyncsManager before getNodeAnyWay (initializeModules) to avoid kubelet getting stuck in retrieving node addresses from a cloudprovider #20615
      • 66352: update logs cmd to deal w external versions #20343
      • 66397: Fix upper limit on m5/c5 instance types #20439
      • 66398: fix logs command to be generic for all resources again #20514
      • 66403: indicate which scheme has conflicting data #20372
      • 66406: Send correct headers for pod printing #20437
      • 66406: tolerate missing column headers in server-side print output #20437
      • 66464: Avoid overflowing int64 in RoundUpSize and return error if overflow int #20418
      • 66519: switch attach to use external objs #20514
      • 66725: update exit code to 0 if patch not needed #20456
      • 66779: add methods to apimachinery to ease unit testing #20471
      • 66835: cloudprovider: aws: return true on existence check for stopped instances #20663
      • 66837: fix panic fake SAR client expansion #20491
      • 66929: add logging to find offending transports #20554
      • 66931: Use the passed-in streams in kubectl top #20529
      • 66932: Include unavailable apiservices in discovery response #20635
      • 67024: add CancelRequest to discovery round-tripper #20554
      • 67033: expose default LogsForObject consumeRequest func #20550
      • 67093: improve config file modification time #20566
      • 67094: Fix incorrect reporting of total request including current pod in the resource allocation priority function. #20603
      • 67094: Output volumes (total capacity and requests) too along with cpu and memory when the feature BalanceAttachedNodeVolumes is used. #20603
      • 67097: Ignore EIO error in unmount path #20866
      • 67236: fix azure disk create failure due to sdk upgrade #20662
      • 67316: Adds tests for --all-containers=true #20684
      • 67399: update patch to work with --local and avoid extra requests #20642
      • 67399: update patch to work with --local and avoid extra requests #20665
      • 67433: allow failed discovery on initial quota controller start #20635
      • 67433: allow failed discovery on initial quota controller start #20693
      • 67493: Tolerate nil input in GetValueFromIntOrPercent #20532
      • 67615: attach: Move the AttachFunc default function to the initializer #20697
      • 67698: Fix NameFromCommandArgs when passing command after -- #20730
      • 67822: Remove provisioner config from log message. #20756
      • 67835: Tests that use CheckTestingNSDeletedExcept must be serial #18816
      • 67896: expose generic storage factory primitives #20777
      • 67957: Size http2 buffers to allow concurrent streams #20783
      • 68007: Orphan DaemonSet when deleting with --cascade option set #20793
      • 68008: apiserver: forward panic in WithTimeout filter #20979
      • 68563: fix scheduler crash when Prioritize Map function failed #21194
      • 68678: tighten maximum retry loop for aggregate api availability #21012
      • 68680: Fix chown on distributed flex volumes (like gluster) #21070
      • <carry>: Node selector aware DS controller should not process openshift-io/node-selector if scheduler.alpha.kubernetes.io/node-selector is set. #21058
      • <carry>: Coerce string->int, empty object -> slice for backwards compatibility #20164
      • <carry>: Ensure perFSGroup quantity is positive #20564
      • <carry>: Expose ns lifecycle admission list of allowed resources #20242
      • <carry>: Gracefully handle empty volume-config file #20154
      • <carry>: oc patches on kubectl #20721
      • <carry>: patch in a non-standard location for apiservices #20578
      • <carry>: rewrite unstructured objects on the CLI to avoid oapi #20033
      • <carry>: simplify kube-controller-manager patches #20954
      • <carry>: switch back to use ugorji/go - decode to signed integers #20033
      • <carry>: tidy up oc patches and ensure we never print a non-groupified object #20385
      • <drop>: GCE load balancer unit test is flaky #20230
      • <drop>: Remove influxdb dependency until the next rebase #18816
      • <drop>: carry old printers until we update #20033
      • <drop>: carry old printers until we update #20257
      • <drop>: Fix cloud provider vsphere data race #20033
      • <drop>: Increase loglevel for health check #20616
      • <drop>: Make auth reconcile work with backlevel versions until ansible updates #20033
      • <drop>: vSphere test has race conditions, disable #20231

    Features

    • build: Support ConfigMaps as sources in build definitions - allows you to have config from the build #19655, #20064
    • cli: Add oc image append which can add a new layer or change metadata on a Docker image against a remote registry #20027
    • cli: Add oc image extract to extract all or part of an image to disk from any platform #20466
    • cli: Support SSPI (Kerberos authentication) on Windows for the command line #11371
    • cli: Include the kubectl binary in release output #20932, #20958, #20900
    • network: Support automatic and highly available egress IPs for applications #19578, #20485, #21085, #20258, #20500
    • router: Support for mutual TLS authentication between the router and service backends. #19891, #20476
    • router: Allow HAProxy to dynamically change backends without requiring a reload #19073, #20559, #20557, #20630, #20646

    Bugs

    • auth: Add namespaced servicebrokers, serviceclasses and serviceplans to admin/edit/view ClusterRoles #20852
    • auth: Update GitLab IDP to support OIDC #19997
    • auth: Use the upstream RBAC roles for reconciliation #20638
    • build: Ensure OOMKilled reason from pods is reported on build status #20297
    • build: Move deployer and build binaries into oc #20011 #20008
    • build: Remove false alarm warning for repo binary input on oc start-build #20100
    • cli: Allow patching configapi using oc patch #20642
    • cli: Honor 'oc edit' output format #20589
    • cli: accept --kubeconfig like kubectl #20721
    • cluster: Cluster quota controller tolerate inaccessible api resources #20693
    • deploy: Be tolerant on deployment decode and strict on encode to prevent incorrect fields #20185
    • deploy: Fix printing DC replicas #21017
    • dns: Restore graceful shutdown of DNS server #21021
    • image: Deprecate oc import-image legacy path using annotations #19673
    • image: Image stream imports longer than 30s should not fail #20419
    • image: Log image changes on verify-image-signature without --save #19976
    • image: Prune images in parallel #19468
    • image: Reuse existing imagestreams with new-app #20052
    • migrate: Ignore resources that cannot be listed and updated #21075
    • network: Bug 1614660 - Network diagnostic will auto detect runtime #20647
    • network: Show EgressCIDRs in "oc get hostsubnets" #20486
    • network: Update egress IPs when node changes IP #20393
    • node: Set FileCheckFrequency default properly #20158
    • route: Fix issue where routes are not cleaned up when a namespace label is deleted or updated. #20579
    • router: Bug 1618563 - Use the TCP balance scheme if configured before falling back to the default router load balancing algo #20702
    • router: Fix weight logic for A/B testing #19893
    • router: HAProxy ip whitelist exceeding max config arguments that haproxy allows. #20357
    • router: Router metrics sometimes fail to detect HTTP/1 connections #21043
    • service-catalog: use K8s NamespaceLifecycle admission controller #20673
    • test: Enable a large chunk of upstream e2e tests that were accidentally not being run #18816

    Release SHA256 Checksums

    The latest artifacts are always located at https://artifacts-openshift-release-3-11.svc.ci.openshift.org/zips/

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  CHECKSUM
    4b0f07428ba854174c58d2e38287e5402964c9a9355f6c359d1242efd0990da3  openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz
    9bfcd70df56d902b2cd39dea06e73f4c5451ef9e2ad0e8d6d5b27a92af8503fc  openshift-origin-server-v3.11.0-0cbc58b-linux-64bit.tar.gz
    75d58500aec1a2cee9473dfa826c81199669dbc0f49806e31a13626b5e4cfcf0  openshift-origin-client-tools-v3.11.0-0cbc58b-mac.zip
    cdb84cc0000d0f0983120f903b2cad7114527ce2a9c4eb1988986eda7b877bfa  openshift-origin-client-tools-v3.11.0-0cbc58b-windows.zip